Understanding custom tools in Argo CD

Some time after writing the first article, in which I handled jsonnet and gitlab quite deftly, I realized that pipelines are certainly good, but they should not be needlessly complicated and inconvenient.

In most cases a fairly standard task is needed: "generate YAML and put it into Kubernetes." As it happens, this is exactly what Argo CD does best.

Argo CD lets you connect a Git repository and sync its state to Kubernetes. Out of the box there is support for several kinds of applications: Kustomize, Helm charts, Ksonnet, plain Jsonnet, or simply directories with YAML/JSON manifests.

This set will be enough for most users, but not for everyone. To satisfy everyone's needs, Argo CD has the ability to use custom tools.

First of all, I was interested in the possibility of adding support for qbec and git-crypt, which were covered in detail in the previous article.

But before starting the configuration, you need to understand exactly how Argo CD works.

For each custom tool there are two stages:

  • init - preliminary preparation before deployment; anything can happen here: installing dependencies, unlocking secrets, and so on.
  • generate - direct execution of the manifest generation command; its output must be a valid YAML stream, which is exactly what will be applied to the cluster.

It is worth noting that Argo uses this approach for every type of application, including Helm. That is, in Argo CD, Helm does not install releases into the cluster at all; it is used only to generate manifests.

For its part, Argo can natively process Helm hooks, which keeps the logic of applying releases intact.

QBEC

Qbec lets you describe applications conveniently using jsonnet and, in addition, can render Helm charts; since Argo CD can natively process Helm hooks, using this combination with Argo CD lets you get even more correct results.

To add qbec support to argocd you need two things:

  • In the Argo CD config, you must describe your custom plugin and the command for generating manifests.
  • The corresponding binaries must be available in the argocd-repo-server image.

The first task is solved quite simply:

# cm.yaml
data:
  configManagementPlugins: |
    - name: qbec
      generate:
        command: [sh, -xc]
        args: ['qbec show "$ENVIRONMENT" -S --force:k8s-namespace "$ARGOCD_APP_NAMESPACE"']

(we do not use the init stage)

$ kubectl -n argocd patch cm/argocd-cm -p "$(cat cm.yaml)"

To add the binaries, it is recommended to build a new image, or to use the init container trick:

# deploy.yaml
spec:
  template:
    spec:
      # 1. Define an emptyDir volume which will hold the custom binaries
      volumes:
      - name: custom-tools
        emptyDir: {}
      # 2. Use an init container to download/copy custom binaries into the emptyDir
      initContainers:
      - name: download-tools
        image: alpine:3.12
        command: [sh, -c]
        args:
        - wget -qO- https://github.com/splunk/qbec/releases/download/v0.12.2/qbec-linux-amd64.tar.gz | tar -xvzf - -C /custom-tools/
        volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
      # 3. Volume mount the custom binary to the bin directory (overriding the existing version)
      containers:
      - name: argocd-repo-server
        volumeMounts:
        - mountPath: /usr/local/bin/qbec
          name: custom-tools
          subPath: qbec
        - mountPath: /usr/local/bin/jsonnet-qbec
          name: custom-tools
          subPath: jsonnet-qbec

$ kubectl -n argocd patch deploy/argocd-repo-server -p "$(cat deploy.yaml)"
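The init container above pipes an unverified download straight into tar and then mounts the result over /usr/local/bin in the repo server, so here is an added example (not from the article or the qbec project) of a download step that refuses to install the archive unless it matches a pinned SHA-256. The digest, paths and the stub archive used for the self-check are constructed assumptions; in the real init container you would `wget -qO /tmp/qbec.tar.gz <release URL>` and then call install_verified_tool with the digest published for that release.

```shell
#!/bin/sh
# Added example (not from the original article): a checksum-verified version of
# the init container's download step. The article pipes wget straight into tar;
# this extracts only when the archive matches a pinned SHA-256. The digest you
# pin is an assumption here: take it from the release you actually trust.
set -u

# install_verified_tool ARCHIVE EXPECTED_SHA256 DESTDIR
# Returns 0 and extracts on a match, 2 without extracting on a mismatch,
# 1 if ARCHIVE does not exist.
install_verified_tool() {
  archive=$1; expected=$2; dest=$3
  [ -f "$archive" ] || return 1
  actual=$(sha256sum "$archive" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "refusing to install $archive: sha256 $actual != $expected" >&2
    return 2
  fi
  mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Self-check with a constructed archive standing in for qbec-linux-amd64.tar.gz.
WORK=$(mktemp -d)
mkdir -p "$WORK/src" "$WORK/tools"
printf '#!/bin/sh\necho qbec-stub\n' > "$WORK/src/qbec"
tar -czf "$WORK/qbec.tar.gz" -C "$WORK/src" qbec
GOOD_SHA=$(sha256sum "$WORK/qbec.tar.gz" | cut -d' ' -f1)
BAD_SHA=0000000000000000000000000000000000000000000000000000000000000000

# Tampered or unexpected archive: refused, and nothing lands in the tools dir.
rc=0; install_verified_tool "$WORK/qbec.tar.gz" "$BAD_SHA" "$WORK/tools" 2>/dev/null || rc=$?
BAD_RESULT="$rc:$(ls "$WORK/tools" | wc -l | tr -d ' ')"
# Matching digest: the tool is extracted into the directory mounted as custom-tools.
rc=0; install_verified_tool "$WORK/qbec.tar.gz" "$GOOD_SHA" "$WORK/tools" || rc=$?
GOOD_RESULT="$rc:$(ls "$WORK/tools" | wc -l | tr -d ' ')"
echo "$BAD_RESULT $GOOD_RESULT"   # 2:0 0:1
rm -rf "$WORK"
```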

Let's see what our application manifest looks like:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: qbec-app
  namespace: argocd
spec:
  destination: 
    namespace: default
    server: https://kubernetes.default.svc
  project: default
  source: 
    path: qbec-app
    plugin: 
      env: 
        - name: ENVIRONMENT
          value: default
      name: qbec
    repoURL: https://github.com/kvaps/argocd-play
  syncPolicy: 
    automated: 
      prune: true

In the ENVIRONMENT variable we pass the name of the environment for which the manifests need to be generated.

Let's apply it and see what we get:

The application is deployed, great!

git-crypt

Git-crypt lets you set up transparent encryption for your repository. It is a simple and secure way to store sensitive data directly in git.

Implementing git-crypt turned out to be harder.

In theory, we could run git-crypt unlock at the init stage of our custom plugin, but this is not very convenient, because it would not allow using the native deployment methods. For example, in the case of Helm and Jsonnet we would lose the flexible GUI interface that makes configuring applications (values files, etc.) easier.

That is why I wanted to unlock the repository at an earlier stage, during cloning.

Since Argo CD currently has no way to describe hooks for repository synchronization, we have to work around this limitation with a cunning shell script that replaces the git command:

#!/bin/sh
# Run the real git binary (renamed to git.bin next to this wrapper) with the original arguments
"$(dirname "$0")"/git.bin "$@"
ec=$?
# Continue to the unlock step only after a fetch, and only in a git-crypt enabled repository
[ "$1" = fetch ] && [ -d .git-crypt ] || exit $ec
# Unlock with the keys Argo CD loads into its GPG home; unlock errors are ignored
GNUPGHOME=/app/config/gpg/keys git-crypt unlock 2>/dev/null
# Always report git's own exit code back to Argo CD
exit $ec

Argo CD runs git fetch every time before performing a deployment. This is the command we hook git-crypt unlock onto in order to decrypt the repository.
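To see exactly when the wrapper hands over to git-crypt, here is an added example (not from the article) that installs the script beside stub git.bin and git-crypt binaries and runs it through four cases. All paths and stubs are constructed; the last case shows that git's own failure code is what Argo CD sees even though the unlock is still attempted.

```shell
#!/bin/sh
# Added example (not from the original article): runs the git wrapper above
# against stub binaries so its behaviour can be checked outside the
# argocd-repo-server image. Every path and stub here is constructed.
set -u
WORK=$(mktemp -d)
mkdir -p "$WORK/bin" "$WORK/repo"

# Stub for the real git binary: logs its arguments, exits with $GIT_RC.
cat > "$WORK/bin/git.bin" <<'EOF'
#!/bin/sh
echo "git $*" >> "$LOG"
exit "${GIT_RC:-0}"
EOF

# Stub git-crypt: only records that unlock was attempted and with which home.
cat > "$WORK/bin/git-crypt" <<'EOF'
#!/bin/sh
echo "git-crypt $* GNUPGHOME=$GNUPGHOME" >> "$LOG"
EOF

# The wrapper from the article, installed as "git" beside git.bin.
cat > "$WORK/bin/git" <<'EOF'
#!/bin/sh
"$(dirname "$0")"/git.bin "$@"
ec=$?
[ "$1" = fetch ] && [ -d .git-crypt ] || exit $ec
GNUPGHOME=/app/config/gpg/keys git-crypt unlock 2>/dev/null
exit $ec
EOF
chmod +x "$WORK/bin/"*

# run_git SUBCOMMAND GIT_RC: run the wrapper inside $WORK/repo with git.bin
# exiting GIT_RC; prints "<wrapper exit code>|<git-crypt unlock count>".
run_git() {
  : > "$WORK/log"
  rc=0
  (cd "$WORK/repo" && export PATH="$WORK/bin:$PATH" LOG="$WORK/log" GIT_RC="$2" && git "$1" origin) || rc=$?
  echo "$rc|$(grep -c '^git-crypt unlock' "$WORK/log" || true)"
}

NO_CRYPT=$(run_git fetch 0)       # plain repo: fetch passes through, no unlock
mkdir "$WORK/repo/.git-crypt"
WITH_CRYPT=$(run_git fetch 0)     # git-crypt repo: unlock runs once after fetch
OTHER_CMD=$(run_git status 0)     # non-fetch commands never trigger unlock
FAILED_FETCH=$(run_git fetch 128) # git's own exit code is what the caller sees
echo "$NO_CRYPT $WITH_CRYPT $OTHER_CMD $FAILED_FETCH"   # 0|0 0|1 0|0 128|1
rm -rf "$WORK"
```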

For testing, you can use my docker image, which already contains everything you need:

$ kubectl -n argocd set image deploy/argocd-repo-server argocd-repo-server=docker.io/kvaps/argocd-git-crypt:v1.7.3

Now we need to think about how Argo will decrypt our repositories. That is, generate a gpg key for it:

$ kubectl exec -ti deploy/argocd-repo-server -- bash

$ printf "%s\n" \
    "%no-protection" \
    "Key-Type: default" \
    "Subkey-Type: default" \
    "Name-Real: YOUR NAME" \
    "Name-Email: YOUR EMAIL@example.com" \
    "Expire-Date: 0" \
    > genkey-batch

$ gpg --batch --gen-key genkey-batch
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
gpg: keybox '/home/argocd/.gnupg/pubring.kbx' created
gpg: /home/argocd/.gnupg/trustdb.gpg: trustdb created
gpg: key 8CB8B24F50B4797D marked as ultimately trusted
gpg: directory '/home/argocd/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/argocd/.gnupg/openpgp-revocs.d/9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D.rev'

Let's save the key name 8CB8B24F50B4797D for the next steps. Export the key itself:

$ gpg --list-keys
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
/home/argocd/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2020-09-04 [SC]
      9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid           [ultimate] YOUR NAME <YOUR EMAIL@example.com>
sub   rsa3072 2020-09-04 [E]

$ gpg --armor --export-secret-keys 8CB8B24F50B4797D

And add it as a separate secret:

# argocd-gpg-keys-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-gpg-keys-secret
  namespace: argocd
stringData:
  8CB8B24F50B4797D: |-
    -----BEGIN PGP PRIVATE KEY BLOCK-----

    lQVYBF9Q8KUBDACuS4p0ctXoakPLqE99YLmdixfF/QIvXVIG5uBXClWhWMuo+D0c
    ZfeyC5GvH7XPUKz1cLMqL6o/u9oHJVUmrvN/g2Mnm365nTGw1M56AfATS9IBp0HH
    O/fbfiH6aMWmPrW8XIA0icoOAdP+bPcBqM4HRo4ssbRS9y/i
    =yj11
    -----END PGP PRIVATE KEY BLOCK-----

$ kubectl apply -f argocd-gpg-keys-secret.yaml

All that remains is to get it into the argocd-repo-server container; to do this, edit the deployment:

$ kubectl -n argocd edit deploy/argocd-repo-server

and replace the existing gpg-keys volume with a projected volume, in which we reference our secret:

spec:
  template:
    spec:
      volumes:
      - name: gpg-keys
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: argocd-gpg-keys-secret
          - configMap:
              name: argocd-gpg-keys-cm

Argo CD automatically loads gpg keys from this directory when the container starts, so our private key will be loaded as well.

Let's check:

$ kubectl -n argocd exec -ti deploy/argocd-repo-server -- bash
$ GNUPGHOME=/app/config/gpg/keys gpg --list-secret-keys
gpg: WARNING: unsafe ownership on homedir '/app/config/gpg/keys'
/app/config/gpg/keys/pubring.kbx
--------------------------------
sec   rsa2048 2020-09-05 [SC] [expires: 2021-03-04]
      ED6285A3B1A50B6F1D9C955E5E8B1B16D47FFC28
uid           [ultimate] Anon Ymous (ArgoCD key signing key) <noreply@argoproj.io>

sec   rsa3072 2020-09-03 [SC]
      9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid           [ultimate] YOUR NAME <YOUR EMAIL@example.com>
ssb   rsa3072 2020-09-03 [E]

Great, the key is loaded! Now it remains to add Argo CD to our repository as a collaborator, and it will be able to decrypt it automatically on the fly.

Import the key on your local machine:

$ gpg --armor --export-secret 8CB8B24F50B4797D > 8CB8B24F50B4797D.pem
$ gpg --import 8CB8B24F50B4797D.pem

Let's set the trust level:

$ gpg --edit-key 8CB8B24F50B4797D
trust
5

Let's add argo as a collaborator to our project:

$ git-crypt add-gpg-user 8CB8B24F50B4797D

Related links:

Source: www.habr.com
