Argo installation
https://argo-cd.readthedocs.io/en/stable/
kubectl create namespace argocd
wget https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.0/manifests/install.yaml
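Disable HTTPS on argocd-server (it then serves plain HTTP, so any TLS has to be terminated in front of it, at the ingress)
# vim install.yaml
      - args:
        - /usr/local/bin/argocd-server
        - --insecure # add this line
        env:
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        - name: ARGOCD_SERVER_INSECURE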
kubectl apply -n argocd -f install.yaml
Argocd Ingress
argocd-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd
  namespace: argocd
spec:
  ingressClassName: nginx
  rules:
  - host: argocd.sundayhk.com
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              number: 80
        path: /
Get the admin password
root@k8s-master01:~# kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
argocd client
wget -O /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.13.0/argocd-linux-amd64
chmod +x /usr/local/bin/argocd
root@k8s-master01:~# argocd login argocd.sundayhk.com
2024/11/10 11:59:56 maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined
WARNING: server certificate had error: tls: failed to verify certificate: x509: certificate is valid for ingress.local, not argocd.sundayhk.com. Proceed insecurely (y/n)? y
WARN[0001] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
Username: admin
Password:
'admin:login' logged in successfully
Context 'argocd.sundayhk.com' updated
Change the password
root@k8s-master01:~# argocd account update-password
2024/11/10 12:04:50 maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined
WARN[0000] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
*** Enter password of currently logged in user (admin): # paste the original password
*** Enter new password for user admin: # new password, length 8-32 characters
*** Confirm new password for user admin:
Password updated
Context 'argocd.sundayhk.com' updated
After the change, the new password is stored in argocd-secret as a bcrypt hash. It cannot be reversed, so a forgotten password can only be reset.
root@k8s-master01:~# kubectl -n argocd get secret argocd-secret -o jsonpath="{.data.admin\.password}"
JDJhJDEwJGRDaDNEd0l2TmNPS2RGbmxWYmNSSGVCU2JHQmpqOWJtOTJMekdiVGVtVGx5MTl0QWJRU3ptr
root@k8s-master01:~# kubectl -n argocd get secret argocd-secret -o jsonpath="{.data.admin\.password}" | base64 -d
$2a$10$dCh3DwIvNcOKdFnlVbcRHeBSbGBjj9bm92LzGbTemTly19tAbQSzm # bcrypt hash
Resetting a forgotten password
Clear the admin.password and admin.passwordMtime fields, then delete the Argo CD server Pod so that it restarts. This forces Argo CD to generate a new admin password.
kubectl patch secret argocd-secret -n argocd -p '{"data": {"admin.password": null, "admin.passwordMtime": null}}'
kubectl delete pods -n argocd -l app.kubernetes.io/name=argocd-server
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
GitLab configuration
https://github.com/sundayhk/argocd-demo-project
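Configure project variables
- ci_gitlab_username: GitLab username
- ci_gitlab_password: GitLab password
- ci_registry: Harbor address
- ci_registry_username: Harbor username
- ci_registry_password: Harbor password
Note: "Protect variable" is enabled by default and has to be unchecked here. Protected variables are only passed to pipelines on protected branches, so otherwise non-master branches get empty values.
Argo CD project configuration
Project configuration
Create the project first
Repositories configuration
Application configuration
Use manual sync mode for now; it is switched to automatic mode later.
Branch: select the dev branch used by .gitlab-ci.yml. Path: base
Cluster and namespace
Use KUSTOMIZE
In manual mode, you need to click Sync here.
Pushing code to the dev branch triggers gitlab-ci.
The webhook fired successfully.
After waiting 3 minutes, the Argo CD dashboard shows the new version information and reports OutOfSync (not synced).
Because sync was configured as manual earlier, Argo CD does not sync automatically; click SYNC manually.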
root@k8s-master01:~# kubectl get deployment -n dev -o jsonpath="{.items[*].spec.template.spec.containers[0].image}"
root@k8s-master01:~# kubectl get deployment -n dev -o yaml | grep image:
- image: harbor.sundayhk.com/demo-project/demo-project:321992dc
Point the domain at the ingress IP in the hosts file
root@k8s-master01:~# kubectl get pod -n ingress-nginx -owide | grep ingress
ingress-nginx-controller-b5xxz 1/1 Running 2 (7h38m ago) 268d 192.168.77.141 k8s-master01 <none> <none>
Mac:~ zsp$ cat /etc/hosts | grep demo-project
192.168.77.141 demo-project.sundayhk.com
Mac:~ zsp$ curl demo-project.sundayhk.com
{"message":"Hello, Demo!"}
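Switch to automatic sync
The application can also be reconfigured for automatic sync.
Push code again; it is synced automatically within the 3-minute interval.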
root@k8s-master01:~# kubectl get deployment demo-project -n dev -o yaml | grep image:
- image: harbor.sundayhk.com/demo-project/demo-project:dc3894b1
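Configure webhook-triggered updates
Configure the GitLab project webhook
Argo CD automatic sync runs at a default interval of 3 minutes; here a code push is configured to trigger an Argo CD sync.
The webhook fires twice here; this can later be changed so that it fires only when the build completes.
First time: the developer's code push triggers it once.
Second time: the kustomize commit made by gitlab-ci.yml triggers it again.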
root@k8s-master01:~# kubectl edit secret argocd-secret -n argocd
apiVersion: v1
data:
  admin.password: JDJhJDEwJHovRG9jYnJmRFA1UVVMcDdrNnZVVk85d3RGc3JYVFIwaFhNMk5DWGU2WTVBeG1PeDdpYklh
  admin.passwordMtime: MjAyNC0xMS0yNVQwNTo1NToxNVo=
  server.secretkey: dG1ybnB4NjNJNVR0NEMyb0t3WnlEU1V2TTR1bVd2eENsMlVEVGlBTkJhbz0=
stringData:
  webhook.gitlab.secret: argocdgitlab789
Note: after saving, the value is stored base64-encoded under data (base64 is an encoding, not encryption).
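An added example (not from the original post or the Argo CD project): a Python audit of an argocd-secret dump that tells the bcrypt-hashed admin.password apart from fields that are only base64-encoded, such as webhook.gitlab.secret. The sample Secret is constructed from values shown on this page; the 32-character minimum token length and the cost floor of 10 are assumptions of this example.

```python
import base64
import json
import re

# bcrypt string: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def parse_bcrypt(value):
    """Return version, cost and salt of a bcrypt string, or None if it is not one."""
    m = BCRYPT_RE.match(value)
    if m is None:
        return None
    return {"version": m.group(1), "cost": int(m.group(2)), "salt": m.group(3)}

def audit_secret(secret, min_token_len=32, min_cost=10):
    """Classify each data field of a Secret (`kubectl get secret -o json` shape).

    min_token_len and min_cost are thresholds assumed by this example.
    """
    findings = {}
    for key, encoded in secret.get("data", {}).items():
        try:
            value = base64.b64decode(encoded, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            findings[key] = "not valid base64/UTF-8"
            continue
        bc = parse_bcrypt(value)
        if bc is not None:
            verdict = "ok" if bc["cost"] >= min_cost else "below minimum"
            findings[key] = f"bcrypt {bc['version']}, cost {bc['cost']} ({verdict}); not reversible"
        elif key.startswith("webhook.") and len(value) < min_token_len:
            findings[key] = f"weak token: {len(value)} chars, readable via base64 -d"
        else:
            findings[key] = "encoded only: readable via base64 -d"
    return findings

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample, built from the hash, timestamp and webhook token shown on this page.
SAMPLE = {"data": {
    "admin.password": b64("$2a$10$dCh3DwIvNcOKdFnlVbcRHeBSbGBjj9bm92LzGbTemTly19tAbQSzm"),
    "admin.passwordMtime": b64("2024-11-25T05:55:15Z"),
    "webhook.gitlab.secret": b64("argocdgitlab789"),
}}

if __name__ == "__main__":
    print(json.dumps(audit_secret(SAMPLE), indent=2))
```

Against a live cluster, pass the parsed output of `kubectl -n argocd get secret argocd-secret -o json` to `audit_secret` in place of SAMPLE.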
In GitLab, allow outbound requests to the IP or IP range that argocd.sundayhk.com resolves to; otherwise the hook fails with:
Hook execution failed: URL is blocked: Requests to the local network are not allowed
URL: http://argocd.sundayhk.com/api/webhook
Secret token: enter argocdgitlab789
If authentication succeeds only intermittently, restart the service.
https://github.com/argoproj/argo-cd/issues/15291
kubectl -n argocd rollout restart deployment argocd-server
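As you can see:
Pushing code triggers one automatic sync.
The build below is still in progress.
Another automatic sync is triggered when the build completes.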