Argocd Kustomize and SealedSecret - hqzhang/cloudtestbed GitHub Wiki
1. Installation
1) install argocd
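# Install Argo CD and the Sealed Secrets controller from upstream manifests.
# Both manifests are pulled straight off the network and applied with
# cluster-admin rights: pin a reviewed release tag (ARGOCD_VERSION defaults to
# the moving "stable" branch, which can change under you) and read the
# manifest before applying it anywhere other than a sandbox.
ARGOCD_VERSION="${ARGOCD_VERSION:-stable}"
SEALED_SECRETS_VERSION="${SEALED_SECRETS_VERSION:-v0.15.0}"

kubectl create namespace argocd
kubectl apply -n argocd -f "https://raw.githubusercontent.com/argoproj/argo-cd/${ARGOCD_VERSION}/manifests/install.yaml"
# controller.yaml installs the sealed-secrets controller into kube-system; the
# "SealedSecret Operation" steps further down assume that namespace.
kubectl apply -f "https://github.com/bitnami-labs/sealed-secrets/releases/download/${SEALED_SECRETS_VERSION}/controller.yaml"
# Foreground command: run it in a second terminal (or append '&') so the
# login in step 2 has something to talk to on localhost:8080.
kubectl port-forward svc/argocd-server -n argocd 8080:443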
2) login argocd
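# Log in as the bootstrap admin. Never paste the generated password into the
# command line: it ends up in shell history. Current Argo CD releases store it
# in the argocd-initial-admin-secret; the older release this page was written
# against used the argocd-server pod name, so fall back to that (stderr from
# the first lookup is deliberately discarded because the secret may not exist).
ARGOCD_PASSWORD="$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' 2>/dev/null | base64 -d)"
[ -n "$ARGOCD_PASSWORD" ] || ARGOCD_PASSWORD="$(kubectl -n argocd get pods -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f2)"
# The value is still visible in `ps` for the lifetime of this command; omit
# --password entirely to be prompted interactively if that matters.
argocd login localhost:8080 --username admin --password "$ARGOCD_PASSWORD"
# The bootstrap password is derivable/stored in the cluster: rotate it now.
argocd account update-password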
3) create sealed secret
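# Seal a Secret without ever creating the plaintext Secret in the cluster:
# --dry-run=client only renders it locally and kubeseal encrypts it with the
# controller's public cert. The plaintext still lands in shell history through
# --from-literal; prefer --from-file / --from-env-file for real values.
#
# Scope: "--scope cluster" (as originally written) is not an accepted value;
# kubeseal knows strict (default: bound to name AND namespace), namespace-wide
# and cluster-wide. cluster-wide is kept to match the rest of this page, but it
# lets anyone who can create a SealedSecret in any namespace unseal this value
# wherever they like — use strict unless you need the relaxation.
kubectl -n default create secret generic mysecret --dry-run=client --from-literal foo=bar --output json \
  | kubeseal --scope cluster-wide > sealsect.json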
Alternatively, seal an existing manifest offline against a previously fetched controller cert: `kubeseal --cert cert.crt --scope cluster-wide < secret.yaml > sealsecret`. Only trust a cert obtained from the controller itself (`kubeseal --fetch-cert`) or out of band from the cluster operator — sealing to an attacker-supplied cert hands them the plaintext.
4) apply sealed secret
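# Apply the SealedSecret; the controller decrypts it and writes a plain Secret
# with the same name ("mysecret" in step 3).
kubectl apply -f sealsect.json
# Check both objects by name instead of listing every Secret in the namespace.
# If the Secret never appears, the controller rejected the ciphertext (wrong
# cert, or name/namespace mismatch for the chosen scope) — check its logs.
kubectl get sealedsecret,secret mysecret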
5) create argocd project
# An AppProject is the authorization boundary in Argo CD: --src and --dest
# restrict which source repositories and cluster/namespace pairs Applications
# in this project may use.
argocd proj create myproject \
  --src https://github.com/argoproj/argocd-example-apps.git \
  --dest https://kubernetes.default.svc,mynamespace
6) create an application
# Register the guestbook example as an Application. No --project is given, so it
# lands in Argo CD's built-in "default" project (which permits any repo and any
# destination) rather than in "myproject" from step 5 — whose only allowed
# destination namespace is mynamespace, not default.
argocd app create guestbook \
  --dest-namespace default \
  --dest-server https://kubernetes.default.svc \
  --repo https://github.com/argoproj/argocd-example-apps.git \
  --path guestbook
6) create and deploy apps by yaml
# Declarative alternative to `argocd app create`: the Application object lives
# in the argocd namespace. Deleting it while the resources-finalizer is set (as
# in the manifest below) also deletes everything the app deployed.
kubectl apply --namespace argocd --filename ./argo/argo-cd/app.yaml
kubectl delete --namespace argocd --filename ./argo/argo-cd/app.yaml
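# Write a minimal Application manifest. The original had its YAML indentation
# flattened, which makes it invalid (metadata/spec children must be nested).
# The heredoc delimiter is quoted so nothing inside is shell-expanded.
cat << 'EOF' > app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myproject
  namespace: argocd
  # Cascading delete: removing this Application also removes the resources it
  # created in the destination namespace.
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: myproject
    server: https://kubernetes.default.svc
  # Must name an AppProject that allows this repo and destination. Step 5
  # created "myproject" but only allowed the namespace "mynamespace", so adjust
  # one or the other before syncing.
  project: myproject
  source:
    path: guestbook
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    # A branch is a moving target; pin a tag or commit SHA for reproducible,
    # reviewable deployments.
    targetRevision: master
EOF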
7) get the initial admin password (older Argo CD releases derived it from the argocd-server pod name; rotate it after first login)
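# Older Argo CD releases used the argocd-server pod name as the generated admin
# password. jsonpath avoids parsing "pod/<name>" with cut and picks the first
# pod if the server runs with several replicas.
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o jsonpath='{.items[0].metadata.name}'
# The manifest installed from "stable" today stores the password in a Secret
# instead; if the pod name is rejected at login, read it from there. Either
# way, rotate it right after first login: `argocd account update-password`.
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d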
argocd-server-547d9bb879-xxxxx
8) deploy app
# Show the Application's current sync/health status and what it points at.
argocd app get guestbook
# Sync applies the Git state to the cluster; nothing is deployed until this
# (or an auto-sync policy) runs.
argocd app sync guestbook
9) undeploy app
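# Remove the Application through the CLI (newer CLIs ask for confirmation).
argocd app delete guestbook
# ... or through kubectl. The object lives in the argocd namespace: the
# original omitted -n and used a placeholder name, so it would not find the
# app. With the resources-finalizer set, deletion cascades to the deployed
# resources.
kubectl -n argocd delete application guestbook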
# SealedSecret operation
Sealed Secrets has two parts: a cluster-side controller/operator, which holds the private key and turns SealedSecrets into Secrets, and a client-side utility, kubeseal, which encrypts with the controller's public certificate.
1) Generate key pair
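# Bring-your-own sealing key. The private key is the master secret: whoever
# holds it can decrypt every SealedSecret sealed to this certificate.
export PRIVATEKEY="sealtls.key"
export PUBLICKEY="sealtls.crt"
export NAMESPACE="kube-system"
export SECRETNAME="sealedsecrete-server-1"
# openssl's default validity for `req -x509` is only 30 days; make the
# lifetime an explicit choice.
CERT_DAYS="${CERT_DAYS:-365}"

printf '%s\n' "Generate a new RSA key pair (certificates):"
# -nodes writes the private key unencrypted, so create it with owner-only
# permissions (the umask is set in a subshell so the caller's umask is left
# alone) and delete the file once it has been loaded into the cluster secret.
( umask 077 && openssl req -x509 -nodes -days "$CERT_DAYS" -newkey rsa:4096 \
    -keyout "$PRIVATEKEY" -out "$PUBLICKEY" -subj "/CN=sealed-secret/O=sealed-secret" )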
2) store the key pair in a TLS Secret next to the controller
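# The controller installed by controller.yaml runs in kube-system, which already
# exists, so a plain `create namespace` fails; create it only when missing.
kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
# Store the pair as a TLS Secret in the controller's namespace. This Secret now
# holds the decryption key: restrict RBAC on it and include it in backups —
# losing it makes every SealedSecret sealed to this cert unrecoverable.
kubectl -n "$NAMESPACE" create secret tls "$SECRETNAME" --cert="$PUBLICKEY" --key="$PRIVATEKEY"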
3) label the Secret so the sealed-secrets controller picks this key up
# The controller selects its sealing keys by this label; without it the new
# pair is just an ordinary TLS Secret.
kubectl label secret "$SECRETNAME" --namespace "$NAMESPACE" sealedsecrets.bitnami.com/sealed-secrets-key=active
4) Generate sealed secret
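# kubeseal emits JSON unless told otherwise; the target file is named .yaml,
# so request YAML explicitly. Until the controller is restarted (later step)
# kubeseal still fetches the cert the controller currently advertises, i.e.
# the previous key; the controller retains earlier keys, so such a manifest is
# expected to unseal anyway.
kubectl -n default create secret generic mysecret --dry-run=client --from-literal foo=bar --output json \
  | kubeseal -o yaml > sealsecret.yaml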
6) restart the sealed-secrets controller so it loads the new key
# There is no reload signal: deleting the pod makes its Deployment recreate it,
# and the fresh instance reads the newly labelled key.
kubectl delete pod --namespace "$NAMESPACE" --selector name=sealed-secrets-controller
7) retrieve new certificate
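# Fetch the cert the controller now advertises and keep a copy for offline
# sealing (kubeseal --cert). Compare its fingerprint with the cert generated in
# step 1: identical fingerprints confirm the controller is serving your key and
# that nothing in between (e.g. a wrong --controller-namespace, or a still
# running old pod) substituted another one.
kubeseal --fetch-cert | tee controller.crt
openssl x509 -in controller.crt -noout -fingerprint -sha256
openssl x509 -in "$PUBLICKEY" -noout -fingerprint -sha256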
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
8) view logs
# Controller logs show key loading and why a SealedSecret failed to unseal.
kubectl logs --namespace "$NAMESPACE" --selector name=sealed-secrets-controller
9) apply and view secret
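# Apply the sealed manifest generated in step 4 (the original referred to a
# file and a secret name that nothing on this page produces).
kubectl apply -f sealsecret.yaml
# The unsealed Secret keeps the SealedSecret's name. jsonpath returns the raw
# base64 value, so decode it to confirm the round trip gives "bar".
kubectl get secret mysecret -o jsonpath='{.data.foo}' | base64 -d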
Argo CD parent application
App of Apps
# "App of Apps": the parent Application syncs a directory of Application
# manifests into the argocd namespace, so each manifest under apps/ becomes a
# child app. Anyone who can commit to that path can therefore create
# Applications; with no --project it uses the permissive built-in "default"
# project, so restrict it with an AppProject in real deployments.
argocd app create apps \
  --repo https://github.com/argoproj/argocd-example-apps.git \
  --path apps \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace argocd
1)secret
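# Render (but do not create) a Secret and print it as JSON. The original line
# was unrunnable: "kc" is a personal alias, "my secret" split the name into two
# arguments, and "-dry-run" / "--from-liberal" are misspelled flags.
kubectl -n default create secret generic mysecret --dry-run=client --from-literal foo=bar --output json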
The rendered Secret stores `foo` as `YmFy` (base64 of `bar`); `YmFyCg==` is `bar` followed by a newline, which you get when the value comes from `echo` rather than `--from-literal`. Decode with `echo YmFy | base64 -d` (`base64 -D` on macOS).
2)sealedSecret
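# kubeseal accepts YAML input but emits JSON by default; request YAML so the
# file content matches its .yaml name (and the sed clean-up that follows).
kubectl -n default create secret generic mysecret --dry-run=client --from-literal foo=bar -o yaml \
  | kubeseal -o yaml > sealsect.yaml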
3) remove unneeded fields from the generated manifest
# Line-oriented clean-up of the generated manifest. Caveats before running it:
# - `sed -i` without a suffix is GNU syntax; BSD/macOS sed needs `-i ''`.
# - `/namespace/d` drops metadata.namespace. Under the default strict scope the
#   ciphertext is bound to name AND namespace, so the file must then be applied
#   into the namespace it was sealed for (default, per the previous step).
# - `/annotations/d` removes only the key line; any annotation entries nested
#   under it would be orphaned and break the YAML. `/sealedsecrets/d` removes
#   every line containing sealedsecrets.bitnami.com/* (scope annotations too).
# - `/template/,$d` deletes from spec.template through the end of the file.
# Prefer a YAML-aware tool (yq) over regexes for anything beyond this demo.
sed -i -e '/annotations/d' \
-e '/sealedsecrets/d' \
-e '/namespace/d' \
-e '/creationTimestamp/d' \
-e '/template/,$d' \
sealsect.yaml
3)apply it
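# The previous steps wrote and edited sealsect.yaml, not a .json file.
kubectl apply -f sealsect.yaml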
4)check it
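# jsonpath returns the raw base64 value; decode it to confirm it reads "bar".
kubectl get secret mysecret -o jsonpath='{.data.foo}' | base64 -d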