#!/usr/bin/env bash
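# Fail fast: -e aborts on the first failing command, -u rejects unset
# variables, and pipefail makes a pipeline fail when any of its stages fails
# (with plain -e only the last stage of a pipeline is checked).
set -euo pipefail

# CONSTANTS

# Node image for the kind cluster, pinned by tag. A tag can be re-pushed;
# appending the image digest (@sha256:<DIGEST>) makes the pull reproducible.
readonly KIND_IMAGE=kindest/node:v1.24.4
# Name of the kind cluster that this script deletes and recreates.
readonly NAME=argo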
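# DELETE CLUSTER

# Remove any cluster left over from a previous run so the script starts from a
# clean state. `|| true` keeps `set -e` from aborting when the delete command
# returns non-zero. The expansion is quoted so the name is always passed as a
# single argument.
kind delete cluster --name "$NAME" || true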
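# CREATE CLUSTER

# Create a single-node kind cluster from an inline config read on stdin.
# The control-plane node is labelled ingress-ready=true and container ports
# 80/443 are published on the same host ports.
#
# NOTE(review): the port mappings set no listenAddress, and kind then binds
# the host ports on all interfaces (0.0.0.0), so the ingress is reachable from
# the local network and not only from this machine. The services deployed
# later in this script are served over plain HTTP; adding
# `listenAddress: "127.0.0.1"` to each mapping keeps them loopback-only.
kind create cluster --name "$NAME" --image "$KIND_IMAGE" --config - <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
  - role: control-plane
    kubeadmConfigPatches:
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            node-labels: "ingress-ready=true"
    extraPortMappings:
      - containerPort: 80
        hostPort: 80
        protocol: TCP
      - containerPort: 443
        hostPort: 443
        protocol: TCP
EOF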
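# DEPLOY INGRESS-NGINX

# NOTE(review): by default the manifest is fetched from the moving `main`
# branch and applied with the caller's cluster credentials, so what gets
# installed can change between runs without any change to this script.
# Set INGRESS_NGINX_REF to a release tag or commit SHA of
# kubernetes/ingress-nginx to pin the manifest; the default stays `main`.
INGRESS_NGINX_REF="${INGRESS_NGINX_REF:-main}"
kubectl apply -f "https://raw.githubusercontent.com/kubernetes/ingress-nginx/${INGRESS_NGINX_REF}/deploy/static/provider/kind/deploy.yaml"

# Fixed pause before waiting; presumably gives the controller pod time to be
# created, since the wait below needs a pod that matches the selector.
sleep 15

# Block until the ingress controller pod reports Ready, for at most 90 seconds.
kubectl wait --namespace ingress-nginx \
  --for=condition=ready pod \
  --selector=app.kubernetes.io/component=controller \
  --timeout=90s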
# DEPLOY ARGOCD

# Install (or upgrade) the argo-cd chart as release `argocd` in the `argocd`
# namespace, with values supplied inline on stdin. --atomic rolls the release
# back when the install does not succeed within the 15 minute timeout.
#
# The values disable dex and redis-ha, exclude the Kyverno report kinds from
# Argo CD on all clusters, and publish the server under /argocd through the
# nginx ingress class.
#
# NOTE(review): no --version is passed, so the chart version is whatever the
# repository serves at run time; `--version <CHART_VERSION>` pins it.
# NOTE(review): `--insecure` runs argocd-server without TLS and the configured
# url is http://localhost/argocd, so logins and session tokens cross the
# ingress in clear text. Fine for a throwaway local cluster, not beyond that.
# NOTE(review): the cert-manager.io/cluster-issuer annotation names
# `ca-issuer`; no step visible in this script installs cert-manager or creates
# that issuer, so the annotation presumably has no effect here. Confirm.
helm upgrade argocd argo-cd \
  --install \
  --repo https://argoproj.github.io/argo-helm \
  --namespace argocd \
  --create-namespace \
  --wait \
  --timeout 15m \
  --atomic \
  --values - <<EOF
dex:
  enabled: false
redis:
  enabled: true
redis-ha:
  enabled: false
repoServer:
  serviceAccount:
    create: true
server:
  config:
    resource.exclusions: |
      - apiGroups:
          - kyverno.io
        kinds:
          - AdmissionReport
          - BackgroundScanReport
          - ClusterAdmissionReport
          - ClusterBackgroundScanReport
        clusters:
          - '*'
    resource.compareoptions: |
      ignoreAggregatedRoles: true
      ignoreResourceStatusField: all
    url: http://localhost/argocd
    application.instanceLabelKey: argocd.argoproj.io/instance
  extraArgs:
    - --insecure
    - --rootpath
    - /argocd
  ingress:
    annotations:
      kubernetes.io/ingress.class: nginx
      cert-manager.io/cluster-issuer: ca-issuer
    enabled: true
    paths:
      - /argocd
EOF
# CREATE KYVERNO APP

# Register an Argo CD Application that installs the `kyverno` chart, pinned to
# targetRevision 2.6.0, into the `kyverno` namespace of the local cluster.
# Sync is automated with prune and selfHeal, so Argo CD removes resources that
# leave the chart and reverts manual changes. Replace=true makes Argo CD
# replace resources instead of applying them.
#
# NOTE(review): the Application lives in the `default` project. Unless that
# project has been restricted elsewhere, it does not limit source repositories
# or destinations; a dedicated AppProject scoped to this repoURL and namespace
# is the tighter choice outside a local demo.
kubectl apply --filename - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno
  namespace: argocd
spec:
  destination:
    namespace: kyverno
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: kyverno
    repoURL: https://kyverno.github.io/kyverno
    targetRevision: 2.6.0
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - Replace=true
EOF
# CREATE KYVERNO-POLICIES APP

# Register an Argo CD Application that installs the `kyverno-policies` chart,
# pinned to targetRevision 2.6.0, into the `kyverno` namespace. Sync is
# automated with prune and selfHeal; the namespace is created on demand.
#
# NOTE(review): the values are left at the chart defaults, so which policies
# are installed and whether they audit or enforce is decided by the chart.
# Check the rendered policies before relying on them as a control.
kubectl apply --filename - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno-policies
  namespace: argocd
spec:
  destination:
    namespace: kyverno
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: kyverno-policies
    repoURL: https://kyverno.github.io/kyverno
    targetRevision: 2.6.0
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
EOF
# CREATE REPORTER-UI APP

# Register an Argo CD Application that installs the `policy-reporter` chart,
# pinned to targetRevision 2.13.1, with the UI and the Kyverno plugin enabled.
# The UI is published through the ingress under /policy-reporter.
#
# The heredoc delimiter is unquoted, so the shell expands `$name` inside it.
# The nginx capture-group references are therefore written as `\$1` / `\$2`.
# A `$` followed by `)` or a space is left as-is by the shell.
#
# NOTE(review): the ingress relies on the configuration-snippet annotation,
# which injects raw nginx configuration. Anyone allowed to create Ingress
# objects gets the same power, so controllers can be set to reject snippets
# through the `allow-snippet-annotations` option. Confirm that the deployed
# ingress-nginx accepts the annotation.
# NOTE(review): `host: ~` sets no host name, so the rule presumably matches
# every host. The values shown configure no authentication for the UI.
kubectl apply --filename - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: policy-reporter
  namespace: argocd
spec:
  destination:
    namespace: kyverno
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: policy-reporter
    repoURL: https://kyverno.github.io/policy-reporter
    targetRevision: 2.13.1
    helm:
      values: |
        ui:
          enabled: true
          ingress:
            annotations:
              nginx.ingress.kubernetes.io/rewrite-target: \$1\$2
              nginx.ingress.kubernetes.io/configuration-snippet: |
                rewrite ^(/policy-reporter)$ \$1/ redirect;
            enabled: true
            hosts:
              - host: ~
                paths:
                  - path: /policy-reporter(/|$)(.*)
                    pathType: Prefix
        kyvernoPlugin:
          enabled: true
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
EOF
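# Read the generated admin password from the argocd-initial-admin-secret.
# The secret lookup runs as its own command so that a kubectl failure stops
# the script under `set -e`. When kubectl is the first stage of a pipeline,
# only the exit status of `base64` is checked and a failed lookup would
# silently produce an empty password.
encoded_password=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}")
ARGOCD_PASSWORD=$(printf '%s' "$encoded_password" | base64 -d)

# NOTE(review): the password is printed in clear text, so it ends up in the
# terminal scrollback and in any captured log of this run. On anything other
# than a throwaway local cluster, change the admin password after first login
# and delete the argocd-initial-admin-secret secret.
echo "---------------------------------------------------------------------------------"
echo "ArgoCD is running and available at http://localhost/argocd"
echo "- log in with admin / $ARGOCD_PASSWORD"
echo "policy-reporter is running and available at http://localhost/policy-reporter"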