
Some time after writing the previous article, where I put jsonnet and gitlab to thorough use, I realized that pipelines are certainly good, but unnecessarily complicated and inconvenient.
In most cases the typical task is: "generate YAML and put it into Kubernetes." In fact, this is exactly what Argo CD does remarkably well.
Argo CD lets you connect a Git repository and sync its state to Kubernetes. By default, several kinds of applications are supported: Kustomize, Helm charts, Ksonnet, plain Jsonnet, or directories with YAML/JSON manifests.
This set will be enough for most users, but not for everyone. To meet everyone's needs, Argo CD has the ability to use custom tooling.
First of all, I was interested in the possibility of adding support for the tools that were covered in detail in the previous article.
Before starting the setup, you first need to understand how Argo CD actually works.
For every application you add, it runs two phases:
- init: initial preparation before deployment. Anything can happen here: downloading dependencies, unpacking secrets, and so on.
- generate: the actual generation of manifests. The output must be a valid YAML stream, and this is exactly what will be applied to the cluster.
Interestingly, Argo uses this approach for every type of application, including Helm. That is, in Argo CD Helm does not deploy releases to the cluster; it is used only to generate manifests.
For its part, Argo can handle Helm hooks natively, so the logic of applying releases is not broken.
QBEC
Qbec lets you describe applications conveniently using jsonnet, and in addition it can render Helm charts. Since Argo CD handles Helm hooks natively, using this feature together with Argo CD gives even more correct results.
To add qbec support to argocd you need two things:
- Your custom plugin and the commands for generating manifests must be defined in the Argo CD config.
- The required binaries must be available in the argocd-repo-server image.
The first task is simple:
# cm.yaml
data:
  configManagementPlugins: |
    - name: qbec
      generate:
        command: [sh, -xc]
        args: ['qbec show "$ENVIRONMENT" -S --force:k8s-namespace "$ARGOCD_APP_NAMESPACE"']

(the init command is not used)

$ kubectl -n argocd patch cm/argocd-cm -p "$(cat cm.yaml)"

There is more than one suggested way to add the binaries; the one used here is an init container:
# deploy.yaml
spec:
  template:
    spec:
      # 1. Define an emptyDir volume which will hold the custom binaries
      volumes:
      - name: custom-tools
        emptyDir: {}
      # 2. Use an init container to download/copy custom binaries into the emptyDir
      initContainers:
      - name: download-tools
        image: alpine:3.12
        command: [sh, -c]
        args:
        - wget -qO- https://github.com/splunk/qbec/releases/download/v0.12.2/qbec-linux-amd64.tar.gz | tar -xvzf - -C /custom-tools/
        volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
      # 3. Volume mount the custom binary to the bin directory (overriding the existing version)
      containers:
      - name: argocd-repo-server
        volumeMounts:
        - mountPath: /usr/local/bin/qbec
          name: custom-tools
          subPath: qbec
        - mountPath: /usr/local/bin/jsonnet-qbec
          name: custom-tools
          subPath: jsonnet-qbec

$ kubectl -n argocd patch deploy/argocd-repo-server -p "$(cat deploy.yaml)"

Now let's see what our application manifest will look like:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: qbec-app
  namespace: argocd
spec:
  destination:
    namespace: default
    server: https://kubernetes.default.svc
  project: default
  source:
    path: qbec-app
    plugin:
      env:
      - name: ENVIRONMENT
        value: default
      name: qbec
    repoURL: https://github.com/kvaps/argocd-play
  syncPolicy:
    automated:
      prune: true

In the ENVIRONMENT variable we pass the name of the environment for which the manifests should be generated.
Let's apply it and see what we get:

The application is deployed, great!
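
The init container above pipes the downloaded qbec archive straight into tar, so whatever the URL serves ends up on the repo-server's PATH. As an added example (not part of the original article), the functions below save the archive first and extract it only if it matches a pinned SHA-256 digest; QBEC_URL and QBEC_SHA256 in the comments are placeholders to be filled from the release you pin.

```shell
#!/bin/sh
# Added example: checksum-pinned install for the download-tools init container.

# verify_sha256 FILE EXPECTED_HEX -> returns 0 only if the digest matches.
# An empty EXPECTED_HEX never matches, so a forgotten pin fails closed.
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# install_verified ARCHIVE EXPECTED_HEX DEST
# Extracts ARCHIVE into DEST only after the digest check has passed.
install_verified() {
    archive=$1 expected=$2 dest=$3
    if ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch for $archive, refusing to install" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# In the init container this replaces the `wget | tar` pipe (placeholders):
#   wget -qO /tmp/qbec.tgz "$QBEC_URL"
#   install_verified /tmp/qbec.tgz "$QBEC_SHA256" /custom-tools
if [ "$#" -eq 3 ]; then
    install_verified "$@"
fi
```

If the check fails the init container exits non-zero, so the repo-server pod does not start with an unverified binary.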
git-crypt
Git-crypt lets you set up transparent encryption for your repository. It is a simple and secure way to store sensitive data directly in git.
Implementing git-crypt turned out to be more difficult.
In theory we could run git-crypt unlock in the init stage of our custom plugin, but that is not convenient, because it rules out the native deployment methods. For example, with Helm and Jsonnet we would lose the flexible GUI that simplifies application configuration (values files and so on).
That is why I wanted to unlock the repository at an earlier stage, when the repository is cloned.
Since Argo CD currently does not provide any hooks for repository synchronization, we had to work around this limitation with a tricky shell wrapper script that replaces the git command:
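#!/bin/sh
# Wrapper installed in place of git; the real binary is kept as git.bin next to it.
"$(dirname "$0")/git.bin" "$@"
ec=$?
# Continue only after a fetch in a repository that uses git-crypt.
[ "$1" = fetch ] && [ -d .git-crypt ] || exit $ec
# Unlock with the keys from Argo CD's GPG home; unlock errors are discarded.
GNUPGHOME=/app/config/gpg/keys git-crypt unlock 2>/dev/null
exit $ec

Argo CD runs git fetch every time before a deployment operation. This is the command to which we attach git-crypt unlock in order to unlock the repository.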
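
Because the wrapper sends git-crypt's errors to /dev/null and returns git's own exit code, a failed unlock is invisible and the generate step would be handed ciphertext. The check below is an added example, not code from the original article: it relies on git-crypt marking encrypted files with the 10-byte header \0GITCRYPT\0, and the wiring into the plugin command shown in the comment is hypothetical.

```shell
#!/bin/sh
# Added example: guard for the generate step. Lists files that are still
# git-crypt ciphertext so a silently failed unlock is not rendered as manifests.

# Hex of the 10-byte header at the start of git-crypt encrypted files:
# \0 G I T C R Y P T \0
GITCRYPT_MAGIC=00474954435259505400

# is_locked FILE -> returns 0 if FILE starts with the git-crypt header.
is_locked() {
    head_hex=$(head -c 10 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$head_hex" = "$GITCRYPT_MAGIC" ]
}

# locked_files DIR -> prints every regular file under DIR (outside .git)
# that is still encrypted; returns 1 if any were found, 0 otherwise.
locked_files() {
    out=$(find "$1" -name .git -prune -o -type f -print |
        while IFS= read -r f; do
            if is_locked "$f"; then printf '%s\n' "$f"; fi
        done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Hypothetical wiring in the plugin's generate command:
#   locked_files . >&2 || { echo "repository is still locked" >&2; exit 1; }
#   qbec show "$ENVIRONMENT" -S --force:k8s-namespace "$ARGOCD_APP_NAMESPACE"
```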
For testing, you can use an image that already has everything you need:

$ kubectl -n argocd set image deploy/argocd-repo-server argocd-repo-server=docker.io/kvaps/argocd-git-crypt:v1.7.3

Now we need to think about how Argo will decrypt our repositories. Namely, generate a gpg key for it:
$ kubectl exec -ti deploy/argocd-repo-server -- bash
$ printf "%s\n" \
    "%no-protection" \
    "Key-Type: default" \
    "Subkey-Type: default" \
    "Name-Real: YOUR NAME" \
    "Name-Email: YOUR EMAIL@example.com" \
    "Expire-Date: 0" \
    > genkey-batch
$ gpg --batch --gen-key genkey-batch
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
gpg: keybox '/home/argocd/.gnupg/pubring.kbx' created
gpg: /home/argocd/.gnupg/trustdb.gpg: trustdb created
gpg: key 8CB8B24F50B4797D marked as ultimately trusted
gpg: directory '/home/argocd/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/argocd/.gnupg/openpgp-revocs.d/9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D.rev'

Let's save the key name 8CB8B24F50B4797D for the next steps. Export the key itself:
$ gpg --list-keys
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
/home/argocd/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2020-09-04 [SC]
      9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid           [ultimate] YOUR NAME <YOUR EMAIL@example.com>
sub   rsa3072 2020-09-04 [E]
$ gpg --armor --export-secret-keys 8CB8B24F50B4797D

And add it as a separate secret:
# argocd-gpg-keys-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-gpg-keys-secret
  namespace: argocd
stringData:
  8CB8B24F50B4797D: |-
    -----BEGIN PGP PRIVATE KEY BLOCK-----
    lQVYBF9Q8KUBDACuS4p0ctXoakPLqE99YLmdixfF/QIvXVIG5uBXClWhWMuo+D0c
    ZfeyC5GvH7XPUKz1cLMqL6o/u9oHJVUmrvN/g2Mnm365nTGw1M56AfATS9IBp0HH
    O/fbfiH6aMWmPrW8XIA0icoOAdP+bPcBqM4HRo4ssbRS9y/i
    =yj11
    -----END PGP PRIVATE KEY BLOCK-----

$ kubectl apply -f argocd-gpg-keys-secret.yaml

All that remains is to mount it into the argocd-repo-server container; to do this, edit the deployment:
$ kubectl -n argocd edit deploy/argocd-repo-server

And replace the existing gpg-keys volume with a projected one, in which we list our secret:

spec:
  template:
    spec:
      volumes:
      - name: gpg-keys
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: argocd-gpg-keys-secret
          - configMap:
              name: argocd-gpg-keys-cm

Argo CD automatically loads gpg keys from this directory when the container starts, so it will load our private key as well.
Let's check:

$ kubectl -n argocd exec -ti deploy/argocd-repo-server -- bash
$ GNUPGHOME=/app/config/gpg/keys gpg --list-secret-keys
gpg: WARNING: unsafe ownership on homedir '/app/config/gpg/keys'
/app/config/gpg/keys/pubring.kbx
--------------------------------
sec   rsa2048 2020-09-05 [SC] [expires: 2021-03-04]
      ED6285A3B1A50B6F1D9C955E5E8B1B16D47FFC28
uid           [ultimate] Anon Ymous (ArgoCD key signing key) <noreply@argoproj.io>
sec   rsa3072 2020-09-03 [SC]
      9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid           [ultimate] YOUR NAME <YOUR EMAIL@example.com>
ssb   rsa3072 2020-09-03 [E]

Great, the key is loaded! Now we only need to add Argo CD to our repository as a collaborator, and it will be able to decrypt it automatically on the fly.
Import the key on your local computer:

$ gpg --armor --export-secret 8CB8B24F50B4797D > 8CB8B24F50B4797D.pem
$ gpg --import 8CB8B24F50B4797D.pem

Set the trust level:

$ gpg --edit-key 8CB8B24F50B4797D
trust
5

Add argo as a collaborator to our project:

$ git-crypt add-gpg-user 8CB8B24F50B4797D
Source: www.habr.com
