argo airflow
Some time after writing the first article, where I cleverly used jsonnet and gitlab, I realized that pipelines are certainly good, but unnecessarily difficult and inconvenient.
In most cases the typical task is simply "generate YAML and put it in Kubernetes". This is exactly what Argo CD does really well.
Argo CD allows you to connect a Git repository and sync its state to Kubernetes. By default several types of applications are supported: Kustomize, Helm charts, Ksonnet, raw Jsonnet or simple directories with YAML/JSON manifests.
Most users will be happy with just this tool set, but not everyone. To satisfy the needs of anyone, Argo CD has the ability to use custom tooling.
First of all, I was interested in the opportunity to add support for qbec and git-crypt, which were fully discussed in the previous article.
Before starting the configuration, we first need to understand how Argo CD works. For each app added, it has two phases:
init — initial preparation before deployment; anything can be here: downloading dependencies, unpacking secrets, and so on.
generate — executing the command that generates the manifests; the output must be a valid YAML stream, and this is exactly what will be applied to the cluster.
Notably, Argo applies this approach to any type of application, including Helm. Thus in Argo CD Helm does not deploy any releases to a cluster; instead it is used only to generate the manifests.
On the other hand, Argo is able to handle Helm hooks natively, which means the logic of applying releases is not broken.
QBEC
Qbec allows you to conveniently describe applications using jsonnet, and besides that it has the ability to render Helm charts. Since Argo CD can handle Helm hooks, using this feature together with Argo CD gives an even more correct result.
In order to add qbec support to argocd, you need two things:
- your Argo CD config must contain a custom plugin definition with the specific commands for generating manifests;
- the required binaries must be available in the argocd-repo-server image.
The first task is solved quite simply:
# cm.yaml
data:
  configManagementPlugins: |
    - name: qbec
      generate:
        command: [sh, -xc]
        args: ['qbec show "$ENVIRONMENT" -S --force:k8s-namespace "$ARGOCD_APP_NAMESPACE"']
(the init command is not used)
$ kubectl -n argocd patch cm/argocd-cm -p "$(cat cm.yaml)"
To add the binaries, it is proposed either to build a new image, or to use the trick with an init-container:
# deploy.yaml
spec:
  template:
    spec:
      # 1. Define an emptyDir volume which will hold the custom binaries
      volumes:
      - name: custom-tools
        emptyDir: {}
      # 2. Use an init container to download/copy custom binaries into the emptyDir
      initContainers:
      - name: download-tools
        image: alpine:3.12
        command: [sh, -c]
        args:
        - wget -qO- https://github.com/splunk/qbec/releases/download/v0.12.2/qbec-linux-amd64.tar.gz | tar -xvzf - -C /custom-tools/
        volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
      # 3. Volume mount the custom binary to the bin directory (overriding the existing version)
      containers:
      - name: argocd-repo-server
        volumeMounts:
        - mountPath: /usr/local/bin/qbec
          name: custom-tools
          subPath: qbec
        - mountPath: /usr/local/bin/jsonnet-qbec
          name: custom-tools
          subPath: jsonnet-qbec
$ kubectl -n argocd patch deploy/argocd-repo-server -p "$(cat deploy.yaml)"
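The init-container above fetches the qbec archive straight from GitHub and unpacks it into a directory that is then mounted over /usr/local/bin of argocd-repo-server, so whatever is downloaded becomes the manifest generator for every application. As an added example (not part of the original post), here is an init-container script that pins the release and verifies the archive's sha256 before unpacking; QBEC_SHA256 is a placeholder to be replaced with the digest from the release's published checksum file, and TOOLS_DIR is assumed to be the emptyDir mount.

```shell
#!/bin/sh
# Added example: pin the qbec release and check the archive digest before it is
# unpacked into the emptyDir that argocd-repo-server mounts over /usr/local/bin.
# QBEC_SHA256 is a placeholder; take the real value from the release's checksum file.
set -eu

QBEC_VERSION="v0.12.2"
QBEC_URL="https://github.com/splunk/qbec/releases/download/${QBEC_VERSION}/qbec-linux-amd64.tar.gz"
QBEC_SHA256="REPLACE_WITH_SHA256_FROM_RELEASE_CHECKSUM_FILE"
TOOLS_DIR="${TOOLS_DIR:-/custom-tools}"

# Print the hex sha256 digest of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only when the file's digest equals the expected one.
verify_sha256() {
    actual=$(file_sha256 "$1")
    [ "$actual" = "$2" ]
}

# Download to a temp file, verify it, and only then unpack into the tools directory.
install_qbec() {
    tmp=$(mktemp)
    wget -qO "$tmp" "$QBEC_URL"
    if ! verify_sha256 "$tmp" "$QBEC_SHA256"; then
        echo "checksum mismatch for $QBEC_URL, refusing to install" >&2
        rm -f "$tmp"
        return 1
    fi
    tar -xzf "$tmp" -C "$TOOLS_DIR"
    rm -f "$tmp"
}

# Run the installer only when invoked with "install", so the functions can also be sourced.
if [ "${1:-}" = install ]; then
    install_qbec
fi
```

In the Deployment this replaces the one-line wget|tar in args, with the script invoked as `sh /path/to/script install`; a mismatched digest makes the init-container fail, so the repo-server never starts with an unexpected binary.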
Now let's see what the manifest of our application looks like:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: qbec-app
  namespace: argocd
spec:
  destination:
    namespace: default
    server: https://kubernetes.default.svc
  project: default
  source:
    path: qbec-app
    plugin:
      env:
      - name: ENVIRONMENT
        value: default
      name: qbec
    repoURL: https://github.com/kvaps/argocd-play
  syncPolicy:
    automated:
      prune: true
The ENVIRONMENT variable contains the name of the environment for which we need to generate manifests.
Apply it and see what we get:
The app is up and running, great!
git-crypt
Git-crypt allows you to set up transparent encryption of a repository. This is an easy and secure way to store sensitive data right in git.
The git-crypt implementation turned out to be more difficult. In theory, we could run git-crypt unlock at the init stage of our custom plugin, but this is not very convenient, since it would not allow the native deployment methods to be used. For example, in the case of Helm and Jsonnet we would lose the flexible GUI that simplifies application configuration (values files, etc.). That is why I wanted to unseal the repository at an even earlier stage, during the clone.
Since at the moment Argo CD does not provide the ability to describe any hooks for synchronizing the repository, I had to bypass this limitation with a tricky shell script that wraps the git command:
#!/bin/sh
# Wrapper installed in place of git: run the real binary (renamed git.bin)
# with the original arguments and remember its exit code.
"$(dirname "$0")/git.bin" "$@"
ec=$?
# Only after a fetch of a git-crypt enabled repository try to unlock it;
# in every other case return git's own exit code unchanged.
[ "$1" = fetch ] && [ -d .git-crypt ] || exit $ec
GNUPGHOME=/app/config/gpg/keys git-crypt unlock 2>/dev/null
exit $ec
Argo CD runs git fetch every time before a deployment operation. Exactly this command is what I used to trigger the execution of git-crypt unlock to unlock the repository.
For tests, you can use my docker image, which already has everything needed:
$ kubectl -n argocd set image deploy/argocd-repo-server argocd-repo-server=docker.io/kvaps/argocd-git-crypt:v1.7.3
Now we need to think about how Argo will decrypt repositories.
Let's generate a gpg key for it:
$ kubectl exec -ti deploy/argocd-repo-server -- bash
$ printf "%s\n" \
    "%no-protection" \
    "Key-Type: default" \
    "Subkey-Type: default" \
    "Name-Real: YOUR NAME" \
    "Name-Email: YOUR EMAIL@example.com" \
    "Expire-Date: 0" \
    > genkey-batch
$ gpg --batch --gen-key genkey-batch
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
gpg: keybox '/home/argocd/.gnupg/pubring.kbx' created
gpg: /home/argocd/.gnupg/trustdb.gpg: trustdb created
gpg: key 8CB8B24F50B4797D marked as ultimately trusted
gpg: directory '/home/argocd/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/argocd/.gnupg/openpgp-revocs.d/9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D.rev'
Save the key name 8CB8B24F50B4797D for the further steps, then export the key itself:
$ gpg --list-keys
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
/home/argocd/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2020-09-04 [SC]
      9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid           [ultimate] YOUR NAME <YOUR EMAIL@example.com>
sub   rsa3072 2020-09-04 [E]
$ gpg --armor --export-secret-keys 8CB8B24F50B4797D
And add it as a separate secret:
# argocd-gpg-keys-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-gpg-keys-secret
  namespace: argocd
stringData:
  8CB8B24F50B4797D: |-
    -----BEGIN PGP PRIVATE KEY BLOCK-----
    lQVYBF9Q8KUBDACuS4p0ctXoakPLqE99YLmdixfF/QIvXVIG5uBXClWhWMuo+D0c
    ZfeyC5GvH7XPUKz1cLMqL6o/u9oHJVUmrvN/g2Mnm365nTGw1M56AfATS9IBp0HH
    O/fbfiH6aMWmPrW8XIA0icoOAdP+bPcBqM4HRo4ssbRS9y/i
    =yj11
    -----END PGP PRIVATE KEY BLOCK-----
$ kubectl apply -f argocd-gpg-keys-secret.yaml
The only thing left is to connect it to the argocd-repo-server container. To achieve this, edit the deployment:
$ kubectl -n argocd edit deploy/argocd-repo-server
And replace the existing gpg-keys volume type with projected, specifying our secret there:
spec:
  template:
    spec:
      volumes:
      - name: gpg-keys
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: argocd-gpg-keys-secret
          - configMap:
              name: argocd-gpg-keys-cm
Argo CD automatically loads gpg keys from this directory during startup, so it loads our private key as well.
Let's check:
$ kubectl -n argocd exec -ti deploy/argocd-repo-server -- bash
$ GNUPGHOME=/app/config/gpg/keys gpg --list-secret-keys
gpg: WARNING: unsafe ownership on homedir '/app/config/gpg/keys'
/app/config/gpg/keys/pubring.kbx
--------------------------------
sec   rsa2048 2020-09-05 [SC] [expires: 2021-03-04]
      ED6285A3B1A50B6F1D9C955E5E8B1B16D47FFC28
uid           [ultimate] Anon Ymous (ArgoCD key signing key) <noreply@argoproj.io>
sec   rsa3072 2020-09-03 [SC]
      9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid           [ultimate] YOUR NAME <YOUR EMAIL@example.com>
ssb   rsa3072 2020-09-03 [E]
Great, the key is loaded! Now we only need to add Argo CD as a collaborator to our repository, and it will be able to decrypt it automatically on the fly.
Import the key to the local computer:
$ gpg --armor --export-secret 8CB8B24F50B4797D > 8CB8B24F50B4797D.pem
$ gpg --import 8CB8B24F50B4797D.pem
Trust the key:
$ gpg --edit-key 8CB8B24F50B4797D
trust
5
Add Argo as a collaborator to your git project:
$ git-crypt add-gpg-user 8CB8B24F50B4797D
Related links:
Translated from: https://itnext.io/configure-custom-tooling-in-argo-cd-a4948d95626e