
refactor: split argocd lab into multiple steps (#5410)

* refactor: argocd lab

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: split argocd lab into multiple steps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix tempo

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2022-11-22 09:36:40 +01:00 committed by GitHub
parent f70c6ef444
commit 28619ce3db
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 447 additions and 362 deletions


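--- a/scripts/labs/argocd/0-cluster.sh
+++ b/scripts/labs/argocd/0-cluster.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -e
+# DELETE CLUSTER
+kind delete cluster --name ${KIND_NAME:-argo} || true
+# CREATE CLUSTER
+kind create cluster --name ${KIND_NAME:-argo} --image ${KIND_IMAGE:-kindest/node:v1.24.4} --config - <<EOF
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+kubeadmConfigPatches:
+- |-
+kind: ClusterConfiguration
+controllerManager:
+extraArgs:
+bind-address: 0.0.0.0
+etcd:
+local:
+extraArgs:
+listen-metrics-urls: http://0.0.0.0:2381
+scheduler:
+extraArgs:
+bind-address: 0.0.0.0
+- |-
+kind: KubeProxyConfiguration
+metricsBindAddress: 0.0.0.0
+nodes:
+- role: control-plane
+kubeadmConfigPatches:
+- |-
+kind: InitConfiguration
+nodeRegistration:
+kubeletExtraArgs:
+node-labels: "ingress-ready=true"
+extraPortMappings:
+- containerPort: 80
+hostPort: 80
+protocol: TCP
+- containerPort: 443
+hostPort: 443
+protocol: TCP
+- role: worker
+- role: worker
+- role: worker
+EOF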
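Review bot: The kubeadm patches in the heredoc bind the controller-manager, scheduler and etcd metrics endpoints on `0.0.0.0` without saying why, and nothing records that this is only acceptable because kind nodes are Docker containers on a local bridge. A comment above `kubeadmConfigPatches:` such as `# expose control-plane metrics on all node interfaces so kube-prometheus-stack (step 3, etcd targetPort 2381) can scrape them; lab cluster only` keeps the block from being copied into a real cluster config. Separately, `${KIND_NAME:-argo}` and `${KIND_IMAGE:-...}` are expanded unquoted on both `kind` command lines; `--name "${KIND_NAME:-argo}"` and `--image "${KIND_IMAGE:-kindest/node:v1.24.4}"` keeps word splitting out of the picture if a caller sets them to something unusual.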


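--- a/scripts/labs/argocd/1-ingress-nginx.sh
+++ b/scripts/labs/argocd/1-ingress-nginx.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -e
+# DEPLOY INGRESS-NGINX
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+sleep 15
+kubectl wait --namespace ingress-nginx \
+--for=condition=ready pod \
+--selector=app.kubernetes.io/component=controller \
+--timeout=90s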
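Review bot: The ingress-nginx manifest is fetched from the `main` branch of the upstream repository, so this step installs whatever the controller happens to be at run time, while every other step in the lab pins a chart `targetRevision`. Pin the URL to a release tag (replace `main` with a `controller-v<X.Y.Z>` tag, placeholder) so the lab is reproducible and a change in upstream defaults cannot break later steps silently. The `sleep 15` before `kubectl wait` appears to be a workaround for the controller pod not existing yet when `wait` runs; a comment such as `# the deployment creates its pod asynchronously; give it time to appear before waiting on readiness` would keep the next reader from removing it.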

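--- a/scripts/labs/argocd/2-argocd.sh
+++ b/scripts/labs/argocd/2-argocd.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+set -e
+# DEPLOY ARGOCD
+helm upgrade --install --wait --timeout 15m --atomic --namespace argocd --create-namespace \
+--repo https://argoproj.github.io/argo-helm argocd argo-cd --values - <<EOF
+dex:
+enabled: false
+redis:
+enabled: true
+redis-ha:
+enabled: false
+repoServer:
+serviceAccount:
+create: true
+server:
+config:
+resource.exclusions: |
+- apiGroups:
+- kyverno.io
+kinds:
+- AdmissionReport
+- BackgroundScanReport
+- ClusterAdmissionReport
+- ClusterBackgroundScanReport
+clusters:
+- '*'
+resource.compareoptions: |
+ignoreAggregatedRoles: true
+ignoreResourceStatusField: all
+url: http://localhost/argocd
+application.instanceLabelKey: argocd.argoproj.io/instance
+extraArgs:
+- --insecure
+- --rootpath
+- /argocd
+ingress:
+annotations:
+kubernetes.io/ingress.class: nginx
+cert-manager.io/cluster-issuer: ca-issuer
+enabled: true
+paths:
+- /argocd
+EOF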
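Review bot: `server.extraArgs` passes `--insecure` and `server.config.url` is plain `http://localhost/argocd`, which works behind the kind ingress but is not explained anywhere in the values. A comment above `extraArgs:` such as `# no TLS anywhere in this lab: the API server speaks plain HTTP behind ingress-nginx (lab only)` makes the intent explicit. The `cert-manager.io/cluster-issuer: ca-issuer` ingress annotation looks like dead configuration: none of the steps on this page installs cert-manager, so either drop the annotation or add the step it expects. The `resource.exclusions` entry for the Kyverno report kinds also deserves a one-line comment, presumably `# report resources are generated continuously by kyverno; keep Argo CD from tracking them`.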


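--- a/scripts/labs/argocd/3-kube-prometheus-stack.sh
+++ b/scripts/labs/argocd/3-kube-prometheus-stack.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -e
+# CREATE KUBE-PROMETHEUS-STACK APP
+kubectl apply -f - <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: kube-prometheus-stack
+namespace: argocd
+spec:
+destination:
+namespace: monitoring
+server: https://kubernetes.default.svc
+project: default
+source:
+chart: kube-prometheus-stack
+repoURL: https://prometheus-community.github.io/helm-charts
+targetRevision: 41.7.3
+helm:
+values: |
+kubeEtcd:
+service:
+enabled: true
+targetPort: 2381
+defaultRules:
+create: true
+alertmanager:
+alertmanagerSpec:
+routePrefix: /alertmanager
+alertmanagerConfigSelector:
+matchLabels: {}
+alertmanagerConfigNamespaceSelector:
+matchLabels: {}
+ingress:
+enabled: true
+pathType: Prefix
+prometheus:
+prometheusSpec:
+externalUrl: /prometheus
+routePrefix: /prometheus
+ruleSelectorNilUsesHelmValues: false
+serviceMonitorSelectorNilUsesHelmValues: false
+podMonitorSelectorNilUsesHelmValues: false
+probeSelectorNilUsesHelmValues: false
+ingress:
+enabled: true
+pathType: Prefix
+grafana:
+enabled: true
+adminPassword: admin
+sidecar:
+enableUniqueFilenames: true
+dashboards:
+enabled: true
+searchNamespace: ALL
+provider:
+foldersFromFilesStructure: true
+datasources:
+enabled: true
+searchNamespace: ALL
+grafana.ini:
+server:
+root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana"
+serve_from_sub_path: true
+ingress:
+enabled: true
+path: /grafana
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+syncOptions:
+- CreateNamespace=true
+- ServerSideApply=true
+EOF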
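Review bot: `grafana.adminPassword: admin` hard-codes the Grafana credential in the Application manifest, and the same literal is echoed by `minimal.sh` (`log in with admin / admin`), so the two can drift apart. The heredoc is unquoted, so the script already expands shell parameters (the same pattern as `${KIND_NAME:-argo}` in `0-cluster.sh`); `adminPassword: ${GRAFANA_ADMIN_PASSWORD:-admin}` keeps the lab default while letting a user override it, with the echo in `minimal.sh` reading the same variable. The Prometheus, Alertmanager and Grafana ingresses are reachable on the host's port 80 with nothing authenticating in front of them; a comment at the top of the values, `# every UI below is reachable unauthenticated on http://localhost; lab cluster only`, documents that this is deliberate.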

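--- a/scripts/labs/argocd/4-loki.sh
+++ b/scripts/labs/argocd/4-loki.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -e
+# CREATE LOKI APP
+kubectl apply -f - <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: loki
+namespace: argocd
+spec:
+destination:
+namespace: monitoring
+server: https://kubernetes.default.svc
+project: default
+source:
+chart: loki-stack
+repoURL: https://grafana.github.io/helm-charts
+targetRevision: 2.8.4
+helm:
+values: |
+loki:
+isDefault: false
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+EOF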
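Review bot: The Application targets `destination.namespace: monitoring` but, unlike `kube-prometheus-stack`, carries no `syncOptions`, so it only syncs because step 3 has already created the namespace with `CreateNamespace=true`. Adding `syncOptions:` / `- CreateNamespace=true` under `syncPolicy` removes that hidden ordering dependency, which is the same gap `5-tempo.sh` works around with an ad-hoc `kubectl create` call.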

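--- a/scripts/labs/argocd/5-tempo.sh
+++ b/scripts/labs/argocd/5-tempo.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -e
+# CREATE TEMPO APP
+kubectl apply -f - <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: tempo
+namespace: argocd
+spec:
+destination:
+namespace: monitoring
+server: https://kubernetes.default.svc
+project: default
+source:
+chart: tempo
+repoURL: https://grafana.github.io/helm-charts
+targetRevision: 0.16.5
+helm:
+values: |
+tempo:
+searchEnabled: true
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+EOF
+kubectl create namespadce monitoring || true
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+labels:
+grafana_datasource: "1"
+name: tempo-datasource
+namespace: monitoring
+data:
+tempo-datasource.yaml: |-
+apiVersion: 1
+datasources:
+- name: Tempo
+type: tempo
+access: proxy
+url: "http://tempo.monitoring:3100"
+version: 1
+isDefault: false
+EOF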
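Review bot: `kubectl create namespadce monitoring || true` misspells the subcommand, and the `|| true` hides the resulting usage error, so the namespace is never created by this script and the ConfigMap apply that follows only succeeds when step 3 has already created `monitoring`. Use `kubectl create namespace monitoring --dry-run=client -o yaml | kubectl apply -f -`, which is idempotent and lets a genuine failure surface under `set -e` instead of being swallowed. The ConfigMap is also applied directly with kubectl while the `tempo` Application is managed by Argo CD; a comment such as `# grafana datasource for tempo; applied with kubectl, not tracked by the Argo CD app` will save confusion later.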


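--- a/scripts/labs/argocd/6-metrics-server.sh
+++ b/scripts/labs/argocd/6-metrics-server.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -e
+# CREATE METRICS-SERVER APP
+kubectl apply -f - <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: metrics-server
+namespace: argocd
+spec:
+destination:
+namespace: kube-system
+server: https://kubernetes.default.svc
+project: default
+source:
+chart: metrics-server
+repoURL: https://charts.bitnami.com/bitnami
+targetRevision: 6.2.2
+helm:
+values: |
+extraArgs:
+- --kubelet-insecure-tls=true
+apiService:
+create: true
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+EOF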
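Review bot: `--kubelet-insecure-tls=true` turns off verification of the kubelet serving certificate and the values give no reason for it. Kind's kubelets typically serve self-signed certificates without usable SANs, which is presumably why the flag is needed here; a comment directly above it, `# kind kubelets use self-signed serving certs; skip verification in this lab only, never in a real cluster`, records the reason and marks the setting as non-portable.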


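--- a/scripts/labs/argocd/7-kyverno.sh
+++ b/scripts/labs/argocd/7-kyverno.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -e
+# CREATE KYVERNO APP
+kubectl apply -f - <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: kyverno
+namespace: argocd
+spec:
+destination:
+namespace: kyverno
+server: https://kubernetes.default.svc
+project: default
+source:
+chart: kyverno
+repoURL: https://kyverno.github.io/kyverno
+targetRevision: 2.6.1
+helm:
+values: |
+serviceMonitor:
+enabled: true
+initContainer:
+extraArgs:
+- --loggingFormat=json
+extraArgs:
+- --loggingFormat=json
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+syncOptions:
+- CreateNamespace=true
+- ServerSideApply=true
+EOF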
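Review bot: `serviceMonitor.enabled: true` makes the chart render a `ServiceMonitor`, whose CRD is installed by the kube-prometheus-stack Application in step 3; if this script runs before that app has synced, the Argo CD sync fails on the unknown kind. `all.sh` runs `common-steps.sh` first so the order holds today, but a comment above `serviceMonitor:` (`# requires the ServiceMonitor CRD installed by 3-kube-prometheus-stack.sh`) keeps the dependency visible. `--loggingFormat=json` is given for both the init container and the main container; that is presumably intended, but a one-line comment saying so would stop someone "deduplicating" it.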


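--- a/scripts/labs/argocd/8-kyverno-policies.sh
+++ b/scripts/labs/argocd/8-kyverno-policies.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -e
+# CREATE KYVERNO-POLICIES APP
+kubectl apply -f - <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: kyverno-policies
+namespace: argocd
+spec:
+destination:
+namespace: kyverno
+server: https://kubernetes.default.svc
+project: default
+source:
+chart: kyverno-policies
+repoURL: https://kyverno.github.io/kyverno
+targetRevision: 2.6.1
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+syncOptions:
+- CreateNamespace=true
+EOF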


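--- a/scripts/labs/argocd/9-policy-reporter.sh
+++ b/scripts/labs/argocd/9-policy-reporter.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -e
+# CREATE POLICY-REPORTER APP
+kubectl apply -f - <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: policy-reporter
+namespace: argocd
+spec:
+destination:
+namespace: kyverno
+server: https://kubernetes.default.svc
+project: default
+source:
+chart: policy-reporter
+repoURL: https://kyverno.github.io/policy-reporter
+targetRevision: 2.13.4
+helm:
+values: |
+ui:
+enabled: true
+ingress:
+annotations:
+nginx.ingress.kubernetes.io/rewrite-target: \$1\$2
+nginx.ingress.kubernetes.io/configuration-snippet: |
+rewrite ^(/policy-reporter)$ \$1/ redirect;
+enabled: true
+hosts:
+- host: ~
+paths:
+- path: /policy-reporter(/|$)(.*)
+pathType: Prefix
+kyvernoPlugin:
+enabled: true
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+syncOptions:
+- CreateNamespace=true
+EOF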
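Review bot: The UI ingress relies on `nginx.ingress.kubernetes.io/configuration-snippet`, and newer ingress-nginx releases disable snippet annotations by default (the controller rejects the ingress unless `allow-snippet-annotations` is enabled in its ConfigMap); because step 1 installs the controller from the upstream `main` branch, this ingress can stop being admitted without any change in this repository. Either pin the controller version in `1-ingress-nginx.sh` or express the redirect without a snippet if the chart allows it, and record the dependency above the annotation (`# needs allow-snippet-annotations=true on the ingress-nginx controller`). The `\$1\$2` escapes are required because the heredoc is unquoted; a short comment on the `kubectl apply` line, `# heredoc is unquoted so shell parameters expand; nginx captures are escaped as \$1`, explains the backslashes.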


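--- a/scripts/labs/argocd/common-steps.sh
+++ b/scripts/labs/argocd/common-steps.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -e
+readonly SRC=$(dirname "$0")
+$SRC/0-cluster.sh
+$SRC/1-ingress-nginx.sh
+$SRC/2-argocd.sh
+$SRC/3-kube-prometheus-stack.sh
+$SRC/4-loki.sh
+$SRC/5-tempo.sh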
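Review bot: `$SRC` is expanded unquoted on each invocation, so a checkout path containing whitespace splits the command; write them as `"$SRC/0-cluster.sh"` and so on (`all.sh` and `minimal.sh` call the scripts the same way). A header comment stating what the file is for, `# shared steps: cluster, ingress, Argo CD and the monitoring apps; the kyverno apps are added by all.sh`, would help, since the file name alone does not say which steps are "common". The steps are also order-sensitive: `4-loki.sh` and `5-tempo.sh` assume the `monitoring` namespace created by `3-kube-prometheus-stack.sh`, which is worth a one-line comment above the list.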


@ -2,369 +2,13 @@
set -e
# CONSTANTS
readonly SRC=$(dirname "$0")
readonly KIND_IMAGE=kindest/node:v1.24.4
readonly NAME=argo
# DELETE CLUSTER
kind delete cluster --name $NAME || true
# CREATE CLUSTER
kind create cluster --name $NAME --image $KIND_IMAGE --config - <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
kubeadmConfigPatches:
- |-
kind: ClusterConfiguration
controllerManager:
extraArgs:
bind-address: 0.0.0.0
etcd:
local:
extraArgs:
listen-metrics-urls: http://0.0.0.0:2381
scheduler:
extraArgs:
bind-address: 0.0.0.0
- |-
kind: KubeProxyConfiguration
metricsBindAddress: 0.0.0.0
nodes:
- role: control-plane
kubeadmConfigPatches:
- |-
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
- role: worker
- role: worker
- role: worker
EOF
# DEPLOY INGRESS-NGINX
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
sleep 15
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=90s
# DEPLOY ARGOCD
helm upgrade --install --wait --timeout 15m --atomic --namespace argocd --create-namespace \
--repo https://argoproj.github.io/argo-helm argocd argo-cd --values - <<EOF
dex:
enabled: false
redis:
enabled: true
redis-ha:
enabled: false
repoServer:
serviceAccount:
create: true
server:
config:
resource.exclusions: |
- apiGroups:
- kyverno.io
kinds:
- AdmissionReport
- BackgroundScanReport
- ClusterAdmissionReport
- ClusterBackgroundScanReport
clusters:
- '*'
resource.compareoptions: |
ignoreAggregatedRoles: true
ignoreResourceStatusField: all
url: http://localhost/argocd
application.instanceLabelKey: argocd.argoproj.io/instance
extraArgs:
- --insecure
- --rootpath
- /argocd
ingress:
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: ca-issuer
enabled: true
paths:
- /argocd
EOF
# CREATE METRICS-SERVER APP
kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metrics-server
namespace: argocd
spec:
destination:
namespace: kube-system
server: https://kubernetes.default.svc
project: default
source:
chart: metrics-server
repoURL: https://charts.bitnami.com/bitnami
targetRevision: 6.2.2
helm:
values: |
extraArgs:
- --kubelet-insecure-tls=true
apiService:
create: true
syncPolicy:
automated:
prune: true
selfHeal: true
EOF
# CREATE KUBE-PROMETHEUS-STACK APP
kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kube-prometheus-stack
namespace: argocd
spec:
destination:
namespace: monitoring
server: https://kubernetes.default.svc
project: default
source:
chart: kube-prometheus-stack
repoURL: https://prometheus-community.github.io/helm-charts
targetRevision: 41.7.3
helm:
values: |
kubeEtcd:
service:
enabled: true
targetPort: 2381
defaultRules:
create: true
alertmanager:
alertmanagerSpec:
routePrefix: /alertmanager
alertmanagerConfigSelector:
matchLabels: {}
alertmanagerConfigNamespaceSelector:
matchLabels: {}
ingress:
enabled: true
pathType: Prefix
prometheus:
prometheusSpec:
externalUrl: /prometheus
routePrefix: /prometheus
ruleSelectorNilUsesHelmValues: false
serviceMonitorSelectorNilUsesHelmValues: false
podMonitorSelectorNilUsesHelmValues: false
probeSelectorNilUsesHelmValues: false
ingress:
enabled: true
pathType: Prefix
grafana:
enabled: true
adminPassword: admin
sidecar:
enableUniqueFilenames: true
dashboards:
enabled: true
searchNamespace: ALL
provider:
foldersFromFilesStructure: true
datasources:
enabled: true
searchNamespace: ALL
grafana.ini:
server:
root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana"
serve_from_sub_path: true
ingress:
enabled: true
path: /grafana
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
EOF
# CREATE LOKI APP
kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: loki
namespace: argocd
spec:
destination:
namespace: monitoring
server: https://kubernetes.default.svc
project: default
source:
chart: loki-stack
repoURL: https://grafana.github.io/helm-charts
targetRevision: 2.8.4
helm:
values: |
loki:
isDefault: false
syncPolicy:
automated:
prune: true
selfHeal: true
EOF
# CREATE TEMPO APP
kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: tempo
namespace: argocd
spec:
destination:
namespace: monitoring
server: https://kubernetes.default.svc
project: default
source:
chart: tempo
repoURL: https://grafana.github.io/helm-charts
targetRevision: 0.16.5
helm:
values: |
tempo:
searchEnabled: true
syncPolicy:
automated:
prune: true
selfHeal: true
EOF
# CREATE KYVERNO APP
kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kyverno
namespace: argocd
spec:
destination:
namespace: kyverno
server: https://kubernetes.default.svc
project: default
source:
chart: kyverno
repoURL: https://kyverno.github.io/kyverno
targetRevision: 2.6.1
helm:
values: |
serviceMonitor:
enabled: true
initContainer:
extraArgs:
- --loggingFormat=json
extraArgs:
- --loggingFormat=json
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
EOF
# CREATE KYVERNO-POLICIES APP
kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kyverno-policies
namespace: argocd
spec:
destination:
namespace: kyverno
server: https://kubernetes.default.svc
project: default
source:
chart: kyverno-policies
repoURL: https://kyverno.github.io/kyverno
targetRevision: 2.6.1
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
EOF
# CREATE POLICY-REPORTER APP
kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: policy-reporter
namespace: argocd
spec:
destination:
namespace: kyverno
server: https://kubernetes.default.svc
project: default
source:
chart: policy-reporter
repoURL: https://kyverno.github.io/policy-reporter
targetRevision: 2.13.4
helm:
values: |
ui:
enabled: true
ingress:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: \$1\$2
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^(/policy-reporter)$ \$1/ redirect;
enabled: true
hosts:
- host: ~
paths:
- path: /policy-reporter(/|$)(.*)
pathType: Prefix
kyvernoPlugin:
enabled: true
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
EOF
$SRC/common-steps.sh
$SRC/6-metrics-server.sh
$SRC/7-kyverno.sh
$SRC/8-kyverno-policies.sh
$SRC/9-policy-reporter.sh
echo "---------------------------------------------------------------------------------"

18
scripts/labs/argocd/minimal.sh Executable file

@ -0,0 +1,18 @@
#!/usr/bin/env bash
set -e
readonly SRC=$(dirname "$0")
$SRC/common-steps.sh
echo "---------------------------------------------------------------------------------"
ARGOCD_PASSWORD=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)
echo "ARGOCD is running and available at http://localhost/argocd"
echo "- log in with admin / $ARGOCD_PASSWORD"
echo "PROMETHEUS is running and available at http://localhost/prometheus"
echo "ALERTMANAGER is running and available at http://localhost/alertmanager"
echo "GRAFANA is running and available at http://localhost/grafana"
echo "- log in with admin / admin"