June 6, 2025, 9:23 p.m.

Installing and configuring ArgoCD

Tasks:

  • Install ArgoCD together with helmfile using Helm;
  • Connect Keycloak;
  • Configure node placement rules;
  • Send notifications to Telegram.

ArgoCD + helmfile

Adding the ArgoCD Helm repository

helm repo add argo https://argoproj.github.io/argo-helm

Example values.yaml

repoServer:
  volumes:
    - name: helmfile-plugin
      emptyDir: {}
    - name: custom-tools
      emptyDir: {}
    - name: helmfile-plugin-tmp
      emptyDir: {}
    - name: helm-data-home
      emptyDir: {}

  extraContainers:
    - name: helmfile-plugin
      image: travisghansen/argo-cd-helmfile:latest
      command: [/var/run/argocd/argocd-cmp-server]
      env:
        - name: HELMFILE_GLOBAL_OPTIONS
          value: "--environment default"
        - name: HELM_DATA_HOME
          value: /home/argocd/.local/share/helm
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: helmfile-plugin-tmp
        - mountPath: /usr/local/bin/argo-cd-helmfile.sh
          name: custom-tools
          subPath: argo-cd-helmfile.sh
        - mountPath: /usr/local/bin/helmfile
          name: custom-tools
          subPath: helmfile
        - mountPath: /home/argocd/.local/share/helm
          name: helm-data-home

  initContainers:
    - name: download-tools
      image: alpine:3.18
      command: [sh, -c]
      args:
        - |
          set -ex
          apk add --no-cache wget curl ca-certificates
          wget -O /custom-tools/argo-cd-helmfile.sh https://raw.githubusercontent.com/travisghansen/argo-cd-helmfile/master/src/argo-cd-helmfile.sh
          chmod +x /custom-tools/argo-cd-helmfile.sh
          # pick the archive that matches the node architecture (linux_amd64 for x86_64 nodes);
          # download it under its own name and extract only the helmfile binary into /custom-tools
          wget -O /tmp/helmfile.tar.gz https://github.com/helmfile/helmfile/releases/download/v0.156.0/helmfile_0.156.0_linux_arm64.tar.gz
          tar -xzf /tmp/helmfile.tar.gz -C /custom-tools helmfile
          chmod +x /custom-tools/helmfile

      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
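The init container above fetches the plugin script from the master branch of a GitHub repository and a release archive with no integrity check, and the repo-server then executes both; whatever is served at those URLs on the day a pod restarts gains access to every repository the repo-server can read. The Python below is an added example, not part of the original post or of the argo-cd-helmfile project. It shows the two checks a practitioner puts around that download: verifying the archive against a sha256sum-style checksum list (helmfile release pages publish one in this format alongside the archives) and scanning the values file for mutable sources such as :latest image tags and branch references in raw.githubusercontent.com URLs. The archive bytes, the checksum listing and the values excerpt are all constructed for the example.

```python
"""Supply-chain checks for tools pulled into the Argo CD repo-server at start-up.

Added example (not part of the original post or of the argo-cd-helmfile project).
  1. verify a downloaded archive against a sha256sum-style checksum list;
  2. flag unpinned sources in the values file ('latest' image tags and
     raw.githubusercontent.com URLs that reference a branch instead of a commit).
All sample inputs are constructed for the example.
"""
import hashlib
import hmac
import re

# Constructed stand-in for the downloaded archive bytes. Its SHA-256 is the
# well-known digest of the string "abc".
SAMPLE_ARCHIVE = b"abc"
SAMPLE_ARCHIVE_NAME = "helmfile_0.156.0_linux_arm64.tar.gz"

# Constructed checksum list in `sha256sum` format: "<hex digest>  <file name>".
SAMPLE_CHECKSUMS = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  helmfile_0.156.0_linux_arm64.tar.gz
0000000000000000000000000000000000000000000000000000000000000000  helmfile_0.156.0_linux_amd64.tar.gz
"""


def parse_checksums(text: str) -> dict[str, str]:
    """Map file name -> expected hex digest from a sha256sum-style listing."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        # sha256sum writes "*name" for files hashed in binary mode
        expected[name.lstrip("*").strip()] = digest.lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, name: str, checksums_text: str) -> bool:
    """True if `data` matches the digest listed for `name`; a missing entry is an error."""
    expected = parse_checksums(checksums_text)
    if name not in expected:
        raise ValueError(f"{name} not present in checksum list")
    # constant-time comparison of two fixed-length hex strings
    return hmac.compare_digest(sha256_hex(data), expected[name])


# Patterns for sources that are not pinned to an immutable reference.
_LATEST_TAG = re.compile(r"image:\s*\S+:latest\b")
_BRANCH_REF = re.compile(r"https://raw\.githubusercontent\.com/[^/\s]+/[^/\s]+/(master|main)/")


def unpinned_sources(values_yaml: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for each line that pulls from a mutable source."""
    findings = []
    for lineno, line in enumerate(values_yaml.splitlines(), start=1):
        if _LATEST_TAG.search(line):
            findings.append((lineno, "image tag 'latest' is mutable; pin a version or digest"))
        if _BRANCH_REF.search(line):
            findings.append((lineno, "script fetched from a branch; pin a commit SHA or release tag"))
    return findings


# Constructed excerpt mirroring the plugin container and init container above.
SAMPLE_VALUES = """\
    - name: helmfile-plugin
      image: travisghansen/argo-cd-helmfile:latest
          wget -O /custom-tools/argo-cd-helmfile.sh https://raw.githubusercontent.com/travisghansen/argo-cd-helmfile/master/src/argo-cd-helmfile.sh
          wget -O /tmp/helmfile.tar.gz https://github.com/helmfile/helmfile/releases/download/v0.156.0/helmfile_0.156.0_linux_arm64.tar.gz
"""

if __name__ == "__main__":
    print("archive ok:", verify_artifact(SAMPLE_ARCHIVE, SAMPLE_ARCHIVE_NAME, SAMPLE_CHECKSUMS))
    for lineno, reason in unpinned_sources(SAMPLE_VALUES):
        print(f"line {lineno}: {reason}")
```

In the init container itself the equivalent is to download the checksum file next to the archive and run sha256sum -c on it before extracting, and to replace master in the script URL with a commit SHA or tag.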

Adding authorization via Keycloak

The Keycloak setup itself is skipped here; the official site describes it in detail.

Add the following to values.yaml:

configs:
  cm:
    url: https://argocd.example.com # required, otherwise it will not work
    admin.enabled: false
    oidc.config: |
      name: Keycloak
      issuer: https://keycloak.example.com/realms/<realm>
      clientID: argocd
      clientSecret: $oidc.keycloak.clientSecret
      requestedScopes:
        - openid
        - profile
        - email
  rbac: # set as the default so that all users have full access
    policy.default: role:admin
  secret:
    extra:
      oidc.keycloak.clientSecret: "<client secret from Keycloak>"
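With policy.default set to role:admin, every account that can log in through Keycloak receives full administrative rights in ArgoCD, and any deny rule written later in policy.csv is unreachable because the default role is consulted as well. The Python below is an added example, not code from the original post or from Argo CD; it reimplements Argo CD's RBAC evaluation in reduced form (p lines, g lines, glob matching, allow unless denied, then the default role) so the difference between the setting above and a least-privilege configuration can be checked offline. The built-in role definitions are abbreviated, and the policy.csv, user and group names are constructed. It assumes Keycloak group names reach ArgoCD in the groups claim, which requires requesting the groups scope and listing it under rbac as scopes: '[groups]'.

```python
"""Simplified model of Argo CD RBAC evaluation.

Added example, not code from the original post or from Argo CD. Rules modelled:
  * p lines:  p, <subject>, <resource>, <action>, <object>, <effect>
  * g lines:  g, <user or group>, <role>
  * resource, action and object are matched as glob patterns;
  * a request is allowed when some matching policy says allow and none says deny;
  * the default role is evaluated as well, so it can grant what a deny line refuses.
The built-in roles below are abbreviated (an assumption that keeps the example short)
and the policy text and claims are constructed.
"""
from fnmatch import fnmatchcase

BUILTIN_POLICY = """
p, role:admin, *, *, *, allow
p, role:readonly, *, get, *, allow
"""

# Constructed policy.csv: Keycloak group names arrive in the OIDC `groups` claim.
EXAMPLE_POLICY_CSV = """
p, role:deployer, applications, sync, prod/*, allow
p, role:deployer, applications, get, */*, allow
p, role:deployer, applications, delete, prod/*, deny
g, /platform-admins, role:admin
g, /developers, role:deployer
"""


def parse_policy(text):
    """Return (policies, groupings) from CSV-style lines; blanks and # comments are skipped."""
    policies, groupings = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            policies.append(tuple(parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            groupings.append((parts[1], parts[2]))
        else:
            raise ValueError(f"unrecognised policy line: {raw!r}")
    return policies, groupings


def expand_subjects(subjects, groupings):
    """The subjects plus every role reachable through g lines (transitively)."""
    result = set(subjects)
    changed = True
    while changed:
        changed = False
        for member, role in groupings:
            if member in result and role not in result:
                result.add(role)
                changed = True
    return result


def _matches(policies, subjects, resource, action, obj):
    allow = deny = False
    for subj, p_res, p_act, p_obj, effect in policies:
        if (subj in subjects and fnmatchcase(resource, p_res)
                and fnmatchcase(action, p_act) and fnmatchcase(obj, p_obj)):
            if effect == "allow":
                allow = True
            elif effect == "deny":
                deny = True
    return allow and not deny


def enforce(policy_csv, default_role, sub, groups, resource, action, obj):
    """Decide an API request the way Argo CD's RBAC layer does, in simplified form."""
    policies, groupings = parse_policy(BUILTIN_POLICY + policy_csv)
    subjects = expand_subjects([sub, *groups], groupings)
    if _matches(policies, subjects, resource, action, obj):
        return True
    if default_role:
        return _matches(policies, expand_subjects([default_role], groupings), resource, action, obj)
    return False


if __name__ == "__main__":
    # the post's setting: any authenticated user may delete a production application
    print(enforce("", "role:admin", "anyone@example.com", [], "applications", "delete", "prod/app"))
    # least privilege: read-only by default, rights come from Keycloak groups
    print(enforce(EXAMPLE_POLICY_CSV, "role:readonly", "dev@example.com", ["/developers"],
                  "applications", "delete", "prod/app"))
```

In values.yaml the least-privilege variant corresponds to policy.default: role:readonly under rbac, the policy lines under rbac.policy.csv and scopes: '[groups]', with administrative rights granted only through a g line for a specific Keycloak group.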

Monitoring in Telegram

ArgoCD does not send messages to private chats

Add the following to values.yaml:

notifications:
  enabled: true
  name: notifications-controller
  argocdUrl: "https://argocd.example.com"

  logFormat: "json"
  logLevel: "info"

  secret:
    create: true
    items:
      telegram-token: "68...07:AAER7p...VZeHF" # TOKEN

  notifiers:
    service.telegram: |
      token: $telegram-token

  templates:
    template.app-deployed: |
      message: |
        🚀 Application {{.app.metadata.name}} deployed!
    template.app-health-degraded: |
      message: |
        ❗ Application {{.app.metadata.name}} health degraded.
        View: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}
    template.app-sync-failed: |
      message: |
        🔥 Application {{.app.metadata.name}} sync failed: {{.app.status.operationState.message}}
    template.app-sync-succeeded: |
      message: |
        ✅ Application {{.app.metadata.name}} synced successfully!

  triggers:
    trigger.on-deployed: |
      - description: Application is synced and healthy
        oncePer: app.status.sync.revision
        send:
          - app-deployed
        when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'

    trigger.on-health-degraded: |
      - description: Application has degraded
        send:
          - app-health-degraded
        when: app.status.health.status == 'Degraded'

    trigger.on-sync-failed: |
      - description: Application syncing has failed
        send:
          - app-sync-failed
        when: app.status.operationState.phase in ['Error', 'Failed']

    trigger.on-sync-succeeded: |
      - description: Application syncing has succeeded
        send:
          - app-sync-succeeded
        when: app.status.operationState.phase in ['Succeeded']

  subscriptions:
    - recipients:
        - telegram:-10028430271 # group chat ID
      triggers:
        - on-sync-succeeded
        - on-sync-failed
        - on-deployed
        - on-health-degraded

Assigning nodes for ArgoCD

In each block (add the block if it is missing), specify the following in values.yaml:

notifications:
  nodeSelector:
    cloud: aws
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: cloud # YOUR LABEL
                operator: In
                values: [aws] # VALUE
              - key: instance-type # YOUR LABEL
                operator: In
                values: [large]  # VALUE
<...>

List of blocks:

repoServer
controller
server
dex
redis
applicationSet
notifications
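The placement block above combines two constraints that the scheduler evaluates separately: nodeSelector requires every listed label to be present with exactly that value, and a required nodeAffinity is satisfied when at least one nodeSelectorTerm holds, where a term holds only if all of its matchExpressions do. The Python below is an added example, not from the original post or from Kubernetes; it reimplements that predicate in reduced form (In, NotIn, Exists, DoesNotExist) and builds the per-component values structure for the blocks listed above, so a node inventory can be checked before the chart is rolled out and pods end up Pending. The node names and labels are constructed.

```python
"""Scheduling predicate for the nodeSelector / required nodeAffinity pair used above.

Added example, not from the original post or from Kubernetes. Reduced model of the
scheduler's behaviour for these two fields:
  * nodeSelector: every key must be present with exactly that value;
  * requiredDuringSchedulingIgnoredDuringExecution: the node must satisfy at least
    one nodeSelectorTerm; a term holds only if all of its matchExpressions hold,
    and an empty term matches no node.
Both constraints must pass. The node inventory is constructed.
"""

# The placement block from the post, as a Python structure.
PLACEMENT = {
    "nodeSelector": {"cloud": "aws"},
    "affinity": {
        "nodeAffinity": {
            "requiredDuringSchedulingIgnoredDuringExecution": {
                "nodeSelectorTerms": [
                    {"matchExpressions": [
                        {"key": "cloud", "operator": "In", "values": ["aws"]},
                        {"key": "instance-type", "operator": "In", "values": ["large"]},
                    ]}
                ]
            }
        }
    },
}

# Chart components that take the placement block (the list from the post).
COMPONENTS = ["repoServer", "controller", "server", "dex", "redis", "applicationSet", "notifications"]


def expression_holds(labels, expr):
    """Evaluate one matchExpression against a node's labels."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator {op!r}")


def node_matches(labels, placement):
    """True if a node with `labels` satisfies both nodeSelector and required node affinity."""
    selector = placement.get("nodeSelector", {})
    if any(labels.get(k) != v for k, v in selector.items()):
        return False
    required = (placement.get("affinity", {}).get("nodeAffinity", {})
                .get("requiredDuringSchedulingIgnoredDuringExecution"))
    if not required:
        return True
    # OR across terms, AND within a term's matchExpressions
    for term in required.get("nodeSelectorTerms", []):
        exprs = term.get("matchExpressions", [])
        if exprs and all(expression_holds(labels, e) for e in exprs):
            return True
    return False


def values_with_placement(placement, components=COMPONENTS):
    """Values dict with the same placement block under every component, as the post prescribes."""
    return {name: dict(placement) for name in components}


def eligible_nodes(nodes, placement):
    """Sorted names of nodes (name -> labels) on which the ArgoCD pods could be scheduled."""
    return sorted(name for name, labels in nodes.items() if node_matches(labels, placement))


# Constructed node inventory
NODES = {
    "ip-10-0-1-10": {"cloud": "aws", "instance-type": "large"},
    "ip-10-0-1-11": {"cloud": "aws", "instance-type": "medium"},
    "gke-pool-a-1": {"cloud": "gcp", "instance-type": "large"},
    "bare-metal-1": {"instance-type": "large"},
}

if __name__ == "__main__":
    print("eligible nodes:", eligible_nodes(NODES, PLACEMENT))
    print("components configured:", sorted(values_with_placement(PLACEMENT)))
```

If eligible_nodes comes back empty for the real inventory, every component in the list above will stay Pending after the upgrade, so it is worth running this check (kubectl get nodes --show-labels gives the input) before changing the labels or values.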