Switch to kustomize2 as default. Add argocd-ha install manifests (arg…

…oproj#1169)

.argo-ci/ci.yaml

@@ -44,7 +44,8 @@ spec:
           repo: "{{workflow.parameters.repo}}"
           revision: "{{workflow.parameters.revision}}"
     container:
-      image: argoproj/argo-cd-ci-builder:latest
+      image: argoproj/argo-cd-ci-builder:v0.12.0
+      imagePullPolicy: Always
       command: [bash, -c]
       args: ["{{inputs.parameters.cmd}}"]
       workingDir: /go/src/github.com/argoproj/argo-cd
@@ -72,7 +73,8 @@ spec:
           repo: "{{workflow.parameters.repo}}"
           revision: "{{workflow.parameters.revision}}"
     container:
-      image: argoproj/argo-cd-ci-builder:latest
+      image: argoproj/argo-cd-ci-builder:v0.12.0
+      imagePullPolicy: Always
       command: [sh, -c]
       args: ["until docker ps; do sleep 3; done && {{inputs.parameters.cmd}}"]
       workingDir: /go/src/github.com/argoproj/argo-cd

Dockerfile

@@ -45,31 +45,34 @@ RUN wget https://github.com/gobuffalo/packr/releases/download/v${PACKR_VERSION}/
 # Keep version at 1.12.X until https://github.com/argoproj/argo-cd/issues/1012 is resolved
 ENV KUBECTL_VERSION=1.12.4
 RUN curl -L -o /usr/local/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl && \
-    chmod +x /usr/local/bin/kubectl
+    chmod +x /usr/local/bin/kubectl && \
+    kubectl version --client
 
 # Install ksonnet
 ENV KSONNET_VERSION=0.13.1
 RUN wget https://github.com/ksonnet/ksonnet/releases/download/v${KSONNET_VERSION}/ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
     tar -C /tmp/ -xf ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
-    mv /tmp/ks_${KSONNET_VERSION}_linux_amd64/ks /usr/local/bin/ks
-# NOTE: we occasionally switch between tip of master ksonnet vs. official builds. Run the following
-# to use tip instead of official release:
-#RUN go get -v -u github.com/ksonnet/ksonnet && mv ${GOPATH}/bin/ksonnet /usr/local/bin/ks
+    mv /tmp/ks_${KSONNET_VERSION}_linux_amd64/ks /usr/local/bin/ks && \
+    ks version
 
 # Install helm
 ENV HELM_VERSION=2.12.1
 RUN wget https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
     tar -C /tmp/ -xf helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
-    mv /tmp/linux-amd64/helm /usr/local/bin/helm
+    mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
+    helm version --client
 
 # Install kustomize
-ENV KUSTOMIZE_VERSION=1.0.11
-RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/kustomize
+ENV KUSTOMIZE1_VERSION=1.0.11
+RUN curl -L -o /usr/local/bin/kustomize1 https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE1_VERSION}/kustomize_${KUSTOMIZE1_VERSION}_linux_amd64 && \
+    chmod +x /usr/local/bin/kustomize1 && \
+    kustomize1 version
+
 
-ENV KUSTOMIZE2_VERSION=2.0.1
-RUN curl -L -o /usr/local/bin/kustomize2 https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE2_VERSION}/kustomize_${KUSTOMIZE2_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/kustomize2
+ENV KUSTOMIZE_VERSION=2.0.1
+RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
+    chmod +x /usr/local/bin/kustomize && \
+    kustomize version
 
 # Install AWS IAM Authenticator
 ENV AWS_IAM_AUTHENTICATOR_VERSION=0.4.0-alpha.1
@@ -94,8 +97,8 @@ RUN groupadd -g 999 argocd && \
 COPY --from=builder /usr/local/bin/ks /usr/local/bin/ks
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/kubectl
+COPY --from=builder /usr/local/bin/kustomize1 /usr/local/bin/kustomize1
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
-COPY --from=builder /usr/local/bin/kustomize2 /usr/local/bin/kustomize2
 COPY --from=builder /usr/local/bin/aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
 
 # workaround ksonnet issue https://github.com/ksonnet/ksonnet/issues/298

docs/README.md

@@ -6,6 +6,15 @@
 * [Architecture](architecture.md)
 * [Tracking Strategies](tracking_strategies.md)
 
+## Quick Reference
+| Name | Kind | Description |
+|------|------|-------------|
+| [`argocd-cm.yaml`](argocd-cm.yaml) | ConfigMap | General Argo CD configuration |
+| [`argocd-secret.yaml`](argocd-secret.yaml) | Secret | Password, Certificates, Signing Key |
+| [`argocd-rbac-cm.yaml`](argocd-rbac-cm.yaml) | ConfigMap | RBAC Configuration |
+| [`application.yaml`](application.yaml) | Application | Example application spec |
+| [`project.yaml`](argocd-rbac-cm.yaml) | AppProject | Example project spec |
+
 ## Features
 * [Application Sources](application_sources.md)
 * [Application Parameters](parameters.md)
@@ -19,11 +28,11 @@
 * [RBAC](rbac.md)
 * [Declarative Setup](declarative-setup.md)
 * [Prometheus Metrics](metrics.md)
+* [Custom Tooling](custom_tools.md)
 
 ## Other
 * [Security](security.md)
 * [Best Practices](best_practices.md)
 * [Configuring Ingress](ingress.md)
 * [Integration with CI Pipelines](ci_automation.md)
-* [Custom Tooling](custom_tools.md)
 * [F.A.Q.](faq.md)

docs/application.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: guestbook
+spec:
+  # The project the application belongs to.
+  project: default
+
+  # Source of the application manifests
+  source:
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+    path: guestbook
+
+    # helm specific config
+    helm:
+      valueFiles:
+      - values-prod.yaml
+
+    # kustomize specific config
+    kustomize:
+      namePrefix: prod-
+
+    # directory
+    directory:
+      recurse: true
+
+    # plugin specific config
+    plugin:
+    - name: mypluginname
+
+  # Destination cluster and namespace to deploy the application
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: guestbook
+
+  # Sync policy
+  syncPolicy:
+    automated:
+      prune: true
+
+  # Ignore differences at the specified json pointers
+  ignoreDifferences:
+  - group: apps
+    kind: Deployment
+    jsonPointers:
+    - /spec/replicas

docs/argocd-cm.yaml

@@ -0,0 +1,104 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  # Argo CD's externally facing base URL (optional). Required when configuring SSO
+  url: https://argo-cd-demo.argoproj.io
+
+  # A dex connector configuration (optional). See SSO configuration documentation:
+  # https://github.com/argoproj/argo-cd/blob/master/docs/sso.md
+  # https://github.com/dexidp/dex/tree/master/Documentation/connectors
+  dex.config: |
+    connectors:
+      # GitHub example
+      - type: github
+        id: github
+        name: GitHub
+        config:
+          clientID: aabbccddeeff00112233
+          clientSecret: $dex.github.clientSecret
+          orgs:
+          - name: your-github-org
+            teams:
+            - red-team
+
+  # OIDC configuration as an alternative to dex (optional).
+  oidc.config: |
+    name: Okta
+    issuer: https://dev-123456.oktapreview.com
+    clientID: aaaabbbbccccddddeee
+    clientSecret: $oidc.okta.clientSecret
+
+  # Git repositories configure Argo CD with (optional).
+  # This list is updated when configuring/removing repos from the UI/CLI
+  repositories: |
+    - url: https://github.com/argoproj/my-private-repository
+      passwordSecret:
+        name: my-secret
+        key: password
+      usernameSecret:
+        name: my-secret
+        key: username
+      sshPrivateKeySecret:
+        name: my-secret
+        key: sshPrivateKey
+
+  # Non-standard and private Helm repositories (optional).
+  helm.repositories: |
+    - url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
+      name: istio.io
+    - url: https://my-private-chart-repo.internal
+      name: private-repo
+      usernameSecret:
+        name: my-secret
+        key: username
+      passwordSecret:
+        name: my-secret
+        key: password
+
+  # Configuration to customize resource behavior (optional). Keys are in the form: group/Kind.
+  resource.customizations: |
+    admissionregistration.k8s.io/MutatingWebhookConfiguration:
+      # List of json pointers in the object to ignore differences
+      ignoreDifferences:
+        jsonPointers:
+        - webhooks/0/clientConfig/caBundle
+    certmanager.k8s.io/Certificate:
+      # Lua script for customizing the health status assessment
+      health.lua: |
+        hs = {}
+        if obj.status ~= nil then
+          if obj.status.conditions ~= nil then
+            for i, condition in ipairs(obj.status.conditions) do
+              if condition.type == "Ready" and condition.status == "False" then
+                hs.status = "Degraded"
+                hs.message = condition.message
+                return hs
+              end
+              if condition.type == "Ready" and condition.status == "True" then
+                hs.status = "Healthy"
+                hs.message = condition.message
+                return hs
+              end
+            end
+          end
+        end
+        hs.status = "Progressing"
+        hs.message = "Waiting for certificate"
+        return hs
+
+  # Configuration to completely ignore entire classes of resource group/kinds (optional).
+  # Excluding high-volume resources improves performance and memory usage, and reduces load and 
+  # bandwidth to the Kubernetes API server.
+  # NOTE: events.k8s.io and metrics.k8s.io are excluded by default
+  excludedResources: |
+    - apiGroups:
+      - repositories.stash.appscode.com
+      kinds:
+      - Snapshot
+
+  # The metadata.label key name where Argo CD injects the app name as a tracking label (optional).
+  # Tracking labels are used to determine which resources need to be deleted when pruning.
+  # If omitted, Argo CD injects the app name into the label: 'app.kubernetes.io/instance'
+  application.instanceLabelKey: mycompany.com/appname

docs/argocd-rbac-cm.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+data:
+  # policy.csv is an file containing user-defined RBAC policies and role definitions (optional).
+  # Policy rules are in the form:
+  #   p, subject, resource, action, object, effect
+  # Role definitions and bindings are in the form:
+  #   g, subject, inherited-subject
+  # See https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md for additional information.
+  policy.csv: |
+    # Grant all members of the group 'my-org:team-alpha; the ability to sync apps in 'my-project'
+    p, my-org:team-alpha, applications, sync, my-project/*, allow
+    # Grant all members of 'my-org:team-beta' admins
+    g, my-org:team-beta, role:admin
+
+  # policy.default is the name of the default role which Argo CD will falls back to, when
+  # authorizing API requests (optional). If omitted or empty, users may be still be able to login,
+  # but will see no apps, projects, etc...
+  policy.default: role:readonly

docs/argocd-secret.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-secret
+type: Opaque
+data:
+  # TLS certificate and private key for API server (required).
+  # Autogenerated with a self-signed ceritificate when keys are missing or invalid.
+  tls.crt:
+  tls.key:
+
+  # bcrypt hash of the admin password and its last modified time (required).
+  # Autogenerated to be the name of the argocd-server pod when missing.
+  admin.password:
+  admin.passwordMtime:
+
+  # random server signature key for session validation (required).
+  # Autogenerated when missing.
+  server.secretkey:
+
+  # Shared secrets for authenticating GitHub, GitLab, BitBucket webhook events (optional).
+  # See https://github.com/argoproj/argo-cd/blob/master/docs/webhook.md for additional details.
+  github.webhook.secret:
+  gitlab.webhook.secret:
+  bitbucket.webhook.uuid:

docs/declarative-setup.md

@@ -2,14 +2,23 @@
 
 Argo CD applications, projects and settings can be defined declaratively using Kubernetes manifests.
 
+## Quick Reference
+| Name | Kind | Description |
+|------|------|-------------|
+| [`argocd-cm.yaml`](argocd-cm.yaml) | ConfigMap | General Argo CD configuration |
+| [`argocd-secret.yaml`](argocd-secret.yaml) | Secret | Password, Certificates, Signing Key |
+| [`argocd-rbac-cm.yaml`](argocd-rbac-cm.yaml) | ConfigMap | RBAC Configuration |
+| [`application.yaml`](application.yaml) | Application | Example application spec |
+| [`project.yaml`](argocd-rbac-cm.yaml) | AppProject | Example project spec |
+
 ## Applications
 
 The Application CRD is the Kubernetes resource object representing a deployed application instance
 in an environment. It is defined by two key pieces of information:
 * `source` reference to the desired state in git (repository, revision, path, environment)
 * `destination` reference to the target cluster and namespace.
 
-An example Application spec is as follows:
+A minimal Application spec is as follows:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -27,6 +36,8 @@ spec:
     namespace: guestbook
 ```
 
+See [application.yaml](application.yaml) for additional fields
+
 ## Projects
 The AppProject CRD is the Kubernetes resource object representing a logical grouping of applications.
 It is defined by the following key pieces of information:
@@ -95,27 +106,21 @@ Example:
 
 ```yaml
 apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
 data:
-  dex.config: |
-    connectors:
-    - type: github
-      id: github
-      name: GitHub
-      config:
-        clientID: e8f597564a82e99ba9aa
-        clientSecret: e551007c6c6dbc666bdade281ff095caec150159
   repositories: |
-    - passwordSecret:
-        key: password
+    - url: https://github.com/argoproj/my-private-repository
+      passwordSecret:
         name: my-secret
-      url: https://github.com/argoproj/my-private-repository
+        key: password
       usernameSecret:
+        name: my-secret
         key: username
+      sshPrivateKeySecret:
         name: my-secret
-  url: http://localhost:4000
-kind: ConfigMap
-metadata:
-  name: argocd-cm
+        key: sshPrivateKey
 ```
 
 ## Clusters
@@ -198,10 +203,10 @@ data:
       name: istio.io
     - url: https://argoproj.github.io/argo-helm
       name: argo
-      caUsername:
+      usernameSecret:
         name: my-secret
         key: username
-      caPassword:
+      passwordSecret:
         name: my-secret
         key: password
       caSecret: