Beberapa waktu setelah menulis artikel pertama , di mana saya dengan cerdik mengelola jsonnet dan gitlab, saya menyadari bahwa pipeline memang bagus, tetapi tidak perlu sulit dan tidak nyaman.
Dalam kebanyakan kasus, tugas tipikal diperlukan: "buat YAML dan taruh di Kubernetes". Sebenarnya, inilah yang dilakukan CD Argo dengan sangat baik.
Argo CD memungkinkan Anda menghubungkan repositori Git dan menyinkronkan statusnya ke Kubernetes. Secara default, ada dukungan untuk beberapa jenis aplikasi: Kustomize, Helm charts, Ksonnet, bare Jsonnet atau hanya direktori dengan manifes YAML / JSON.
Set ini akan cukup untuk sebagian besar pengguna, tetapi tidak untuk semua orang. Untuk memenuhi kebutuhan semua orang, Argo CD memiliki kemampuan untuk menggunakan perkakas kustom.
Pertama-tama, saya tertarik dengan kemungkinan menambahkan dukungan untuk qbec dan git-crypt , yang telah dibahas sepenuhnya di artikel sebelumnya.
Sebelum melanjutkan dengan konfigurasi, Anda harus terlebih dahulu memahami cara kerja CD Argo.
Untuk setiap aplikasi yang ditambahkan, ada dua fase:
- init — , : , .
- generate — , YAML stream, , .
, Argo , Helm. Argo CD Helm , .
Argo Helm-, .
QBEC
Qbec jsonnet, Helm-, Argo CD Helm-, Argo CD .
qbec argocd :
- Argo CD custom plugin .
- argocd-repo-server.
# cm.yaml
data:
configManagementPlugins: |
- name: qbec
generate:
command: [sh, -xc]
args: ['qbec show "$ENVIRONMENT" -S --force:k8s-namespace "$ARGOCD_APP_NAMESPACE"']( init )
$ kubectl -n argocd patch cm/argocd-cm -p "$(cat cm.yaml)", init-:
# deploy.yaml
spec:
template:
spec:
# 1. Define an emptyDir volume which will hold the custom binaries
volumes:
- name: custom-tools
emptyDir: {}
# 2. Use an init container to download/copy custom binaries into the emptyDir
initContainers:
- name: download-tools
image: alpine:3.12
command: [sh, -c]
args:
- wget -qO- https://github.com/splunk/qbec/releases/download/v0.12.2/qbec-linux-amd64.tar.gz | tar -xvzf - -C /custom-tools/
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
# 3. Volume mount the custom binary to the bin directory (overriding the existing version)
containers:
- name: argocd-repo-server
volumeMounts:
- mountPath: /usr/local/bin/qbec
name: custom-tools
subPath: qbec
- mountPath: /usr/local/bin/jsonnet-qbec
name: custom-tools
subPath: jsonnet-qbec$ kubectl -n argocd patch deploy/argocd-repo-server -p "$(cat deploy.yaml)":
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: qbec-app
namespace: argocd
spec:
destination:
namespace: default
server: https://kubernetes.default.svc
project: default
source:
path: examples/test-app
targetRevision: fix-example
plugin:
env:
- name: ENVIRONMENT
value: dev
name: qbec
repoURL: https://github.com/kvaps/qbec
syncPolicy:
automated:
prune: trueENVIRONMENT .
:
, !
git-crypt
Git-crypt . git.
git-crypt .
git-crypt unlock init- custom-, , . Helm Jsonnet, GUI- (values- ).
, .
Argo CD - , -, git:
#!/bin/sh
$(dirname $0)/git.bin "$@"
ec=$?
[ "$1" = fetch ] && [ -d .git-crypt ] || exit $ec
GNUPGHOME=/app/config/gpg/keys git-crypt unlock 2>/dev/null
exit $ecArgo CD git fetch . git-crypt unlock .
docker- :
$ kubectl -n argocd set image deploy/argocd-repo-server argocd-repo-server=docker.io/kvaps/argocd-git-crypt:v1.7.3, Argo . gpg- :
$ kubectl exec -ti deploy/argocd-repo-server -- bash
$ printf "%s\n" \
"%no-protection" \
"Key-Type: default" \
"Subkey-Type: default" \
"Name-Real: YOUR NAME" \
"Name-Email: YOUR EMAIL@example.com" \
"Expire-Date: 0" \
> genkey-batch
$ gpg --batch --gen-key genkey-batch
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
gpg: keybox '/home/argocd/.gnupg/pubring.kbx' created
gpg: /home/argocd/.gnupg/trustdb.gpg: trustdb created
gpg: key 8CB8B24F50B4797D marked as ultimately trusted
gpg: directory '/home/argocd/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/argocd/.gnupg/openpgp-revocs.d/9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D.rev' 8CB8B24F50B4797D . :
$ gpg --list-keys
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
/home/argocd/.gnupg/pubring.kbx
-------------------------------
pub rsa3072 2020-09-04 [SC]
9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid [ultimate] YOUR NAME <YOUR EMAIL@example.com>
sub rsa3072 2020-09-04 [E]
$ gpg --armor --export-secret-keys 8CB8B24F50B4797D:
# argocd-gpg-keys-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: argocd-gpg-keys-secret
namespace: argocd
stringData:
8CB8B24F50B4797D: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQVYBF9Q8KUBDACuS4p0ctXoakPLqE99YLmdixfF/QIvXVIG5uBXClWhWMuo+D0c
ZfeyC5GvH7XPUKz1cLMqL6o/u9oHJVUmrvN/g2Mnm365nTGw1M56AfATS9IBp0HH
O/fbfiH6aMWmPrW8XIA0icoOAdP+bPcBqM4HRo4ssbRS9y/i
=yj11
-----END PGP PRIVATE KEY BLOCK-----$ kubectl apply -f argocd-gpg-keys-secret.yaml, argocd-repo-server, deployment:
$ kubectl -n argocd edit deploy/argocd-repo-server gpg-keys volume projected, :
spec:
template:
spec:
volumes:
- name: gpg-keys
projected:
sources:
- secret:
name: argocd-gpg-keys-secret
- configMap:
name: argocd-gpg-keys-cmArgo CD gpg- , .
:
$ kubectl -n argocd exec -ti deploy/argocd-repo-server -- bash
$ GNUPGHOME=/app/config/gpg/keys gpg --list-secret-keys
gpg: WARNING: unsafe ownership on homedir '/app/config/gpg/keys'
/app/config/gpg/keys/pubring.kbx
--------------------------------
sec rsa2048 2020-09-05 [SC] [expires: 2021-03-04]
ED6285A3B1A50B6F1D9C955E5E8B1B16D47FFC28
uid [ultimate] Anon Ymous (ArgoCD key signing key) <noreply@argoproj.io>
sec rsa3072 2020-09-03 [SC]
9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid [ultimate] YOUR NAME <YOUR EMAIL@example.com>
ssb rsa3072 2020-09-03 [E], ! Argo CD .
:
$ GNUPGHOME=/app/config/gpg/keys gpg --armor --export 8CB8B24F50B4797D > 8CB8B24F50B4797D.pem
$ gpg --import 8CB8B24F50B4797D.pem:
$ gpg --edit-key 8CB8B24F50B4797D
trust
5argo :
$ git-crypt add-gpg-user 8CB8B24F50B4797D: