Yesterday I got a request from the developer team to use argocd-notifications
from https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd/templates/argocd-notifications. This argocd-notifications is bundled with the argo-cd chart; I found it in a recent chart version: https://github.com/argoproj/argo-helm/tree/argo-cd-5.19.12/charts/argo-cd/templates/argocd-notifications
When I checked our current argo-cd chart, it was only version 3.24.0, with ArgoCD version 2.2.5,
and that chart does not bundle argocd-notifications:
https://github.com/argoproj/argo-helm/blob/argo-cd-3.24.0/charts/argo-cd/values.yaml
So I had 2 choices:
1. install argocd-notifications as another application from ArgoCD
helm install my-argocd-notifications argo/argocd-notifications --version 1.8.1
2. or upgrade the argo-cd chart, with everything the upgrade brings
I chose 2 because it also lets me fix other issues.
Checking the new chart, a lot of values.yaml has changed and some places are deprecated.
Steps to change:
- test on non-production first
- back up the old extended values file
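# Backup of the override values used with argo-cd chart 3.24.0 / Argo CD v2.2.5.
# Nesting is reconstructed (the page shows the file with indentation stripped);
# diff against your own copy before reuse.
fullnameOverride: argocd
argo-cd:
  global:
    image:
      tag: v2.2.5
    additionalLabels:
      app: argocd
  server:
    configEnabled: true
    # --insecure makes argocd-server serve plain HTTP. That is only acceptable
    # when TLS is terminated in front of it (presumably the Istio gateway
    # configured in this file); the hop from the gateway to the pod is then
    # unencrypted unless the mesh adds mTLS.
    extraArgs:
      - --insecure
    config:
      url: https://domain.local
      # NOTE(review): both avp-vault-params commands hand an environment value
      # ($INIT_ARGS, $ARG_PARAMETERS) to `sh -c`. Presumably these come from the
      # Application's plugin env, so whoever may create or edit an Application
      # using this plugin controls a shell in the repo-server, which also holds
      # the Vault AppRole credentials (envFrom below). Keep Application write
      # access and allowed source repos tightly scoped.
      configManagementPlugins: |-
        - name: avp-vault-params
          init:
            command: ["/bin/sh", "-c"]
            args: ["$INIT_ARGS"]
          generate:
            command: [sh, -c]
            args: ["$ARG_PARAMETERS | argocd-vault-plugin generate - "]
        - name: avp-vault
          generate:
            command: [sh, -c]
            args: [" argocd-vault-plugin generate ./ "]
      # NOTE(review): insecureNoSSL on port 389 means the bind password and
      # every user's login password cross the network unencrypted. Prefer LDAPS
      # (port 636) or startTLS with rootCA/rootCAData set; insecureSkipVerify
      # then has no purpose and should be removed.
      # $dex.ldap.userdn / $dex.ldap.password are looked up by key name; the
      # keys are supplied through configs.secret.extra below.
      dex.config: |
        connectors:
          - type: ldap
            name: LOCAL-LDAP
            id: ldap
            config:
              host: 10.10.10.10:389
              insecureNoSSL: true
              insecureSkipVerify: true
              bindDN: $dex.ldap.userdn
              bindPW: $dex.ldap.password
              usernamePrompt: User Name
              userSearch:
                baseDN: "OU=Users,OU=Digital,DC=local,DC=group"
                filter: ""
                username: sAMAccountName
                idAttr: DN
                emailAttr: SAMACCOUNTNAME
                nameAttr: name
              groupSearch:
                baseDN: "OU=Groups,OU=Digital,DC=local,DC=group"
                filter: "(objectClass=group)"
                userAttr: DN
                groupAttr: member
                nameAttr: name
    # NOTE(review): only role:org-admin (allow on everything) is bound to a
    # group in this excerpt; role:org-read and role:org-nosync are defined but
    # unbound. No policy.default is set here, so what users outside the bound
    # group receive depends on the default in effect. Confirm it is empty or
    # read-only.
    rbacConfig:
      policy.csv: |
        # Global Role
        p, role:org-nosync, applications, sync, */*, deny
        p, role:org-admin, *, *, *, allow
        p, role:org-read, *, get, *, allow
        # Role Binding
        g, LOCAL-BU-TECH-OPERATIONS, role:org-admin
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 300m
        memory: 256Mi
    autoscaling:
      enabled: true
      minReplicas: 1
      maxReplicas: 4
      targetCPUUtilizationPercentage: 50
      targetMemoryUtilizationPercentage: 60
  repoServer:
    volumes:
      - name: custom-tools-avp
        emptyDir: {}
    # NOTE(review): the plugin binary is downloaded at every pod start with no
    # checksum or signature check, by an alpine:3.8 image (end-of-life release,
    # tag not pinned by digest). Verify the file against the SHA-256 published
    # with the release before the chmod, or bake the binary into an image you
    # build and scan yourself.
    initContainers:
      - name: download-tools-avp
        image: alpine:3.8
        command: [sh, -c]
        args:
          - >-
            wget -O argocd-vault-plugin
            https://github.com/IBM/argocd-vault-plugin/releases/download/v1.12.0/argocd-vault-plugin_1.12.0_linux_amd64 &&
            chmod +x argocd-vault-plugin &&
            mv argocd-vault-plugin /custom-tools-avp/
        volumeMounts:
          - mountPath: /custom-tools-avp
            name: custom-tools-avp
    volumeMounts:
      - name: custom-tools-avp
        mountPath: /usr/local/bin/argocd-vault-plugin
        subPath: argocd-vault-plugin
    # Injects every key of the argo-admin-settings Secret as environment
    # variables of the repo-server (the vaultProfiles section of this file
    # defines AVP_ROLE_ID and AVP_SECRET_ID under that name).
    envFrom:
      - secretRef:
          name: argo-admin-settings
    env:
      # x509ignoreCN=0 re-enables matching a certificate's CommonName as host
      # name (honoured by Go 1.15/1.16 only). It works around a server
      # certificate without SANs, presumably Vault's; reissuing that
      # certificate with SANs is the lasting fix.
      - name: "GODEBUG"
        value: "x509ignoreCN=0"
      - name: "VAULT_ADDR"
        value: "https://vault.local.com"
      - name: "AVP_TYPE"
        value: "vault"
      - name: "AVP_AUTH_TYPE"
        value: "approle"
      - name: "VAULT_NAMESPACE"
        value: "platform"
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 300m
        memory: 256Mi
    autoscaling:
      enabled: true
      minReplicas: 1
      maxReplicas: 4
      targetCPUUtilizationPercentage: 50
      targetMemoryUtilizationPercentage: 60
  redis:
    # NOTE(review): presumably switches off the chart's default securityContext
    # for redis. Confirm this is still required.
    securityContext: false
  redis-ha:
    enabled: true
  controller:
    enableStatefulSet: true
  configs:
    # <path:...#key> values are argocd-vault-plugin placeholders: the real
    # values are substituted from Vault at render time, so no secret is stored
    # in this file.
    secret:
      extra:
        dex.ldap.userdn: <path:/secret/data/common/local_ldap#userdn>
        dex.ldap.password: <path:/secret/data/common/local_ldap#password>
    tlsCerts:
      data:
        https://harbor.domain.local: <path:/secret/data/common/harbor#harbor-aaa.pem>
    credentialTemplates:
      bitbucket-truedmp:
        url: https://bitbucket.org/abc
        username: <path:/secret/data/common/bitbucket#username>
        password: <path:/secret/data/common/bitbucket#password>
      harbor-helm-repo:
        url: https://harbor.domain.local/chartrepo/library
        username: <path:/secret/data/common/harbor#username>
        password: <path:/secret/data/common/harbor#password>
    repositories: {}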
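# The keys below are not argo-cd chart values; presumably they are read by the
# wrapper chart's own templates. Top-level placement is reconstructed from a
# listing that lost its indentation, so confirm against the wrapper chart.
vaultProfiles:
  create: true
  profiles:
    # AppRole credentials argocd-vault-plugin itself uses to log in to Vault.
    # The Vault policy attached to this role bounds what any Application
    # rendered through the plugin can read, so keep it least-privilege.
    - name: argo-admin-settings
      data:
        - key: AVP_ROLE_ID
          value: <path:/secret/data/common/argocd#vault-role-id | base64encode>
        - key: AVP_SECRET_ID
          value: <path:/secret/data/common/argocd#vault-secret-id | base64encode>
istio:
  create: true
  hosts:
    - "domain.local"
  gateway:
    name: local-int-net-gw
    namespace: istio-system
# NOTE(review): only name and description are visible for each project; source
# repository and destination restrictions are presumably set in the wrapper
# chart's template. Confirm they are not left wide open.
projects:
  - projectName: root-applications
    description: Manage ArgoCD Project and Applications
  - projectName: argocd
    description: ArgoCD Project
applications:
  - applicationName: app-of-apps-global
    settings:
      project: root-applications
      source:
        repoURL: 'https://bitbucket.org/abc/helm-argocd.git'
        path: 'root-applications-np'
        # Tracks a branch head together with automated sync: whatever lands on
        # master under this path is applied to the cluster without a manual
        # step, so branch protection on that repo is part of the cluster's
        # access control.
        targetRevision: master
        directory:
          recurse: true
      destination:
        server: https://kubernetes.default.svc
        namespace: argocd
      syncPolicy:
        automated: {}
        syncOptions:
          - CreateNamespace=true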
- change the extended values.yaml
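# Override values after the move to the newer argo-cd chart / Argo CD v2.5.5.
# Nesting is reconstructed (the page shows the file with indentation stripped);
# diff against your own copy before reuse.
fullnameOverride: argocd
argo-cd:
  global:
    image:
      tag: v2.5.5 # pinned version
    # additionalLabels:
    #   app: argocd
  configs:
    params:
      # Replaces the former `--insecure` extra arg: argocd-server serves plain
      # HTTP. That is only acceptable when TLS is terminated in front of it
      # (presumably the Istio gateway configured in this file); the hop from
      # the gateway to the pod is then unencrypted unless the mesh adds mTLS.
      server.insecure: true
    cm:
      url: https://domain.local
      # Since Argo CD 2.4, env set on an Application reaches the plugin only
      # with the ARGOCD_ENV_ prefix, so it can no longer shadow repo-server
      # variables such as VAULT_ADDR or AVP_*.
      # NOTE(review): the values are still handed to `sh -c`, so whoever may
      # create or edit an Application using avp-vault-params controls a shell
      # in the repo-server. Keep Application write access and allowed source
      # repos tightly scoped.
      configManagementPlugins: |-
        - name: avp-vault-params
          init:
            command: ["/bin/sh", "-c"]
            args: ["$ARGOCD_ENV_INIT_ARGS"]
          generate:
            command: [sh, -c]
            args: ["$ARGOCD_ENV_ARG_PARAMETERS | argocd-vault-plugin generate - "]
        - name: avp-vault
          generate:
            command: [sh, -c]
            args: ["argocd-vault-plugin generate . "]
      # NOTE(review): insecureNoSSL on port 389 means the bind password and
      # every user's login password cross the network unencrypted. Prefer LDAPS
      # (port 636) or startTLS with rootCA/rootCAData set; insecureSkipVerify
      # then has no purpose and should be removed.
      # $dex.ldap.userdn / $dex.ldap.password are looked up by key name; the
      # keys are supplied through configs.secret.extra below.
      dex.config: |
        connectors:
          - type: ldap
            name: LOCAL-LDAP
            id: ldap
            config:
              host: 10.10.10.10:389
              insecureNoSSL: true
              insecureSkipVerify: true
              bindDN: $dex.ldap.userdn
              bindPW: $dex.ldap.password
              usernamePrompt: User Name
              userSearch:
                baseDN: "OU=Users,OU=Digital,DC=local,DC=group"
                filter: ""
                username: sAMAccountName
                idAttr: DN
                emailAttr: SAMACCOUNTNAME
                nameAttr: name
              groupSearch:
                baseDN: "OU=Groups,OU=Digital,DC=local,DC=group"
                filter: "(objectClass=group)"
                userAttr: DN
                groupAttr: member
                nameAttr: name
    # NOTE(review): only role:org-admin (allow on everything) is bound to a
    # group in this excerpt; role:org-read and role:org-nosync are defined but
    # unbound. No policy.default is set here, so what users outside the bound
    # group receive depends on the default in effect. Confirm it is empty or
    # read-only.
    rbac:
      policy.csv: |
        # Global Role
        p, role:org-nosync, applications, sync, */*, deny
        p, role:org-admin, *, *, *, allow
        p, role:org-read, *, get, *, allow
        # Role Binding
        g, LOCAL-BU-TECH-OPERATIONS, role:org-admin
    # <path:...#key> values are argocd-vault-plugin placeholders: the real
    # values are substituted from Vault at render time, so no secret is stored
    # in this file.
    credentialTemplates:
      bitbucket-truedmp:
        url: https://bitbucket.org/abc
        username: <path:/secret/data/common/bitbucket#username>
        password: <path:/secret/data/common/bitbucket#password>
      harbor-helm-repo:
        url: https://harbor.domain.local/chartrepo/library
        username: <path:/secret/data/common/harbor#username>
        password: <path:/secret/data/common/harbor#password>
    repositories: {}
    secret:
      extra:
        dex.ldap.userdn: <path:/secret/data/common/local_ldap#userdn>
        dex.ldap.password: <path:/secret/data/common/local_ldap#password>
    tls:
      certificates:
        https://harbor.domain.local: <path:/secret/data/common/harbor#harbor-aaa.pem>
  server:
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 300m
        memory: 256Mi
    autoscaling:
      enabled: true
      minReplicas: 1
      maxReplicas: 4
      targetCPUUtilizationPercentage: 50
      targetMemoryUtilizationPercentage: 60
  repoServer:
    volumes:
      - name: custom-tools-avp
        emptyDir: {}
    # NOTE(review): the plugin binary is downloaded at every pod start with no
    # checksum or signature check, by an alpine:3.8 image (end-of-life release,
    # tag not pinned by digest). Verify the file against the SHA-256 published
    # with the release before the chmod, or bake the binary into an image you
    # build and scan yourself.
    initContainers:
      - name: download-tools-avp
        image: alpine:3.8
        command: [sh, -c]
        args:
          - >-
            wget -O argocd-vault-plugin
            https://github.com/IBM/argocd-vault-plugin/releases/download/v1.12.0/argocd-vault-plugin_1.12.0_linux_amd64 &&
            chmod +x argocd-vault-plugin &&
            mv argocd-vault-plugin /custom-tools-avp/
        volumeMounts:
          - mountPath: /custom-tools-avp
            name: custom-tools-avp
    volumeMounts:
      - name: custom-tools-avp
        mountPath: /usr/local/bin/argocd-vault-plugin
        subPath: argocd-vault-plugin
    # Injects every key of the argo-admin-settings Secret as environment
    # variables of the repo-server (the vaultProfiles section of this file
    # defines AVP_ROLE_ID and AVP_SECRET_ID under that name).
    envFrom:
      - secretRef:
          name: argo-admin-settings
    env:
      # x509ignoreCN=0 re-enables matching a certificate's CommonName as host
      # name (honoured by Go 1.15/1.16 only). It works around a server
      # certificate without SANs, presumably Vault's; reissuing that
      # certificate with SANs is the lasting fix.
      - name: "GODEBUG"
        value: "x509ignoreCN=0"
      # NOTE(review): this address differs from the one in the backed-up values
      # earlier in the post (https://vault.local.com); confirm which is meant
      # before copying.
      - name: "VAULT_ADDR"
        value: "https://vault-gcp.truedigital.com"
      - name: "AVP_TYPE"
        value: "vault"
      - name: "AVP_AUTH_TYPE"
        value: "approle"
      - name: "VAULT_NAMESPACE"
        value: "platform"
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 300m
        memory: 256Mi
    autoscaling:
      enabled: true
      minReplicas: 1
      maxReplicas: 4
      targetCPUUtilizationPercentage: 50
      targetMemoryUtilizationPercentage: 60
  redis:
    # NOTE(review): presumably switches off the chart's default securityContext
    # for redis. Confirm this is still required.
    securityContext: false
  redis-ha:
    enabled: true
  controller:
    enableStatefulSet: true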
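# The keys below are not argo-cd chart values; presumably they are read by the
# wrapper chart's own templates. Top-level placement is reconstructed from a
# listing that lost its indentation, so confirm against the wrapper chart.
vaultProfiles:
  create: true
  profiles:
    # AppRole credentials argocd-vault-plugin itself uses to log in to Vault.
    # The Vault policy attached to this role bounds what any Application
    # rendered through the plugin can read, so keep it least-privilege.
    - name: argo-admin-settings
      data:
        - key: AVP_ROLE_ID
          value: <path:/secret/data/common/argocd#vault-role-id | base64encode>
        - key: AVP_SECRET_ID
          value: <path:/secret/data/common/argocd#vault-secret-id | base64encode>
istio:
  create: true
  hosts:
    - "domain.local"
  gateway:
    name: local-int-net-gw
    namespace: istio-system
# NOTE(review): only name and description are visible for each project; source
# repository and destination restrictions are presumably set in the wrapper
# chart's template. Confirm they are not left wide open.
projects:
  - projectName: root-applications
    description: Manage ArgoCD Project and Applications
  - projectName: argocd
    description: ArgoCD Project
applications:
  - applicationName: app-of-apps-global
    settings:
      project: root-applications
      source:
        repoURL: 'https://bitbucket.org/abc/helm-argocd.git'
        path: 'root-applications-np'
        # Tracks a branch head together with automated sync: whatever lands on
        # master under this path is applied to the cluster without a manual
        # step, so branch protection on that repo is part of the cluster's
        # access control.
        targetRevision: master
        directory:
          recurse: true
      destination:
        server: https://kubernetes.default.svc
        namespace: argocd
      syncPolicy:
        automated: {}
        syncOptions:
          - CreateNamespace=true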
- the main changes:
1. configuration under server: moves to configs:
2. user-supplied env variables must start with ARGOCD_ENV_,
for example INIT_ARGS becomes ARGOCD_ENV_INIT_ARGS
3. the new chart includes argocd-applicationset
4. it includes the CRDs (custom resource definitions)
- change chart version : 3.24.0 → 5.16.12
- helm dep update
- test the render with the command below (no need for --include-crds)
helm template argocd -n argocd . -f values/values-argocd.yaml | argocd-vault-plugin generate -
- if the render looks good, commit the values change to the git repo (commit only the values file: the output of the command above contains the secrets resolved from Vault in clear text, so do not save or commit it)
- let ArgoCD render it itself
after the sync you need to log in again
- test with other applications
- apply the same values and steps to the production ArgoCD
Note: I upgraded a few other clusters as well and got an error on autoscaling.
After checking, the clusters with the problem are still on version 1.22.16-gke.2000, which supports only autoscaling/v2beta2, while this chart defaults to autoscaling/v2. So override the API version:
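# Excerpt of the override values for clusters that cannot serve autoscaling/v2.
# Nesting is reconstructed (the page shows the file with indentation stripped).
fullnameOverride: argocd
argo-cd:
  apiVersionOverrides:
    # The chart default is autoscaling/v2. Clusters on 1.22.16-gke.2000 only
    # serve v2beta2; per the author, v2 is supported on 1.23.14-gke.1800.
    # Remove this override once the cluster is upgraded: Kubernetes stops
    # serving autoscaling/v2beta2 in 1.26.
    autoscaling: "autoscaling/v2beta2"
  global:
    image:
      tag: v2.5.5 # pinned version
    # additionalLabels:
    #   app: argocd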
So everything works well now.
For the upgrade to the sidecar plugin, see: https://medium.com/@dounpct/argocd-argocd-vault-plugin-20d28f03316c
More references:
- https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.2-2.3/
- https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.3-2.4/
- https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.4-2.5/
— — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Credit : TrueDigitalGroup
— — — — — — — — — — — — — — — — — — — — — — — — — — — — —