- 1. Introduction
- 2. Installing ArgoCD and Openshift GitOps
- 3. Creating your first application
- 4. Managing your infra with Openshift GitOps
- 5. Storing secrets content outside of git
- 6. Annex: Installing Nexus
- 7. Openshift GitOps support and deployed versions
- 8. Documentation and useful links
GitOps is an increasingly popular set of practices for managing the complexities of running hybrid multicluster Kubernetes infrastructure. GitOps centers on treating Git repositories as the single source of truth and applying Git workflows that have been consistently used for application development to infrastructure and application operators.
This repository provides a starting point to deploy many different operator and applications, such as GitOps, ArgoCD, Nexus, as well as your first application.
Red Hat OpenShift GitOps Red Hat OpenShift GitOps uses Argo CD to manage specific cluster-scoped resources, including platform operators, optional Operator Lifecycle Manager (OLM) operators, and user management. Argo CD is a popular Cloud Native Computing Foundation (CNCF) open source GitOps Kubernetes Operator for declarative configuration on Kubernetes clusters.
Now, we are going to install the Red Hat OpenShift GitOps Operator to an OpenShift Container Platform cluster and logging in to the Argo CD instance.
oc process -f templates/gitops-01-operator.yaml | oc apply -f -After the installation is completed, the operator pods will be running in the openshift-operators project.
By default, the GitOps operator deploys an ArgoCD instance in the openshift-gitops project. To avoid that and have full control of the installation location, the following configuration has been set in the previous OCP template.
spec:
config:
env:
- name: DISABLE_DEFAULT_ARGOCD_INSTANCE
value: "true"Now, we are going to deploy our ArgoCD instance manually using the following template:
oc process -f templates/gitops-02-argocd.yaml | oc apply -f -This command will create a namespace gitops, a default Application Project and an ArgoCD cluster. The configuration used is the default Operator configuration with some small improvements: Delegating authentication on the OpenShift integrated login, or implementing basic RBAC policies.
Access the installed ArgoCD cluster using the following route:
oc get routes argocd-cluster-server -n gitops --template="https://{{.spec.host}}"ArgoCD provides several ways of authenticating users. Here we will talk about the two easier to configure: The default admin user and the integration with Openshift login.
Enabling OpenShift integrated login is quite simple, but might not be perfectly documented as of today. It is already configured in the templates deployed in the section above. This is just for documentation purposes.
This feature implies changes at several levels:
-
Set an environment variable at the operator level. This will tell the operator to enable Dex server for external authentication. GH Issue, Blog post.
spec: config: env: - name: DISABLE_DEX value: "false"
-
Configure the ArgoCD object to use the DEX Openshift login integration.
spec: dex: openShiftOAuth: true
-
Configure the ArgoCD object with the desired RBAC policies. For example, the simples option:
spec: rbac: defaultPolicy: 'role:readonly' policy: | g, system:cluster-admins, role:admin scopes: '[groups]'
Apart from using the Openshift integrated login, it is possible to use the built-in admin user. This user has been disabled in the ArgoCD template template/gitops-02-argocd.yaml configuring .spec.disableAdmin to true. Set it to false if you want to use it.
Then, you will be able to login using ArgoCD user / password. Use user admin and obtain the password with the following command:
oc extract secret/argocd-cluster-cluster -n gitops --to=-|
🔥
|
Authorization in ArgoCD is a combination of configuring permissions at different levels. Here we present all three levels that you have to take care of in order to set proper authorization configuration. Please, read the three following sections carefully. |
The current version of Openshift GitOps supports deploying several clusters of ArgoCD in the same Openshift cluster. This feature is essential for organizations that want to implement multi-tenancy at the OCP level. With this feature available, now we have to distribute each namespace among the ArgoCD clusters. This is done using the managed-by label.
Add a label to the namespace where your application is deployed in so that the Argo CD instance in the gitops namespace can manage it:
oc label namespace spring-petclinic argocd.argoproj.io/managed-by=gitopsIf you don’t do so, the error message that you will see in the web console when you try to synchronize an application is:
Namespace "<namespace>" for <resource> "<resource-name>" is not managed.Link to the documentation.
The ArgoCD instance have only privileges in its namespace which is gitops. For creating/updating/listing resources in other namespaces, it’s mandatory to update the RBAC for its Service Account.
This section can be as complex as the security requirements that your organization demands for the ArgoCD deployment. The easiest solution for non-productive environments would be to grant cluster-admin rights to the service account that interacts with the k8s API.
oc adm policy add-cluster-role-to-user admin system:serviceaccount:gitops:argocd-cluster-argocd-application-controllerIf you prefer to have a per-project tunning, you can use the configuration set in the template template/gitops-03-application-app.yaml, where we provide project admin rights to the same service account. This is also oriented to get a proper multi-tenancy configuration, like in the previous section. Check the template mentioned or use the following command:
oc adm policy add-role-to-user admin system:serviceaccount:gitops:argocd-cluster-argocd-application-controller -n spring-petclinicObviously, you can even set a finer tunning by creating a custom Role and RoleBinding to specify the resources that each ArgoCD will be allowed to manage per namespace. This KCS gives you an example of how to configure one of these RoleBindings.
Extra documentation:
-
Deep-dive blog post about namespace isolation using the SA
RoleBindings. -
Upstream issue regarding permissions for the ArgoCD instance.
The RBAC feature enables restriction of access to Argo CD resources. Argo CD does not have its own user management system and has only one built-in user admin.
The RBAC configuration can be customized using the `ArgoCD.spec.rbac.policy `
/ / TO DO
https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/ https://rtfm.co.ua/en/argocd-users-access-and-rbac/#Projects_and_roles https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#configuring-rbac-with-projects https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv
oc adm groups new spring-petclinic-developer oc adm groups new spring-petclinic-admin oc adm groups add-users spring-petclinic-admin alopezme oc adm groups add-users spring-petclinic-developer svidalur
|
|
This section expects you to create the namespace for the demo application manually. In the following section you will see how to automate it with GitOps, too. Execute the following command: oc new-project spring-petclinic --display-name="Pet Clinic app" --description="This project holds all the resources of the Pet Clinic application" |
Create an Application resource using the following template:
oc process -f templates/gitops-03-application-app.yaml | oc apply -f -|
|
This section explains how to automate the management of Openshift infra resources like projects. Please, delete the project created manually in the previous section. Execute the following command: oc delete project spring-petclinic |
|
❗
|
TL;DR: Execute the following script to auto-install a Nexus instance in your cluster: |
Nexus Repository OSS is an open source repository that supports many artifact formats, including Docker, Java™, and npm. With the Nexus tool integration, pipelines in your toolchain can publish and retrieve versioned apps and their dependencies by using central repositories that are accessible from other environments.
If you are planning to deploy your applications using Helm charts, most of the architectures you will need a Helm repository to host to packaged Helm charts. Install a Nexus repository manager using the following commands:
# Define common variables
OPERATOR_NAMESPACE="nexus"
# Deploy operator
oc process -f templates/nexus-01-operator.yaml -p OPERATOR_NAMESPACE=$OPERATOR_NAMESPACE | oc apply -f -
# Workaround for issue: https://github.com/sonatype/operator-nxrm3/issues/8
oc adm policy add-scc-to-user privileged -z default -n $OPERATOR_NAMESPACE
# Deploy application instance
oc process -f templates/nexus-02-server.yaml -p OPERATOR_NAMESPACE=$OPERATOR_NAMESPACE -p SERVER_NAME="nexus-server" | oc apply -f -Create a Helm repository with the following steps:
-
Access the Nexus route:
oc get routes nexus-server --template="https://{{.spec.host}}". -
Log in using the admin credentials:
admin/admin123. -
Server Administration > Repositories > Create Repositories > "Helm(hosted)"
-
name:
helm-charts. -
DeploymentPolicy:
Allow redeploy.
-
-
Click on
Create repository.
If you don’t want to use the console, you can use CURL command to create this repository on the auto-install-nexus script.
OpenShift GitOps is shipped inclusive as part of the OpenShift Container Platform subscription and supported per the Red Hat production terms of support.
Check the following table with GitOps versions and its equivalent to ArgoCD:
| GitOps version | OCP version | ArgoCD version | Release date |
|---|---|---|---|
1.0 (TP) |
4.6 |
1.8 |
Feb 12, 2021 |
1.1 |
4.7 |
X |
April 15, 2021 |
1.2 |
4.8 |
2.0 |
July 29, 2021 |
1.3 (Not GA yet) |
4.9 |
2.1 |
October, 2021? |
For more information, check the Red Hat OpenShift Container Platform Life Cycle Policy.
Note that only the ArgoCD CRD is supported, the rest are Tech Preview in the latest version of Openshift GitOps:
| Feature | Support in GitOps 1.2 |
|---|---|
Argo CD |
GA |
Argo CD ApplicationSet |
TP |
Red Hat OpenShift GitOps Application Manager (kam) |
TP |
Red Hat OpenShift GitOps Service |
TP |
For more information check the Openshift GitOps release notes.