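#!/bin/bash
# Provision Argo CD into the cluster: issue the TLS certificates with
# cert-manager, install the argocd cli and the argo-cd helm chart, save the
# initial admin password, verify the served certificates, and apply the
# terraform configuration at /vagrant/argocd.
#
# Usage: provision-argocd.sh [ARGOCD_CLI_VERSION] [ARGOCD_CHART_VERSION]
#
# NB -x traces every command, with its expanded arguments, to stderr; keep
#    that in mind for any command whose arguments carry secrets.
set -euxo pipefail
argocd_cli_version="${1:-2.12.0}"; shift || true
argocd_chart_version="${1:-7.4.3}"; shift || true
# NB the certificate dnsNames and the helm global.domain are derived from the
#    host domain, so fail early when it cannot be determined instead of
#    provisioning a broken "argocd." name.
argocd_domain="$(hostname --domain)"
: "${argocd_domain:?hostname --domain returned an empty domain}"
argocd_fqdn="argocd.$argocd_domain"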
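# create the argocd-server, argocd-repo-server and argocd-dex-server tls
# secrets with cert-manager.
# NB argocd-server will automatically reload its secret.
# NB argocd-repo-server and argocd-dex-server will NOT automatically reload
#    their secrets. instead, they are configured (in argocd-values.yml) to be
#    automatically restarted by the reloader controller.
# NB alternatively we could set the server.certificate.enabled helm value. but
#    that does not allow us to fully customize the certificate (e.g. subject).
# see https://github.com/argoproj/argo-helm/blob/argo-cd-7.4.3/charts/argo-cd/templates/argocd-server/certificate.yaml
# see https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/
# NB the namespace is created through apply so that re-running this script
#    does not fail on an already existing namespace.
kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -

#######################################
# Create a cert-manager Certificate in the argocd namespace and wait for it to
# be issued into the <name>-tls secret.
# Arguments:
#   $1    - certificate name (also the prefix of the tls secret name)
#   $2    - certificate subject commonName
#   $3... - certificate dnsNames
# Outputs:
#   kubectl output to stdout
# Returns:
#   non-zero when kubectl fails or the certificate is not Ready within 5m
#######################################
create_certificate() {
  local name="$1"; shift
  local common_name="$1"; shift
  local dns_names
  # NB rendered as a yaml list indented under spec.dnsNames.
  dns_names="$(printf '    - %s\n' "$@")"
  # see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Certificate
  kubectl apply -n argocd -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $name
spec:
  subject:
    organizations:
      - k3s-vagrant
    organizationalUnits:
      - Kubernetes
  commonName: $common_name
  dnsNames:
$dns_names
  duration: 1h # NB this is so low for testing purposes.
  privateKey:
    algorithm: ECDSA # NB Ed25519 is not yet supported by chrome 93 or firefox 91.
    size: 256
  secretName: $name-tls
  issuerRef:
    kind: ClusterIssuer
    name: ingress
EOF
  kubectl wait --timeout=5m --for=condition=Ready --namespace argocd "certificate/$name"
}

create_certificate argocd-server 'Argo CD Server' "$argocd_fqdn"
create_certificate argocd-repo-server 'Argo CD Repo Server' argocd-repo-server argocd-repo-server.argocd.svc
create_certificate argocd-dex-server 'Argo CD Dex Server' argocd-dex-server argocd-dex-server.argocd.svc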
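# install the argocd cli.
# NB the release asset is fetched over https but its checksum/signature is not
#    verified here; pin argocd_cli_version and verify the published release
#    checksum before relying on this binary outside a throwaway test cluster.
argocd_url="https://github.com/argoproj/argo-cd/releases/download/v$argocd_cli_version/argocd-linux-amd64"
t="$(mktemp -q -d --suffix=.argocd)"
# NB the trap removes the temporary directory even when wget or install fail,
#    since set -e would otherwise exit before the rm below runs.
trap 'rm -rf -- "${t:?}"' EXIT
wget -qO "$t/argocd" "$argocd_url"
install -m 755 -- "$t/argocd" /usr/local/bin/argocd
rm -rf -- "${t:?}"
trap - EXIT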
# add the argo helm charts repository and refresh its index.
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
# list the available chart and app versions (first 10 rows), e.g.:
# NAME          CHART VERSION   APP VERSION     DESCRIPTION
# argo/argo-cd  7.4.3           v2.12.0         A Helm chart for Argo CD, a declarative, GitOps...
helm search repo --versions argo/argo-cd | head -n 10
# write the helm values file.
# NB the default values are described at:
#    https://github.com/argoproj/argo-helm/blob/argo-cd-7.4.3/charts/argo-cd/values.yaml
# NB make sure you are seeing the same version of the chart that you are installing.
# NB the heredoc delimiter is unquoted on purpose, so that $argocd_fqdn expands.
# NB the reloader annotations restart the repo-server and dex deployments when
#    their tls secret changes (those components do not reload it themselves).
cat <<EOF >argocd-values.yml
global:
  domain: $argocd_fqdn
server:
  ingress:
    enabled: true
    tls: true
  extraArgs:
    - --repo-server-strict-tls
    - --dex-server-strict-tls
controller:
  extraArgs:
    - --repo-server-strict-tls
repoServer:
  deploymentAnnotations:
    secret.reloader.stakater.com/reload: argocd-repo-server-tls
dex:
  deploymentAnnotations:
    secret.reloader.stakater.com/reload: argocd-dex-server-tls
EOF
# install (or upgrade) the chart and wait for its resources to become ready.
helm_args=(
  upgrade --install
  argocd
  argo/argo-cd
  --version "$argocd_chart_version"
  --create-namespace
  --namespace argocd
  --values argocd-values.yml
  --wait
)
helm "${helm_args[@]}"
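# save the admin password.
# NB the password only flows through the pipe, so set -x does not echo it.
# NB umask 077 creates the file with owner-only permissions; it is set in a
#    subshell so the rest of the script keeps its umask. on a vagrant synced
#    folder the mount options may override the resulting mode — verify.
(
  umask 077
  kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" \
    | base64 --decode \
    > /vagrant/tmp/argocd-admin-password.txt
)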
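# verify the certificates.
# NB to further troubleshoot, add the -debug -tlsextdebug cli arguments.
# NB the argocd-server endpoint uses the same fqdn that was put into its
#    certificate dnsNames and the helm global.domain, instead of a hard-coded
#    host name that only works for one domain.
endpoints=(
  "$argocd_fqdn:443"
  'argocd-repo-server.argocd.svc:8081'
  # NB dex verification is commented because we have not configured dex, as
  #    such, there is not endpoint listening, so we cannot verify the
  #    certificate.
  #'argocd-dex-server.argocd.svc:5556'
)
for endpoint in "${endpoints[@]}"; do
  h="${endpoint%:*}"
  # NB the heredoc is unquoted, so $endpoint, $h and the ca certificate
  #    contents are expanded here, on the host, before the script is sent to
  #    the argocd-server pod; the <( ) process substitution then runs inside
  #    the pod.
  # NB -verify_return_error only checks the chain; -verify_hostname also
  #    requires the certificate to match the name we connected to.
  kubectl -n argocd exec --stdin deployment/argocd-server -- bash -eux <<EOF
# dump certificate.
openssl s_client \
  -connect "$endpoint" \
  -servername "$h" \
  </dev/null \
  2>/dev/null \
  | openssl x509 -noout -text
# verify certificate chain and host name.
openssl s_client \
  -connect "$endpoint" \
  -servername "$h" \
  -verify_hostname "$h" \
  -showcerts \
  -verify 100 \
  -verify_return_error \
  -CAfile <(echo "$(cat /vagrant/tmp/ingress-ca-crt.pem)") \
  </dev/null
EOF
done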
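# configure argocd.
export ARGOCD_SERVER="$argocd_fqdn"
export ARGOCD_AUTH_USERNAME="admin"
# NB read is used instead of export VAR="$(cat ...)" because set -x echoes
#    the expanded value of an assignment into the trace, while read and
#    export only trace the variable name. the || accepts the missing trailing
#    newline in the file (read returns non-zero at eof) and traces only the
#    password length, not the value.
IFS= read -r ARGOCD_AUTH_PASSWORD </vagrant/tmp/argocd-admin-password.txt \
  || (( ${#ARGOCD_AUTH_PASSWORD} > 0 ))
export ARGOCD_AUTH_PASSWORD
export CHECKPOINT_DISABLE=1
# NB TF_LOG can be one of: ERROR, WARN, INFO, DEBUG, TRACE.
# NB DEBUG/TRACE output is verbose and may include request details; treat
#    terraform.log as sensitive and keep it out of version control.
export TF_LOG=DEBUG
export TF_LOG_PATH=terraform.log
pushd /vagrant/argocd
# NB start from a clean state every run (this is a throwaway test cluster).
rm -f terraform.tfstate* terraform*.log
terraform init
terraform apply -auto-approve \
  | tee terraform-apply.log
popd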