ArgoCD pitfalls: you know them once you have hit them @TSMC IT Community Meetup #4

j796160836 5,245 views 43 slides Aug 22, 2024

About This Presentation

"Blank screen." "Hmm... why is it still a blank screen?" Still staring at those cold YAML config files? This session walks you step by step through the deployment side of Kubernetes (K8s): some basic K8s components, how to write Kustomize, and what to watch out for when setting up ArgoCD, so you take fewer detours. ...


Slide Content

Johnny Sung
ArgoCD pitfalls
You know them once you have hit them!

Full stack developer
Johnny Sung (宋岡諺)
https://fb.com/j796160836
https://blog.jks.coffee/
https://www.slideshare.net/j796160836
https://github.com/j796160836

Outline
• What is ArgoCD?
• Introduction to Kubernetes
• Writing Kubernetes resources
• Kustomize
• Helm
• Installing and configuring ArgoCD

Anyone here who has just moved from Docker to Kubernetes?

What is GitOps?
GitOps is an approach to managing infrastructure and application configuration that uses Git as the version control system to automate and manage everything. It makes deployment and operations more transparent, traceable and reproducible. In GitOps practice, all configuration files are stored in a Git repository, so every change has to go through Git's commit and review process. When a configuration file is updated, automated tooling detects the change and applies the new configuration to the production environment, keeping the system continuous and consistent.
https://foxutech.com/lets-understand-about-gitops/

https://www.atlassian.com/blog/bitbucket/5-pull-request-must-haves

Advantages of GitOps
• Version control and audit trail: Git is the single source of truth, so every change is recorded and traceable.
• Continuous deployment: automated deployment reduces manual error and speeds up delivery.
• Consistency and standardisation: environments are configured the same way, which lowers complexity.
• Better security: Pull Requests and Code Review strengthen the security and compliance of every change.
• Easy rollback and recovery: if a deployment fails or misbehaves, you can easily roll back to the previous stable version.

ArgoCD: the unsung hero of GitOps on K8s
ArgoCD is an open-source, Kubernetes-native continuous delivery tool focused on GitOps-style automated deployment. It uses a Git repository as the application configuration's single source of truth, automatically detects configuration changes and syncs them to the designated Kubernetes cluster. ArgoCD supports several configuration management tools, including Helm, Kustomize and Jsonnet, and provides a visual interface for monitoring deployment state and application health. This lets development and operations teams implement continuous deployment and management effectively.
https://www.opsmx.com/what-is-argocd/

https://www.cncf.io/blog/2020/12/17/solving-configuration-drift-using-gitops-with-argo-cd/
What lives in the Git repo is YAML configuration files, not program source code.

https://devtron.ai/what-is-argo-cd-the-gitops-tool-for-kubernetes

https://picluster.ricsanfre.com/docs/argocd/

Introduction to Kubernetes (K8s)

https://mrdevops.hashnode.dev/kubernetes-architecture

Let's all become YAML engineers (just kidding)

Moving from docker-compose to K8s YAMLs

Think back to the Docker days

docker run command: starts a single service at a time
docker run -v ./www:/usr/share/nginx/html:ro -p 80:80 -d nginx

docker-compose.yml: starts a group of services at a time
version: "3"
services:
  nginx:
    image: nginx
    volumes:
      - ./www:/usr/share/nginx/html:ro
    ports:
      - 80:80

Kubernetes: a group of services deployed across multiple hosts
• deployment.yml
• services.yml
• rbac.yml
• config-map.yml
• ….

docker-compose
version: "3"
services:
  nginx:
    image: nginx
    volumes:
      - ./www:/usr/share/nginx/html:ro
    ports:
      - 80:80
• Service deployment
• Disk
• Network

Corresponding Kubernetes components
• Service deployment → Deployment / Pod
• Disk → PersistentVolumeClaim (PVC) / ConfigMap / Secret
• Network → Service / Ingress
A persistent storage request (PVC) is automatically matched 1:1 to a PersistentVolume (PV).
On-premises K8s has no LoadBalancer available by default.

A quick aside to introduce something good (not a sponsored plug)

Kustomize
Kustomize is a Kubernetes configuration management tool that simplifies Kubernetes deployment by customising resource configuration. It focuses on modifying and managing Kubernetes manifest files declaratively, without generating configuration dynamically. Users build a "base" configuration, then apply customised overlays for different environments (such as development, testing and production). Kustomize can merge or replace parts of YAML files, making configuration more modular and reusable. It is now part of Kubernetes and can be used directly through the kubectl command line tool.
https://zlaval.medium.com/kustomize-template-free-kubernetes-application-management-3d70ca9d2e05

Kustomize file structure
kustomization.yaml, which pulls together:
• deployment.yml
• services.yml
• config-map.yml

Basic components of a web service
• Deployment → ReplicaSet → Pod → Container (CPU, RAM, disk, network)
• Service
• PersistentVolumeClaim (PVC) ↔ PersistentVolume (PV), matched 1:1
• StorageClass / Provisioner
And more ...

On the storage side:
https://medium.com/devops-mojo/kubernetes-storage-options-overview-persistent-volumes-pv-claims-pvc-and-storageclass-sc-k8s-storage-df71ca0fccc3

When the YAMLs keep piling up...
you need to hire more YAML engineers

When the YAMLs keep piling up...
you need Helm

Helm
Helm is a package manager for Kubernetes that lets developers and operations teams package, configure and deploy services. Helm uses configuration bundles called "Charts" to describe a set of related Kubernetes resources, which can be pre-configured and reused. With Helm, users can easily install, upgrade and manage Kubernetes applications, with support for versioning and rollback, which makes deployment and maintenance more convenient and effective.
https://helm.sh/

Helmet / Ham / Helm (image pun)

Helm file structure
A Chart contains:
values.yml
• deployment.yml
• services.yml
• rbac.yml
• config-map.yml
• ….

But I'm not that familiar with Helm commands...
You can try the Helm Chart helper I wrote:
https://github.com/JohnnyWorks-TW/vue-helm-cli-helper

Installing ArgoCD is a bit of a minefield(?)

Ways to install ArgoCD
• Download the YAML and apply it
• Install with Kustomize
• Install with Helm

Installing ArgoCD
Per the website, download the yaml and apply it. Is it really that simple? We only need to change a little.

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/ha/install.yaml

ArgoCD pre-install settings: install.yml
If you use a private registry, change the image snippets (just search for the keyword image:). The containers referenced in the manifest:

Non-HA:
- name: argocd-applicationset-controller
  image: quay.io/argoproj/argocd:v2.12.0
  imagePullPolicy: Always
- name: dex
  image: ghcr.io/dexidp/dex:v2.38.0
  imagePullPolicy: Always
- name: copyutil
  image: quay.io/argoproj/argocd:v2.12.0
  imagePullPolicy: Always
- name: argocd-notifications-controller
  image: quay.io/argoproj/argocd:v2.12.0
  imagePullPolicy: Always
- name: secret-init
  image: quay.io/argoproj/argocd:v2.12.0
  imagePullPolicy: IfNotPresent
- name: argocd-repo-server
  image: quay.io/argoproj/argocd:v2.12.0
  imagePullPolicy: Always
- name: argocd-server
  image: quay.io/argoproj/argocd:v2.12.0
  imagePullPolicy: Always
- name: argocd-application-controller
  image: quay.io/argoproj/argocd:v2.12.0
  imagePullPolicy: Always
- name: redis
  image: public.ecr.aws/docker/library/redis:7.0.15-alpine
  imagePullPolicy: IfNotPresent

HA (the same containers as Non-HA, plus the following):
- name: haproxy
  image: public.ecr.aws/docker/library/haproxy:2.6.17-alpine
  imagePullPolicy: IfNotPresent
- name: config-init
  image: public.ecr.aws/docker/library/haproxy:2.6.17-alpine
  imagePullPolicy: IfNotPresent
- name: sentinel
  image: public.ecr.aws/docker/library/redis:7.0.15-alpine
  imagePullPolicy: IfNotPresent
- name: split-brain-fix
  image: public.ecr.aws/docker/library/redis:7.0.15-alpine
  imagePullPolicy: IfNotPresent
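As an added example (not from the slides), the search-and-replace step above written as a small Python script: it rewrites every image: line in a manifest to a private registry mirror, keeping the upstream registry as a path prefix and the tag or digest intact, and lists images that are not pinned to a tag or digest. The mirror host registry.internal.example and the manifest excerpt are constructed placeholders, not ArgoCD's install.yaml.

```python
import re
from typing import List, Tuple

# Constructed excerpt in the shape of the image: lines in install.yaml
# (the tags match the slide; the last entry is an added unpinned image).
SAMPLE_MANIFEST = """\
containers:
- name: argocd-server
  image: quay.io/argoproj/argocd:v2.12.0
  imagePullPolicy: Always
- name: dex
  image: ghcr.io/dexidp/dex:v2.38.0
  imagePullPolicy: Always
- name: redis
  image: public.ecr.aws/docker/library/redis:7.0.15-alpine
  imagePullPolicy: IfNotPresent
- name: untagged-example
  image: nginx
"""

IMAGE_LINE = re.compile(r"^(?P<indent>\s*)image:\s*(?P<ref>\S+)\s*$")


def split_image_ref(ref: str) -> Tuple[str, str, str, str]:
    """Split an image reference into (registry, repository, tag, digest).
    Docker Hub short names are normalised to docker.io/library/<name>."""
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # The first component is a registry only if it looks like a host name
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", ref
    tag = ""
    colon = repo.rfind(":")
    if colon > repo.rfind("/"):  # a ':' after the last '/' starts the tag
        repo, tag = repo[:colon], repo[colon + 1:]
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo
    return registry, repo, tag, digest


def mirror_ref(ref: str, mirror: str) -> str:
    """Rewrite ref to <mirror>/<upstream registry>/<repo>[:tag][@digest]."""
    registry, repo, tag, digest = split_image_ref(ref)
    new = f"{mirror}/{registry}/{repo}"
    if tag:
        new += f":{tag}"
    if digest:
        new += f"@{digest}"
    return new


def rewrite_manifest(text: str, mirror: str) -> Tuple[str, List[str]]:
    """Return the rewritten manifest and the references that were not pinned."""
    out: List[str] = []
    unpinned: List[str] = []
    for line in text.splitlines():
        m = IMAGE_LINE.match(line)
        if not m:
            out.append(line)
            continue
        ref = m.group("ref")
        _, _, tag, digest = split_image_ref(ref)
        if not digest and tag in ("", "latest"):
            unpinned.append(ref)  # no tag or :latest: the pull is not reproducible
        out.append(f"{m.group('indent')}image: {mirror_ref(ref, mirror)}")
    return "\n".join(out) + "\n", unpinned
```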

Main components of ArgoCD
API Server: Argo CD's API Server provides the REST and gRPC APIs used by the Argo CD CLI and the web UI.
Application Controller: one of Argo CD's core components, responsible for managing the state of applications in the Kubernetes cluster. It continuously watches the difference between each target app's live state and desired state and syncs according to the desired values.
Repository Server: interacts with the Git repository, checks for changes to the configuration files and triggers the corresponding deployment. This component keeps the applications in the Kubernetes cluster consistent with the configuration files in Git.
https://argo-cd.readthedocs.io/en/stable/operator-manual/architecture/

ArgoCD pre-install settings: install.yml
Set a NodePort or another way of exposing the service, as needed.

Original argocd-server Service:
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8080
  selector:
    app.kubernetes.io/name: argocd-server

Modified to expose a NodePort:
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
    nodePort: 32000
  type: NodePort
  selector:
    app.kubernetes.io/name: argocd-server

ArgoCD pre-install settings
Install the modified ArgoCD with the commands:
kubectl create namespace argocd
kubectl apply -n argocd -f argocd-install.yaml

Installing the CLI has pitfalls too(?)
Argo Workflows' argo CLI and Argo CD's argocd CLI are different tools; make sure you install the right one.
https://argo-workflows.readthedocs.io/en/latest/walk-through/argo-cli/
https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd/
https://github.com/argoproj/argo-cd/releases
https://github.com/argoproj/argo-workflows/releases

Setting up an SSH key
Set up an ssh key; it makes logging in easier later.
Generate the SSH key (run this in git bash; the key passphrase can be left blank):
ssh-keygen -t ed25519 -f id_ed25519
This produces two files: id_ed25519 (private key) and id_ed25519.pub (public key).

Add the SSH public key to Gitea
Paste the contents of id_ed25519.pub (the public key) into Gitea.

Add the SSH private key to ArgoCD
• The UI settings screen is (basically) decorative

Test the key:
ssh -i id_ed25519 -p 30322 [email protected]
Log in:
argocd login 192.168.1.11:32000
Add the key and repository:
argocd repo add ssh://[email protected]:30322/john/repo.git --ssh-private-key-path id_ed25519_k8gitea --insecure-ignore-host-key

Finally, time to configure the application

argocd Application
• An ArgoCD CRD (CustomResourceDefinition)
• Defines the Git repo source
• Defines the deployment destination

argocd-application.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kong-dbless-config
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'ssh://[email protected]/kustomize.git'
    path: kong-config-dbless
    targetRevision: HEAD
  destination:
    name: ''
    server: 'https://kubernetes.default.svc'
    namespace: kong-dbless
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

There are roughly three common patterns
① Point to a Git repo that uses kustomization.yaml to define the resources
② Point to a Git repo that contains a custom Helm chart (Chart.yaml), and specify its values.yaml
③ Point to a Helm chart, and separately define a Git repo path that points to values.yaml

Because I have been looking into Kong API Gateway recently...
I'll use Kong as the example.

There are roughly three common patterns
① Point to a Git repo that uses kustomization.yaml to define the resources
(application.yaml → kustomization.yaml → deployment.yml, services.yml, config-map.yml)

ArgoCD configuration for the Kong config project
Folder structure:
kong-config-dbless
├── kong.yml
└── kustomization.yaml

argocd-application.yaml (the resources are picked up automatically):
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kong-dbless-config
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'ssh://[email protected]:30022/john/repo.git'
    path: kong-config-dbless
    targetRevision: HEAD
  destination:
    name: ''
    server: 'https://kubernetes.default.svc'
    namespace: kong-dbless
  sources: []
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

kong.yml
_format_version: "3.0"
services:
  - name: my-web-service
    enabled: true
    host: my-web-service.myapp.svc.cluster.local
    path: /
    port: 80
    protocol: http
    connect_timeout: 60000
    read_timeout: 60000
    write_timeout: 60000
    retries: 5
    routes:
      - name: my-web-route
        https_redirect_status_code: 426
        path_handling: v0
        paths:
          - /my-web
        preserve_host: true
        protocols:
          - http
          - https
        regex_priority: 0
        request_buffering: false
        response_buffering: false
        strip_path: true

kustomization.yaml (uses configMapGenerator to pack kong.yml into a ConfigMap)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
configMapGenerator:
  - name: kong-config
    files:
      - kong.yml
generatorOptions:
  disableNameSuffixHash: true

There are roughly three common patterns
② Point to a Git repo that contains a custom Helm chart (Chart.yaml), and specify its values.yaml
(application.yaml → helm.valueFiles → values.yaml; Chart.yaml → dependencies → Helm Chart)

ArgoCD configuration for the Kong helm project
Folder structure:
helm-kong
├── Chart.yaml
└── kong-values.yml

argocd-application.yaml (the chart is picked up automatically):
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kong-dbless
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'ssh://[email protected]:30022/john/repo.git'
    path: helm-kong
    targetRevision: HEAD
    helm:
      valueFiles:
        - kong-values.yml
  destination:
    name: ''
    namespace: kong-dbless
    server: 'https://kubernetes.default.svc'
  sources: []
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

Here we use dependency charts and wrap the values under a name of our own choosing.
https://akuity.io/blog/argo-cd-helm-values-files/

Chart.yaml (points to an online Helm chart):
apiVersion: v2
name: kong
description: kong
type: application
version: 1.0.0
appVersion: '1.0'
dependencies:
  - name: kong
    repository: https://charts.konghq.com
    version: 2.40.0

kong-values.yml (⚠ mind the indentation: everything sits under the dependency name kong:):
kong:
  # Default values for Kong's Helm Chart.
  # Declare variables to be passed into your templates.
  #
  # Sections:
  # - Deployment parameters
  # - Kong parameters
  # - Ingress Controller parameters
  # - Postgres sub-chart parameters
  # - Miscellaneous parameters
  # - Kong Enterprise parameters
  # -----------------------------------------------------------------------------
  # Deployment parameters
  # -----------------------------------------------------------------------------
  deployment:
    kong:
      # Enable or disable Kong itself
      # Setting this to false with ingressController.enabled=true will create a
      # controller-only release.
      enabled: true
    ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing,
    ## for it to be considered available.
    # minReadySeconds: 60
    ## Specify the service account to create and to be assigned to the deployment / daemonset and for the migrations
    serviceAccount:
      create: true
      # Automount the service account token. By default, this is disabled, and the token is only mounted on the controller
      # container. Some sidecars require enabling this. Note that enabling this exposes Kubernetes credentials to Kong
      # Lua code, increasing potential attack surface.
      automountServiceAccountToken: false
      ## Optionally specify the name of the service account to create and the annotations to add.
      # name:
      # annotations: {}
    ## Optionally specify any extra sidecar containers to be included in the deployment
    ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
    # sidecarContainers:
    #   - name: sidecar
    #     image: sidecar:latest
    # initContainers:
    #   - name: initcon
    #     image: initcon:latest
    # hostAliases:
    #   - ip: "127.0.0.1"
    #     hostnames:
    #       - "foo.local"
    #       - "bar.local"
  …(omitted)

There are roughly three common patterns
② Point to a Git repo that contains a custom Helm chart (Chart.yaml), and specify its values.yaml
(application.yaml → helm.valueFiles → values.yaml; Chart.yaml → dependencies → Helm Chart as a .tgz file)

ArgoCD configuration for the Kong helm project
Folder structure:
helm-kong
├── Chart.yaml
├── charts
│   └── kong-2.40.0.tgz
└── kong-values.yaml

argocd-application.yaml (the chart is picked up automatically):
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kong-dbless
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'ssh://[email protected]:30022/john/repo.git'
    path: helm-kong
    targetRevision: HEAD
    helm:
      valueFiles:
        - kong-values.yml
  destination:
    name: ''
    namespace: kong-dbless
    server: 'https://kubernetes.default.svc'
  sources: []
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

Here we again use dependency charts and wrap the values under a name of our own choosing (kong-values.yml is the same as in the previous variant, ⚠ mind the indentation).
https://akuity.io/blog/argo-cd-helm-values-files/

Chart.yaml (pointing to an offline Helm chart works too!):
apiVersion: v2
name: kong
description: kong
type: application
version: 1.0.0
appVersion: '1.0'
dependencies:
  - name: kong
    repository: charts/kong-2.40.0.tgz
    version: 2.40.0

There are roughly three common patterns
③ Point to a Helm chart, and separately define a Git repo path that points to values.yaml
(application.yaml → Helm Chart; application.yaml → ref → values.yaml)

ArgoCD configuration for the Kong helm project
Folder structure:
helm-kong
└── kong-values.yml

argocd-application.yaml (points to an online Helm chart):
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kong-dbless
  namespace: argocd
spec:
  project: default
  sources:
    # Chart from Helm Repository
    - chart: kong
      repoURL: https://charts.konghq.com
      targetRevision: 2.40.0
      helm:
        valueFiles:
          - $values/helm-kong/kong-values.yaml
    # Values from Git
    - repoURL: 'ssh://[email protected]:30022/john/repo.git'
      targetRevision: HEAD
      ref: values
  destination:
    name: ''
    namespace: kong-dbless
    server: 'https://kubernetes.default.svc'
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

Key point 1: there must be a namespace
(In the usual case) the namespace is argocd.
https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/

argocd-application.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kong-dbless-config
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'ssh://[email protected]:30022/john/repo.git'
    path: kong-config-dbless
    targetRevision: HEAD
  destination:
    name: ''
    server: 'https://kubernetes.default.svc'
    namespace: kong-dbless
  sources: []
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true


Key point 2: watch the yaml file names
• The file names are fixed; you must use exactly these names:
• kustomization.yaml
• Chart.yaml
⚠ Do not shorten the extension to yml
⚠ The file name must match exactly

Key point 3: the RepoURL matters too
• If you specify a port number, the URL must start with ssh://
(argocd-application.yaml as above, with repoURL: 'ssh://[email protected]:30022/john/repo.git')

The format is:
ssh://git@<host>:<port>/<user or team name>/<project name>.git
ssh://[email protected]:30022/john/repo.git

Key point 4: add the git repo with the CLI
• Add the git repo with the command, not the Web GUI
• The Git repo must be non-empty (it must already have content)
• If you specify a port number, the URL must start with ssh://, in the format:
ssh://git@<host>:<port>/<user or team name>/<project name>.git
Command to add it:
argocd repo add ssh://[email protected]:30022/john/repo.git --ssh-private-key-path id_ed25519_k8git --insecure-ignore-host-key --name k8sgitea
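As an added example (not from the slides), a small pre-commit style check in Python that runs key points 1 to 4 over a parsed Application manifest: namespace present, a port in repoURL only in the ssh:// form, the exact kustomization.yaml / Chart.yaml file name (following the slide's rule), and a non-empty repo path. The manifest is a constructed dict form of the slide's argocd-application.yaml with the placeholder host gitea.example; repo_files is the list of file names at the source path, which the caller obtains from Git.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed dict form of the slide's argocd-application.yaml (pattern 1).
# The Gitea host gitea.example and port 30022 are placeholders.
GOOD_APP: Dict = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Application",
    "metadata": {"name": "kong-dbless-config", "namespace": "argocd"},
    "spec": {
        "project": "default",
        "source": {
            "repoURL": "ssh://git@gitea.example:30022/john/repo.git",
            "path": "kong-config-dbless",
            "targetRevision": "HEAD",
        },
        "destination": {
            "server": "https://kubernetes.default.svc",
            "namespace": "kong-dbless",
        },
    },
}

# scp-style git URL: [user@]host:path (no scheme)
SCP_STYLE = re.compile(r"^(?:[^@/]+@)?[^:/]+:(?P<rest>.+)$")


def check_repo_url(url: str) -> List[str]:
    """Key point 3: a repoURL that carries a port must use the ssh:// form."""
    findings: List[str] = []
    if not url:
        return ["repoURL is missing"]
    if "://" in url:
        try:
            urlsplit(url).port  # raises ValueError when the port is not numeric
        except ValueError:
            findings.append(f"repoURL {url!r}: port is not a valid number")
        return findings
    m = SCP_STYLE.match(url)
    if m and m.group("rest").split("/", 1)[0].isdigit():
        findings.append(f"repoURL {url!r}: a port is given, so the URL must start with ssh://")
    return findings


def expected_filename(src: Dict) -> str:
    """Key point 2: the tool-detection file must be named exactly (no .yml)."""
    return "Chart.yaml" if "helm" in src else "kustomization.yaml"


def check_application(app: Dict, repo_files: Iterable[str]) -> List[str]:
    """Run the slide's key points over a parsed Application manifest.
    repo_files is the list of file names found at the source path in Git."""
    findings: List[str] = []
    if not app.get("metadata", {}).get("namespace"):
        findings.append("metadata.namespace is missing (normally argocd)")  # key point 1
    spec = app.get("spec", {})
    sources = spec.get("sources") or ([spec["source"]] if "source" in spec else [])
    if not sources:
        findings.append("spec.source / spec.sources is missing")
    files = set(repo_files)
    for src in sources:
        findings += check_repo_url(src.get("repoURL", ""))
        if "chart" in src or ("ref" in src and "path" not in src):
            continue  # pattern 3: chart from a Helm repo, or a values-only Git source
        if not files:
            findings.append("the Git repo path must not be empty")  # key point 4
            continue
        expected = expected_filename(src)
        if expected not in files:
            stem = expected.split(".")[0].lower()
            near = sorted(f for f in files if f.lower().startswith(stem))
            hint = f" (found {near} instead)" if near else ""
            findings.append(f"{expected} not found at path {src.get('path', '.')!r}{hint}")
    return findings
```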

Now there is a problem
How do we watch for config changes, so that as soon as the config changes, Kong is redeployed?

https://github.com/stakater/Reloader

Deploying Reloader
Deploy it following its documentation. Naming the configMap in an annotation is all it takes to watch it!
kind: Deployment
metadata:
  annotations:
    reloader.stakater.com/auto: "true"
spec:
  template:
    metadata:
Next, put it into Kong's helm chart values by adding Custom Annotations.

Add reloader's Custom Annotations to bind the restart condition, then test the rendered yaml output.
https://artifacthub.io/packages/helm/kong/kong?modal=template&template=deployment.yaml

kong-values.yml:
  # Annotations to be added to Kong deployment
  deploymentAnnotations:
    configmap.reloader.stakater.com/reload: "kong-config"

Rendered result:
---
# Source: kong/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong-dbless-kong
  namespace: default
  labels:
    app.kubernetes.io/name: kong
    helm.sh/chart: kong-2.35.1
    app.kubernetes.io/instance: "kong-dbless"
    app.kubernetes.io/managed-by: "Helm"
    app.kubernetes.io/version: "3.5"
    app.kubernetes.io/component: app
  annotations:
    configmap.reloader.stakater.com/reload: "kong-config"

As soon as the config changes, Kong is redeployed

Deleting resources
• Intuitive: use the kubectl delete command on argocd-application.yaml
kubectl delete -f argocd-application.yaml
https://argo-cd.readthedocs.io/en/stable/user-guide/app_deletion/

Deleting resources
• kubectl delete does not cascade and remove the whole set of managed resources

Use this instead:
argocd app delete argocd/kong-dbless -y
https://argo-cd.readthedocs.io/en/stable/user-guide/app_deletion/

Deleting resources
• Or, add finalizers
• then you can happily use the kubectl delete command*
https://argo-cd.readthedocs.io/en/stable/user-guide/app_deletion/
kubectl delete -f argocd-application.yaml

argocd-application.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kong-dbless-config
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: 'ssh://[email protected]:30022/john/repo.git'
    path: kong-config-dbless
    targetRevision: HEAD
  destination:
    name: ''
    server: 'https://kubernetes.default.svc'
    namespace: kong-dbless
  sources: []
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

User and permission management

User management
• Edit the argocd-cm ConfigMap
• Adjust the users (add / remove)
https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cm-yaml/
kubectl edit cm argocd-cm -n argocd

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  accounts.john: login,apiKey
  accounts.amy: login,apiKey
  accounts.sam: login,apiKey
  policy.csv: |
    g, john, role:admin
    g, amy, role:readonly
    g, sam, role:readonly

• Restart argocd-server
kubectl rollout restart deploy argocd-server -n argocd

The policy.csv here only applies the first time; the permissions in argocd-rbac-cm take precedence.

User management
• Edit the argocd-cm ConfigMap (alternative way)
https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cm-yaml/
kubectl patch configmap argocd-cm -n argocd --type merge -p '{
  "data": {
    "accounts.john": "login,apiKey",
    "policy.csv": "g, john, role:readonly"
  }
}'

• Restart argocd-server
kubectl rollout restart deploy argocd-server -n argocd

Connecting LDAP
• Connect LDAP through the Dex service (using Microsoft ActiveDirectory as the example)
https://medium.com/@attilio.gualandi/how-to-set-ldap-on-argocd-b09b40dfcdf9
https://dexidp.io/docs/connectors/ldap/
https://argo-workflows.readthedocs.io/en/latest/argo-server-sso-argocd/

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
data:
  url: https://argocd.awesomecompany.com.tw:32000
  dex.config: |
    connectors:
    - type: ldap
      name: ActiveDirectory
      id: ad
      config:
        host: 192.168.2.1:389
        insecureNoSSL: true        # plain LDAP on port 389, no TLS
        insecureSkipVerify: true
        bindDN: awesomecompany\myaccount
        # A value starting with $ (for example $dex.ldap.bindPW) is read from the
        # argocd-secret Secret instead of being stored here in plain text.
        bindPW: mypassword
        usernamePrompt: Username
        userSearch:
          baseDN: ou=mygroup,dc=awesomecompany,dc=com,dc=tw
          filter: "(objectClass=person)"
          username: sAMAccountName
          idAttr: sAMAccountName
          emailAttr: mail
          nameAttr: givenName
        groupSearch:
          baseDN: ou=mygroup,dc=awesomecompany,dc=com,dc=tw
          filter: "(objectClass=group)"
          userMatchers:
          - userAttr: DN
            groupAttr: member
          nameAttr: cn

kubectl edit cm argocd-cm -n argocd
• Restart argocd-server
kubectl rollout restart deploy argocd-server -n argocd

Permission adjustment
• Edit the argocd-rbac-cm ConfigMap
• Attach the appropriate permissions
https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
kubectl edit cm argocd-rbac-cm -n argocd

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:qa, applications, get, */*, allow
    p, role:qa, applicationsets, get, */*, allow
    p, role:qa, projects, get, *, allow
    p, role:qa, clusters, get, *, allow
    p, role:qa, repositories, get, *, allow

• Restart argocd-server
kubectl rollout restart deploy argocd-server -n argocd

Policy format
https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv

Policy (p): assigns permissions to an entity.
p, <role/user/group>, <resource>, <action>, <project>/<object>, <allow/deny>
Example:
p, role:readonly, applications, get, */*, allow

Group (g): assigns authenticated users/groups to internal roles.
g, <user/group>, <role>
Examples:
g, role:admin, role:readonly
g, johnny, role:admin
g, role:mike, role:readonly

Built-in default roles
• role:readonly
• role:admin
p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow
p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow
g, role:admin, role:readonly
g, admin, role:admin

Permission adjustment
• Edit the argocd-rbac-cm ConfigMap
https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/

You can do it this way (JSON patch; the policy lines are separated by \n):
kubectl patch configmap argocd-rbac-cm -n argocd --type=json -p='[{"op": "add", "path": "/data", "value": {"policy.csv": "p, role:qa, applications, get, */*, allow\np, role:qa, applicationsets, get, */*, allow\np, role:qa, projects, get, *, allow\np, role:qa, clusters, get, *, allow\np, role:qa, repositories, get, *, allow", "policy.default": "role:readonly"}}]'

Or this way (merge patch written as YAML):
kubectl patch configmap argocd-rbac-cm -n argocd --type='merge' -p '
data:
  policy.csv: |
    p, role:qa, applications, get, */*, allow
    p, role:qa, applicationsets, get, */*, allow
    p, role:qa, projects, get, *, allow
    p, role:qa, clusters, get, *, allow
    p, role:qa, repositories, get, *, allow
  policy.default: role:readonly
'
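As an added example (not from the slides or the ArgoCD project), a Python model of how the p and g lines above are evaluated: g lines are followed transitively (a role can inherit another role), policy.default is granted to every subject, the resource, action and object fields are glob-matched, and a request is allowed only when some matching rule allows it and no matching rule denies it. The matcher uses fnmatch as a simplified stand-in for ArgoCD's Casbin glob matcher; the policy.csv is constructed from the slide's role:readonly and role:qa lines plus an added role:deployer and user bindings.

```python
import fnmatch
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy.csv: built-in role:readonly lines from the slide, the
# slide's role:qa, an added role:deployer with a deny rule, and g bindings.
POLICY_CSV = """\
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, logs, get, */*, allow
p, role:qa, applications, get, */*, allow
p, role:qa, applicationsets, get, */*, allow
p, role:qa, projects, get, *, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:deployer, applications, sync, default/*, allow
p, role:deployer, applications, sync, prod/*, deny
g, role:admin, role:readonly
g, john, role:admin
g, amy, role:qa
g, bob, role:deployer
"""

PolicyRule = Tuple[str, str, str, str, str]  # subject, resource, action, object, effect
Policy = Tuple[List[PolicyRule], Dict[str, Set[str]]]


def parse_policy(csv_text: str) -> Policy:
    """Parse p and g lines into (policy rules, subject -> directly assigned roles)."""
    rules: List[PolicyRule] = []
    groups: Dict[str, Set[str]] = {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append((fields[1], fields[2], fields[3], fields[4], fields[5]))
        elif fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, groups


def effective_subjects(groups: Dict[str, Set[str]], subject: str) -> Set[str]:
    """The subject plus every role reachable through g lines (roles may inherit roles)."""
    seen: Set[str] = set()
    stack = [subject]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(groups.get(s, ()))
    return seen


def matching_rules(policy: Policy, subject: str, resource: str, action: str,
                   obj: str, default_role: Optional[str] = None) -> List[PolicyRule]:
    """All p rules whose subject covers the caller and whose globs match the request."""
    rules, groups = policy
    subjects = effective_subjects(groups, subject)
    if default_role:  # policy.default applies to everyone on top of their own roles
        subjects |= effective_subjects(groups, default_role)
    return [
        r for r in rules
        if r[0] in subjects
        and fnmatch.fnmatchcase(resource, r[1])
        and fnmatch.fnmatchcase(action, r[2])
        and fnmatch.fnmatchcase(obj, r[3])
    ]


def enforce(policy: Policy, subject: str, resource: str, action: str,
            obj: str, default_role: Optional[str] = None) -> bool:
    """Allowed only if some matching rule allows and no matching rule denies."""
    effects = {r[4] for r in matching_rules(policy, subject, resource, action, obj, default_role)}
    return "allow" in effects and "deny" not in effects
```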

Recap
• How ArgoCD works
• How Kubernetes works
• The various ways of writing Kubernetes YAMLs
• Install the right CLI
• Account and permission management (which is a bit unusual to operate)

Q & A