ArgoCD Install (Manual)¶
Run these steps on master 1 only.
1. Prepare certificate¶
1.1 Create CSR file¶
- 1.1.1 Create private key, and CSR (Certificate Signing Request) file
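# Key material lives in ~/ssl_key on master1. Only the CSR leaves this host
# (to the CA in step 1.2); tls.key is the private key for every ingress and
# must stay here, owner-readable only.
mkdir -p ~/ssl_key && cd ~/ssl_key
openssl genrsa -out ~/ssl_key/tls.key 2048
chmod 600 ~/ssl_key/tls.key
# Clients validate the SAN, not the CN, so carry the wildcard name in the CSR
# itself as well as in the CA attribute of step 1.2.4 (-addext needs OpenSSL 1.1.1+).
# The Common Name is still asked for interactively (see below).
openssl req -new -key ~/ssl_key/tls.key -out ~/ssl_key/tls.csr \
  -addext "subjectAltName=DNS:*.wzs-sat-poc-01.k8s.wistron.com"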
When prompted, enter Common Name: *.wzs-sat-poc-01.k8s.wistron.com
1.2 Create SSL certificate¶
- 1.2.1 Open Wistron ADCA and click Request a certificate
- 1.2.2 Click
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- 1.2.3 View and copy master1 CSR file content
- 1.2.4 Paste the master1 CSR file content into Saved Request, select Certificate Template → Wistron Client and Server Authentication, enter Additional Attributes: san:dns=*.wzs-sat-poc-01.k8s.wistron.com, then click Submit
- 1.2.5 Download certificate, and rename to
wzs-sat-poc-01.k8s.wistron.com.cer
- 1.2.6 Upload SSL certificate to master1
1.3 Create sealed-secrets key¶
- 1.3.1 Prepare the init-keypair script with the content below
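#!/bin/bash
# init-keypair: create (or reuse) the sealed-secrets master key pair for one
# site/environment and register it in kube-system as the active sealing key.
#
# Usage:    init-keypair <site> <env>
# Creates:  <site>-<env>.key / <site>-<env>.crt in the current directory.
#           The .key is the private sealing key — never commit or copy it;
#           the .crt is what kubeseal uses (step 1.3.4) and is safe to share.
# Requires: openssl, kubectl with access to the kube-system namespace.
set -euo pipefail

if [ "$#" -ne 2 ]; then
  printf 'Usage: %s <site> <env>\n' "${0##*/}" >&2
  exit 2
fi

export ORGNAME="Wistron"
export SITENAME="$1"
export ENVNAME="$2"
export KEYNAME="$SITENAME"-"$ENVNAME"
export PRIVATEKEY="$KEYNAME.key"
export PUBLICKEY="$KEYNAME.crt"
export SECRETNAME="sealed-secrets-master-$KEYNAME"

# Reuse an existing pair: generating a new one would leave every secret already
# sealed with the old key undecryptable by the controller.
if [ ! -f "$PRIVATEKEY" ]; then
  echo "Generating new key pair for: $KEYNAME"
  openssl req -x509 -days 36000 -nodes -newkey rsa:4096 \
    -keyout "$PRIVATEKEY" -out "$PUBLICKEY" -subj "/CN=$SECRETNAME/O=$ORGNAME"
  chmod 600 "$PRIVATEKEY"   # private sealing key: owner-only
else
  echo "Using existing key pair: $KEYNAME"
fi

echo "Applying key pair to k8s..."
# 'create' fails when the secret already exists, which under set -e would abort
# before the label step; skip creation on re-runs instead of replacing the live key.
if kubectl -n kube-system get secret "$SECRETNAME" >/dev/null 2>&1; then
  echo "Secret $SECRETNAME already exists, leaving it unchanged"
else
  kubectl -n kube-system create secret tls "$SECRETNAME" --cert="$PUBLICKEY" --key="$PRIVATEKEY"
fi
# --overwrite keeps the labelling idempotent; this label is what makes the
# controller pick the key up as its active sealing key.
kubectl -n kube-system label --overwrite secret "$SECRETNAME" sealedsecrets.bitnami.com/sealed-secrets-key=active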
- 1.3.2 Generate secret
- 1.3.3 Install kubeseal
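# Pin one release and make curl fail on HTTP errors: without -f a 404 page is
# saved under the tarball name and tar then fails with a misleading error.
kubeseal_version=0.28.0
curl -fsSLO "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${kubeseal_version}/kubeseal-${kubeseal_version}-linux-amd64.tar.gz"
# Before unpacking, verify the archive against the checksum file published on
# the same release page (path below is a placeholder for that file):
#   sha256sum --ignore-missing -c <CHECKSUMS_FILE_FROM_RELEASE_PAGE>
tar xzf "kubeseal-${kubeseal_version}-linux-amd64.tar.gz" kubeseal # Only unzip kubeseal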
- 1.3.4 Export the encrypted domain certificate as the default-ingress-cert.yaml file
# Seal the ingress TLS secret without ever sending the key to the cluster here:
# --dry-run=client only renders the Secret, and kubeseal encrypts it with the
# public sealing cert (.crt written by init-keypair). The resulting
# default-ingress-cert.yaml is safe to keep in git; tls.key is not.
kubectl -n kube-system create secret tls default-ingress-cert \
    --cert=./wzs-sat-poc-01.k8s.wistron.com.cer \
    --key=./tls.key \
    --dry-run=client -o yaml \
  | ./kubeseal --cert=./sealed-wzs-poc-01.crt -o yaml \
  > default-ingress-cert.yaml
2. Prepare config file¶
2.1 default-ingress-cert.yaml¶
# ArgoCD config tree under /etc/argocd; the sealed ingress cert from step 1.3.4
# goes into gitlab/config/.
mkdir -p /etc/argocd/gitlab/config /etc/argocd/gitlab/namespace /etc/argocd/gitlab/plugins \
  && cd /etc/argocd
cp -- ~/ssl_key/default-ingress-cert.yaml ./gitlab/config/
2.2 argo.yaml¶
Add below content, and change
sourceRepos
# See https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/
# tenant-apps: cluster-scoped resources are fully blacklisted, but the '*'/'*'
# destination still lets tenant apps create namespaced resources in any
# namespace (argocd and kube-system included). Narrow destinations per tenant
# namespace if that is not intended.
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: tenant-apps
namespace: argocd
spec:
sourceRepos:
- 'https://wzs-sat-poc-gitlab.wistron.com/ccoe/releasemanagement.git' # to-do change
destinations:
- namespace: '*'
server: '*'
clusterResourceBlacklist:
- group: '*'
kind: '*'
# Tenants cannot change their own quotas, limit ranges or network isolation.
# Role/RoleBinding are not in this list, so tenants can still grant RBAC
# within the namespaces they deploy to — confirm that is acceptable.
namespaceResourceBlacklist:
- group: ''
kind: ResourceQuota
- group: ''
kind: LimitRange
- group: ''
kind: NetworkPolicy
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: argocd-metrics
labels:
release: prometheus-operator
namespace: argocd
spec:
selector:
matchLabels:
app.kubernetes.io/name: argocd-metrics
endpoints:
- port: metrics
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: argocd-server-metrics
labels:
release: prometheus-operator
namespace: argocd
spec:
selector:
matchLabels:
app.kubernetes.io/name: argocd-server-metrics
endpoints:
- port: metrics
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: argocd-repo-server-metrics
labels:
release: prometheus-operator
namespace: argocd
spec:
selector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
endpoints:
- port: metrics
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: argocd-applicationset-controller-metrics
labels:
release: prometheus-operator
namespace: argocd
spec:
selector:
matchLabels:
app.kubernetes.io/name: argocd-applicationset-controller
endpoints:
- port: metrics
2.3 argocd-rbac-cm.yaml¶
Add below content
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
data:
# Any authenticated user not matched by policy.csv falls back to role:readonly,
# i.e. read access to all projects/applications and their rendered manifests.
# Leave the default role empty if non-admins should see nothing by default.
policy.default: role:readonly
# argocdadmins is presumably a group claim from the SSO provider — confirm the
# claim name; it is the only subject granted role:admin.
policy.csv: |
g, argocdadmins, role:admin
2.4 ingress-patch.yaml¶
Add below content
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-ingress-nginx
namespace: kube-system
spec:
valuesContent: |-
controller:
# With the admission webhook off, invalid Ingress objects are no longer rejected
# at apply time and can break the controller's rendered config on reload.
# Keep it disabled only if the webhook is known to be unreachable in this setup.
admissionWebhooks:
enabled: false
extraArgs:
# Must match the sealed Secret produced in step 1.3.4 (kube-system/default-ingress-cert).
default-ssl-certificate: "kube-system/default-ingress-cert"
config:
proxy-body-size: 1024m
proxy-read-timeout: "300"
ssl-protocols: 'TLSv1.2 TLSv1.3'
# Snippet annotations let any Ingress author inject raw nginx config; keep them off.
allow-snippet-annotations: false
2.5 logging-operator-config.yaml¶
Add below content
# Feed all container logs to the local Loki instance
# NOTE(review): loki-flow below keeps only records whose message matches
# /error/i, so what actually reaches loki-output is error-like lines, not all
# logs — adjust either the filter or this description.
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata:
name: loki-output
namespace: cattle-logging-system
spec:
loki:
# Plaintext in-cluster endpoint; the same Loki the Grafana datasource in 3.13 uses.
url: http://loki.loki-system:3100
configure_kubernetes_labels: true
buffer:
timekey: 1m
timekey_wait: 30s
timekey_use_utc: true
flush_mode: immediate
flush_thread_count: 12
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterFlow
metadata:
name: loki-flow
namespace: cattle-logging-system
spec:
filters:
# Only records whose `message` matches /error/i pass this filter.
- grep:
regexp:
- key: message
pattern: /error/i
match:
# Empty select: every container in every namespace.
- select: {}
globalOutputRefs:
- loki-output
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata:
name: system-output
namespace: cattle-logging-system
spec:
loki:
# Same settings as loki-output; presumably kept separate so kube-system can
# be shipped unfiltered by system-flow below.
url: http://loki.loki-system:3100
configure_kubernetes_labels: true
buffer:
timekey: 1m
timekey_wait: 30s
timekey_use_utc: true
flush_mode: immediate
flush_thread_count: 12
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterFlow
metadata:
name: system-flow
namespace: cattle-logging-system
spec:
# No filters: kube-system logs are shipped in full.
filters:
match:
- select:
namespaces:
- kube-system
globalOutputRefs:
- system-output
2.6 metallb-config.yaml¶
Add the content below and assign the business IP, for example 10.41.243.201 (in the same IP segment as the worker nodes)
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: ip-pool
namespace: metallb-system
spec:
addresses:
- 10.41.243.201/32 # to-do change
autoAssign: false
avoidBuggyIPs: true
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: l2advertise
namespace: metallb-system
spec:
ipAddressPools:
- ip-pool
2.7 otel-collector.yaml¶
Add below content
apiVersion: opentelemetry.io/v1alpha1
kind: OpenTelemetryCollector
metadata:
name: otel
namespace: otel-system
spec:
mode: deployment # This configuration is omittable.
config: |
receivers:
# All receivers listen on all interfaces without TLS or auth; restrict who can
# reach the collector Service with a NetworkPolicy.
otlp:
protocols:
grpc: # endpoint = 0.0.0.0:4317 (default)
http: # endpoint = 0.0.0.0:4318 (default)
jaeger:
protocols:
grpc:
thrift_binary:
thrift_compact:
thrift_http:
zipkin:
opencensus:
endpoint: 0.0.0.0:55678
processors:
batch:
exporters:
otlp:
# otlp grpc protocol
# NOTE(review): the Grafana Tempo datasource in 3.13 points at
# tempo.tempo-system, and no Tempo Application is listed in section 3 —
# one of the two namespaces is presumably stale; confirm where Tempo runs.
endpoint: "tempo.cattle-monitoring-system:4317"
# Plaintext export: spans are readable by anything on the in-cluster path.
tls:
insecure: true
# Declared but not referenced by the pipeline below; debug logging of every
# span is very noisy if it is ever wired in.
logging:
loglevel: debug
service:
pipelines:
traces:
receivers: [otlp, jaeger, zipkin]
# batch is defined above but not used here — confirm whether that is intended.
processors: []
exporters: [otlp]
- Check config file
3. Prepare plugins¶
3.1 cert-manager.yaml¶
Add below content
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
source:
repoURL: harbor.wistron.com/k8sprdwhqcog # todo
chart: cert-manager
targetRevision: v1.11.0
helm:
values: |
installCRDs: true
3.2 csi-driver.yaml¶
Add below content
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: csi-driver
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: default
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: secrets-store-csi-driver
targetRevision: 1.2.4
helm:
values: |
linux:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: type
operator: NotIn
values:
- virtual-kubelet
- key: agentpool
operator: NotIn
values:
- system
# All images are pinned by tag and pulled from the harbor mirror; pullPolicy
# Always means every pod start depends on harbor being reachable.
crds:
image:
pullPolicy: Always
repository: harbor.wistron.com/k8sprdwhqcog/csi-secrets-store/driver-crds
tag: v1.2.4
image:
pullPolicy: Always
repository: harbor.wistron.com/k8sprdwhqcog/csi-secrets-store/driver
tag: v1.2.4
registrarImage:
pullPolicy: Always
repository: harbor.wistron.com/k8sprdwhqcog/csi-node-driver-registrar
tag: v2.5.1
livenessProbeImage:
pullPolicy: Always
repository: harbor.wistron.com/k8sprdwhqcog/livenessprobe
tag: v2.7.0
# Mirrors mounted provider secrets into Kubernetes Secret objects (needed for
# env-var injection). Anyone with secrets read in the target namespace then
# sees them; leave this off unless a workload really needs it.
syncSecret:
enabled: true
3.3 csi-providor.yaml¶
Add below content
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vault-csi-exporter
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: default
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: vault
targetRevision: 0.22.1
helm:
values: |
injector:
# Quoted "false" is a string, not a boolean; whether it disables the injector
# depends on how the chart tests the flag — prefer an unquoted false.
enabled: "false"
server:
# Dev mode: in-memory storage, auto-unsealed, root token in the logs.
# Acceptable for a PoC only; never for anything holding real secrets.
dev:
enabled: true
csi:
enabled: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-auth
namespace: default
---
apiVersion: v1
kind: Secret
metadata:
name: vault-auth
namespace: default
annotations:
kubernetes.io/service-account.name: vault-auth
# Long-lived token for vault-auth, used by Vault's Kubernetes auth method.
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: role-tokenreview-binding-all
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-auth
namespace: default
# Binding system:auth-delegator to the system:serviceaccounts group grants
# every service account in the cluster TokenReview/SubjectAccessReview rights.
# Only vault-auth needs them; drop this subject unless there is a reason for it.
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
3.4 goldilocks.yaml¶
Add below content, and change vpa host:
vpa.wzs-sat-poc-01.k8s.wistron.com
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: goldilocks
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: goldilocks
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: goldilocks
targetRevision: 7.2.0
helm:
values: |
uninstallVPA: false
vpa:
enabled: true
recommender:
enabled: true
image:
repository: harbor.wistron.com/k8sprdwhqcog/vpa-recommender
tag: 0.14.0
extraArgs:
prometheus-address: |
http://prometheus-operated.cattle-monitoring-system:9090
storage: prometheus
replicaCount: 1
resources:
limits:
cpu: 2000m
memory: 8192Mi
requests:
cpu: 500m
memory: 2048Mi
updater:
enabled: true
image:
repository: harbor.wistron.com/k8sprdwhqcog/vpa-updater
tag: 0.14.0
replicaCount: 1
resources:
limits:
cpu: 200m
memory: 4096Mi
requests:
cpu: 50m
memory: 500Mi
admissionController:
enabled: true
replicaCount: 1
generateCertificate: true
certGen:
image:
repository: harbor.wistron.com/k8sprdwhqcog/kube-webhook-certgen
tag: v20230312-helm-chart-4.5.2-28-g66a760794
#env:
#http_proxy: http://whqproxys.wistron.com:8080
#https_proxy: http://whqproxys.wistron.com:8080
#no_proxy: 10.0.0.0/8,127.0.0.1,localhost
image:
repository: harbor.wistron.com/k8sprdwhqcog/vpa-admission-controller
tag: 0.14.0
resources:
limits:
cpu: 200m
memory: 500Mi
requests:
cpu: 50m
memory: 200Mi
metrics-server:
enabled: false
apiService:
create: true
image:
repository: harbor.wistron.com/k8sprdwhqcog/goldilocks
tag: v4.6.3
pullPolicy: Always
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
controller:
enabled: true
rbac:
create: true
enableArgoproj: true
extraRules: []
extraClusterRoleBindings: []
serviceAccount:
create: true
name:
flags: {}
logVerbosity: "2"
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: []
resources:
limits:
cpu: 1000m
memory: 1024Mi
requests:
cpu: 25m
memory: 32Mi
podSecurityContext: {}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 10324
capabilities:
drop:
- ALL
deployment:
extraVolumeMounts: []
extraVolumes: []
annotations: {}
additionalLabels: {}
podAnnotations: {}
dashboard:
basePath: null
enabled: true
replicaCount: 2
service:
type: ClusterIP
annotations: {}
flags: {}
logVerbosity: "2"
rbac:
create: true
enableArgoproj: true
serviceAccount:
create: true
name:
deployment:
annotations: {}
additionalLabels: {}
extraVolumeMounts: []
extraVolumes: []
podAnnotations: {}
ingress:
enabled: true
ingressClassName:
annotations: {}
hosts:
- host: vpa.wzs-sat-poc-01.k8s.wistron.com # to-do change
paths:
- path: /
type: ImplementationSpecific
tls: []
resources:
limits:
cpu: 500m
memory: 1024Mi
requests:
cpu: 25m
memory: 32Mi
podSecurityContext: {}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 10324
capabilities:
drop:
- ALL
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: []
3.5 kubernetes-dashboard.yaml¶
Add the content below, and change the Cluster ID and hosts
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubernetes-dashboard
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: kube-system
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: kubernetes-dashboard
targetRevision: 6.0.0
helm:
values: |
# --enable-skip-login and --enable-insecure-login remove authentication at the
# dashboard itself. Together with clusterReadOnlyRole below, anyone who can
# reach the ingress host gets read access to the whole cluster. Put the ingress
# behind SSO or an IP allow-list, or drop these two flags.
extraArgs:
- --enable-skip-login
- --enable-insecure-login
- --system-banner=Cluster ID [ wzs-sat-poc-01 ] # to-do change
# Start in ReadOnly mode.
# Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) with read only permissions to all resources listed inside the cluster should be created
# Only dashboard-related Secrets and ConfigMaps will still be available for writing.
#
# The basic idea of the clusterReadOnlyRole
# is not to hide all the secrets and sensitive data but more
# to avoid accidental changes in the cluster outside the standard CI/CD.
#
rbac:
clusterReadOnlyRole: true
clusterReadOnlyRoleAdditionalRules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- prometheuses
- podmonitors
- servicemonitors
- prometheusrules
- alertmanagerconfigs
- probes
verbs:
- get
- list
- watch
- apiGroups:
- logging.banzaicloud.io
resources:
- clusterflows
verbs:
- get
- list
- watch
## Metrics Scraper
## Container to scrape, store, and retrieve a window of time from the Metrics Server.
metricsScraper:
enabled: true
## Serve application over HTTP without TLS
# TLS terminates at the ingress controller (default-ingress-cert); the hop from
# the ingress to this pod is plaintext.
protocolHttp: true
service:
type: ClusterIP
# Dashboard service port
externalPort: 9090
serviceMonitor:
# Whether or not to create a Prometheus Operator service monitor.
enabled: true
## Here labels can be added to the serviceMonitor
labels: {}
## Here annotations can be added to the serviceMonitor
annotations: {}
ingress:
## If true, Kubernetes Dashboard Ingress will be created.
enabled: true
hosts:
- kubernetes-dashboard.wzs-sat-poc-01.k8s.wistron.com # to-do change
## Pinned CRDs that will be displayed in dashboard's menu
pinnedCRDs:
- kind: customresourcedefinition
name: prometheuses.monitoring.coreos.com
displayName: Prometheus
namespaced: true
- kind: customresourcedefinition
name: podmonitors.monitoring.coreos.com
displayName: PodMonitors
namespaced: true
- kind: customresourcedefinition
name: servicemonitors.monitoring.coreos.com
displayName: ServiceMonitors
namespaced: true
- kind: customresourcedefinition
name: prometheusrules.monitoring.coreos.com
displayName: PrometheusRules
namespaced: true
3.6 loki.yaml¶
Add below content and change loki size
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: loki
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: loki-system
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: loki
targetRevision: 2.13.3
helm:
values: |
rbac:
pspEnabled: false
config:
compactor:
retention_enabled: true
limits_config:
retention_period: 7d
memberlist:
bind_addr:
- ${MY_POD_IP}
persistence:
enabled: True
storageClassName: longhorn
size: 20Gi # to-do change
containerSecurityContext:
readOnlyRootFilesystem: true
env:
- name: MY_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
extraArgs:
config.expand-env: true
3.7 metallb.yaml¶
Add below content
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metallb
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: metallb-system
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: metallb
targetRevision: 0.13.12
helm:
values: |
# put helm chart setting here
3.8 open-telemetry-operator.yaml¶
Add below content
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: opentelemetry-operator
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: otel-system
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: opentelemetry-operator
targetRevision: 0.43.0
helm:
values: |
manager:
resources:
limits:
cpu: 2048m
memory: 4Gi
requests:
cpu: 1024m
memory: 2Gi
3.9 pyrra.yaml¶
Add the content below, and change prometheusExternalUrl and hosts
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: pyrra
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
labels:
# NOTE(review): label values must be plain strings; a nested map under the
# key "value" will be rejected by the API server. The goldilocks enable
# label also belongs on the pyrra Namespace, not on the Argo Application —
# presumably the intent was goldilocks.fairwinds.com/enabled: "true" there.
"value": {"goldilocks.fairwinds.com/enabled": "true"}
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: pyrra
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: pyrra
targetRevision: 0.8.0
helm:
values: |
image:
# Pulled straight from ghcr.io while every other image on this page comes
# from the harbor mirror — confirm egress is allowed or mirror it too.
repository: ghcr.io/pyrra-dev/pyrra
tag: "v0.6.4"
prometheusUrl: "http://rancher-monitoring-prometheus.cattle-monitoring-system:9090/"
prometheusExternalUrl: "https://prometheus.wzs-sat-poc-01.k8s.wistron.com"
ingress:
enabled: true
hosts:
- host: pyrra.wzs-sat-poc-01.k8s.wistron.com
paths:
- path: /
pathType: ImplementationSpecific
serviceMonitor:
enabled: true
3.10 rancher-logging-crd.yaml¶
Add below content
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: rancher-logging-crd
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
annotations:
argocd.argoproj.io/sync-wave: "-2"
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 2
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: cattle-logging-system
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: rancher-logging-crd
targetRevision: 102.0.1+up3.17.10
# helm:
# values: |
# auth:
# enabled: false
3.11 rancher-logging.yaml¶
Add below content
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: rancher-logging
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: cattle-logging-system
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: rancher-logging
targetRevision: 102.0.1+up3.17.10
helm:
values: |
fluentd:
resources:
limits:
cpu: 4000m
memory: 5Gi
requests:
cpu: 2000m
memory: 3Gi
replicas: 3
3.12 rancher-monitory-crd.yaml¶
Add below content
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: rancher-monitoring-crd
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
annotations:
argocd.argoproj.io/sync-wave: "-2"
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 2
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: rancher-monitoring-crd
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: rancher-monitoring-crd
targetRevision: 102.0.2+up40.1.2
3.13 rancher-monitoring.yaml¶
Add the content below, change the grafana, prometheus and alertmanager hosts to the cluster FQDN, and change clusterid
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: rancher-monitoring
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 5
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: cattle-monitoring-system
source:
repoURL: harbor.wistron.com/k8sprdwhqcog
chart: rancher-monitoring
targetRevision: 102.0.2+up40.1.2
helm:
values: |
defaultRules:
create: true
rules:
alertmanager: true
etcd: true
general: true
k8s: true
kubeApiserver: true
kubeApiserverAvailability: true
kubeApiserverError: true
kubeApiserverSlos: true
kubePrometheusGeneral: true
kubePrometheusNodeAlerting: true
kubePrometheusNodeRecording: true
kubeScheduler: true
kubeStateMetrics: true
kubelet: true
kubernetesAbsent: true
kubernetesApps: false
kubernetesResources: false
kubernetesStorage: true
kubernetesSystem: true
network: true
node: true
prometheus: true
prometheusOperator: true
time: true
additionalRuleLabels:
team: wzs-cog
# setup runbookURL to wistron runbook portal
runbookUrl: "https://cloud-guidebook.wistron.com/runbooks"
grafana:
# upgrade grafana version
# NOTE(review): with repository/tag commented out this key is left empty
# (null). Helm treats a null user value as "delete the chart default", which
# can break rendering of the image reference — presumably comment out
# `image:` as well, as done under prometheusSpec below.
image:
#repository: grafana/grafana
#tag: 9.3.6
# change timezone setting base on browser
defaultDashboardsTimezone: browser
grafana.ini:
feature_toggles:
enable: traceqlEditor
# enable viewers to edit (but not save) dashboards and use Explore
users:
viewers_can_edit: "True"
sidecar:
# upgrade sidecar version
image:
# Pulled from quay.io rather than the harbor mirror used elsewhere — confirm egress.
repository: quay.io/kiwigrid/k8s-sidecar
#tag: 1.21.0
datasources:
logLevel: "DEBUG"
enabled: true
searchNamespace: "ALL"
dashboards:
logLevel: "DEBUG"
# enable the cluster wide search for dashbaords and adds/updates/deletes them in grafana
enabled: true
searchNamespace: "ALL"
label: grafana_dashboard
labelValue: "1"
additionalDataSources:
- name: Tempo
type: tempo
# NOTE(review): the otel collector in 2.7 exports to tempo.cattle-monitoring-system;
# one of the two Tempo namespaces is presumably stale.
url: http://tempo.tempo-system:3100
access: proxy
# create loki datasource for logging data store
- name: Loki
type: loki
url: http://loki.loki-system:3100/
access: proxy
ingress:
enabled: true
hosts:
- grafana.wzs-sat-poc-01.k8s.wistron.com # to-do change
resources:
limits:
cpu: '2'
memory: 3200Mi
requests:
cpu: '1'
memory: 300Mi
prometheus:
# Prometheus (and Alertmanager below) have no built-in authentication; with no
# auth configured on these ingresses, anyone reaching the host can query all
# metrics or silence alerts. Front them with SSO or restrict by source IP.
ingress:
enabled: true
hosts:
- prometheus.wzs-sat-poc-01.k8s.wistron.com # to-do change
prometheusSpec:
# upgrade prometheus version
#image:
#repository: quay.io/prometheus/prometheus
#tag: v2.39.1
# make prometheus-operator to load CRDs from all namespaces
ruleSelectorNilUsesHelmValues: false
serviceMonitorSelectorNilUsesHelmValues: false
podMonitorSelectorNilUsesHelmValues: false
probeSelectorNilUsesHelmValues: false
# force each namespace to monitor and alert on their own resources only
ignoreNamespaceSelectors: true
#enforcedNamespaceLabel: "namespace"
# add to any time series or alerts when communicating with external systems
externalLabels:
# add cluster id on alerts which enable opsgenie to dispatch alerts
# Note the dot in "wzs.sat-poc-01" versus the dash used in every hostname on
# this page — keep one spelling if downstream routing keys on it.
clusterid: "wzs.sat-poc-01" # to-do change
resources:
limits:
# 500Mi is very low for a Prometheus scraping a whole cluster and is likely
# to be OOMKilled (the request is 200Mi); confirm against observed usage.
cpu: 5000m
memory: 500Mi
requests:
cpu: 50m
memory: 200Mi
storageSpec:
volumeClaimTemplate:
spec:
storageClassName: longhorn
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi # to-do change
prometheus-node-exporter:
resources:
limits:
cpu: 300m
memory: 200Mi
requests:
cpu: 50m
memory: 100Mi
kube-state-metrics:
collectors:
- certificatesigningrequests
- configmaps
- cronjobs
- daemonsets
- deployments
- endpoints
- horizontalpodautoscalers
- ingresses
- jobs
- limitranges
- mutatingwebhookconfigurations
- namespaces
- networkpolicies
- nodes
- persistentvolumeclaims
- persistentvolumes
- poddisruptionbudgets
- pods
- replicasets
- replicationcontrollers
- resourcequotas
- secrets
- services
- statefulsets
- storageclasses
- validatingwebhookconfigurations
- volumeattachments
- verticalpodautoscalers
alertmanager:
alertmanagerSpec:
# upgrade alertmanager version
image:
repository: quay.io/prometheus/alertmanager
tag: v0.24.0
ingress:
enabled: true
hosts:
- alertmanager.wzs-sat-poc-01.k8s.wistron.com # to-do change
config:
global:
resolve_timeout: 5m
route:
group_by: ['alertname', 'namespace', 'env']
group_wait: 30s
group_interval: 1m
repeat_interval: 5m
receiver: 'opsgenie'
routes:
- match:
alertname: Watchdog
receiver: og_heartbeat
receivers:
- name: opsgenie
opsgenie_configs:
# SECURITY: a live Opsgenie API key is committed here in plain text; it is in
# git history and in this document and should be treated as compromised —
# rotate it. Keep the replacement out of the values: mount it from a Secret
# (a SealedSecret as in 1.3.4) and reference it with api_key_file instead
# (confirm the option is supported by the pinned v0.24.0).
- api_key: fe7f519e-6416-4db5-b221-c1dac801c651
source: '{{ template "opsgenie.default.source" . }}'
# make sure priority will be set on opsgenie
priority: '{{ if .CommonLabels.priority }}{{ .CommonLabels.priority}}{{ else }}P3{{ end }}'
# set up opsgenie heartbeat and api key first
- name: og_heartbeat
webhook_configs:
- url: https://api.opsgenie.com/v2/heartbeats/heartbeat-wzs-sat-trs-01/ping # to-do change
http_config:
basic_auth:
username: ":"
# SECURITY: same issue — the heartbeat credential is in plain text; rotate it
# and load it via password_file from a mounted Secret.
password: c140ec87-21be-42a0-ba1a-29987ed0d65c
3.14 sealedsecrets-controller.yaml¶
Add below content
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations: {}
labels:
name: sealed-secrets-service-proxier
name: sealed-secrets-service-proxier
namespace: kube-system
rules:
- apiGroups:
- ""
resourceNames:
- sealed-secrets-controller
resources:
- services
verbs:
- get
- apiGroups:
- ""
resourceNames:
- 'http:sealed-secrets-controller:'
- http:sealed-secrets-controller:http
- sealed-secrets-controller
resources:
- services/proxy
verbs:
- create
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations: {}
labels:
name: secrets-unsealer
name: secrets-unsealer
rules:
- apiGroups:
- bitnami.com
resources:
- sealedsecrets
verbs:
- get
- list
- watch
- apiGroups:
- bitnami.com
resources:
- sealedsecrets/status
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: kube-system
spec:
minReadySeconds: 30
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
name: sealed-secrets-controller
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
spec:
containers:
- args: []
command:
- controller
env: []
# NOTE(review): controller v0.18.1 from docker.io, while kubeseal in step 1.3.3
# is v0.28.0 and every other image on this page comes from the harbor mirror.
# Ten minor releases apart may not interoperate cleanly — pin both to the
# same release and mirror the image.
image: docker.io/bitnami/sealed-secrets-controller:v0.18.1
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: http
name: sealed-secrets-controller
ports:
- containerPort: 8080
name: http
readinessProbe:
httpGet:
path: /healthz
port: http
# Read-only root and non-root UID; /tmp is the only writable path (emptyDir below).
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
stdin: false
tty: false
volumeMounts:
- mountPath: /tmp
name: tmp
imagePullSecrets: []
initContainers: []
securityContext:
fsGroup: 65534
# Bound to the secrets-unsealer ClusterRole: this pod can read, create, update
# and delete Secrets cluster-wide, so it is the most sensitive workload on the page.
serviceAccountName: sealed-secrets-controller
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: tmp
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: sealedsecrets.bitnami.com
spec:
group: bitnami.com
names:
kind: SealedSecret
listKind: SealedSecretList
plural: sealedsecrets
singular: sealedsecret
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: Service
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: kube-system
spec:
ports:
- port: 8080
targetPort: 8080
selector:
name: sealed-secrets-controller
type: ClusterIP
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations: {}
labels:
name: sealed-secrets-key-admin
name: sealed-secrets-key-admin
namespace: kube-system
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: secrets-unsealer
subjects:
- kind: ServiceAccount
name: sealed-secrets-controller
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: sealed-secrets-service-proxier
name: sealed-secrets-service-proxier
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: sealed-secrets-service-proxier
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: sealed-secrets-key-admin
subjects:
- kind: ServiceAccount
name: sealed-secrets-controller
namespace: kube-system
- Check the plugins file
3.15 istio¶
- istio-ingressgateway-certs.yaml
Add the content below
# TLS server certificate + private key for the Istio ingress gateway (kubernetes.io/tls Secret).
# Re-indented; the original listing had lost its YAML indentation and the tls.crt value was
# wrapped across two lines.
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUg1RENDQnN5Z0F3SUJBZ0lUUGdEdzNVOFF6ckl0akNRZndRQUJBUERkVHpBTkJna3Foa2lHOXcwQkFRc0YKQURCVE1SY3dGUVlLQ1pJbWlaUHlMR1FCR1JZSGQybHpkSEp2YmpFNE1EWUdBMVVFQXhNdlYybHpkSEp2YmlCRgpiblJsY25CeWFYTmxJRkp2YjNRZ1EyVnlkR2xtYVdOaGRHbHZiaUJCZFhSb2IzSnBkSGt3SGhjTk1qTXdOVEF4Ck1ETXdNekkzV2hjTk1qUXdORE13TURNd016STNXakNCaGpFTE1Ba0dBMVVFQmhNQ1EwNHhFakFRQmdOVkJBZ1QKQ1VkMVlXNW5aRzl1WnpFU01CQUdBMVVFQnhNSldtaHZibWR6YUdGdU1SQXdEZ1lEVlFRS0V3ZFhhWE4wY205dQpNUXd3Q2dZRFZRUUxFd05OU1ZNeEx6QXRCZ05WQkFNTUppb3VhWE4wYVc4dGQzcHpMWE5oZEMxd2NtUXRjRE11CmF6aHpMbmRwYzNSeWIyNHVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEKNjBSYUY3cHNLc0haaG05V0k1M2VzaXBoK2hnSHR2MWppTDRuODFNSkFRYmZwWFFxSGtINWFpWlpqa2hlejduOQpqRVprWjF6SUJmaFZKLzdHNFB0WDBQanZuODJiSTl3ZHZZNkMyUjQyVzhlcG5rdW51b0QzNEZMSlh4bkVrQS9XCmszT1RnWDlpaXBkWFZidHMvYUkxbFIvM2Y4N2IyRm8xTjJhNFRpVmRQUDZDQWRHY1ZsallpWGdHTXFWd24zbXEKK01BRm01S1Y3bEcva2EzZTF1N0J4alpiczRPMklKTXpwbDg1dGtwVitYN0FzTGhqdTdCOHFhRzk3dWlkeVpDZApRaExrRXYzOUF0bHZJTEVCNkFQcE5sVE9wUmtoYkNVcHhwQ0xseUxrQlBLQTR6SXlJNkhwZW95MzJzeG9RcklyCjQ5Y2NkVjNmeUZFQTRjdC9sWmI5S1FJREFRQUJvNElFZXpDQ0JIY3dIUVlEVlIwT0JCWUVGT1B6VVNZblJucUIKanJzL01KQUU1MzVKelFyVU1COEdBMVVkSXdRWU1CYUFGRHlwb0w2YmlnMmFtbWZXUUpHZDh4VGVnMlVTTUlJQwpHUVlEVlIwZkJJSUNFRENDQWd3d2dnSUlvSUlDQktDQ0FnQ0dnZGxzWkdGd09pOHZMME5PUFZkcGMzUnliMjRsCk1qQkZiblJsY25CeWFYTmxKVEl3VW05dmRDVXlNRU5sY25ScFptbGpZWFJwYjI0bE1qQkJkWFJvYjNKcGRIa3MKUTA0OVZGZFVVRVZTUkVNeExFTk9QVU5FVUN4RFRqMVFkV0pzYVdNbE1qQkxaWGtsTWpCVFpYSjJhV05sY3l4RApUajFUWlhKMmFXTmxjeXhEVGoxRGIyNW1hV2QxY21GMGFXOXVMRVJEUFhkcGMzUnliMjQvWTJWeWRHbG1hV05oCmRHVlNaWFp2WTJGMGFXOXVUR2x6ZEQ5aVlYTmxQMjlpYW1WamRFTnNZWE56UFdOU1RFUnBjM1J5YVdKMWRHbHYKYmxCdmFXNTBobDlvZEhSd09pOHZWRmRVVUVWU1JFTXhMbmRwYzNSeWIyNHZRMlZ5ZEVWdWNtOXNiQzlYYVhOMApjbTl1SlRJd1JXNTBaWEp3Y21selpTVXlNRkp2YjNRbE1qQkRaWEowYVdacFkyRjBhVzl1SlRJd1FYVjBhRzl5CmFYUjVMbU55YklaaFptbHNaVG92THk4dlZGZFVVRVZTUkVNeExuZHBjM1J5YjI0dlEyVnlkRVZ1Y205c2JDOVgKYVhOMGNtOXVKVEl3Ulc1MFpYSndjbWx6WlNVeU1GSnZiM1FsTWpCRFpYSjBhV1pwWTJGMGFXOXVKVEl3UVhWMAphRzl5YVhSNUxtTnliSVplYUhSMGNEb3ZMMkZrWTJFdWQybHpkSEp2Ymk1amIyMHZRMlZ5ZEVWdWNtOXNiQzlYCmFYTjBjbTl1SlRJd1JXNTBaWEp3Y21selpTVXlNRkp2YjNRbE1qQkRaWEowYVdacFkyRjBhVzl1SlRJd1FYVjAKYUc5eWFYUjVMbU55YkRDQ0FXY0dDQ3NHQVFVRkJ3RUJCSUlCV1RDQ0FWVXdnYzhHQ0NzR0FRVUZCekFDaG9IQwpiR1JoY0Rvdkx5OURUajFYYVhOMGNtOXVKVEl3Ulc1MFpYSndjbWx6WlNVeU1GSnZiM1FsTWpCRFpYSjBhV1pwClkyRjBhVzl1SlRJd1FYVjBhRzl5YVhSNUxFTk9QVUZKUVN4RFRqMVFkV0pzYVdNbE1qQkxaWGtsTWpCVFpYSjIKYVdObGN5eERUajFUWlhKMmFXTmxjeXhEVGoxRGIyNW1hV2QxY21GMGFXOXVMRVJEUFhkcGMzUnliMjQvWTBGRApaWEowYVdacFkyRjBaVDlpWVhObFAyOWlhbVZqZEVOc1lYTnpQV05sY25ScFptbGpZWFJwYjI1QmRYUm9iM0pwCmRIa3dnWUFHQ0NzR0FRVUZCekFDaG5Sb2RIUndPaTh2VkZkVVVFVlNSRU14TG5kcGMzUnliMjR2UTJWeWRFVnUKY205c2JDOVVWMVJRUlZKRVF6RXVkMmx6ZEhKdmJsOVhhWE4wY205dUpUSXdSVzUwWlhKd2NtbHpaU1V5TUZKdgpiM1FsTWpCRFpYSjBhV1pwWTJGMGFXOXVKVEl3UVhWMGFHOXlhWFI1S0RFcExtTnlkREFMQmdOVkhROEVCQU1DCkJhQXdPd1lKS3dZQkJBR0NOeFVIQkM0d0xBWWtLd1lCQkFHQ054VUlnWi9NQjRTTjIyZUd1Wjg1ZzdEREpvU00KOVR4MGxyQlN5YzhrQWdGa0FnRVFNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01CTUJzR0NTc0dBUVFCZ2pjVgpDZ1FPTUF3d0NnWUlLd1lCQlFVSEF3RXdNUVlEVlIwUkJDb3dLSUltS2k1cGMzUnBieTEzZW5NdGMyRjBMWEJ5ClpDMXdNeTVyT0hNdWQybHpkSEp2Ymk1amIyMHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSHlSRndYY0NXMXQKeG1UWDdoMnY3OEdXcUNDU1dIMlNIVkh5SWFNTGM3eXVUb0xRTGFZT1ZFZCtzYjBsNmovc2hZS3gzY2ZWWUxXQwpwaVMybVY2UVp1MFVXcTBEMUVTUExlQTNaSHBmRnlxUXNKN1ZNaUlRcTBhYlN2clgvb3ZrMHUweDloOFovVkIwCkprbnp2c1g2ZDdabXcvTmxHSUFUS2E1V0xSSlJaSkNtRVpzbTFVL0xxbHRuVVhDZ3BWQTZRc2gxZ0JmV0RCM1kKR0lkZ0pQclJJeGpCamNKWWo4aElNdkVLSkVHcWU2a09GZ1UwU29aRFlsbnZ2R1NxS3VTUndjNFovYVBxNVVvUwpjSXU3eWR1ZERDWlYwRzNFelVQQ0JpdkFzS2d5UERJNDNzMXp3czVRVUxtemd1WmVQcmx3Wnptd0Q3ZnR3TGNJCk9ETy9RWFNpQkVJPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCgo=
  # NOTE(review): this is the gateway's private key, base64-encoded (not encrypted). A plain
  # Secret like this must not be committed to the GitLab folder uploaded in step 4; seal it
  # with kubeseal into a SealedSecret (the controller from 3.14 exists for exactly this) and
  # rotate the key if the plain form has already been pushed.
  tls.key: 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
kind: Secret
metadata:
  creationTimestamp: null
  name: istio-ingressgateway-certs
  namespace: istio-system
type: kubernetes.io/tls
- istio.yaml
Add the content below, and change
`loadBalancerIP`
# Three ArgoCD Applications that install Istio 1.17.1 (base CRDs, istiod, ingress gateway) from
# Helm charts in the harbor.wistron.com/k8sprdwhqcog registry. Re-indented; the original
# listing had lost its YAML indentation.
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: istio-base
  namespace: argocd
  # The finalizer makes deleting the Application also delete the resources it deployed.
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  syncPolicy:
    # prune + selfHeal: ArgoCD deletes resources removed from the chart/values and reverts
    # manual edits in the cluster — changes must go through the source, not kubectl.
    automated:
      prune: true
      selfHeal: true
    retry:
      limit: 5
    syncOptions:
      - CreateNamespace=true
  destination:
    server: https://kubernetes.default.svc
    namespace: istio-system
  source:
    # No scheme: presumably an OCI Helm registry entry configured in 8.harbor-oci-registry.yaml — confirm.
    repoURL: harbor.wistron.com/k8sprdwhqcog
    chart: base
    targetRevision: 1.17.1
    helm:
      values: |
        # put helm chart setting here
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: istiod
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      limit: 5
    syncOptions:
      - CreateNamespace=true
  destination:
    server: https://kubernetes.default.svc
    namespace: istio-system
  source:
    repoURL: harbor.wistron.com/k8sprdwhqcog
    chart: istiod
    targetRevision: 1.17.1
    helm:
      # Tracing goes to the in-cluster OTel collector on the zipkin port; every sidecar also
      # logs all access to stdout (accessLogFile), which can be noisy at volume.
      values: |
        meshConfig:
          enableTracing: true
          accessLogFile: /dev/stdout
          defaultConfig:
            tracing:
              zipkin:
                address: otel-collector.otel-system.svc.cluster.local:9411
                # address=<jaeger-collector-address>:9411
        global:
          proxy:
            resources:
              limits:
                cpu: 500m
                memory: 512Mi
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: istio-ingressgateway
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      limit: 5
    syncOptions:
      - CreateNamespace=true
  destination:
    server: https://kubernetes.default.svc
    namespace: istio-system
  source:
    repoURL: harbor.wistron.com/k8sprdwhqcog
    chart: gateway
    targetRevision: 1.17.1
    helm:
      # loadBalancerIP is site-specific and must be changed per cluster (see the note above).
      values: |
        # add annotations to get specific ip from metallb
        service:
          annotations:
            metallb.universe.tf/address-pool: ip-pool
          loadBalancerIP: "10.41.243.201" # to-do change
3.16 kiali¶
- kiali-cr.yaml
Add the content below, and change the Kiali URL:
`kiali.wzs-sat-poc-01.k8s.wistron.com`
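# Kiali CR consumed by the kiali-operator (installed by kiali-operator.yaml below).
# Fixes: the Grafana section was keyed `grfana`, which Kiali does not recognise, so
# `enabled: false` never applied and the default (Grafana integration on) stayed in effect;
# the Prometheus comment described a different service than the URL points at.
# Re-indented; the original listing had lost its YAML indentation.
---
apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali
  namespace: kiali-operator
spec:
  istio_namespace: "istio-system"
  auth:
    # Anyone who can reach the ingress host below is let in without logging in; view_only_mode
    # removes write actions, but mesh topology, Istio config and metrics are still visible.
    # Restrict who can reach the ingress, or use an authenticated strategy (e.g. openid),
    # where that exposure is not acceptable.
    strategy: anonymous
  deployment:
    view_only_mode: true
    ingress:
      class_name: "nginx"
      # default: enabled is undefined
      enabled: true
      # default: override_yaml is undefined
      override_yaml:
        spec:
          rules:
            - host: "kiali.wzs-sat-poc-01.k8s.wistron.com" # to-do change
              http:
                paths:
                  - path: "/kiali"
                    pathType: Prefix
                    backend:
                      service:
                        name: "kiali"
                        port:
                          number: 20001
  external_services:
    custom_dashboards:
      enabled: false
    prometheus:
      enabled: true
      # Rancher Monitoring's Prometheus in cattle-monitoring-system; change if the site
      # runs a different monitoring stack.
      url: "http://rancher-monitoring-prometheus.cattle-monitoring-system:9090/" # todo
    grafana:
      # dashboards:
      # - name: "Istio Service Dashboard"
      # variables:
      # namespace: "var-namespace"
      # service: "var-service"
      # - name: "Istio Workload Dashboard"
      # variables:
      # namespace: "var-namespace"
      # workload: "var-workload"
      # - name: "Istio Mesh Dashboard"
      # - name: "Istio Control Plane Dashboard"
      # - name: "Istio Performance Dashboard"
      # - name: "Istio Wasm Extension Dashboard"
      enabled: false
      # health_check_url: "http://rancher-monitoring-grafana.monitoring.svc:80/api/health"
      # # default: in_cluster_url is undefined
      # in_cluster_url: "http://rancher-monitoring-grafana.monitoring.svc:80"
      # is_core: false
      # url: "http://grafana.sandbox-dev-0.k8s.wistron.com"
    istio:
      component_status:
        components:
          - app_label: "istiod"
            is_core: true
            is_proxy: false
            namespace: istio-system
        enabled: true
    tracing:
      enabled: false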
- kiali-operator.yaml
Add the content below
# ArgoCD Application that installs the kiali-operator chart; the Kiali CR (kiali-cr.yaml)
# is applied separately, so the chart's own CR creation stays commented out in values.
# Re-indented; the original listing had lost its YAML indentation.
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kiali-operator
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  syncPolicy:
    # prune + selfHeal: drift in the cluster is reverted and removed resources are deleted.
    automated:
      prune: true
      selfHeal: true
    retry:
      limit: 5
    syncOptions:
      - CreateNamespace=true
  destination:
    server: https://kubernetes.default.svc
    namespace: kiali-operator
  source:
    repoURL: harbor.wistron.com/k8sprdwhqcog
    chart: kiali-operator
    targetRevision: 1.64.0 # todo
    helm:
      values: |
        # cr:
        # create: true
        # namespace: istio-system
4. Gitlab config¶
4.1 Upload file to gitlab¶
- Download the gitlab folder from master1 to the local PC
- Upload the gitlab files to HQ GitLab
Create the site wimes cluster-id folder on HQ GitLab
Upload the folders {config, istio, kiali, namespace, plugins} to HQ GitLab under argo/wzs/sat-trs-01 (this path must match the `path` configured in 7.tenant-apps.yaml in step 5.2.4)
5. Install argocd¶
Only master1
5.1 Prepare argocd files¶
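#!/usr/bin/env bash
# Fetch the ArgoCD 2.6.15 install manifests from the release-management repository into
# /etc/argocd. Any failure (missing directory, failed download) aborts the run instead of
# leaving a partial set of files that step 5.3 would then apply.
set -euo pipefail

readonly argocd_dir=/etc/argocd
# NOTE(review): the files are fetched from 'master', so their content can change between
# runs, and nothing here verifies them beyond the TLS connection to gitlab even though 5.3
# applies them with cluster-wide privileges — pin to a tag or commit once the repo layout allows it.
readonly base_url=https://gitlab.wistron.com/ccoe/releasemanagement/-/raw/master/argocd/2.6.15
readonly manifests=(
  1.install.yaml
  2.argocd-ing.yaml
  3.argocd-tls-certs-cm.yaml
  4.argocd-applicationset-install.yaml
  5.argocd-cm.yaml
  6.argocd-rbac-cm.yaml
  7.tenant-apps.yaml
  8.harbor-oci-registry.yaml
  argocd-repo-server.yaml
  argocd-server.yaml
)

cd "$argocd_dir"
for f in "${manifests[@]}"; do
  wget -- "${base_url}/${f}"
done
# 'll' is an interactive alias and does not exist in a non-interactive shell.
ls -l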
5.2 Modify argocd yaml¶
- 5.2.1 Modify 2.argocd-ing.yaml
Change `host` to your site's ArgoCD URL:
argocd.wzs-sat-poc-01.k8s.wistron.com
- 5.2.2 Modify 3.argocd-tls-certs-cm.yaml
Add the site GitLab DNS certificate (one `data` key per hostname, PEM-encoded)
# TLS trust for ArgoCD's outbound connections: each data key is a hostname ArgoCD talks to
# (Git, OIDC, Helm/OCI registry) and the value is the PEM certificate it will accept for that
# host. A rotated server certificate on any of these hosts must be updated here too, or syncs
# to that host start failing. Re-indented; the original listing had lost its YAML indentation.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-tls-certs-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  gitlab.wistron.com: |
    -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
  keycloak.wistron.com: |
    -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
  harbor.wistron.com: |
    -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
  # Site-specific entry added in this step.
  wzs-sat-poc-gitlab.wistron.com: |
    -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
- 5.2.3 Modify 5.argocd-cm.yaml
Modify `url`:
`https://argocd.wzs-sat-poc-01.k8s.wistron.com/`, and add the site GitLab DNS certificate
# argocd-cm (server settings + OIDC login via Keycloak) and the argocd-secret entry it
# references. Both are applied with '-n argocd' in step 5.3.1, which is why no namespace is
# set here. Re-indented; the original listing had lost its YAML indentation.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.wzs-sat-poc-01.k8s.wistron.com/ # to-do change
  # NOTE(review): exec.enabled turns on the "exec into pod" feature of the ArgoCD UI/CLI: any
  # ArgoCD user whose RBAC grants the 'exec' resource gets an interactive shell inside
  # application pods, with the pod's own identity. Keep it off unless it is really needed; if
  # it stays on, make sure 6.argocd-rbac-cm.yaml grants exec only to the roles that should have it.
  exec.enabled: "true"
  exec.shells: bash,sh,powershell,cmd
  # clientSecret is a reference into argocd-secret (resolved by ArgoCD), not the value itself;
  # rootCA pins the CA ArgoCD trusts for the Keycloak issuer.
  oidc.config: |
    name: Keycloak
    issuer: https://keycloak.wistron.com/realms/k8sprdwhqk8swhqccoe
    clientID: argocd
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes: ["openid", "profile", "email","groups"]
    rootCA: |
      -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
  # NOTE(review): per-host TLS certificates are read from argocd-tls-certs-cm (step 5.2.2),
  # not from argocd-cm, so this key is most likely ignored here — confirm and drop it if so.
  wzs-sat-poc-gitlab.wistron.com: |
    -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
  # NOTE(review): base64 is an encoding, not encryption — this Keycloak client secret is
  # effectively in clear text on this page and in any repository the file is committed to.
  # Rotate it and deliver it as a SealedSecret (the controller from 3.14 is installed for
  # exactly this) rather than a plain Secret.
  oidc.keycloak.clientSecret: YTlhZGVmZDEtZDI2NS00NmQxLTk3N2QtMjUzYjBkOWVkMjA2
- 5.2.4 Modify 7.tenant-apps.yaml
Modify `repoURL`:
`https://wzs-sat-poc-gitlab.wistron.com/ccoe/releasemanagement.git`, and `path`:
`argo/wzs/sat-poc-01/*`
5.3 Install argocd¶
- 5.3.1 Apply yaml file to install argocd
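#!/usr/bin/env bash
# Install ArgoCD from the manifests prepared in 5.1, in numbered order (later files presumably
# depend on objects created by earlier ones, so the order is kept explicit). Aborts on the
# first failure instead of continuing with a half-applied install.
set -euo pipefail

readonly argocd_dir=/etc/argocd
readonly manifests=(
  1.install.yaml
  2.argocd-ing.yaml
  3.argocd-tls-certs-cm.yaml
  4.argocd-applicationset-install.yaml
  5.argocd-cm.yaml
  6.argocd-rbac-cm.yaml
  7.tenant-apps.yaml
  8.harbor-oci-registry.yaml
)

cd "$argocd_dir"
# 'kubectl create namespace' fails on a re-run once the namespace exists; the dry-run | apply
# form is idempotent, so this whole step can be repeated safely.
kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
for f in "${manifests[@]}"; do
  kubectl apply -n argocd -f "$f"
done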
- 5.3.2 Edit argocd clusterrole
Add the content below at the end (the rules to add are not reproduced on this page)
- 5.3.3 Patch argocd-server and argocd-repo-server deployment
# Apply the local patch files to the two ArgoCD deployments; each patch file is named after
# the deployment it patches (argocd-server.yaml, argocd-repo-server.yaml).
for deploy in argocd-server argocd-repo-server; do
  kubectl patch deployment -n argocd "${deploy}" --patch-file "${deploy}.yaml"
done
- 5.3.4 Wait until the ArgoCD pods are running; ArgoCD will then automatically sync the GitLab config & plugins
- 5.3.5 Log in to ArgoCD and check the sync status of the config & plugins


















