Feature/argocd (#30)

* Added argocd config

* Added dependencies update

* Disabled ES and Kibana

* Updated docs

.gitignore

@@ -85,3 +85,4 @@ certs.yaml
 site/
 cacerts.yaml
 src/terraform/.terraform.lock.hcl
+charts/

docs/installation-argocd.md

@@ -0,0 +1,38 @@
+# Installation
+
+## Local DNS
+
+Since we running completely locally, we want to add some entries to the hosts file to forward domainnames to our locally running cluster.
+Open `C:\Windows\system32\drivers\etc\hosts` in an editor as `Administrator` and add the following entries
+
+```text
+127.0.0.1 k8s.local infrastructure.k8s.local traefik.infrastructure.k8s.local
+127.0.0.1 jaeger.infrastructure.k8s.local prometheus.infrastructure.k8s.local grafana.infrastructure.k8s.local
+127.0.0.1 seq.infrastructure.k8s.local
+127.0.0.1 consul.infrastructure.k8s.local vault.infrastructure.k8s.local
+127.0.0.1 es.infrastructure.k8s.local kibana.infrastructure.k8s.local
+127.0.0.1 login.k8s.local admin.login.k8s.local api.login.k8s.local
+127.0.0.1 argo.k8s.local
+```
+
+## Generating the CA certificate k8s secret with mkcert
+
+We use self-signed certificates instead of LetsEncrypt as the latter would require either a proper DNS domain which is publically available or an publically accessible HTTP endpoint. Neither might be an option in a local development setup, so we'll go with the self-signed option for now. We could extend it further later on.
+
+To be able to generate the certficates for `k8s.local` and `*.k8s.local`, we'll use `cert-manager` and provide it with the CA certificate from [mkcert](https://github.com/FiloSottile/mkcert) which you can install easily with `choco install mkcert`. The certificates will be created by `cert-manager` and as the CA is available on our local machine through mkcert, those will also be valid in the local browser (only).
+
+```powershell
+# execute under elevated Administrator privileges
+mkcert --install
+copy $env:LOCALAPPDATA\mkcert\rootCA.pem ./src/certs/cacerts.crt
+copy $env:LOCALAPPDATA\mkcert\rootCA-key.pem ./src/certs/cacerts.key
+
+# Create a k8s secret manifest containing the CA Root certificate of mkcert
+kubectl create secret tls ca-key-pair --namespace=cert-manager --cert=./src/certs/cacerts.crt --key=./src/certs/cacerts.key  --dry-run=client -o yaml > ./src/argocd/base/cert-manager/crds/cacerts.yaml
+```
+
+Next run the installer:
+
+```powershell
+./src/argocd/install.ps1
+```

docs/installation.md → docs/installation-skaffold.md

@@ -2,7 +2,7 @@
 
 ## Local DNS
 
-Since we running completely locally, we want to add some entries to the hosts file.
+Since we running completely locally, we want to add some entries to the hosts file to forward domainnames to our locally running cluster.
 Open `C:\Windows\system32\drivers\etc\hosts` in an editor as `Administrator` and add the following entries
 
 ```text
@@ -33,6 +33,7 @@ kubectl create secret tls ca-key-pair --namespace=cert-manager --cert=./src/cert
 ## Adding helm repo's
 
 ```powershell
+helm repo add argo https://argoproj.github.io/argo-helm
 helm repo add hashicorp https://helm.releases.hashicorp.com
 helm repo add jaegertracing https://jaegertracing.github.io/helm-charts
 helm repo add bitnami https://charts.bitnami.com/bitnami

docs/preparation/cli.md

@@ -1,5 +1,7 @@
 # Installing commandline tools
 
+## Choco
+
 Install/download the CLIs.
 
 ```powershell
@@ -10,3 +12,13 @@ choco install kubernetes-cli
 choco install kubernetes-helm
 choco install skaffold
 ```
+
+## Installing the argoCD CLI
+
+Follow the [guide](https://argoproj.github.io/argo-cd/cli_installation/)
+
+For 2.0.3 and env variable needs to be set holding the name of the executable. This is missing from the docs.
+
+```powershell
+$env:ARGOCD_BINARY_NAME = 'argocd'
+```

mkdocs.yml

@@ -13,7 +13,9 @@ nav:
           - Minikube: './preparation/minikube.md'
           - Kind: './preparation/kind.md'
         - Testing Ingress: './preparation/test-ingress-controller.md'
-      - Install: './installation.md'
+      - Install:
+        - Skaffold: './installation-skaffold.md'
+        - ArgoCD: './installation-argocd.md'
     - About:
         - 'License': 'license.md'
         - 'Release Notes': 'release-notes.md'

src/argocd/argo/argo-values.yaml

@@ -0,0 +1,160 @@
+global:
+    image:
+      tag: v2.0.3
+server:
+  # resources:
+  #   limits:
+  #     cpu: 200m
+  #     memory: 256Mi
+  #   requests:
+  #     cpu: 100m
+  #     memory: 128Mi
+  ingress:
+    enabled: true
+    annotations:
+      traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
+      traefik.ingress.kubernetes.io/router.middlewares: default-redirect-http@kubernetescrd
+    labels: {}
+    hosts:
+      - argo.k8s.local
+    paths:
+      - /
+    extraPaths:
+      - path: /*
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 443
+    tls:
+      - secretName: argocd-tls-certificate
+        hosts:
+          - argo.k8s.local
+    https: true
+  ingressGrpc:
+    enabled: true
+    annotations:
+      traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
+      traefik.ingress.kubernetes.io/router.middlewares: default-redirect-http@kubernetescrd
+    labels: {}
+    hosts:
+      - argo.k8s.local
+    paths:
+      - /
+    extraPaths:
+      - path: /*
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 443
+    tls:
+      - secretName: argocd-tls-certificate
+        hosts:
+          - argo.k8s.local
+    https: true
+  extraArgs: []
+    # - --insecure
+  certificate:
+    enabled: true
+    domain: argo.k8s.local
+    issuer:
+      kind: ClusterIssuer
+      name: selfsigned-ca-issuer
+    additionalHosts: []
+    secretName: argocd-tls-certificate
+  config:
+    url: https://argo.k8s.local
+    repositories: |
+      - type: helm
+        name: stable
+        url: https://charts.helm.sh/stable
+      - type: helm
+        name: argo-cd
+        url: https://argoproj.github.io/argo-helm
+      - type: helm
+        name: cert-manager
+        url: https://charts.jetstack.io
+      - type: helm
+        name: traefik
+        url: https://helm.traefik.io/traefik
+    resource.customizations: |
+      argoproj.io/Application:
+        health.lua: |
+          hs = {}
+          hs.status = "Progressing"
+          hs.message = ""
+          if obj.status ~= nil then
+            if obj.status.health ~= nil then
+              hs.status = obj.status.health.status
+              if obj.status.health.message ~= nil then
+                hs.message = obj.status.health.message
+              end
+            end
+          end
+          return hs
+      jaegertracing.io/Jaeger:
+          health.lua: |
+            hs = {}
+            hs.status = "Healthy"
+            return hs
+      admissionregistration.k8s.io/ValidatingWebhookConfiguration:
+        ignoreDifferences: |
+          jsonPointers:
+          - /webhooks/0/clientConfig/caBundle
+          - /webhooks/1/clientConfig/caBundle
+          - /webhooks/2/clientConfig/caBundle
+          - /webhooks/3/clientConfig/caBundle
+          - /webhooks/4/clientConfig/caBundle
+          - /webhooks/5/clientConfig/caBundle
+          - /webhooks/6/clientConfig/caBundle
+          - /webhooks/7/clientConfig/caBundle
+          - /webhooks/8/clientConfig/caBundle
+          - /webhooks/9/clientConfig/caBundle
+      admissionregistration.k8s.io/MutatingWebhookConfiguration:
+        ignoreDifferences: |
+          jsonPointers:
+          - /webhooks/0/clientConfig/caBundle
+          - /webhooks/1/clientConfig/caBundle
+          - /webhooks/2/clientConfig/caBundle
+          - /webhooks/3/clientConfig/caBundle
+          - /webhooks/4/clientConfig/caBundle
+          - /webhooks/5/clientConfig/caBundle
+          - /webhooks/6/clientConfig/caBundle
+          - /webhooks/7/clientConfig/caBundle
+
+# controller:
+  # resources:
+  #   limits:
+  #     cpu: 500m
+  #     memory: 1Gi
+  #   requests:
+  #     cpu: 250m
+  #     memory: 500Mi
+dex:
+  enabled: false
+  # resources:
+  #  limits:
+  #    cpu: 50m
+  #    memory: 64Mi
+  #  requests:
+  #    cpu: 10m
+  #    memory: 32Mi
+# redis:
+  # resources:
+  #  limits:
+  #    cpu: 200m
+  #    memory: 128Mi
+  #  requests:
+  #    cpu: 100m
+  #    memory: 64Mi
+# repoServer:
+  # resources:
+  #   limits:
+  #     cpu: 50m
+  #     memory: 128Mi
+  #   requests:
+  #     cpu: 10m
+  #     memory: 64Mi

src/argocd/argo/cert-manager/crds/cluster-issuer.yaml

@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-ca-issuer
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: ca-key-pair

src/argocd/argo/traefik/crds/cert-store.yaml

@@ -0,0 +1,9 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: traefik
+
+spec:
+  defaultCertificate:
+    secretName: traefik-cert

src/argocd/argo/traefik/crds/dashboard.yaml

@@ -0,0 +1,17 @@
+# dashboard.yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: dashboard
+  namespace: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik.infrastructure.k8s.local`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+          tls:
+            - secretName: traefik-cert

src/argocd/argo/traefik/crds/http-redirect-middleware.yaml

@@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-http
+spec:
+  redirectScheme:
+    scheme: https

src/argocd/argo/traefik/crds/traefik-cert.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-cert
+  namespace: traefik
+spec:
+  secretName: traefik-cert
+  issuerRef:
+    name: selfsigned-ca-issuer
+    kind: ClusterIssuer
+  commonName: traefik-cert
+  dnsNames:
+  - k8s.local
+  - '*.k8s.local'
+  - '*.infrastructure.k8s.local'
+  - '*.login.k8s.local'