Understanding Argo CD Custom Tooling

Some time after writing the first article, in which I deftly juggled jsonnet and GitLab, I realized that pipelines are all well and good, but needlessly complex and inconvenient.

In most cases the typical task is "generate YAML and put it into Kubernetes". Argo CD does a great job of exactly this.

Argo CD lets you connect a Git repository and keep its state synchronized with Kubernetes. Out of the box it supports several application types: Kustomize, Helm charts, Ksonnet, plain Jsonnet, or simply directories of YAML/JSON manifests.

This toolset is enough for most users, but not for everyone. To cover everyone's needs, Argo CD offers custom tooling.

First of all, I'm interested in the ability to add support for qbec and git-crypt, both of which were discussed in detail in the previous article.

Before starting the configuration, you first need to understand how Argo CD works.

Every added application has two phases:

  • init - initial preparation before deployment, which can involve anything: downloading dependencies, decrypting secrets, and more.
  • generate - running the manifest generation command itself; the output must be a valid YAML stream, and this is exactly what will be applied to the cluster.

It's worth noting that Argo applies this approach to every application type, Helm included. That is, in Argo CD Helm does not deploy releases to the cluster; it is used only for manifest generation.

Argo, for its part, can natively handle Helm hooks, which makes it possible to implement seamless release logic.

QBEC

Qbec lets you conveniently describe applications using jsonnet, and it can also render Helm charts. Since Argo CD correctly handles Helm charts itself, using this feature together with Argo CD lets you get an even more correct result.

To add qbec support to argocd, two things are needed:

  • The custom plugin and its manifest generation commands must be defined in the Argo CD configuration.
  • The required binaries must be available in the argocd-repo-server image.

The first task is solved quite simply:

# cm.yaml
data:
  configManagementPlugins: |
    - name: qbec
      generate:
        command: [sh, -xc]
        args: ['qbec show "$ENVIRONMENT" -S --force:k8s-namespace "$ARGOCD_APP_NAMESPACE"']

(the init stage is not used)

$ kubectl -n argocd patch cm/argocd-cm -p "$(cat cm.yaml)"

To add the binary, you can either build a new image or use the init container trick:

# deploy.yaml
spec:
  template:
    spec:
      # 1. Define an emptyDir volume which will hold the custom binaries
      volumes:
      - name: custom-tools
        emptyDir: {}
      # 2. Use an init container to download/copy custom binaries into the emptyDir
      initContainers:
      - name: download-tools
        image: alpine:3.12
        command: [sh, -c]
        args:
        - wget -qO- https://github.com/splunk/qbec/releases/download/v0.12.2/qbec-linux-amd64.tar.gz | tar -xvzf - -C /custom-tools/
        volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
      # 3. Volume mount the custom binary to the bin directory (overriding the existing version)
      containers:
      - name: argocd-repo-server
        volumeMounts:
        - mountPath: /usr/local/bin/qbec
          name: custom-tools
          subPath: qbec
        - mountPath: /usr/local/bin/jsonnet-qbec
          name: custom-tools
          subPath: jsonnet-qbec

$ kubectl -n argocd patch deploy/argocd-repo-server -p "$(cat deploy.yaml)"
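One hardening a practitioner would add to the init container above, shown here as an added example rather than the article's manifest: verify the downloaded archive's SHA-256 before anything is extracted into /custom-tools, so a swapped release asset cannot land in the repo-server's PATH. The verify_and_extract helper and the EXPECTED_SHA256 placeholder are assumptions (not part of qbec or Argo CD), and the fixture tarball is constructed purely for offline testing.

```shell
#!/bin/sh
# Added example, not part of the article. Intended init-container usage
# (EXPECTED_SHA256 is a placeholder; take the real digest from the qbec release):
#   wget -qO /tmp/qbec.tgz "$URL" && verify_and_extract /tmp/qbec.tgz "$EXPECTED_SHA256" /custom-tools

# verify_and_extract <tarball> <expected-sha256> <dest-dir>
# Extracts only when the digest matches; on mismatch returns 1 and leaves dest untouched.
verify_and_extract() {
    tarball=$1; expected=$2; dest=$3
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual, want $expected" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# make_fixture_tarball <dir>: builds a constructed stand-in for the qbec release
# archive (a shell stub named qbec) and prints its SHA-256, for offline testing.
make_fixture_tarball() {
    mkdir -p "$1/src"
    printf '#!/bin/sh\necho qbec-stub\n' >"$1/src/qbec"
    chmod +x "$1/src/qbec"
    tar -czf "$1/qbec.tgz" -C "$1/src" qbec
    sha256sum "$1/qbec.tgz" | cut -d' ' -f1
}
```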

Now let's see what our application manifest will look like:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: qbec-app
  namespace: argocd
spec:
  destination: 
    namespace: default
    server: https://kubernetes.default.svc
  project: default
  source: 
    path: qbec-app
    plugin: 
      env: 
        - name: ENVIRONMENT
          value: default
      name: qbec
    repoURL: https://github.com/kvaps/argocd-play
  syncPolicy: 
    automated: 
      prune: true

In the ENVIRONMENT variable we pass the name of the environment for which the manifests should be generated.

Let's apply it and see what we get:


The application is deployed, great!

git-crypt

Git-crypt lets you set up transparent encryption of a repository. It's a simple and secure way to store sensitive data directly in Git.

Implementing git-crypt turned out to be considerably harder.

In theory we could run git-crypt unlock in the init stage of our custom plugin, but that isn't very convenient, since it wouldn't let us use the native deployment methods. For example, with Helm and Jsonnet we would lose the flexible GUI interface that simplifies application configuration (values files, etc.).

That is exactly why I wanted to unlock the repository at an earlier stage, during cloning.

Since Argo CD currently doesn't provide a way to define any hooks for repository synchronization, I had to work around this limitation with a cunning shell script that replaces the git command:

#!/bin/sh
# Run the real git binary (renamed git.bin, next to this wrapper) with the original arguments
$(dirname "$0")/git.bin "$@"
ec=$?
# Continue only after a fetch in a git-crypt-enabled checkout; otherwise return git's status
[ "$1" = fetch ] && [ -d .git-crypt ] || exit $ec
# Unlock with the keys Argo CD mounts under /app/config/gpg/keys; unlock errors are silent
GNUPGHOME=/app/config/gpg/keys git-crypt unlock 2>/dev/null
# Always report git's own exit code
exit $ec

Argo CD runs git fetch every time before a sync operation. We hook into this command to run git-crypt unlock, which decrypts the repository.

For testing you can use my Docker image, which already contains everything needed:
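The wrapper above, as an added example rather than the article's own script, restated with injectable binaries and a stub harness so its behaviour (unlock only on fetch in a git-crypt checkout, git's exit code always preserved, unlock failures swallowed) can be checked offline before it goes into an image. GIT_REAL, GIT_CRYPT and GPG_HOME are assumed names; the stub binaries are constructed for the test.

```shell
#!/bin/sh
# Added example (not the article's wrapper): the same fetch-hook logic with the
# wrapped binaries injectable through GIT_REAL, GIT_CRYPT and GPG_HOME (assumed
# names), plus stub binaries so the behaviour can be exercised offline before
# the wrapper is baked into a repo-server image.
git_wrapper() {
    ec=0
    "${GIT_REAL:-$(dirname "$0")/git.bin}" "$@" || ec=$?
    # As in the article: unlock after any fetch in a git-crypt checkout,
    # whether or not the fetch itself succeeded.
    if [ "$1" = fetch ] && [ -d .git-crypt ]; then
        # Unlock errors are swallowed; the caller only ever sees git's status,
        # so a missing or wrong key surfaces later as undecrypted manifests.
        GNUPGHOME="${GPG_HOME:-/app/config/gpg/keys}" \
            "${GIT_CRYPT:-git-crypt}" unlock 2>/dev/null || :
    fi
    return "$ec"
}

# setup_fixture <dir> <git-exit-code> <git-crypt-exit-code>
# Creates a scratch checkout plus stub git.bin / git-crypt that append every
# invocation (and the GNUPGHOME they saw) to <dir>/calls.log.
setup_fixture() {
    mkdir -p "$1/bin" "$1/repo"
    printf '#!/bin/sh\necho "git $*" >>"%s/calls.log"\nexit %s\n' "$1" "$2" >"$1/bin/git.bin"
    printf '#!/bin/sh\necho "git-crypt $* GNUPGHOME=$GNUPGHOME" >>"%s/calls.log"\nexit %s\n' \
        "$1" "$3" >"$1/bin/git-crypt"
    chmod +x "$1/bin/git.bin" "$1/bin/git-crypt"
}

# run_case <dir> <has-.git-crypt: 0|1> <git args...>
# Prints "exit=<wrapper status>" followed by the recorded calls.
run_case() {
    dir=$1; has_crypt=$2; shift 2
    : >"$dir/calls.log"
    rm -rf "$dir/repo/.git-crypt"
    if [ "$has_crypt" = 1 ]; then mkdir "$dir/repo/.git-crypt"; fi
    rc=0
    ( set +e; cd "$dir/repo" || exit 99
      GIT_REAL="$dir/bin/git.bin" GIT_CRYPT="$dir/bin/git-crypt" GPG_HOME="$dir/keys" \
          git_wrapper "$@" ) || rc=$?
    echo "exit=$rc"
    cat "$dir/calls.log"
}

# Stand-alone demonstration: a failing fetch in an encrypted checkout.
if [ "${1:-}" = demo ]; then
    T=$(mktemp -d); setup_fixture "$T" 128 2
    run_case "$T" 1 fetch origin; rm -rf "$T"
fi
```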

$ kubectl -n argocd set image deploy/argocd-repo-server argocd-repo-server=docker.io/kvaps/argocd-git-crypt:v1.7.3

Now we need to think about how Argo will unlock our repository. Specifically, we need to generate a GPG key for it:

$ kubectl exec -ti deploy/argocd-repo-server -- bash

$ printf "%s\n" \
    "%no-protection" \
    "Key-Type: default" \
    "Subkey-Type: default" \
    "Name-Real: YOUR NAME" \
    "Name-Email: YOUR EMAIL@example.com" \
    "Expire-Date: 0" \
    > genkey-batch

$ gpg --batch --gen-key genkey-batch
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
gpg: keybox '/home/argocd/.gnupg/pubring.kbx' created
gpg: /home/argocd/.gnupg/trustdb.gpg: trustdb created
gpg: key 8CB8B24F50B4797D marked as ultimately trusted
gpg: directory '/home/argocd/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/argocd/.gnupg/openpgp-revocs.d/9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D.rev'

Let's note the key ID 8CB8B24F50B4797D for the following steps and export the key itself:

$ gpg --list-keys
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
/home/argocd/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2020-09-04 [SC]
      9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid           [ultimate] YOUR NAME <YOUR EMAIL@example.com>
sub   rsa3072 2020-09-04 [E]

$ gpg --armor --export-secret-keys 8CB8B24F50B4797D

Let's add it to a separate secret:

# argocd-gpg-keys-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-gpg-keys-secret
  namespace: argocd
stringData:
  8CB8B24F50B4797D: |-
    -----BEGIN PGP PRIVATE KEY BLOCK-----

    lQVYBF9Q8KUBDACuS4p0ctXoakPLqE99YLmdixfF/QIvXVIG5uBXClWhWMuo+D0c
    ZfeyC5GvH7XPUKz1cLMqL6o/u9oHJVUmrvN/g2Mnm365nTGw1M56AfATS9IBp0HH
    O/fbfiH6aMWmPrW8XIA0icoOAdP+bPcBqM4HRo4ssbRS9y/i
    =yj11
    -----END PGP PRIVATE KEY BLOCK-----

$ kubectl apply -f argocd-gpg-keys-secret.yaml

All that remains is to mount it into the argocd-repo-server container; to do that, we edit the deployment:

$ kubectl -n argocd edit deploy/argocd-repo-server

and replace the existing gpg-keys volume with a projected one, in which we list our secret:

   spec:
     template:
       spec:
         volumes:
         - name: gpg-keys
           projected:
             defaultMode: 420
             sources:
             - secret:
                 name: argocd-gpg-keys-secret
             - configMap:
                 name: argocd-gpg-keys-cm

Argo CD automatically loads the gpg keys from this directory when the container starts, so it will load our private key as well.

Let's check:

$ kubectl -n argocd exec -ti deploy/argocd-repo-server -- bash
$ GNUPGHOME=/app/config/gpg/keys gpg --list-secret-keys
gpg: WARNING: unsafe ownership on homedir '/app/config/gpg/keys'
/app/config/gpg/keys/pubring.kbx
--------------------------------
sec   rsa2048 2020-09-05 [SC] [expires: 2021-03-04]
      ED6285A3B1A50B6F1D9C955E5E8B1B16D47FFC28
uid           [ultimate] Anon Ymous (ArgoCD key signing key) <noreply@argoproj.io>

sec   rsa3072 2020-09-03 [SC]
      9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid           [ultimate] YOUR NAME <YOUR EMAIL@example.com>
ssb   rsa3072 2020-09-03 [E]

Great, the key is imported! Now we only need to add Argo CD as a collaborator to our repository, and it will be able to decrypt it automatically on the fly.

Transfer the key to your local computer:

$ gpg --armor --export-secret-keys 8CB8B24F50B4797D > 8CB8B24F50B4797D.pem
$ gpg --import 8CB8B24F50B4797D.pem

Let's set the trust level:

$ gpg --edit-key 8CB8B24F50B4797D
trust
5

Let's add argo as a collaborator to our project:

$ git-crypt add-gpg-user 8CB8B24F50B4797D

Source: www.habr.com