Skip to content

Instantly share code, notes, and snippets.

@bikramgupta
Last active October 14, 2019 13:17
Show Gist options
  • Save bikramgupta/9c24c14f0177b9862f7b628a880f7568 to your computer and use it in GitHub Desktop.
Save bikramgupta/9c24c14f0177b9862f7b628a880f7568 to your computer and use it in GitHub Desktop.
argocd-secops-tutorial
# Install argo CD
[centos@ip-172-31-8-215 argocd]$ kubectl create namespace argocd
namespace/argocd created
[centos@ip-172-31-8-215 argocd]$ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
customresourcedefinition.apiextensions.k8s.io/applications.argoproj.io created
customresourcedefinition.apiextensions.k8s.io/appprojects.argoproj.io created
serviceaccount/argocd-application-controller created
serviceaccount/argocd-dex-server created
serviceaccount/argocd-server created
role.rbac.authorization.k8s.io/argocd-application-controller created
role.rbac.authorization.k8s.io/argocd-dex-server created
role.rbac.authorization.k8s.io/argocd-server created
clusterrole.rbac.authorization.k8s.io/argocd-application-controller created
clusterrole.rbac.authorization.k8s.io/argocd-server created
rolebinding.rbac.authorization.k8s.io/argocd-application-controller created
rolebinding.rbac.authorization.k8s.io/argocd-dex-server created
rolebinding.rbac.authorization.k8s.io/argocd-server created
clusterrolebinding.rbac.authorization.k8s.io/argocd-application-controller created
clusterrolebinding.rbac.authorization.k8s.io/argocd-server created
configmap/argocd-cm created
configmap/argocd-rbac-cm created
configmap/argocd-ssh-known-hosts-cm created
configmap/argocd-tls-certs-cm created
secret/argocd-secret created
service/argocd-dex-server created
service/argocd-metrics created
service/argocd-redis created
service/argocd-repo-server created
service/argocd-server-metrics created
service/argocd-server created
deployment.apps/argocd-application-controller created
deployment.apps/argocd-dex-server created
deployment.apps/argocd-redis created
deployment.apps/argocd-repo-server created
deployment.apps/argocd-server created
[centos@ip-172-31-8-215 argocd]$
# There are 2 CRDs - applications and appprojects.
# Configmaps, RBAC permissions
# We need to expose argocd-server outside the cluster
[centos@ip-172-31-8-215 argocd]$ kubectl get all -n argocd
NAME READY STATUS RESTARTS AGE
pod/argocd-application-controller-68f8bf79d8-rrtwb 1/1 Running 0 19m
pod/argocd-dex-server-5994988c7f-jk42n 1/1 Running 0 19m
pod/argocd-redis-78c9595d44-pkgpp 1/1 Running 0 19m
pod/argocd-repo-server-775496b8dd-wr7dx 1/1 Running 0 19m
pod/argocd-server-56db6f6cb6-rl9ks 1/1 Running 0 19m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/argocd-dex-server ClusterIP 10.110.249.95 <none> 5556/TCP,5557/TCP 19m
service/argocd-metrics ClusterIP 10.110.6.191 <none> 8082/TCP 19m
service/argocd-redis ClusterIP 10.108.93.90 <none> 6379/TCP 19m
service/argocd-repo-server ClusterIP 10.111.133.223 <none> 8081/TCP,8084/TCP 19m
service/argocd-server ClusterIP 10.96.199.175 <none> 80/TCP,443/TCP 19m
service/argocd-server-metrics ClusterIP 10.102.185.137 <none> 8083/TCP 19m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/argocd-application-controller 1/1 1 1 19m
deployment.apps/argocd-dex-server 1/1 1 1 19m
deployment.apps/argocd-redis 1/1 1 1 19m
deployment.apps/argocd-repo-server 1/1 1 1 19m
deployment.apps/argocd-server 1/1 1 1 19m
NAME DESIRED CURRENT READY AGE
replicaset.apps/argocd-application-controller-68f8bf79d8 1 1 1 19m
replicaset.apps/argocd-dex-server-5994988c7f 1 1 1 19m
replicaset.apps/argocd-redis-78c9595d44 1 1 1 19m
replicaset.apps/argocd-repo-server-775496b8dd 1 1 1 19m
replicaset.apps/argocd-server-56db6f6cb6 1 1 1 19m
[centos@ip-172-31-8-215 argocd]$
# Let us expose argocd server using a NodePort for this tutorial
[centos@ip-172-31-8-215 argocd]$ kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "NodePort"}}'
service/argocd-server patched
[centos@ip-172-31-8-215 argocd]$ kubectl get svc -n argocd argocd-server
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
argocd-server NodePort 10.96.199.175 <none> 80:32623/TCP,443:30058/TCP 23m
[centos@ip-172-31-8-215 argocd]$
# So now we can access argocd server on nodeport 30058
# Let us first change the default password (name of argocd-server pod) for admin user.
[centos@ip-172-31-8-215 argocd]$ kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
argocd-server-56db6f6cb6-rl9ks
[centos@ip-172-31-8-215 argocd]$ argocd login 10.96.199.175
WARNING: server certificate had error: x509: cannot validate certificate for 10.96.199.175 because it doesn't contain any IP SANs. Proceed insecurely (y/n)? y
Username: admin
Password:
'admin' logged in successfully
Context '10.96.199.175' updated
[centos@ip-172-31-8-215 argocd]$ argocd account update-password
*** Enter current password:
*** Enter new password:
*** Confirm new password:
Password updated
Context '10.96.199.175' updated
[centos@ip-172-31-8-215 argocd]$
# Argo CD ui is very intuitive. Follow through the ui to add your github repo and add your policy folder to sync.
# Let us sync via CLI
[centos@ip-172-31-8-215 argocd]$ argocd
argocd controls a Argo CD server
Usage:
argocd [flags]
argocd [command]
Available Commands:
account Manage account settings
app Manage applications
cert Manage repository certificates and SSH known hosts entries
cluster Manage cluster credentials
completion output shell completion code for the specified shell (bash or zsh)
context Switch between contexts
help Help about any command
login Log in to Argo CD
logout Log out from Argo CD
proj Manage projects
relogin Refresh an expired authenticate token
repo Manage git repository connection parameters
version Print version information
Flags:
--auth-token string Authentication token
--config string Path to Argo CD config (default "/home/centos/.argocd/config")
--grpc-web Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2.
-h, --help help for argocd
--insecure Skip server certificate and domain verification
--loglevel string Set the logging level. One of: debug|info|warn|error (default "info")
--plaintext Disable TLS
--server string Argo CD server address
--server-crt string Server certificate file
Use "argocd [command] --help" for more information about a command.
[centos@ip-172-31-8-215 hep]$ argocd app list
NAME CLUSTER NAMESPACE PROJECT STATUS HEALTH SYNCPOLICY CONDITIONS REPO PATH TARGET
secops https://kubernetes.default.svc default default OutOfSync Missing <none> <none> https://github.com/bikram20/k8sconfig secops HEAD
[centos@ip-172-31-8-215 hep]$
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment