Argo CD


Installation

```bash
wget https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 \
  && sudo mv argocd-linux-amd64 /usr/local/bin/argocd \
  && sudo chmod +x /usr/local/bin/argocd
```

```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update argo \
  && helm search repo argo/argo-cd -l | head -n 10
helm show values argo/argo-cd \
  --version 4.10.5 \
  > values.yaml
```

values.yaml
```yaml
server:
  extraArgs:
    - --insecure # https://github.com/argoproj/argo-cd/issues/2953

  config:
    # preparation for version 2.5
    server.rbac.log.enforce.enable: "true"
    # terminal access from the Web UI
    exec.enabled: "true"

applicationSet:
  enabled: false
```

```bash
kubectl create namespace workflow
helm upgrade argo-cd argo/argo-cd \
  --install \
  --version 4.10.5 \
  -n workflow \
  --values values.yaml
```

Service

VirtualService

workflow/argo/cd/base/virtual-service.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argo-cd
  namespace: workflow
spec:
  hosts:
    - <host>
  gateways:
    - <gateway>
  http:
    - match:
        - uri:
            prefix: "/"
      route:
        - destination:
            host: argo-cd-argocd-server.workflow.svc.cluster.local
            port:
              number: 80
```

argocd command

login

argocd context

ID

```bash
kubectl -n workflow get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
```

This prints the initial password of the admin account.

```bash
argocd login <server>
argocd account update-password [--account <user>]
```

After updating the password, delete argocd-initial-admin-secret.

danger

Once users with appropriate RBAC have been created, it is best to disable admin. Add admin.enabled: "false" to server.config in values.yaml (the .data of the argocd-cm ConfigMap).

Kubectl

```bash
kubectl config set-context --current --namespace workflow
argocd login --core
```

danger

Updating the password fails when --core is used; I have not yet found the cause.

User

ConfigMap

values.yaml
```yaml
server:
  # ConfigMap.data, name: argocd-cm
  config:
    # add an additional local user with apiKey and login capabilities
    # apiKey - allows generating API keys
    # login - allows to login using UI
    accounts.<user>: apiKey, login
    # disables user. User is enabled by default
    admin.enabled: "false"
    accounts.<user>.enabled: "true"
```

```bash
argocd account list
```

Dex

Example connectors

redirectURI is set automatically to <.data.url>/api/dex/callback from argocd-cm, so it does not need to be configured separately.

values.yaml
```yaml
server:
  # ConfigMap.data, name: argocd-cm
  config:
    url: <uri>
```

Github

  • (User or Organization) Settings - Developer settings - OAuth Apps - New OAuth App
  • Homepage URL:
  • Authorization callback URL: https://<host>/api/dex/callback

Add dex.github.clientSecret: <base64 encoded> to .data of argocd-secret.

values.yaml
```yaml
server:
  # ConfigMap.data, name: argocd-cm
  config:
    dex.config: |
      connectors:
        - type: github
          id: github
          name: GitHub
          config:
            clientID: <clientID>
            clientSecret: $dex.github.clientSecret
            # the team name converted to lowercase letters and `-` only can also be used
            # e.g. R&D -> r-d
            teamNameField: both
            orgs:
              - name: <orgName>
                # teams: # if omitted, all teams are included
                #   - <teamName>
```
info

If you want to use a different Secret, add one as below and use $github-client-secret:dex.github.clientSecret in the config.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: github-client-secret
  namespace: workflow
  labels:
    app.kubernetes.io/part-of: argocd # this label is required for the setting to be applied
type: Opaque
stringData:
  dex.github.clientSecret: <secret>
```

OIDC

values.yaml
```yaml
dex:
  enabled: false

server:
  # ConfigMap.data, name: argocd-cm
  config:
    url: <uri>
```

Keycloak

  • Client
    • Add an argo client
      • Settings
        • Enabled: on
        • Client Protocol: openid-connect
        • Access Type: confidential
        • Valid Redirect URIs
          • <url>/auth/callback
      • Credentials
        • Client Authenticator: Client ID and Secret
        • Secret: <argo-client-secret>
  • Client Scopes
    • Add a groups client scope
      • Settings
        • Protocol: openid-connect
        • Include in Token Scope: on
      • Mappers
        • Add a groups mapper
          • Mapper Type: Group Membership
          • Token Claim Name: groups
          • Full group path: off
  • Client
    • argo client
      • Client Scopes
        • Default Client Scopes
          • Add groups
  • Groups
    • Add argo-admin
    • Add argo-dev
  • Users
    • Add a user
      • Email: <email>
      • Groups: <group>

Add oidc.keycloak.clientSecret: <base64 encoded> to .data of argocd-secret.

values.yaml
```yaml
server:
  # ConfigMap.data, name: argocd-cm
  config:
    oidc.config: |
      name: Keycloak
      issuer: <keycloak-url>/auth/realms/<realm>
      clientID: argo
      clientSecret: $oidc.keycloak.clientSecret # or `$<secret-name>:oidc.keycloak.clientSecret`
      requestedScopes: ["openid", "profile", "email", "groups"]
```

RBAC

values.yaml
```yaml
server:
  # ConfigMap.data, name: argocd-rbac-cm
  rbacConfig:
    # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
    policy.csv: |
      g, <role/user/group>, role:<role>

    # role:readonly, role:admin
    # https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv
    policy.default: "role:readonly"

    # claims recognized in addition to "sub"; the default is "[groups]"
    scopes: "[groups, preferred_username, email]"

    # glob or regex
    policy.matchMode: "glob"
```
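A filled-in policy.csv, added here as an example and not part of the page's own configuration, that binds the Keycloak groups argo-admin and argo-dev from the section above and a GitHub team group produced by the Dex connector (teamNameField: both) to roles; dev-project, my-org and r-d are assumed placeholder names.

```yaml
server:
  # ConfigMap.data, name: argocd-rbac-cm
  rbacConfig:
    policy.csv: |
      # p, <subject>, <resource>, <action>, <object>, <effect>
      # role:dev is confined to the assumed project "dev-project".
      p, role:dev, applications, get,  dev-project/*, allow
      p, role:dev, applications, sync, dev-project/*, allow
      # server.rbac.log.enforce.enable: "true" (set above) makes log
      # access explicit, so grant it where it is wanted.
      p, role:dev, logs, get, dev-project/*, allow
      # exec.enabled: "true" only turns the terminal on; without an
      # "exec, create" grant role:dev still cannot open a shell.

      # g, <group claim value>, role:<role>
      # Keycloak groups from the "groups" claim mapper above
      g, argo-admin, role:admin
      g, argo-dev,   role:dev
      # Dex GitHub groups are emitted as "<org>:<team>"; with
      # teamNameField: both the slug form "my-org:r-d" (R&D) also works
      g, my-org:r-d, role:dev

    # role:readonly lets every authenticated user see all applications;
    # use "" instead to deny anything not listed in policy.csv.
    policy.default: "role:readonly"
    scopes: "[groups]"
    policy.matchMode: "glob"
```

The resulting file can be checked offline with the CLI's own `argocd admin settings rbac validate --policy-file policy.csv` and `argocd admin settings rbac can role:dev sync applications dev-project/my-app --policy-file policy.csv` before it is applied.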

Notification

values.yaml
```yaml
notifications:
  enabled: true

  secret:
    items:
      slack-token: <auth-token>

  notifiers:
    service.slack: |
      token: $slack-token # reference the secret item above instead of placing the token in the ConfigMap

  resources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 100m
      memory: 128Mi

  subscriptions:

  templates:
  triggers:
```

Reference