# This is an auto-generated file. DO NOT EDIT
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
  # NOTE(review): automountServiceAccountToken is not set, so pods using this
  # account get an API token mounted unless their pod spec opts out. The Role
  # bound to it in this file grants get/list/watch on every Secret in the
  # namespace, so treat that token as a namespace-wide credential reader.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: argocd-applicationset-controller
    # Labelled part-of "argocd-applicationset" rather than "argocd" like the
    # other components; label selectors keyed on part-of=argocd will skip it.
    app.kubernetes.io/part-of: argocd-applicationset
  name: argocd-applicationset-controller
  # NOTE(review): token is auto-mounted by default (no automountServiceAccountToken);
  # the bound Role can create/delete Applications and read all namespace Secrets.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
  # NOTE(review): the bound Role is read-only but unscoped (every Secret and
  # ConfigMap in the namespace); the identity provider pod therefore holds a
  # token that can read all namespace credentials, not just its own config.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
  # NOTE(review): token auto-mounted by default. See the matching Role below:
  # its resourceNames-scoped `get` rules do not limit what list/watch return.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
  # NOTE(review): the bound Role only grants `get` on Endpoints, and the redis
  # scripts further down resolve peers with getent/DNS rather than the API.
  # If nothing in the pod actually talks to the API server, consider
  # automountServiceAccountToken: false here -- TODO confirm against the pod spec.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
  # NOTE(review): same situation as argocd-redis-ha: only `get endpoints` is
  # bound, and haproxy_init.sh below resolves announce services via getent.
  # A token that is never used is still a credential in the pod -- consider
  # automountServiceAccountToken: false once confirmed unused.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
  # No Role or RoleBinding in this file references this account, so it carries
  # no RBAC grants here; it exists so the repo-server pod has a distinct identity.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
  # NOTE(review): this is the internet-facing component, and the Role bound to
  # it below grants full write (create/update/patch/delete) on every Secret and
  # ConfigMap in the namespace. Its auto-mounted token is the highest-value
  # credential in this manifest.
---
apiVersion: rbac.authorization.k8s.io/v1
# Namespace-scoped Role (not ClusterRole): this is the namespace-install
# variant, so the controller can only reconcile into the namespace it runs in.
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
rules:
# Read-only but unscoped: no resourceNames, so this covers every Secret in the
# namespace (cluster and repo credentials included), not just argocd-* ones.
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
# Full lifecycle on Applications and AppProjects.
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - appprojects
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd-applicationset
  name: argocd-applicationset-controller
rules:
# Generates Applications from ApplicationSets; owns both object types outright.
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - applicationsets
  - applicationsets/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# AppProjects are only read (get), never listed or modified.
- apiGroups:
  - argoproj.io
  resources:
  - appprojects
  verbs:
  - get
- apiGroups:
  - argoproj.io
  resources:
  - applicationsets/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - watch
# NOTE(review): unscoped read of every Secret/ConfigMap in the namespace
# (needed for generators that pull credentials, presumably; no resourceNames).
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
# NOTE(review): Deployments have lived only in `apps` since the extensions/v1beta1
# API was removed (k8s 1.16); the `extensions` entry grants nothing on current
# clusters and can be dropped upstream.
- apiGroups:
  - apps
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
rules:
# NOTE(review): read-only, but with no resourceNames this is every Secret and
# ConfigMap in the namespace. Dex only needs its own config; if the cluster
# supports it, scope this to the specific objects Dex reads -- TODO confirm
# which names those are for the deployed Argo CD version.
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
---
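apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # Labels added for consistency with every other argocd-* Role in this file
  # (component/name/part-of), so label-based tooling sees this one too.
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
rules:
# Reads Applications/AppProjects and writes back (update/patch) -- the
# notification state is stored as annotations on the Application.
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - appprojects
  verbs:
  - get
  - list
  - watch
  - update
  - patch
# NOTE(review): this rule undoes the two resourceNames-scoped `get` rules below.
# A LIST response carries full object bodies, and RBAC honours resourceNames on
# list/watch only when the request carries a metadata.name field selector,
# which an informer over all Secrets does not. In effect the controller can read
# every Secret and ConfigMap in the namespace; the scoped rules only govern
# direct GETs.
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - argocd-notifications-cm
  resources:
  - configmaps
  verbs:
  - get
- apiGroups:
  - ""
  resourceNames:
  - argocd-notifications-secret
  resources:
  - secrets
  verbs:
  - get
---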
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
rules:
# Minimal grant: read Endpoints only. Nothing in the scripts further down in
# this file uses the API (they resolve peers with getent), so what consumes this
# is not visible here -- TODO confirm it is still needed.
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    # NOTE(review): the name label says argocd-redis-ha while the object (and
    # its ServiceAccount above) is argocd-redis-ha-haproxy; harmless for RBAC,
    # but label-based queries will lump it in with the redis Role.
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
rules:
# Read Endpoints only; haproxy_init.sh below uses getent/DNS, not the API.
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
rules:
# NOTE(review): full CRUD on every Secret and ConfigMap in the namespace, with
# no resourceNames. The API server manages repo/cluster credential Secrets, so
# some write is required, but as written a compromise of the argocd-server pod
# gives read+write of all namespace credentials. Keep unrelated Secrets out of
# this namespace to bound the blast radius.
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
# Full lifecycle on all Argo CD CRDs, including ApplicationSets, which the
# application-controller Role above does not touch.
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - appprojects
  - applicationsets
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - delete
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-application-controller
subjects:
# No namespace on the subject: for a RoleBinding the authorizer resolves a
# ServiceAccount subject to the binding's own namespace.
- kind: ServiceAccount
  name: argocd-application-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd-applicationset
  name: argocd-applicationset-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-applicationset-controller
subjects:
# Subject resolves to the ServiceAccount of the same name in this namespace.
- kind: ServiceAccount
  name: argocd-applicationset-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-dex-server
subjects:
# Subject resolves to the ServiceAccount of the same name in this namespace.
- kind: ServiceAccount
  name: argocd-dex-server
---
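apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # Labels added for consistency with the other argocd-* RoleBindings here.
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-notifications-controller
subjects:
# Subject resolves to the ServiceAccount of the same name in this namespace.
- kind: ServiceAccount
  name: argocd-notifications-controller
---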
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-redis-ha
subjects:
# Subject resolves to the ServiceAccount of the same name in this namespace.
- kind: ServiceAccount
  name: argocd-redis-ha
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: redis
    # Same label quirk as the Role: name label says argocd-redis-ha.
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-redis-ha-haproxy
subjects:
# Subject resolves to the ServiceAccount of the same name in this namespace.
- kind: ServiceAccount
  name: argocd-redis-ha-haproxy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-server
subjects:
# Subject resolves to the ServiceAccount of the same name in this namespace.
- kind: ServiceAccount
  name: argocd-server
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
# Shipped empty: all Argo CD main settings are meant to be added by the operator.
# Because argocd-cm is watched via the Roles above, anyone who can write
# ConfigMaps in this namespace effectively reconfigures Argo CD.
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cmd-params-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cmd-params-cm
# Empty placeholder; presumably holds per-component command-line parameter
# overrides (name suggests it) -- confirm against the Argo CD docs for the
# deployed version before relying on any key here.
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-gpg-keys-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-gpg-keys-cm
# Empty placeholder. NOTE(review): by its name this is where GPG public keys
# for commit-signature verification live; with it empty, no signature
# verification trust anchor is configured -- TODO confirm.
---
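apiVersion: v1
kind: ConfigMap
metadata:
  # Labels added for consistency with the other argocd-* ConfigMaps in this file.
  labels:
    app.kubernetes.io/name: argocd-notifications-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-cm
# Empty placeholder; the notifications-controller Role above is scoped to `get`
# exactly this ConfigMap by name.
---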
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
# Empty placeholder for Argo CD's own (application-level) RBAC policy. With no
# policy defined, presumably only the built-in admin account has access --
# confirm the default policy for the deployed version before exposing the UI.
---
apiVersion: v1
data:
  # Bootstrap scripts and HAProxy config for the redis-ha Sentinel setup.
  # The scripts below copy these read-only files into /data and rewrite them
  # in place, so this ConfigMap appears to be the effective configuration of
  # the redis and haproxy pods: whoever can edit it controls what they run.
  fix-split-brain.sh: |
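    HOSTNAME="$(hostname)"
    # StatefulSet ordinal: everything after the last "-" in the pod hostname.
    INDEX="${HOSTNAME##*-}"
    # INDEX is later spliced into an eval (sentinel_update) and into hostnames
    # (getent_hosts). Refuse anything that is not a plain ordinal so that only
    # digits can ever reach those sites.
    case "${INDEX}" in
      ''|*[!0-9]*)
        echo "Error: could not derive a numeric statefulset index from hostname (${HOSTNAME})"
        exit 1
        ;;
    esac
    SENTINEL_PORT=26379
    ANNOUNCE_IP=''
    MASTER=''
    MASTER_GROUP="argocd"
    QUORUM="2"
    REDIS_CONF=/data/conf/redis.conf
    REDIS_PORT=6379
    # TLS knobs are empty here, and the TLS code paths below are selected only
    # when REDIS_PORT / SENTINEL_PORT are 0; with the values above both Redis and
    # Sentinel are therefore spoken to in plaintext.
    REDIS_TLS_PORT=
    SENTINEL_CONF=/data/conf/sentinel.conf
    SENTINEL_TLS_PORT=
    SERVICE=argocd-redis-ha
    SENTINEL_TLS_REPLICATION_ENABLED=false
    REDIS_TLS_REPLICATION_ENABLED=false

    ROLE=''
    REDIS_MASTER=''

    # Abort on unhandled errors and unset variables; functions that expect a
    # command to fail wrap it in set +e / set -e.
    set -eu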
    # Ask Sentinel (via the argocd-redis-ha service) for the current master of the
    # MASTER_GROUP and print only the address line, filtered through a strict
    # IPv4/IPv6 regex so that nothing but an IP literal can flow into the
    # sed/echo config rewrites downstream. Prints nothing if Sentinel is
    # unreachable or the answer is not an IP. Errors are tolerated (set +e)
    # because callers retry.
    sentinel_get_master() {
      set +e
      if [ "$SENTINEL_PORT" -eq 0 ]; then
        redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
        grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
      else
        # Plaintext Sentinel query (the path taken with SENTINEL_PORT=26379).
        # NOTE(review): the IPv6 alternative ends in `(%.+)?s*$` where the IPv4
        # alternative uses `\s*$`; the missing backslash looks like a typo
        # (matches literal 's' characters instead of trailing whitespace). It is
        # harmless for redis-cli's bare-IP output but worth fixing upstream.
        redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
        grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
      fi
      set -e
    }

    # Poll sentinel_get_master up to $1 times with a growing back-off
    # (3+1s, 3+2s, ...) and print the first non-empty answer, or an empty
    # string if every attempt came back empty.
    sentinel_get_master_retry() {
      master=''
      retry=${1}
      sleep=3
      for i in $(seq 1 "${retry}"); do
        master=$(sentinel_get_master)
        if [ -z "${master}" ]; then
          sleep $((sleep + i))
          continue
        fi
        break
      done
      echo "${master}"
    }

    # Populate the global MASTER from Sentinel (3 attempts) and log the outcome.
    # Leaves MASTER empty when Sentinel did not answer with an IP.
    identify_master() {
      echo "Identifying redis master (get-master-addr-by-name).."
      echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)"
      MASTER="$(sentinel_get_master_retry 3)"
      if [ -z "${MASTER}" ]; then
        echo " $(date) Did not find redis master (${MASTER})"
      else
        echo " $(date) Found redis master (${MASTER})"
      fi
    }

    # Rewrite ${SENTINEL_CONF} so this Sentinel monitors master $1 (an IP) with
    # the configured group name and quorum, and announces itself as ANNOUNCE_IP.
    #   $1 - master IP, as returned by sentinel_get_master or getent_hosts.
    sentinel_update() {
      echo "Updating sentinel config.."
      echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
      # Indirect lookup of the per-replica env var SENTINEL_ID_<ordinal>.
      # NOTE(review): eval is a shell-injection sink; INDEX comes from the pod
      # hostname and must be digits only for this to be safe. A non-numeric
      # INDEX would only be caught by set -u tripping on the unset variable.
      eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
      echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
      # Values are interpolated unescaped into sed replacement text: a "/" or "&"
      # in MY_SENTINEL_ID (operator-supplied env) would corrupt the config.
      sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
      if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
        echo " redis master (${1}:${REDIS_TLS_PORT})"
        sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
      else
        echo " redis master (${1}:${REDIS_PORT})"
        sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
      fi
      echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF}
      # TLS branch is only taken when SENTINEL_PORT is 0 (not the case here).
      if [ "$SENTINEL_PORT" -eq 0 ]; then
        echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})"
        echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF}
      else
        echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})"
        echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF}
      fi
    }

    # Append replica settings to ${REDIS_CONF}: follow master $1 on the plain or
    # TLS replication port, and announce this pod's own IP/port to the master.
    #   $1 - master IP.
    redis_update() {
      echo "Updating redis config.."
      case "$REDIS_TLS_REPLICATION_ENABLED" in
        true)
          echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})"
          printf 'slaveof %s %s\n' "${1}" "${REDIS_TLS_PORT}" >> "${REDIS_CONF}"
          printf 'slave-announce-port %s\n' "${REDIS_TLS_PORT}" >> "${REDIS_CONF}"
          ;;
        *)
          echo " we are slave of redis master (${1}:${REDIS_PORT})"
          printf 'slaveof %s %s\n' "${1}" "${REDIS_PORT}" >> "${REDIS_CONF}"
          printf 'slave-announce-port %s\n' "${REDIS_PORT}" >> "${REDIS_CONF}"
          ;;
      esac
      printf 'slave-announce-ip %s\n' "${ANNOUNCE_IP}" >> "${REDIS_CONF}"
    }

    # Reset the working redis/sentinel configs from the read-only ConfigMap
    # mount; the *_update functions then append/insert the dynamic lines.
    copy_config() {
      echo "Copying default redis config.."
      echo " to '${REDIS_CONF}'"
      cp /readonly-config/redis.conf "${REDIS_CONF}"

      echo "Copying default sentinel config.."
      echo " to '${SENTINEL_CONF}'"
      cp /readonly-config/sentinel.conf "${SENTINEL_CONF}"
    }

    # Fallback topology when Sentinel cannot tell us who is master: ordinal 0
    # declares itself master; every other ordinal blindly follows whatever
    # <service>-announce-0 / <service>-server-0 resolves to via DNS.
    setup_defaults() {
      echo "Setting up defaults.."
      echo " using statefulset index (${INDEX})"
      if [ "${INDEX}" != "0" ]; then
        echo "Getting redis master ip.."
        echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
        DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
        echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
        if [ -z "${DEFAULT_MASTER}" ]; then
          echo "Error: Unable to resolve redis master (getent hosts)."
          exit 1
        fi
        echo "Setting default slave config for redis and sentinel.."
        echo " using master ip (${DEFAULT_MASTER})"
        redis_update "${DEFAULT_MASTER}"
        sentinel_update "${DEFAULT_MASTER}"
        return 0
      fi
      echo "Setting this pod as master for redis and sentinel.."
      echo " using announce (${ANNOUNCE_IP})"
      redis_update "${ANNOUNCE_IP}"
      sentinel_update "${ANNOUNCE_IP}"
      # redis_update always writes a slaveof line; strip it again for the master.
      echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
      sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
    }

    # PING the redis instance at ${MASTER}; prints PONG on success, nothing or
    # an error on failure (failures are tolerated so the caller can retry).
    redis_ping() {
      set +e
      if [ "$REDIS_PORT" -ne 0 ]; then
        # Plaintext path (REDIS_PORT=6379 in this file).
        redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
      else
        redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
      fi
      set -e
    }

    # Try up to $1 times to PING ${MASTER}; between attempts sleep with a growing
    # back-off and re-ask Sentinel for the master (updating the global MASTER).
    # Prints PONG if any attempt succeeded, otherwise an empty string.
    redis_ping_retry() {
      ping=''
      retry=${1}
      sleep=3
      for i in $(seq 1 "${retry}"); do
        if [ "$(redis_ping)" != "PONG" ]; then
          sleep $((sleep + i))
          MASTER=$(sentinel_get_master)
          continue
        fi
        ping='PONG'
        break
      done
      echo "${ping}"
    }

    # Verify that the master Sentinel named (global MASTER) is reachable. If it
    # is, write redis/sentinel config pointing at it. If not, ask Sentinel to
    # fail over; on NOGOODSLAVE fall back to setup_defaults, otherwise wait,
    # re-query the master and reconfigure, exiting 1 if Sentinel still has no
    # answer.
    find_master() {
      echo "Verifying redis master.."
      if [ "$REDIS_PORT" -eq 0 ]; then
        echo " ping (${MASTER}:${REDIS_TLS_PORT})"
      else
        echo " ping (${MASTER}:${REDIS_PORT})"
      fi
      if [ "$(redis_ping_retry 3)" != "PONG" ]; then
        echo " $(date) Can't ping redis master (${MASTER})"
        echo "Attempting to force failover (sentinel failover).."

        # `sentinel failover` is an unauthenticated administrative command here:
        # anyone who can reach the Sentinel port can trigger the same thing.
        if [ "$SENTINEL_PORT" -eq 0 ]; then
          echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
          if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
            echo " $(date) Failover returned with 'NOGOODSLAVE'"
            echo "Setting defaults for this pod.."
            setup_defaults
            return 0
          fi
        else
          echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
          if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
            echo " $(date) Failover returned with 'NOGOODSLAVE'"
            echo "Setting defaults for this pod.."
            setup_defaults
            return 0
          fi
        fi

        # Give the Sentinel quorum time to elect before re-asking.
        echo "Hold on for 10sec"
        sleep 10
        echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
        if [ "$SENTINEL_PORT" -eq 0 ]; then
          echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
        else
          echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
        fi
        # Single attempt here (no retry wrapper), so a slow election exits 1.
        MASTER="$(sentinel_get_master)"
        if [ "${MASTER}" ]; then
          echo " $(date) Found redis master (${MASTER})"
          echo "Updating redis and sentinel config.."
          sentinel_update "${MASTER}"
          redis_update "${MASTER}"
        else
          echo "$(date) Error: Could not failover, exiting..."
          exit 1
        fi
      else
        echo " $(date) Found reachable redis master (${MASTER})"
        echo "Updating redis and sentinel config.."
        sentinel_update "${MASTER}"
        redis_update "${MASTER}"
      fi
    }

    # Mark this replica as never eligible for promotion (replica-priority 0).
    redis_ro_update() {
      echo "Updating read-only redis config.."
      echo " redis.conf set 'replica-priority 0'"
      printf 'replica-priority 0\n' >> "${REDIS_CONF}"
    }

    # Resolve the announce Service for ordinal $1 (default: this pod's INDEX),
    # falling back to the pod's own StatefulSet DNS name. Prints the raw
    # `getent hosts` line (IP first) or nothing.
    # NOTE(review): with `set -e` inherited into this subshell, a failing first
    # getent may abort before the fallback is tried (shell-dependent) -- verify
    # on the image's /bin/sh if the fallback is relied upon.
    getent_hosts() {
      index=${1:-${INDEX}}
      service="${SERVICE}-announce-${index}"
      pod="${SERVICE}-server-${index}"
      host=$(getent hosts "${service}")
      [ -n "${host}" ] || host=$(getent hosts "${pod}")
      echo "${host}"
    }

    # Set the global ANNOUNCE_IP to the first address this pod resolves to.
    # The IP comes from cluster DNS, so the trust in it is the trust in DNS.
    identify_announce_ip() {
      echo "Identify announce ip for this pod.."
      echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
      ANNOUNCE_IP="$(getent_hosts | awk '{ print $1 }')"
      echo " identified announce (${ANNOUNCE_IP})"
    }

    # Set the global ROLE ("master"/"slave") from the local redis `info` output.
    # Failures are tolerated; ROLE is then empty.
    redis_role() {
      set +e
      if [ "$REDIS_PORT" -ne 0 ]; then
        ROLE=$(redis-cli -p "${REDIS_PORT}" info | grep role | sed -e 's/role://' -e 's/\r//')
      else
        ROLE=$(redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed -e 's/role://' -e 's/\r//')
      fi
      set -e
    }

    # Set the global REDIS_MASTER to the master_host the local redis is
    # replicating from (empty on a master or when redis is unreachable).
    identify_redis_master() {
      set +e
      if [ "$REDIS_PORT" -ne 0 ]; then
        REDIS_MASTER=$(redis-cli -p "${REDIS_PORT}" info | grep master_host | sed -e 's/master_host://' -e 's/\r//')
      else
        REDIS_MASTER=$(redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed -e 's/master_host://' -e 's/\r//')
      fi
      set -e
    }

    # Re-run the init script to regenerate config, then tell the local redis to
    # shut down so it comes back with the new topology. `shutdown` is sent
    # unauthenticated over the local port; whatever restarts the process
    # (presumably the container runtime) is outside this script.
    reinit() {
      set +e
      sh /readonly-config/init.sh

      if [ "$REDIS_PORT" -ne 0 ]; then
        printf 'shutdown\n' | redis-cli -p "${REDIS_PORT}"
      else
        printf 'shutdown\n' | redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
      fi
      set -e
    }

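    identify_announce_ip

    # Split-brain watchdog: every 60s compare Sentinel's view of the master with
    # the local redis instance and reinit when they disagree.
    while true; do
      sleep 60

      # where is redis master
      identify_master

      # POSIX test(1) only defines "="; "==" happens to work in busybox ash but
      # is undefined elsewhere, so use the portable form.
      if [ "$MASTER" = "$ANNOUNCE_IP" ]; then
        # Sentinel says we are master: make sure redis agrees.
        redis_role
        if [ "$ROLE" != "master" ]; then
          reinit
        fi
      else
        # Sentinel says someone else is master: make sure we replicate from it.
        # NOTE(review): if identify_master found nothing, MASTER is empty and
        # every replica (non-empty master_host) takes this reinit path, so a
        # transient Sentinel outage restarts all replicas -- intended? confirm.
        identify_redis_master
        if [ "$REDIS_MASTER" != "$MASTER" ]; then
          reinit
        fi
      fi
    done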
  haproxy.cfg: |
    defaults REDIS
      mode tcp
      timeout connect 4s
      timeout server 6m
      timeout client 6m
      timeout check 2s

    # Unauthenticated liveness endpoint on all interfaces; it reveals only
    # up/down of the proxy itself.
    listen health_check_http_url
      bind [::]:8888 v4v6
      mode http
      monitor-uri /healthz
      option dontlognull
    # Check Sentinel and whether they are nominated master
    # One backend per redis ordinal: each server line is a Sentinel; the check
    # passes on a Sentinel that names that ordinal's announce IP as master.
    # REPLACE_ANNOUNCEn is substituted by haproxy_init.sh at start-up.
    backend check_if_redis_is_master_0
      mode tcp
      option tcp-check
      tcp-check connect
      tcp-check send PING\r\n
      tcp-check expect string +PONG
      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
      tcp-check expect string REPLACE_ANNOUNCE0
      tcp-check send QUIT\r\n
      tcp-check expect string +OK
      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
    # Check Sentinel and whether they are nominated master
    backend check_if_redis_is_master_1
      mode tcp
      option tcp-check
      tcp-check connect
      tcp-check send PING\r\n
      tcp-check expect string +PONG
      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
      tcp-check expect string REPLACE_ANNOUNCE1
      tcp-check send QUIT\r\n
      tcp-check expect string +OK
      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
    # Check Sentinel and whether they are nominated master
    backend check_if_redis_is_master_2
      mode tcp
      option tcp-check
      tcp-check connect
      tcp-check send PING\r\n
      tcp-check expect string +PONG
      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
      tcp-check expect string REPLACE_ANNOUNCE2
      tcp-check send QUIT\r\n
      tcp-check expect string +OK
      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
      server R2 argocd-redis-ha-announce-2:26379 check inter 3s

    # decide redis backend to use
    #master
    # NOTE(review): plain TCP pass-through on 0.0.0.0/[::]:6379 with no
    # authentication at the proxy layer. Whether Redis itself requires AUTH is
    # decided by redis.conf, which is not part of this excerpt; assume anything
    # that can reach this port can reach Redis, and restrict it with a
    # NetworkPolicy to the Argo CD components.
    frontend ft_redis_master
      bind [::]:6379 v4v6
      use_backend bk_redis_master
    # Check all redis servers to see if they think they are master
    # A server is selected only if it reports role:master itself AND at least two
    # Sentinels (nbsrv ... ge 2, matching QUORUM=2) name it as master -- this is
    # the guard against routing writes to a stale master during a split.
    backend bk_redis_master
      mode tcp
      option tcp-check
      tcp-check connect
      tcp-check send PING\r\n
      tcp-check expect string +PONG
      tcp-check send info\ replication\r\n
      tcp-check expect string role:master
      tcp-check send QUIT\r\n
      tcp-check expect string +OK
      use-server R0 if { srv_is_up(R0) } { nbsrv(check_if_redis_is_master_0) ge 2 }
      server R0 argocd-redis-ha-announce-0:6379 check inter 3s fall 1 rise 1
      use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1) ge 2 }
      server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise 1
      use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge 2 }
      server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 1
haproxy_init.sh: |
|
||
|
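# Copy the read-only HAProxy template into the writable data volume, then
# replace each REPLACE_ANNOUNCE<n> placeholder with the resolved address of the
# matching argocd-redis-ha-announce-<n> Service.
#
# Exit status: 1 if any announce Service cannot be resolved. errexit is enabled
# so a failing cp or sed also aborts, instead of letting HAProxy start with a
# missing or half-patched config while this script still reports success.
set -e

HAPROXY_CONF=/data/haproxy.cfg

cp /readonly/haproxy.cfg "$HAPROXY_CONF"

# resolve_announce <index>
#   Waits up to 10 x 1s for argocd-redis-ha-announce-<index> to resolve, then
#   substitutes REPLACE_ANNOUNCE<index> in $HAPROXY_CONF with the first address
#   getent returns. Exits 1 when the name still does not resolve.
resolve_announce() {
    index="$1"
    service="argocd-redis-ha-announce-${index}"
    for loop in $(seq 1 10); do
        getent hosts "${service}" && break
        echo "Waiting for service ${service} to be ready ($loop) ..." && sleep 1
    done
    announce_ip=$(getent hosts "${service}" | awk '{ print $1 }')
    if [ -z "${announce_ip}" ]; then
        echo "Could not resolve the announce ip for ${service}"
        exit 1
    fi
    # The value is an IPv4/IPv6 literal from the resolver, so it contains no
    # '/' or '&' and can be used as a sed replacement as-is.
    sed -i "s/REPLACE_ANNOUNCE${index}/${announce_ip}/" "$HAPROXY_CONF"
}

resolve_announce 0
resolve_announce 1
resolve_announce 2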
|
||
|
init.sh: |
|
||
|
# Bootstrap for each argocd-redis-ha-server-<n> pod: copies the packaged
# redis/sentinel configs into /data/conf and patches them so this pod either
# becomes the initial master (ordinal 0 with no master known) or replicates
# from the master that sentinel reports.
echo "$(date) Start..."
HOSTNAME="$(hostname)"
# StatefulSet ordinal: everything after the last '-' of the pod hostname.
INDEX="${HOSTNAME##*-}"
SENTINEL_PORT=26379
ANNOUNCE_IP=''
MASTER=''
MASTER_GROUP="argocd"
# Sentinel quorum; HAProxy's bk_redis_master uses the same threshold (ge 2).
QUORUM="2"
REDIS_CONF=/data/conf/redis.conf
REDIS_PORT=6379
# The functions below switch to the TLS port and client certs only when the
# plain port is 0 ("$SENTINEL_PORT" -eq 0 / "$REDIS_PORT" -eq 0). Both TLS
# ports are empty here, so the TLS branches are never taken in this manifest.
REDIS_TLS_PORT=
SENTINEL_CONF=/data/conf/sentinel.conf
SENTINEL_TLS_PORT=
SERVICE=argocd-redis-ha
SENTINEL_TLS_REPLICATION_ENABLED=false
REDIS_TLS_REPLICATION_ENABLED=false

# Abort on any unhandled failure or unset variable; the redis-cli probes
# below temporarily lift errexit around calls that are allowed to fail.
set -eu
|
||
|
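# Ask the sentinel Service which address currently holds the master role for
# MASTER_GROUP and print it, filtered to a single IPv4/IPv6 literal so that a
# redis-cli error string never ends up in the caller's variable.
#
# Output: the master address on stdout, or nothing when sentinel is unreachable
# or its reply is not an IP literal. Always returns 0 (the trailing `set -e`
# is the last command), so callers must test the output, not the status.
sentinel_get_master() {
    set +e
    # Whole-line match for an IPv4 dotted quad or an IPv6 literal (including
    # ::-compressed and embedded-IPv4 forms, optional %zone), with only
    # whitespace around it. The IPv6 branch previously ended in `s*$` (a
    # dropped backslash), which rejected IPv6 replies with trailing spaces.
    # NOTE(review): `\d` is not a POSIX ERE class and some grep builds treat it
    # as a literal 'd'; that only affects the embedded-IPv4-in-IPv6 forms.
    ip_regex='((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))'
    if [ "$SENTINEL_PORT" -eq 0 ]; then
        redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
        grep -E "${ip_regex}"
    else
        redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
        grep -E "${ip_regex}"
    fi
    set -e
}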
|
||
|
|
||
|
# Poll sentinel_get_master up to $1 times, pausing 3+i seconds after each
# empty result (including the last one), and print the first non-empty master
# address — or an empty string if every attempt came back empty.
sentinel_get_master_retry() {
    master=''
    retry=${1}
    sleep=3
    i=1
    while [ "${i}" -le "${retry}" ]; do
        master=$(sentinel_get_master)
        [ -n "${master}" ] && break
        sleep $((sleep + i))
        i=$((i + 1))
    done
    echo "${master}"
}
|
||
|
|
||
|
# Set MASTER to the address sentinel reports (three attempts) and log the
# outcome; MASTER is left empty when no master could be found.
identify_master() {
    echo "Identifying redis master (get-master-addr-by-name).."
    echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)"
    MASTER="$(sentinel_get_master_retry 3)"
    outcome="Did not find"
    if [ -n "${MASTER}" ]; then
        outcome="Found"
    fi
    echo " $(date) ${outcome} redis master (${MASTER})"
}
|
||
|
|
||
|
# Write this pod's sentinel identity, the monitored master ($1) and the
# announce address/port into SENTINEL_CONF.
#
# $1 - address of the redis master to monitor.
# Reads INDEX, MASTER_GROUP, QUORUM, ANNOUNCE_IP and the port variables;
# expects a SENTINEL_ID_<INDEX> variable to be present in the environment
# (nothing in this script sets it).
sentinel_update() {
    echo "Updating sentinel config.."
    echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
    # Indirect expansion of SENTINEL_ID_<INDEX>. INDEX is the ordinal parsed
    # from the pod hostname, so the constructed name is expected to be a plain
    # ordinal; the resulting value is spliced unescaped into the sed below.
    eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
    echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
    # Prepend `sentinel myid` as line 1 and `sentinel monitor` as line 2.
    sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
    if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
        echo " redis master (${1}:${REDIS_TLS_PORT})"
        sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
    else
        echo " redis master (${1}:${REDIS_PORT})"
        sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
    fi
    # Announce directives are appended; the announced port follows the same
    # "plain port 0 means TLS" convention as the redis-cli calls.
    echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF}
    if [ "$SENTINEL_PORT" -eq 0 ]; then
        echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})"
        echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF}
    else
        echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})"
        echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF}
    fi
}
|
||
|
|
||
|
# Append replica directives to REDIS_CONF so this instance replicates from
# master $1 on the port chosen by REDIS_TLS_REPLICATION_ENABLED, and announces
# ANNOUNCE_IP with that same port.
redis_update() {
    echo "Updating redis config.."
    if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
        repl_port="${REDIS_TLS_PORT}"
    else
        repl_port="${REDIS_PORT}"
    fi
    echo " we are slave of redis master (${1}:${repl_port})"
    echo "slaveof ${1} ${repl_port}" >> "${REDIS_CONF}"
    echo "slave-announce-port ${repl_port}" >> ${REDIS_CONF}
    echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF}
}
|
||
|
|
||
|
# Seed the writable config directory from the read-only ConfigMap mount,
# first redis.conf then sentinel.conf.
copy_config() {
    for kind in redis sentinel; do
        if [ "${kind}" = redis ]; then
            target="${REDIS_CONF}"
        else
            target="${SENTINEL_CONF}"
        fi
        echo "Copying default ${kind} config.."
        echo " to '${target}'"
        cp "/readonly-config/${kind}.conf" "${target}"
    done
}
|
||
|
|
||
|
# Configure this pod when no master is known: ordinal 0 declares itself
# master, every other ordinal replicates from whatever announce-0/server-0
# resolves to. Exits 1 when that assumed master cannot be resolved.
setup_defaults() {
    echo "Setting up defaults.."
    echo " using statefulset index (${INDEX})"
    if [ "${INDEX}" != "0" ]; then
        echo "Getting redis master ip.."
        echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
        DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
        echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
        if [ -z "${DEFAULT_MASTER}" ]; then
            echo "Error: Unable to resolve redis master (getent hosts)."
            exit 1
        fi
        echo "Setting default slave config for redis and sentinel.."
        echo " using master ip (${DEFAULT_MASTER})"
        redis_update "${DEFAULT_MASTER}"
        sentinel_update "${DEFAULT_MASTER}"
        return
    fi
    echo "Setting this pod as master for redis and sentinel.."
    echo " using announce (${ANNOUNCE_IP})"
    redis_update "${ANNOUNCE_IP}"
    sentinel_update "${ANNOUNCE_IP}"
    # redis_update always appends a slaveof line; blank it again for the master.
    echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
    sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
}
|
||
|
|
||
|
# Print redis-cli's reply to PING against MASTER ("PONG" when healthy). The
# TLS client options are used only when REDIS_PORT is 0. errexit is suspended
# so an unreachable master produces a non-PONG result instead of aborting.
redis_ping() {
    set +e
    if [ "$REDIS_PORT" -ne 0 ]; then
        redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
    else
        redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
    fi
    set -e
}
|
||
|
|
||
|
# Try redis_ping up to $1 times. After each failed try it sleeps 3+i seconds
# and refreshes the global MASTER from sentinel before the next attempt, so a
# caller may see MASTER change as a side effect. Prints "PONG" on success and
# an empty string otherwise.
redis_ping_retry() {
    ping=''
    retry=${1}
    sleep=3
    i=1
    while [ "${i}" -le "${retry}" ]; do
        if [ "$(redis_ping)" = "PONG" ]; then
            ping='PONG'
            break
        fi
        sleep $((sleep + i))
        MASTER=$(sentinel_get_master)
        i=$((i + 1))
    done
    echo "${ping}"
}
|
||
|
|
||
|
# Verify that MASTER (found by identify_master) answers PING; if it does not,
# ask sentinel to fail over, wait a fixed 10s, and adopt whichever master
# sentinel reports afterwards. Writes the final master into both configs.
#
# Exits 1 when no master can be obtained after the failover attempt. Returns 0
# early (via setup_defaults) when sentinel answers NOGOODSLAVE.
find_master() {
    echo "Verifying redis master.."
    if [ "$REDIS_PORT" -eq 0 ]; then
        echo " ping (${MASTER}:${REDIS_TLS_PORT})"
    else
        echo " ping (${MASTER}:${REDIS_PORT})"
    fi
    # redis_ping_retry re-reads MASTER from sentinel between attempts, so the
    # address logged below may differ from the one pinged first.
    if [ "$(redis_ping_retry 3)" != "PONG" ]; then
        echo " $(date) Can't ping redis master (${MASTER})"
        echo "Attempting to force failover (sentinel failover).."

        # Only a NOGOODSLAVE reply is treated specially; any other reply
        # (including an error when sentinel itself is unreachable) falls
        # through to the wait-and-query path below.
        if [ "$SENTINEL_PORT" -eq 0 ]; then
            echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
            if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                echo " $(date) Failover returned with 'NOGOODSLAVE'"
                echo "Setting defaults for this pod.."
                setup_defaults
                return 0
            fi
        else
            echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
            if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                echo " $(date) Failover returned with 'NOGOODSLAVE'"
                echo "Setting defaults for this pod.."
                setup_defaults
                return 0
            fi
        fi

        # Fixed delay rather than polling: gives sentinel time to elect.
        echo "Hold on for 10sec"
        sleep 10
        echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
        if [ "$SENTINEL_PORT" -eq 0 ]; then
            echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
        else
            echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
        fi
        # Single query, no retry: an empty answer here is fatal.
        MASTER="$(sentinel_get_master)"
        if [ "${MASTER}" ]; then
            echo " $(date) Found redis master (${MASTER})"
            echo "Updating redis and sentinel config.."
            sentinel_update "${MASTER}"
            redis_update "${MASTER}"
        else
            echo "$(date) Error: Could not failover, exiting..."
            exit 1
        fi
    else
        echo " $(date) Found reachable redis master (${MASTER})"
        echo "Updating redis and sentinel config.."
        sentinel_update "${MASTER}"
        redis_update "${MASTER}"
    fi
}
|
||
|
|
||
|
# Mark this replica as never eligible for promotion (replica-priority 0).
# Defined for completeness; the main flow of this script does not call it.
redis_ro_update() {
    ro_directive="replica-priority 0"
    echo "Updating read-only redis config.."
    echo " redis.conf set '${ro_directive}'"
    printf '%s\n' "${ro_directive}" >> ${REDIS_CONF}
}
|
||
|
|
||
|
# Resolve the announce Service for ordinal $1 (default: this pod's INDEX),
# falling back to the pod's own DNS name when the Service lookup prints
# nothing. Prints the raw getent output (address first), or nothing.
getent_hosts() {
    index=${1:-${INDEX}}
    service="${SERVICE}-announce-${index}"
    pod="${SERVICE}-server-${index}"
    host=$(getent hosts "${service}")
    [ -n "${host}" ] || host=$(getent hosts "${pod}")
    echo "${host}"
}
|
||
|
|
||
|
# Resolve this pod's own announce address into ANNOUNCE_IP (first column of
# the getent output); ANNOUNCE_IP is left empty when nothing resolves.
identify_announce_ip() {
    printf '%s\n' "Identify announce ip for this pod.."
    printf '%s\n' " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
    ANNOUNCE_IP="$(getent_hosts | awk '{ print $1 }')"
    printf '%s\n' " identified announce (${ANNOUNCE_IP})"
}
|
||
|
|
||
|
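# Main flow: seed configs, discover the master, pick the role for this pod,
# then substitute the auth placeholders if AUTH / SENTINELAUTH are provided.
# Exits 1 when this pod's own announce address cannot be resolved (a config
# announcing an empty address would be useless to sentinel).
mkdir -p /data/conf/

echo "Initializing config.."
copy_config

# where is redis master
identify_master

identify_announce_ip

if [ -z "${ANNOUNCE_IP}" ]; then
    # `echo` is required here: a bare string on its own line is executed as a
    # command, which under errexit exits 127 without ever printing the message.
    echo "Error: Could not resolve the announce ip for this pod."
    exit 1
elif [ "${MASTER}" ]; then
    find_master
else
    setup_defaults
fi

# Auth substitution. printf (rather than echo) so a secret that begins with
# '-' or contains backslashes reaches sed unmodified; '/' and '&' are escaped
# because they are special in the sed replacement text. Note that the
# redis.conf and sentinel.conf shipped in this ConfigMap contain no
# replace-default-auth / replace-default-sentinel-auth placeholder, so these
# substitutions are no-ops until the templates add one.
if [ "${AUTH:-}" ]; then
    echo "Setting redis auth values.."
    ESCAPED_AUTH=$(printf '%s\n' "${AUTH}" | sed -e 's/[\/&]/\\&/g');
    sed -i "s/replace-default-auth/${ESCAPED_AUTH}/" "${REDIS_CONF}" "${SENTINEL_CONF}"
fi

if [ "${SENTINELAUTH:-}" ]; then
    echo "Setting sentinel auth values"
    ESCAPED_AUTH_SENTINEL=$(printf '%s\n' "$SENTINELAUTH" | sed -e 's/[\/&]/\\&/g');
    sed -i "s/replace-default-sentinel-auth/${ESCAPED_AUTH_SENTINEL}/" "$SENTINEL_CONF"
fi

echo "$(date) Ready..."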
|
||
|
redis.conf: |
|
||
|
# Base redis.conf for every argocd-redis-ha-server pod; init.sh copies it to
# /data/conf/redis.conf and appends the replica/announce directives.
dir "/data"
port 6379
# Destructive bulk commands are disabled outright (renamed to the empty
# string) so a client that reaches the port cannot wipe the dataset.
rename-command FLUSHDB ""
rename-command FLUSHALL ""
# Listens on every pod interface. This file sets no requirepass and has no
# replace-default-auth placeholder for init.sh to fill, so any access control
# has to come from outside redis (e.g. network policy).
bind 0.0.0.0
maxmemory 0
maxmemory-policy volatile-lru
# Writes are refused unless at least one replica is no more than 5s behind.
min-replicas-max-lag 5
min-replicas-to-write 1
rdbchecksum yes
rdbcompression yes
repl-diskless-sync yes
# No periodic RDB snapshots are written.
save ""
|
||
|
sentinel.conf: |
|
||
|
# Base sentinel.conf; init.sh prepends `sentinel myid` and `sentinel monitor`
# and appends the announce directives. The `argocd` token is the master group
# name (MASTER_GROUP in init.sh).
dir "/data"
port 26379
# Listens on every pod interface with no authentication in this file; see the
# note on redis.conf about where access control must come from.
bind 0.0.0.0
# A master is declared down after 10s without a valid reply; a failover that
# has not completed after 180s is retried.
sentinel down-after-milliseconds argocd 10000
sentinel failover-timeout argocd 180000
maxclients 10000
# Up to 5 replicas may resync from the new master at the same time.
sentinel parallel-syncs argocd 5
|
||
|
trigger-failover-if-master.sh: |
|
||
|
# Set is_master to the number of 'role:master' lines in the local redis INFO
# output (1 when this node is master, 0 otherwise). `|| true` keeps grep's
# exit status 1 on zero matches from surfacing as an error.
get_redis_role() {
    is_master=$(redis-cli -h localhost -p 6379 info | grep -c 'role:master' || true)
}
|
||
|
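# If this pod currently holds the master role, ask the local sentinel to fail
# over and wait up to 30s until this node is no longer master.
#
# Exits 1 when sentinel refuses the failover, or when the node is still master
# after the wait expires — previously "Failover successful" was printed
# unconditionally after the loop, so a timed-out failover looked like success.
get_redis_role
if [[ "$is_master" -eq 1 ]]; then
    echo "This node is currently master, we trigger a failover."
    response=$(redis-cli -h localhost -p 26379 SENTINEL failover argocd)
    if [[ "$response" != "OK" ]] ; then
        echo "$response"
        exit 1
    fi
    timeout=30
    while [[ "$is_master" -eq 1 && $timeout -gt 0 ]]; do
        sleep 1
        get_redis_role
        timeout=$((timeout - 1))
    done
    if [[ "$is_master" -eq 1 ]]; then
        echo "Failover did not complete within 30s, this node is still master"
        exit 1
    fi
    echo "Failover successful"
fi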
|
||
|
kind: ConfigMap
|
||
|
metadata:
|
||
|
labels:
|
||
|
app.kubernetes.io/component: redis
|
||
|
app.kubernetes.io/name: argocd-redis-ha
|
||
|
app.kubernetes.io/part-of: argocd
|
||
|
name: argocd-redis-ha-configmap
|
||
|
---
|
||
|
apiVersion: v1
|
||
|
data:
|
||
|
redis_liveness.sh: |
|
||
|
# Liveness probe for the redis container: healthy on PONG, and also while the
# server is still loading its dataset (a reply starting with LOADING); any
# other reply is printed and fails the probe.
response=$(redis-cli -h localhost -p 6379 ping)
case "$response" in
    PONG|LOADING*) ;;
    *)
        echo "$response"
        exit 1
        ;;
esac
echo "response=$response"
|
||
|
redis_readiness.sh: |
|
||
|
# Readiness probe for the redis container: only an exact PONG counts as ready.
response=$(redis-cli -h localhost -p 6379 ping)
if [ "$response" = "PONG" ] ; then
    echo "response=$response"
else
    echo "$response"
    exit 1
fi
|
||
|
sentinel_liveness.sh: |
|
||
|
# Liveness probe for the sentinel container: only an exact PONG is healthy.
response=$(redis-cli -h localhost -p 26379 ping)
if [ "$response" = "PONG" ]; then
    echo "response=$response"
else
    echo "$response"
    exit 1
fi
|
||
|
kind: ConfigMap
|
||
|
metadata:
|
||
|
labels:
|
||
|
app.kubernetes.io/component: redis
|
||
|
app.kubernetes.io/name: argocd-redis-ha
|
||
|
app.kubernetes.io/part-of: argocd
|
||
|
name: argocd-redis-ha-health-configmap
|
||
|
---
|
||
|
apiVersion: v1
data:
  # Trusted SSH host keys for the git providers Argo CD clones from (mounted
  # at /app/config/ssh). This list is the trust anchor for repository access
  # over SSH: a wrong or withdrawn entry either blocks clones or keeps trust
  # pinned to a key the provider no longer controls, so keep it in step with
  # each provider's published fingerprints.
  # NOTE(review): the github.com ssh-rsa entry below appears to be the RSA host
  # key GitHub retired in March 2023 — confirm against GitHub's current
  # fingerprints before relying on this file.
  ssh_known_hosts: |-
    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
    github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
    gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
    gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
    gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
    ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
    vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-ssh-known-hosts-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-ssh-known-hosts-cm
|
||
|
---
|
||
|
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-tls-certs-cm
    app.kubernetes.io/part-of: argocd
  # Shipped with no data; mounted at /app/config/tls by the components that
  # need repository TLS certificates (intended for operator-supplied CAs).
  name: argocd-tls-certs-cm
|
||
|
---
|
||
|
apiVersion: v1
kind: Secret
metadata:
  # Declared empty: notification service credentials are expected to be added
  # in-cluster rather than shipped in this manifest.
  name: argocd-notifications-secret
type: Opaque
|
||
|
---
|
||
|
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
  # Declared with no data; presumably populated in-cluster by the components
  # that own it — confirm before treating an empty object as a misconfiguration.
  name: argocd-secret
type: Opaque
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd-applicationset
  name: argocd-applicationset-controller
spec:
  # Exposes the controller's named container ports: webhook (7000) and
  # metrics (8080). The webhook port accepts inbound requests, so restrict who
  # can reach it at the network layer.
  ports:
    - name: webhook
      port: 7000
      protocol: TCP
      targetPort: webhook
    - name: metrics
      port: 8080
      protocol: TCP
      targetPort: metrics
  selector:
    app.kubernetes.io/name: argocd-applicationset-controller
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
spec:
  # Dex (SSO) endpoints: http 5556, grpc 5557, metrics 5558 — numeric target
  # ports, matching the unnamed containerPorts in the dex Deployment.
  ports:
    - name: http
      port: 5556
      protocol: TCP
      targetPort: 5556
    - name: grpc
      port: 5557
      protocol: TCP
      targetPort: 5557
    - name: metrics
      port: 5558
      protocol: TCP
      targetPort: 5558
  selector:
    app.kubernetes.io/name: argocd-dex-server
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: metrics
    app.kubernetes.io/name: argocd-metrics
    app.kubernetes.io/part-of: argocd
  name: argocd-metrics
spec:
  # Metrics endpoint of the application controller (selector below targets
  # argocd-application-controller, not a pod named argocd-metrics).
  ports:
    - name: metrics
      port: 8082
      protocol: TCP
      targetPort: 8082
  selector:
    app.kubernetes.io/name: argocd-application-controller
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: argocd-notifications-controller-metrics
  name: argocd-notifications-controller-metrics
spec:
  # Metrics endpoint of the notifications controller.
  ports:
    - name: metrics
      port: 9001
      protocol: TCP
      targetPort: 9001
  selector:
    app.kubernetes.io/name: argocd-notifications-controller
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
spec:
  # Headless Service (clusterIP: None) over all redis-ha pods. init.sh uses
  # this name (SERVICE=argocd-redis-ha) for its sentinel queries, so each
  # query lands on whichever pod DNS happens to return.
  clusterIP: None
  ports:
    - name: tcp-server
      port: 6379
      protocol: TCP
      targetPort: redis
    - name: tcp-sentinel
      port: 26379
      protocol: TCP
      targetPort: sentinel
  selector:
    app.kubernetes.io/name: argocd-redis-ha
  type: ClusterIP
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  annotations:
    # Legacy annotation form of publishNotReadyAddresses (set below as well).
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  # Stable per-pod address for server-0: haproxy_init.sh resolves this name
  # into the HAProxy config and init.sh announces it to sentinel.
  name: argocd-redis-ha-announce-0
spec:
  ports:
    - name: tcp-server
      port: 6379
      protocol: TCP
      targetPort: redis
    - name: tcp-sentinel
      port: 26379
      protocol: TCP
      targetPort: sentinel
  # Resolvable before the pod passes readiness, which the bootstrap scripts
  # depend on (they run before redis is serving).
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/name: argocd-redis-ha
    # Pins the Service to exactly one StatefulSet pod.
    statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-0
  type: ClusterIP
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  annotations:
    # Legacy annotation form of publishNotReadyAddresses (set below as well).
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  # Stable per-pod address for server-1 (see announce-0 for how it is used).
  name: argocd-redis-ha-announce-1
spec:
  ports:
    - name: tcp-server
      port: 6379
      protocol: TCP
      targetPort: redis
    - name: tcp-sentinel
      port: 26379
      protocol: TCP
      targetPort: sentinel
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/name: argocd-redis-ha
    # Pins the Service to exactly one StatefulSet pod.
    statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-1
  type: ClusterIP
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  annotations:
    # Legacy annotation form of publishNotReadyAddresses (set below as well).
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  # Stable per-pod address for server-2 (see announce-0 for how it is used).
  name: argocd-redis-ha-announce-2
spec:
  ports:
    - name: tcp-server
      port: 6379
      protocol: TCP
      targetPort: redis
    - name: tcp-sentinel
      port: 26379
      protocol: TCP
      targetPort: sentinel
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/name: argocd-redis-ha
    # Pins the Service to exactly one StatefulSet pod.
    statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-2
  type: ClusterIP
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
spec:
  # The single redis entry point clients should use: HAProxy's ft_redis_master
  # frontend forwards to whichever node sentinel quorum agrees is master.
  ports:
    - name: tcp-haproxy
      port: 6379
      protocol: TCP
      targetPort: redis
  selector:
    app.kubernetes.io/name: argocd-redis-ha-haproxy
  type: ClusterIP
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
spec:
  # gRPC API of the repo-server (8081) and its metrics endpoint (8084).
  ports:
    - name: server
      port: 8081
      protocol: TCP
      targetPort: 8081
    - name: metrics
      port: 8084
      protocol: TCP
      targetPort: 8084
  selector:
    app.kubernetes.io/name: argocd-repo-server
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
spec:
  # Both the http (80) and https (443) Service ports map to the same container
  # port 8080; whether plain HTTP is accepted or redirected is decided by the
  # server, not by this Service.
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: https
      port: 443
      protocol: TCP
      targetPort: 8080
  selector:
    app.kubernetes.io/name: argocd-server
|
||
|
---
|
||
|
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server-metrics
    app.kubernetes.io/part-of: argocd
  name: argocd-server-metrics
spec:
  # Metrics endpoint of argocd-server, kept on a separate Service from the
  # API/UI ports so it can be scoped independently.
  ports:
    - name: metrics
      port: 8083
      protocol: TCP
      targetPort: 8083
  selector:
    app.kubernetes.io/name: argocd-server
|
||
|
---
|
||
|
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd-applicationset
  name: argocd-applicationset-controller
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-applicationset-controller
    spec:
      containers:
        - command:
            - entrypoint.sh
            - argocd-applicationset-controller
          # All tunables come from argocd-cmd-params-cm and every reference is
          # optional, so a missing ConfigMap or key simply leaves the variable
          # unset instead of blocking pod start-up.
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION
              valueFrom:
                configMapKeyRef:
                  key: applicationsetcontroller.enable.leader.election
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACE
              valueFrom:
                configMapKeyRef:
                  key: applicationsetcontroller.namespace
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER
              valueFrom:
                configMapKeyRef:
                  key: repo.server
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY
              valueFrom:
                configMapKeyRef:
                  key: applicationsetcontroller.policy
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG
              valueFrom:
                configMapKeyRef:
                  key: applicationsetcontroller.debug
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT
              valueFrom:
                configMapKeyRef:
                  key: applicationsetcontroller.log.format
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL
              valueFrom:
                configMapKeyRef:
                  key: applicationsetcontroller.log.level
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN
              valueFrom:
                configMapKeyRef:
                  key: applicationsetcontroller.dryrun
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_GIT_MODULES_ENABLED
              valueFrom:
                configMapKeyRef:
                  key: applicationsetcontroller.enable.git.submodule
                  name: argocd-cmd-params-cm
                  optional: true
          # NOTE(review): a mutable tag pulled with imagePullPolicy Always means
          # the code running here can change on any pod restart without a
          # manifest change; pin a release tag or an image digest where
          # reproducible, reviewable deployments matter.
          image: quay.io/argoproj/argocd:latest
          imagePullPolicy: Always
          name: argocd-applicationset-controller
          ports:
            - containerPort: 7000
              name: webhook
            - containerPort: 8080
              name: metrics
          # Hardened container: no privilege escalation, all capabilities
          # dropped, read-only root filesystem, non-root, runtime-default
          # seccomp. Writable paths are limited to the emptyDir mounts below.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /app/config/ssh
              name: ssh-known-hosts
            - mountPath: /app/config/tls
              name: tls-certs
            - mountPath: /app/config/gpg/source
              name: gpg-keys
            - mountPath: /app/config/gpg/keys
              name: gpg-keyring
            - mountPath: /tmp
              name: tmp
      serviceAccountName: argocd-applicationset-controller
      volumes:
        # Trust material (SSH host keys, TLS certs, GPG keys) comes from
        # ConfigMaps; gpg-keyring and tmp are the only writable scratch space.
        - configMap:
            name: argocd-ssh-known-hosts-cm
          name: ssh-known-hosts
        - configMap:
            name: argocd-tls-certs-cm
          name: tls-certs
        - configMap:
            name: argocd-gpg-keys-cm
          name: gpg-keys
        - emptyDir: {}
          name: gpg-keyring
        - emptyDir: {}
          name: tmp
|
||
|
---
|
||
|
# Dex identity broker used by Argo CD for SSO. The dex image is distroless, so
# the argocd binary is copied into a shared emptyDir by the copyutil init
# container (as /shared/argocd-dex) and started from there with `rundex`.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-dex-server
    spec:
      affinity:
        podAntiAffinity:
          # Low-weight preference to keep this pod off nodes that already run
          # other argocd components; not enforced.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - command:
        - /shared/argocd-dex
        - rundex
        env:
        # Read from argocd-cmd-params-cm; optional, so the pod starts when the
        # key is absent and the binary's default applies.
        - name: ARGOCD_DEX_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: dexserver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        image: ghcr.io/dexidp/dex:v2.35.3-distroless
        imagePullPolicy: Always
        name: dex
        ports:
        - containerPort: 5556
        - containerPort: 5557
        - containerPort: 5558
        # Hardened container: no privilege escalation, all capabilities
        # dropped, read-only root filesystem, non-root, runtime seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        # Writable scratch space; required because the root filesystem is
        # read-only.
        - mountPath: /tmp
          name: dexconfig
        - mountPath: /tls
          name: argocd-dex-server-tls
      initContainers:
      # Copies the argocd binary into the shared volume under the name the
      # main container executes; `cp -n` never overwrites an existing file.
      - command:
        - cp
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
        # `latest` is a mutable tag that is re-pulled on every start
        # (imagePullPolicy: Always); pin a release tag or digest in a
        # production overlay.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        - mountPath: /tmp
          name: dexconfig
      serviceAccountName: argocd-dex-server
      volumes:
      - emptyDir: {}
        name: static-files
      - emptyDir: {}
        name: dexconfig
      # TLS certificate, key and CA for dex; optional so the pod can start
      # before the secret has been created.
      - name: argocd-dex-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-dex-server-tls
---
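# Argo CD notifications controller: a single replica, replaced with the
# Recreate strategy so two controllers never run at once.
apiVersion: apps/v1
kind: Deployment
metadata:
  # Labels added for consistency with the other Argo CD workloads in this
  # file (component / name / part-of); the pod selector is unchanged.
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-notifications-controller
    spec:
      containers:
      - command:
        - argocd-notifications
        # `latest` is a mutable tag that is re-pulled on every start
        # (imagePullPolicy: Always); pin a release tag or digest in a
        # production overlay.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
            port: 9001
        name: argocd-notifications-controller
        # runAsNonRoot and the seccomp profile are inherited from the
        # pod-level securityContext below.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        workingDir: /app
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: argocd-notifications-controller
      volumes:
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      # Mounted at /app/config/reposerver/tls; optional so the pod starts
      # before the secret has been created.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls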
---
# HAProxy front for the Redis HA cluster. The Argo CD components point
# `--redis` at argocd-redis-ha-haproxy:6379 instead of at a Redis pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
spec:
  replicas: 3
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  strategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Hash of the rendered configuration; a config change changes the
        # hash and so rolls the pods.
        checksum/config: 33967cee643b636d6e9a66e82b7f85814ceb8c55fba7a1d8af439ef056934e5c
      labels:
        app.kubernetes.io/name: argocd-redis-ha-haproxy
      name: argocd-redis-ha-haproxy
    spec:
      affinity:
        podAntiAffinity:
          # Hard rule: the three replicas must be scheduled on distinct nodes.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-redis-ha-haproxy
            topologyKey: kubernetes.io/hostname
      containers:
      - image: haproxy:2.6.2-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8888
          initialDelaySeconds: 5
          periodSeconds: 3
        name: haproxy
        ports:
        - containerPort: 6379
          name: redis
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8888
          initialDelaySeconds: 5
          periodSeconds: 3
        # NOTE(review): unlike the argocd containers, readOnlyRootFilesystem
        # is not set here. HAProxy's writable paths already sit on volumes
        # (/usr/local/etc/haproxy, /run/haproxy), so confirm whether it can be
        # enabled.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /usr/local/etc/haproxy
          name: data
        - mountPath: /run/haproxy
          name: shared-socket
      initContainers:
      # Runs haproxy_init.sh from the read-only ConfigMap mount; presumably
      # it writes the HAProxy configuration into the `data` volume, which the
      # main container mounts at /usr/local/etc/haproxy.
      - args:
        - /readonly/haproxy_init.sh
        command:
        - sh
        image: haproxy:2.6.2-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly
          name: config-volume
          readOnly: true
        - mountPath: /data
          name: data
      # Pod-wide: every container runs as uid 1000 and volumes are group-owned
      # by gid 1000.
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: argocd-redis-ha-haproxy
      volumes:
      - configMap:
          name: argocd-redis-ha-configmap
        name: config-volume
      - emptyDir: {}
        name: shared-socket
      - emptyDir: {}
        name: data
---
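# Argo CD repo server: checks out repositories and renders manifests for the
# other components. Two replicas, never co-located on one node and preferably
# spread across zones.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-repo-server
    spec:
      affinity:
        podAntiAffinity:
          # Soft preference to spread replicas across zones. Uses the GA zone
          # label: failure-domain.beta.kubernetes.io/zone is deprecated and
          # missing on newer nodes, which silently turned this term into a
          # no-op.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-repo-server
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          # Hard rule: two repo-server replicas never share a node.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-repo-server
            topologyKey: kubernetes.io/hostname
      # No service-account token is mounted: the repo server is not expected
      # to need Kubernetes API access, so a compromise of it yields no token.
      automountServiceAccountToken: false
      containers:
      - command:
        - entrypoint.sh
        - argocd-repo-server
        - --redis
        - argocd-redis-ha-haproxy:6379
        # All tunables below are optional keys of argocd-cmd-params-cm (the
        # reconciliation timeout comes from argocd-cm); a missing key leaves
        # the variable unset and the binary's default in effect.
        env:
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: reposerver.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        # TLS posture of the repo server's own listener.
        - name: ARGOCD_REPO_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MIN_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.minversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MAX_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.maxversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_CIPHERS
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.ciphers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.repo.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        # Size caps on what the repo server is willing to render/extract;
        # they bound the memory and disk a single repository can consume.
        - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
          valueFrom:
            configMapKeyRef:
              key: reposerver.plugin.tar.exclusions
              name: argocd-cmd-params-cm
              optional: true
        # Security-sensitive: permits repository symlinks that resolve outside
        # the checked-out tree. Review before setting it in argocd-cmd-params-cm.
        - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
          valueFrom:
            configMapKeyRef:
              key: reposerver.allow.oob.symlinks
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.tar.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
              key: reposerver.enable.git.submodule
              name: argocd-cmd-params-cm
              optional: true
        # Helm needs writable cache/config/data directories; they are pointed
        # at the helm-working-dir emptyDir because the root filesystem is
        # read-only.
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
        # `latest` is a mutable tag that is re-pulled on every start
        # (imagePullPolicy: Always); pin a release tag or digest in a
        # production overlay.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz?full=true
            port: 8084
          initialDelaySeconds: 30
          periodSeconds: 30
          timeoutSeconds: 5
        name: argocd-repo-server
        ports:
        - containerPort: 8081
        - containerPort: 8084
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8084
          initialDelaySeconds: 5
          periodSeconds: 10
        # Hardened container: no privilege escalation, all capabilities
        # dropped, read-only root filesystem, non-root, runtime seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/gpg/source
          name: gpg-keys
        - mountPath: /app/config/gpg/keys
          name: gpg-keyring
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        # Writable scratch areas; everything else is read-only.
        - mountPath: /tmp
          name: tmp
        - mountPath: /helm-working-dir
          name: helm-working-dir
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
      initContainers:
      # Places the argocd binary in var-files as argocd-cmp-server for config
      # management plugin sidecars; `cp -n` never overwrites an existing file.
      # No imagePullPolicy is set here, unlike the main container.
      - command:
        - cp
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
      serviceAccountName: argocd-repo-server
      volumes:
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      - configMap:
          name: argocd-gpg-keys-cm
        name: gpg-keys
      - emptyDir: {}
        name: gpg-keyring
      - emptyDir: {}
        name: tmp
      - emptyDir: {}
        name: helm-working-dir
      # Server certificate, key and CA for the repo server's listener;
      # optional so the pod starts before the secret has been created.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      - emptyDir: {}
        name: var-files
      - emptyDir: {}
        name: plugins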
---
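# Argo CD API/UI server. Two replicas, never co-located on one node and
# preferably spread across zones.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-server
    spec:
      affinity:
        podAntiAffinity:
          # Soft preference to spread replicas across zones. Uses the GA zone
          # label: failure-domain.beta.kubernetes.io/zone is deprecated and
          # missing on newer nodes, which silently turned this term into a
          # no-op.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-server
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          # Hard rule: two server replicas never share a node.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-server
            topologyKey: kubernetes.io/hostname
      containers:
      - command:
        - argocd-server
        - --redis
        - argocd-redis-ha-haproxy:6379
        # All ConfigMap-backed tunables below are optional keys of
        # argocd-cmd-params-cm; a missing key leaves the variable unset and
        # the binary's default in effect.
        env:
        # Must match spec.replicas above; keep both in sync when scaling.
        - name: ARGOCD_API_SERVER_REPLICAS
          value: "2"
        # Security-sensitive: server.insecure turns off TLS on the server's own
        # listener. Only appropriate behind a TLS-terminating ingress.
        - name: ARGOCD_SERVER_INSECURE
          valueFrom:
            configMapKeyRef:
              key: server.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_BASEHREF
          valueFrom:
            configMapKeyRef:
              key: server.basehref
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_ROOTPATH
          valueFrom:
            configMapKeyRef:
              key: server.rootpath
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: server.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              key: server.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_REPO_SERVER
          valueFrom:
            configMapKeyRef:
              key: repo.server
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_DEX_SERVER
          valueFrom:
            configMapKeyRef:
              key: server.dex.server
              name: argocd-cmd-params-cm
              optional: true
        # Security-sensitive: server.disable.auth removes authentication from
        # the API entirely. Not for production deployments.
        - name: ARGOCD_SERVER_DISABLE_AUTH
          valueFrom:
            configMapKeyRef:
              key: server.disable.auth
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_ENABLE_GZIP
          valueFrom:
            configMapKeyRef:
              key: server.enable.gzip
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: server.repo.server.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        # Browser hardening headers served by the UI.
        - name: ARGOCD_SERVER_X_FRAME_OPTIONS
          valueFrom:
            configMapKeyRef:
              key: server.x.frame.options
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY
          valueFrom:
            configMapKeyRef:
              key: server.content.security.policy
              name: argocd-cmd-params-cm
              optional: true
        # Transport settings for the outbound connections to the repo server
        # and to dex: plaintext disables TLS, strict.tls enforces verification.
        - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: server.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: server.repo.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: server.dex.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: server.dex.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        # TLS posture of the server's own listener.
        - name: ARGOCD_TLS_MIN_VERSION
          valueFrom:
            configMapKeyRef:
              key: server.tls.minversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MAX_VERSION
          valueFrom:
            configMapKeyRef:
              key: server.tls.maxversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_CIPHERS
          valueFrom:
            configMapKeyRef:
              key: server.tls.ciphers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.connection.status.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.oidc.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_LOGIN_ATTEMPTS_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.login.attempts.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_STATIC_ASSETS
          valueFrom:
            configMapKeyRef:
              key: server.staticassets
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.app.state.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_MAX_COOKIE_NUMBER
          valueFrom:
            configMapKeyRef:
              key: server.http.cookie.maxnumber
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        # `latest` is a mutable tag that is re-pulled on every start
        # (imagePullPolicy: Always); pin a release tag or digest in a
        # production overlay.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz?full=true
            port: 8080
          initialDelaySeconds: 3
          periodSeconds: 30
          timeoutSeconds: 5
        name: argocd-server
        ports:
        - containerPort: 8080
        - containerPort: 8083
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 3
          periodSeconds: 30
        # Hardened container: no privilege escalation, all capabilities
        # dropped, read-only root filesystem, non-root, runtime seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        # The server's own TLS directory is populated from the
        # argocd-repo-server-tls secret (as declared under volumes below).
        - mountPath: /app/config/server/tls
          name: argocd-repo-server-tls
        - mountPath: /app/config/dex/tls
          name: argocd-dex-server-tls
        # Writable scratch areas; everything else is read-only.
        - mountPath: /home/argocd
          name: plugins-home
        - mountPath: /tmp
          name: tmp
      serviceAccountName: argocd-server
      volumes:
      - emptyDir: {}
        name: plugins-home
      - emptyDir: {}
        name: tmp
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      # Both TLS secrets are optional so the pod starts before they exist.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      # Only the dex certificate and CA are projected; the dex private key
      # is not exposed to the server.
      - name: argocd-dex-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-dex-server-tls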
---
# Argo CD application controller, run as a StatefulSet so each replica has a
# stable identity. ARGOCD_CONTROLLER_REPLICAS is set to the same value as
# spec.replicas below; keep them in sync when scaling.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  serviceName: argocd-application-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-application-controller
    spec:
      affinity:
        podAntiAffinity:
          # Two soft preferences: strongly avoid nodes that already run a
          # controller replica, weakly avoid nodes that run any argocd pod.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-application-controller
              topologyKey: kubernetes.io/hostname
            weight: 100
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - command:
        - argocd-application-controller
        - --redis
        - argocd-redis-ha-haproxy:6379
        # All ConfigMap-backed tunables below are optional keys of
        # argocd-cmd-params-cm (the two reconciliation timeouts come from
        # argocd-cm); a missing key leaves the variable unset and the binary's
        # default in effect.
        env:
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.hard.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
          valueFrom:
            configMapKeyRef:
              key: repo.server
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
          valueFrom:
            configMapKeyRef:
              key: controller.status.processors
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
          valueFrom:
            configMapKeyRef:
              key: controller.operation.processors
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: controller.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: controller.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.metrics.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.self.heal.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        # Transport settings for the connection to the repo server: plaintext
        # disables TLS, strict.tls enforces verification.
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
          valueFrom:
            configMapKeyRef:
              key: controller.resource.health.persist
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.app.state.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        # `latest` is a mutable tag that is re-pulled on every start
        # (imagePullPolicy: Always); pin a release tag or digest in a
        # production overlay.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
        - containerPort: 8082
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8082
          initialDelaySeconds: 5
          periodSeconds: 10
        # Hardened container: no privilege escalation, all capabilities
        # dropped, read-only root filesystem, non-root, runtime seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/controller/tls
          name: argocd-repo-server-tls
        # Writable home directory (also the workingDir); the root filesystem
        # is read-only.
        - mountPath: /home/argocd
          name: argocd-home
        workingDir: /home/argocd
      serviceAccountName: argocd-application-controller
      volumes:
      - emptyDir: {}
        name: argocd-home
      # Mounted at /app/config/controller/tls; optional so the pod starts
      # before the secret has been created.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
---
# Redis HA backing store for Argo CD: three pods, each running redis-server,
# redis-sentinel and a split-brain-fix sidecar, spread one per node.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-server
spec:
  podManagementPolicy: OrderedReady
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  serviceName: argocd-redis-ha
  template:
    metadata:
      annotations:
        # Hash of the rendered init config; presumably a change here is what
        # triggers a pod rollout when the configmap content changes -- confirm.
        checksum/init-config: 226aec192d2f29b5355769c9f1fbf093bf36c3a1e15b574b71fb8fe73fd37c05
      labels:
        app.kubernetes.io/name: argocd-redis-ha
    spec:
      affinity:
        podAntiAffinity:
          # Hard constraint: no two redis-ha pods are scheduled onto the same node.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-redis-ha
            topologyKey: kubernetes.io/hostname
      # No service-account token is mounted, so a compromised container cannot
      # talk to the Kubernetes API with this pod's identity.
      automountServiceAccountToken: false
      containers:
      # Container 1/3: redis-server, reading the config rendered under /data/conf.
      - args:
        - /data/conf/redis.conf
        command:
        - redis-server
        # Pinned by tag only; a digest pin would additionally protect against
        # the tag being re-pushed in the registry.
        image: redis:7.0.5-alpine
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              # Script name suggests it triggers a sentinel failover when this
              # replica is the master -- verify in argocd-redis-ha-configmap.
              command:
              - /bin/sh
              - /readonly-config/trigger-failover-if-master.sh
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/redis_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        name: redis
        ports:
        - containerPort: 6379
          name: redis
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/redis_readiness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        # NOTE(review): capabilities are dropped and seccomp is pinned, but
        # readOnlyRootFilesystem is not set here, unlike the
        # argocd-application-controller container earlier in this file; worth
        # checking whether redis-server needs to write anywhere outside /data.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
        - mountPath: /health
          name: health
      # Container 2/3: redis-sentinel, same image and the same hardening as redis.
      - args:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
        image: redis:7.0.5-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/sentinel_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        name: sentinel
        ports:
        - containerPort: 26379
          name: sentinel
        # Readiness reuses sentinel_liveness.sh (there is no separate readiness
        # script mounted) and requires 3 consecutive successes.
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/sentinel_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 3
          timeoutSeconds: 15
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /data
          name: data
        - mountPath: /health
          name: health
      # Container 3/3: split-brain-fix sidecar.
      # NOTE(review): this is the only container in the pod without its own
      # securityContext. It still inherits runAsUser/runAsNonRoot from the
      # pod-level securityContext below, but not the capability drop and seccomp
      # profile its siblings set -- consider adding the same block here.
      - args:
        - /readonly-config/fix-split-brain.sh
        command:
        - sh
        # Fixed sentinel identifiers; the same three values are passed to the
        # config-init initContainer below and must stay in sync with it.
        env:
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
        - name: SENTINEL_ID_1
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
        image: redis:7.0.5-alpine
        imagePullPolicy: IfNotPresent
        name: split-brain-fix
        # No requests/limits; the sidecar is unbounded by resource quota here.
        resources: {}
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
      initContainers:
      # Runs once before the main containers; presumably renders
      # /data/conf/redis.conf and sentinel.conf from the templates in
      # /readonly-config (script name only -- verify in the configmap).
      - args:
        - /readonly-config/init.sh
        command:
        - sh
        env:
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
        - name: SENTINEL_ID_1
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
        image: redis:7.0.5-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
      # Pod-level defaults: every container (including split-brain-fix, which
      # sets none of its own) runs as uid 1000 and is rejected if the image
      # would run as root. fsGroup makes the mounted volumes group-writable
      # by gid 1000.
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: argocd-redis-ha
      # Leaves time for the preStop failover hook above to complete.
      terminationGracePeriodSeconds: 60
      volumes:
      - configMap:
          name: argocd-redis-ha-configmap
        name: config
      - configMap:
          # 493 decimal == 0755 octal: the probe scripts under /health must be
          # executable.
          defaultMode: 493
          name: argocd-redis-ha-health-configmap
        name: health
      # Ephemeral: redis data does not survive pod deletion; durability comes
      # from the three replicas, not from storage.
      - emptyDir: {}
        name: data
  updateStrategy:
    type: RollingUpdate
---
# Ingress policy for the application controller. Only port 8082 (the port the
# controller's readiness probe uses in the preceding pod spec) is reachable, but
# from any pod in any namespace. Egress is not governed by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-application-controller-network-policy
spec:
  ingress:
  - from:
    # An empty namespaceSelector matches every namespace in the cluster.
    - namespaceSelector: {}
    ports:
    # No protocol given, so Kubernetes defaults to TCP. The sibling policies
    # below spell out `protocol: TCP`; worth making this one consistent.
    - port: 8082
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  # Only Ingress is listed: egress from the controller stays unrestricted.
  policyTypes:
  - Ingress
---
# Ingress policy for the ApplicationSet controller: ports 7000 and 8080 are
# reachable from every namespace. Egress is not governed by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-applicationset-controller-network-policy
spec:
  ingress:
  - from:
    # An empty namespaceSelector matches every namespace in the cluster.
    - namespaceSelector: {}
    # NOTE(review): both ports are opened cluster-wide by one rule; if only one
    # of them needs to be reachable from other namespaces, split the rule and
    # scope the other to the namespace(s) that actually call it.
    ports:
    - port: 7000
      protocol: TCP
    - port: 8080
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  policyTypes:
  - Ingress
---
# Ingress policy for Dex: 5556/5557 only from argocd-server pods in this
# namespace, 5558 from anywhere in the cluster. Egress is not governed here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-dex-server-network-policy
spec:
  ingress:
  - from:
    # A `from` entry with only a podSelector matches pods in the policy's own
    # namespace only.
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    ports:
    - port: 5556
      protocol: TCP
    - port: 5557
      protocol: TCP
  # Second rule: 5558 is open to every namespace (empty namespaceSelector).
  - from:
    - namespaceSelector: {}
    ports:
    - port: 5558
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  policyTypes:
  - Ingress
---
# Ingress policy for the notifications controller: port 9001 is reachable from
# every namespace. Egress is not governed by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-notifications-controller-network-policy
spec:
  ingress:
  - from:
    # An empty namespaceSelector matches every namespace in the cluster.
    - namespaceSelector: {}
    ports:
    - port: 9001
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  policyTypes:
  - Ingress
---
# Policy for the redis-ha HAProxy pods. Both directions are enforced: egress is
# limited to the redis-ha pods plus DNS, ingress to the three Argo CD components
# that use Redis. Anything not listed below is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-ha-proxy-network-policy
spec:
  egress:
  # Redis and Sentinel ports, only towards redis-ha pods in this namespace.
  - ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
  # DNS. The empty namespaceSelector allows port 53 to any pod in any
  # namespace; if the cluster DNS namespace is known, this can be narrowed.
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
    to:
    - namespaceSelector: {}
  ingress:
  # Callers are matched by podSelector only, i.e. pods in this namespace.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-repo-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
  - Ingress
  - Egress
---
# Policy for the redis-ha StatefulSet pods. Both directions are enforced: the
# pods may talk to each other (replication, sentinel) and to DNS, and accept
# connections only from HAProxy and from their peers.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-ha-server-network-policy
spec:
  egress:
  # Peer traffic on the Redis and Sentinel ports, same namespace only.
  - ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
  # DNS to any namespace; see the HAProxy policy above for the same caveat.
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
    to:
    - namespaceSelector: {}
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha-haproxy
    # Peers select themselves so replication and sentinel gossip work.
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
    ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  policyTypes:
  - Ingress
  - Egress
---
# Ingress policy for the repo server: 8081 only from the Argo CD components in
# this namespace that need it, 8084 from every namespace. Egress is not
# governed by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-repo-server-network-policy
spec:
  ingress:
  # podSelector-only entries match pods in the policy's own namespace.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-notifications-controller
    ports:
    - port: 8081
      protocol: TCP
  - from:
    # An empty namespaceSelector matches every namespace in the cluster.
    - namespaceSelector: {}
    ports:
    # No protocol given (defaults to TCP); the other entries in this file state
    # `protocol: TCP` explicitly.
    - port: 8084
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  policyTypes:
  - Ingress
---
# Ingress policy for the API/UI server. The single empty rule allows all
# ingress from any source on any port, so this policy selects the pod without
# actually restricting traffic to it; exposure is expected to be controlled at
# the Service/Ingress layer instead. Egress is not governed here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-server-network-policy
spec:
  ingress:
  # `{}` is an allow-all rule (no `from`, no `ports`).
  - {}
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  policyTypes:
  - Ingress