Kubernetes ArgoCD

Automation of Everything - How To Combine Argo Events, Workflows & Pipelines, CD, and Rollouts


Делаю:
15.02.2021


https://www.youtube.com/watch?v=XNXJtxkUKeY


Original Gist

https://gist.github.com/vfarcic/48f44d3974db698d3127f52b6e7cd0d3


$ export INGRESS_HOST=$(minikube --profile my-profile ip)
$ echo ${INGRESS_HOST}
192.168.49.2


export BASE_HOST=[...] # e.g., $INGRESS_HOST.nip.io

export REGISTRY_SERVER=https://index.docker.io/v1/

# Replace `[...]` with the registry username

export REGISTRY_USER=[...]

# Replace `[...]` with the registry password

export REGISTRY_PASS=[...]

# Replace `[...]` with the registry email

export REGISTRY_EMAIL=[...]

# Replace `[...]` with the GitHub token

export GH_TOKEN=[...]

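# Replace `[...]` with the GitHub email

export GH_EMAIL=[...]

# NOTE: the commands below also read $GH_ORG (the GitHub user or organization that replaces `vfarcic` in the manifests), which is not set in this list. Export it as well; if it is empty, the `sed` substitutions replace `vfarcic` with nothing.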


$ cd ~/tmp
$ git clone https://github.com/vfarcic/argo-combined-app
$ git clone https://github.com/vfarcic/argo-combined-demo.git


$ cd argo-combined-app


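# NOTE: the search pattern of this sed expression was mangled by e-mail obfuscation when the page was captured. Replace <HOST_IN_BASE_FILE> with the hostname that appears in kustomize/base/ingress.yaml.
$ cat kustomize/base/ingress.yaml \
 | sed -e "s@<HOST_IN_BASE_FILE>@staging.argo-combined-app.$BASE_HOST@g" \
 | tee kustomize/overlays/staging/ingress.yaml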

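# NOTE: this pipeline reads and writes the same file, so `tee` can truncate it before `cat` has read it. If the file comes out empty, restore it with `git checkout` and write to a temporary file first. The same applies to every command on this page whose `tee` target is the file being read.
$ cat kustomize/overlays/production/rollout.yaml \
 | sed -e "s@vfarcic@$REGISTRY_USER@g" \
 | tee kustomize/overlays/production/rollout.yaml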

$ cat kustomize/overlays/staging/deployment.yaml \
 | sed -e "s@vfarcic@$REGISTRY_USER@g" \
 | tee kustomize/overlays/staging/deployment.yaml



$ cd argo-combined-demo

$ cat orig/sealed-secrets.yaml \
 | sed -e "s@vfarcic@$GH_ORG@g" \
 | tee production/sealed-secrets.yaml

# NOTE: in the next three commands the sed search pattern was mangled by e-mail obfuscation when the page was captured. Replace <HOST_IN_BASE_FILE> with the hostname that appears in the corresponding base file.
$ cat argo-cd/base/ingress.yaml \
 | sed -e "s@<HOST_IN_BASE_FILE>@argo-cd.$BASE_HOST@g" \
 | tee argo-cd/overlays/production/ingress.yaml

$ cat argo-workflows/base/ingress.yaml \
 | sed -e "s@<HOST_IN_BASE_FILE>@argo-workflows.$BASE_HOST@g" \
 | tee argo-workflows/overlays/production/ingress.yaml

$ cat argo-events/base/event-sources.yaml \
 | sed -e "s@vfarcic@$GH_ORG@g" \
 | sed -e "s@<HOST_IN_BASE_FILE>@webhook.$BASE_HOST@g" \
 | tee argo-events/overlays/production/event-sources.yaml

$ cat argo-events/base/sensors.yaml \
 | sed -e "s@value: vfarcic@value: $GH_ORG@g" \
 | sed -e "s@value: CHANGE_ME_IMAGE_OWNER@value: $REGISTRY_USER@g" \
 | tee argo-events/overlays/production/sensors.yaml

$ cat production/argo-cd.yaml \
 | sed -e "s@vfarcic@$GH_ORG@g" \
 | tee production/argo-cd.yaml

$ cat production/argo-workflows.yaml \
 | sed -e "s@vfarcic@$GH_ORG@g" \
 | tee production/argo-workflows.yaml

$ cat production/argo-events.yaml \
 | sed -e "s@vfarcic@$GH_ORG@g" \
 | tee production/argo-events.yaml

$ cat production/argo-rollouts.yaml \
 | sed -e "s@vfarcic@$GH_ORG@g" \
 | tee production/argo-rollouts.yaml

# NOTE: the first sed expression in each command was restored from e-mail-obfuscated text; confirm that `github.com/vfarcic` matches the repository URL in the file before running it.
$ cat production/argo-combined-app.yaml \
 | sed -e "s@github.com/vfarcic@github.com/$GH_ORG@g" \
 | sed -e "s@- vfarcic@- $REGISTRY_USER@g" \
 | tee production/argo-combined-app.yaml

$ cat staging/argo-combined-app.yaml \
 | sed -e "s@github.com/vfarcic@github.com/$GH_ORG@g" \
 | sed -e "s@- vfarcic@- $REGISTRY_USER@g" \
 | tee staging/argo-combined-app.yaml

$ cat apps.yaml \
 | sed -e "s@vfarcic@$GH_ORG@g" \
 | tee apps.yaml


$ kubectl apply --filename sealed-secrets


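# NOTE: the variables are quoted so that a password containing spaces or shell metacharacters is passed intact. `--dry-run=client` keeps the plain Secret out of the cluster; only the sealed output of kubeseal is written to the file. The password is still visible to other local users in the process list while kubectl runs.
$ kubectl --namespace workflows \
 create secret \
 docker-registry regcred \
 --docker-server="$REGISTRY_SERVER" \
 --docker-username="$REGISTRY_USER" \
 --docker-password="$REGISTRY_PASS" \
 --docker-email="$REGISTRY_EMAIL" \
 --output json \
 --dry-run=client \
 | kubeseal --format yaml \
 | tee argo-workflows/overlays/production/regcred.yaml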

# Wait for a while and repeat the previous command if the output contains `cannot fetch certificate` error message


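# The Secret below is only base64-encoded, not encrypted; it is piped straight into kubeseal so that only the sealed form is written to the repository.
$ echo "apiVersion: v1
kind: Secret
metadata:
  name: github-access
  namespace: workflows
type: Opaque
data:
  token: $(echo -n $GH_TOKEN | base64)
  user: $(echo -n $GH_ORG | base64)
  email: $(echo -n $GH_EMAIL | base64)" \
 | kubeseal --format yaml \
 | tee argo-workflows/overlays/workflows/githubcred.yaml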


$ echo "apiVersion: v1
kind: Secret
metadata:
  name: github-access
  namespace: argo-events
type: Opaque
data:
  token: $(echo -n $GH_TOKEN | base64)" \
 | kubeseal --format yaml \
 | tee argo-events/overlays/production/githubcred.yaml


git add .

git commit -m "Manifests"

git push

cd ..


GitOps deployments


$ cd argo-combined-demo


$ cat production/argo-cd.yaml


$ kustomize build \
 argo-cd/overlays/production \
 | kubectl apply --filename -

$ kubectl --namespace argocd \
 rollout status \
 deployment argocd-server


$ export PASS=$(kubectl \
 --namespace argocd \
 get secret argocd-initial-admin-secret \
 --output jsonpath="{.data.password}" \
 | base64 --decode)

$ argocd login \
 --insecure \
 --username admin \
 --password $PASS \
    --grpc-web \
    argo-cd.$BASE_HOST

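# NOTE: `admin` as the new password and `--insecure` on the login above are shortcuts for a disposable local cluster. On any cluster others can reach, set a strong password, and delete the `argocd-initial-admin-secret` Secret once the password has been changed.
$ argocd account update-password \
 --current-password $PASS \
 --new-password admin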


http://argo-cd.$BASE_HOST

admin / admin



$ kubectl apply --filename project.yaml

$ kubectl apply --filename apps.yaml


Events and workflows

$ cat argo-events/overlays/production/event-sources.yaml

$ cat argo-events/overlays/production/sensors.yaml

open https://github.com/$GH_ORG/argo-combined-app/settings/hooks

open http://argo-workflows.$BASE_HOST


$ cd ../argo-combined-app

# This might not work with providers that do not expose the IP but a host (e.g., AWS EKS)

$ export ISTIO_HOST=$(kubectl \
 --namespace istio-system \
 get svc istio-ingressgateway \
 --output jsonpath="{.status.loadBalancer.ingress[0].ip}")

$ echo $ISTIO_HOST

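# NOTE: the search pattern of this sed expression was mangled by e-mail obfuscation when the page was captured. Replace <HOST_IN_BASE_FILE> with the hostname that appears in kustomize/base/istio.yaml.
$ cat kustomize/base/istio.yaml \
 | sed -e "s@<HOST_IN_BASE_FILE>@argo-combined-app.$ISTIO_HOST.xip.io@g" \
 | tee kustomize/overlays/production/istio.yaml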

$ cat config.toml \
 | sed -e "s@Where DevOps becomes practice@Subscribe now\!\!\!@g" \
 | tee config.toml


git add .

git commit -m "A silly change"

git push


GitOps upgrades

open http://staging.argo-combined-app.$BASE_HOST


Canary deployments

cat kustomize/overlays/production/rollout.yaml

kubectl argo rollouts \
 --namespace production \
 get rollout argo-combined-app \
 --watch

open http://argo-combined-app.$ISTIO_HOST.xip.io