GitOps实践之kubernetes部署Argocd

1. 什么是Argocd

1.Argo CD是Kubernetes的一个声明性GitOps持续交付工具。
2.应用程序定义、配置和环境应该是声明性的和版本控制的。应用程序部署和生命周期管理应自动化、可审核且易于理解。
3.Argo CD 是以 Kubernetes 作为基础设施，遵循声明式 GitOps 理念的持续交付（continuous delivery, CD）工具，支持多种配置管理工具，包括 ksonnet/jsonnet、kustomize 和 Helm 等。它的配置和使用非常简单，并且自带一个简单易用的可视化界面。

4.按照官方定义，Argo CD 被实现为一个 Kubernetes 控制器，它会持续监控正在运行的应用，并将当前的实际状态与 Git 仓库中声明的期望状态进行比较，如果实际状态不符合期望状态，就会更新应用的实际状态以匹配期望状态。
5.Argo CD 会被部署在 Kubernetes 集群中，使用的是基于 Pull 的部署模式，它会周期性地监控应用的实际状态，也会周期性地拉取 Git 仓库中的配置清单，并将实际状态与期望状态进行比较，如果实际状态不符合期望状态，就会更新应用的实际状态以匹配期望状态。

官方文档: https://argo-cd.readthedocs.io/en/stable/

2. 安装Argocd

2.1 部署yaml

kubectl create namespace argocd kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/core-install.yaml [root@kn-server-master01-13 argocd]# kubectl apply -n argocd -f  install.yaml  customresourcedefinition.apiextensions.k8s.io/applications.argoproj.io created customresourcedefinition.apiextensions.k8s.io/applicationsets.argoproj.io created customresourcedefinition.apiextensions.k8s.io/appprojects.argoproj.io created serviceaccount/argocd-application-controller created serviceaccount/argocd-applicationset-controller created serviceaccount/argocd-dex-server created serviceaccount/argocd-notifications-controller created serviceaccount/argocd-redis created serviceaccount/argocd-repo-server created serviceaccount/argocd-server created role.rbac.authorization.k8s.io/argocd-application-controller created role.rbac.authorization.k8s.io/argocd-applicationset-controller created role.rbac.authorization.k8s.io/argocd-dex-server created role.rbac.authorization.k8s.io/argocd-notifications-controller created role.rbac.authorization.k8s.io/argocd-server created clusterrole.rbac.authorization.k8s.io/argocd-application-controller created clusterrole.rbac.authorization.k8s.io/argocd-server created rolebinding.rbac.authorization.k8s.io/argocd-application-controller created rolebinding.rbac.authorization.k8s.io/argocd-applicationset-controller created rolebinding.rbac.authorization.k8s.io/argocd-dex-server created rolebinding.rbac.authorization.k8s.io/argocd-notifications-controller created rolebinding.rbac.authorization.k8s.io/argocd-redis created rolebinding.rbac.authorization.k8s.io/argocd-server created clusterrolebinding.rbac.authorization.k8s.io/argocd-application-controller created clusterrolebinding.rbac.authorization.k8s.io/argocd-server created configmap/argocd-cm created configmap/argocd-cmd-params-cm created configmap/argocd-gpg-keys-cm created configmap/argocd-notifications-cm created configmap/argocd-rbac-cm created configmap/argocd-ssh-known-hosts-cm created configmap/argocd-tls-certs-cm created secret/argocd-notifications-secret created secret/argocd-secret created service/argocd-applicationset-controller created service/argocd-dex-server created service/argocd-metrics created service/argocd-notifications-controller-metrics created service/argocd-redis created service/argocd-repo-server created service/argocd-server created service/argocd-server-metrics created deployment.apps/argocd-applicationset-controller created deployment.apps/argocd-dex-server created deployment.apps/argocd-notifications-controller created deployment.apps/argocd-redis created deployment.apps/argocd-repo-server created deployment.apps/argocd-server created statefulset.apps/argocd-application-controller created networkpolicy.networking.k8s.io/argocd-application-controller-network-policy created networkpolicy.networking.k8s.io/argocd-applicationset-controller-network-policy created networkpolicy.networking.k8s.io/argocd-dex-server-network-policy created networkpolicy.networking.k8s.io/argocd-notifications-controller-network-policy created networkpolicy.networking.k8s.io/argocd-redis-network-policy created networkpolicy.networking.k8s.io/argocd-repo-server-network-policy created networkpolicy.networking.k8s.io/argocd-server-network-policy created 

Pod都已经running

[root@kn-server-master01-13 argocd]# kubectl get pods -n argocd NAME                                               READY   STATUS    RESTARTS   AGE argocd-application-controller-0                    1/1     Running   0          8m11s argocd-applicationset-controller-fb8d96cb5-l9kxc   1/1     Running   0          8m12s argocd-dex-server-69f8bb9b-79wkz                   1/1     Running   0          8m12s argocd-notifications-controller-85fdd8f7d9-5hfjt   1/1     Running   0          8m12s argocd-redis-6d67ff987b-7rffz                      1/1     Running   0          8m11s argocd-repo-server-67566f5fb4-tvkds                1/1     Running   0          8m11s argocd-server-58dd4685bc-c8wlw                     1/1     Running   0          8m11s 

修改为Nodeport或者loadbalancer亦或者Ingress才可用访问Argocd WEBUI

[root@kn-server-master01-13 argocd]# kubectl get svc -n argocd NAME                                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE argocd-applicationset-controller          ClusterIP   10.96.233.34    <none>        7000/TCP,8080/TCP            8m35s argocd-dex-server                         ClusterIP   10.96.15.14     <none>        5556/TCP,5557/TCP,5558/TCP   8m35s argocd-metrics                            ClusterIP   10.96.99.245    <none>        8082/TCP                     8m35s argocd-notifications-controller-metrics   ClusterIP   10.96.154.168   <none>        9001/TCP                     8m35s argocd-redis                              ClusterIP   10.96.182.219   <none>        6379/TCP                     8m35s argocd-repo-server                        ClusterIP   10.96.108.40    <none>        8081/TCP,8084/TCP            8m35s argocd-server                             ClusterIP   10.96.164.184   <none>        80/TCP,443/TCP               8m35s argocd-server-metrics                     ClusterIP   10.96.83.5      <none>        8083/TCP                     8m35s 

3. 安装Argocd CLI

3.1 下载客户端的安装包

[root@kn-server-master01-13 argocd]# wget  https://github.com/argoproj/argo-cd/releases/download/v2.5.3/argocd-linux-amd64 --2022-12-04 09:56:47--  https://github.com/argoproj/argo-cd/releases/download/v2.5.3/argocd-linux-amd64 正在解析主机 github.com (github.com)... 20.205.243.166 正在连接 github.com (github.com)|20.205.243.166|:443... 已连接。 已发出 HTTP 请求，正在等待回应... 302 Found 位置：https://objects.githubusercontent.com/github-production-release-asset-2e65be/120896210/dc4d761d-ef5d-4f4c-8dc3-a72e134313c1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221204%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221204T015648Z&X-Amz-Expires=300&X-Amz-Signature=ac9daeadb91a0f6b12cab84d5bc3b5d56abb78e960a93a62f68df9de904360bf&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=120896210&response-content-disposition=attachment%3B%20filename%3Dargocd-linux-amd64&response-content-type=application%2Foctet-stream [跟随至新的 URL] --2022-12-04 09:56:48--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/120896210/dc4d761d-ef5d-4f4c-8dc3-a72e134313c1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221204%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221204T015648Z&X-Amz-Expires=300&X-Amz-Signature=ac9daeadb91a0f6b12cab84d5bc3b5d56abb78e960a93a62f68df9de904360bf&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=120896210&response-content-disposition=attachment%3B%20filename%3Dargocd-linux-amd64&response-content-type=application%2Foctet-stream 正在解析主机 objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ... 正在连接 objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... 已连接。 已发出 HTTP 请求，正在等待回应... 200 OK 长度：133625646 (127M) [application/octet-stream] 正在保存至: “argocd-linux-amd64”  100%[==========================================================================================================================================================>] 133,625,646  595KB/s 用时 4m 18s   2022-12-04 10:01:07 (506 KB/s) - 已保存 “argocd-linux-amd64” [133625646/133625646]) 

3.2 拷贝并赋权

[root@kn-server-master01-13 argocd]# cp argocd-linux-amd64  /usr/local/bin/argocd [root@kn-server-master01-13 argocd]#  chmod +x /usr/local/bin/argocd 

4. 使用Argocd CLI

4.1 Argocd命令帮助

[root@kn-server-master01-13 argocd]# argocd --help argocd controls a Argo CD server  Usage:   argocd [flags]   argocd [command]  Available Commands:   account     Manage account settings   admin       Contains a set of commands useful for Argo CD administrators and requires direct Kubernetes access   app         Manage applications   appset      Manage ApplicationSets   cert        Manage repository certificates and SSH known hosts entries   cluster     Manage cluster credentials   completion  output shell completion code for the specified shell (bash or zsh)   context     Switch between contexts   gpg         Manage GPG keys used for signature verification   help        Help about any command   login       Log in to Argo CD   logout      Log out from Argo CD   proj        Manage projects   relogin     Refresh an expired authenticate token   repo        Manage repository connection parameters   repocreds   Manage repository connection parameters   version     Print version information  Flags:       --auth-token string               Authentication token       --client-crt string               Client certificate file       --client-crt-key string           Client certificate key file       --config string                   Path to Argo CD config (default "/root/.config/argocd/config")       --core                            If set to true then CLI talks directly to Kubernetes instead of talking to Argo CD API server       --grpc-web                        Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2.       --grpc-web-root-path string       Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2. Set web root.   -H, --header strings                  Sets additional header to all requests made by Argo CD CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers)   -h, --help                            help for argocd       --http-retry-max int              Maximum number of retries to establish http connection to Argo CD server       --insecure                        Skip server certificate and domain verification       --kube-context string             Directs the command to the given kube-context       --logformat string                Set the logging format. One of: text|json (default "text")       --loglevel string                 Set the logging level. One of: debug|info|warn|error (default "info")       --plaintext                       Disable TLS       --port-forward                    Connect to a random argocd-server port using port forwarding       --port-forward-namespace string   Namespace name which should be used for port forwarding       --server string                   Argo CD server address       --server-crt string               Server certificate file  Use "argocd [command] --help" for more information about a command. 

4.2 命令行登陆Argocd

Argocd的密码是保存Secret中的，查看Secret并拿到Argocd的登录密码。

[root@kn-server-master01-13 ~]# kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo 56bRDj50k-a1LWpT 

[root@kn-server-master01-13 argocd]# argocd login 10.0.0.14 WARNING: server certificate had error: x509: cannot validate certificate for 10.0.0.14 because it doesn't contain any IP SANs. Proceed insecurely (y/n)? yes Username: admin Password:  'admin:login' logged in successfully Context '10.0.0.14' updated 

4.3 命令行修改Argocd登陆密码

由于Argocd的密码过于复杂，并不易于记住，所以修改Argocd登陆密码。

[root@kn-server-master01-13 argocd]# argocd account update-password *** Enter password of currently logged in user (admin):  输入argocd的原密码 *** Enter new password for user admin:  *** Confirm new password for user admin:  Password updated Context '10.0.0.14' updated   密码修改成功，WEBUI会自动刷新。 

另外Argocd可能在国内无法拖下镜像，需要镜像的可以留言，后续会将Argocd镜像上传至Docker Hub。