Devops git for Stocktrader app.
Each branch in the repo matches one of the environments:
- test - test environment in the local argo cluster
- qa - qa environment in the local cluster
- production - prod environmet in the remote cluster
Steps:
- install ArgoCD via operator, use the following yaml:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
name: argocd
namespace: argocd
spec:
dex:
image: quay.io/ablock/dex
openShiftOAuth: true
version: openshift-connector
rbac:
defaultPolicy: 'role:admin'
policy: |
g, argocd-admins, role:admin
scopes: '[groups]'
server:
insecure: false
route:
enabled: true
tls:
termination: passthrough
wildcardPolicy: None
In some cases, when self sign certs are not acceptable, you may need to switch security configuration to edge termination and use OCP cert instead of default ArgoCD one. Change to: insecure: true
and termination: edge
-
solve configuration issues - see argo-issues.md
-
login to argocd via cmd (add : --grpc-web if using tls edge termination not passthrough):
argocd login --sso argocd-server-argocd.mycluster
- Login to target remote ocp cluster using oc
- List all authenticated contexts in oc, amd find yours:
oc config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* stocktrader-preprod/c109-e-us-east-containers-cloud-ibm-com:32310/IAM#grzegorz.smolko@pl.ibm.com c109-e-us-east-containers-cloud-ibm-com:32310 IAM#grzegorz.smolko@pl.ibm.com/c109-e-us-east-containers-cloud-ibm-com:32310 stocktrader-preprod
- add remote cluster to argo
argocd cluster add stocktrader/clustername:port/YOURUSER --name clusterNameForArgo
e.g. argocd cluster add stocktrader-preprod/c109-e-us-east-containers-cloud-ibm-com:32310/IAM#grzegorz.smolko@pl.ibm.com --name devops-preprod2
This will add some settings to remote cluster:
time="2021-03-10T14:06:59+01:00" level=info msg="ServiceAccount \"argocd-manager\" created in namespace \"kube-system\""
time="2021-03-10T14:06:59+01:00" level=info msg="ClusterRole \"argocd-manager-role\" created"
time="2021-03-10T14:06:59+01:00" level=info msg="ClusterRoleBinding \"argocd-manager-role-binding\" created"
Cluster 'https://c109-e.us-east.containers.cloud.ibm.com:32310' added
Your cluster should be visible now in Argo CD UI, in Settings > Clusters
- in repositories add gitops repo
argocd repo add https://github.com/stocktrader-ops/stocktrader-argocd-gitops
repository 'https://github.com/stocktrader-ops/stocktrader-argocd-gitops' added
- configure project
argocd proj create stocktrader --description "All stocktrader apps" -d https://kubernetes.default.svc,stocktrader-test -d https://kubernetes.default.svc,stocktrader-qa -s https://github.com/stocktrader-ops/stocktrader-argocd-gitops
- configure applications; repeat same command for diff envs (test, qa, prod) changing
revision
and-dest-xxx
params
argocd app create test-trader --repo https://github.com/stocktrader-ops/stocktrader-argocd-gitops --revision test --path trader --dest-server https://kubernetes.default.svc --dest-namespace stocktrader-test --directory-recurse --project stocktrader --sync-policy auto
application 'test-trader' created
If you use Quay as image registry perform the following steps: Go to the robot account:
Click account and Kubernetes secret
.
Copy secret to all target namespaces in all clusters that should have access to that registry
Expose registry to outside world:
oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
You can also change it via console via Custom Resource Definitions > Config (imageregistry.operator.openshift.io) > Instances > cluster
Verify that route was created:
Create service account in source cluster in source project
oc create serviceaccount img-puller
Add pull role:
oc policy add-role-to-user system:image-puller system:serviceaccount:stock-quote-quarkus:img-puller
Find sa tokens:
oc describe sa img-puller
Name: img-puller
Namespace: stock-quote-quarkus
Labels: <none>
Annotations: <none>
Image pull secrets: img-puller-dockercfg-sz9jt
Mountable secrets: img-puller-token-b597z
img-puller-dockercfg-sz9jt
Tokens: img-puller-token-b597z
img-puller-token-mllk4
Events: <none>
Get token from serviceaccount.
On target cluster: In the target namespace create pull secret with souce cluster hostname, username=serviceaccount, and password=copied_token
link created secret to default account
oc secrets link default dev-cluster-pull --for=pull
oc policy add-role-to-user system:image-puller system:serviceaccount:stocktrader-test:default --namespace=stock-quote-quarkus
oc policy add-role-to-user system:image-puller system:serviceaccount:stocktrader-qa:default --namespace=stock-quote-quarkus
oc policy add-role-to-user system:image-puller system:serviceaccount:stocktrader-prod:default --namespace=stock-quote-quarkus
Simple pipeline configuration is described in the README.