# This is an auto-generated file. DO NOT EDIT apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: application-controller app.kubernetes.io/name: argocd-application-controller app.kubernetes.io/part-of: argocd name: argocd-application-controller --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: argocd-applicationset-controller app.kubernetes.io/part-of: argocd-applicationset name: argocd-applicationset-controller --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: dex-server app.kubernetes.io/name: argocd-dex-server app.kubernetes.io/part-of: argocd name: argocd-dex-server --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: notifications-controller app.kubernetes.io/name: argocd-notifications-controller app.kubernetes.io/part-of: argocd name: argocd-notifications-controller --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: redis app.kubernetes.io/name: argocd-redis-ha app.kubernetes.io/part-of: argocd name: argocd-redis-ha --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: redis app.kubernetes.io/name: argocd-redis-ha-haproxy app.kubernetes.io/part-of: argocd name: argocd-redis-ha-haproxy --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: repo-server app.kubernetes.io/name: argocd-repo-server app.kubernetes.io/part-of: argocd name: argocd-repo-server --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: server app.kubernetes.io/name: argocd-server app.kubernetes.io/part-of: argocd name: argocd-server --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/component: application-controller app.kubernetes.io/name: argocd-application-controller app.kubernetes.io/part-of: argocd name: argocd-application-controller rules: - 
apiGroups: - "" resources: - secrets - configmaps verbs: - get - list - watch - apiGroups: - argoproj.io resources: - applications - appprojects verbs: - create - get - list - watch - update - patch - delete - apiGroups: - "" resources: - events verbs: - create - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: argocd-applicationset-controller app.kubernetes.io/part-of: argocd-applicationset name: argocd-applicationset-controller rules: - apiGroups: - argoproj.io resources: - applications - applicationsets - applicationsets/finalizers verbs: - create - delete - get - list - patch - update - watch - apiGroups: - argoproj.io resources: - appprojects verbs: - get - apiGroups: - argoproj.io resources: - applicationsets/status verbs: - get - patch - update - apiGroups: - "" resources: - events verbs: - create - get - list - patch - watch - apiGroups: - "" resources: - secrets - configmaps verbs: - get - list - watch - apiGroups: - apps - extensions resources: - deployments verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/component: dex-server app.kubernetes.io/name: argocd-dex-server app.kubernetes.io/part-of: argocd name: argocd-dex-server rules: - apiGroups: - "" resources: - secrets - configmaps verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: argocd-notifications-controller rules: - apiGroups: - argoproj.io resources: - applications - appprojects verbs: - get - list - watch - update - patch - apiGroups: - "" resources: - configmaps - secrets verbs: - list - watch - apiGroups: - "" resourceNames: - argocd-notifications-cm resources: - configmaps verbs: - get - apiGroups: - "" resourceNames: - argocd-notifications-secret resources: - secrets verbs: - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/component: 
redis app.kubernetes.io/name: argocd-redis-ha app.kubernetes.io/part-of: argocd name: argocd-redis-ha rules: - apiGroups: - "" resources: - endpoints verbs: - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/component: redis app.kubernetes.io/name: argocd-redis-ha app.kubernetes.io/part-of: argocd name: argocd-redis-ha-haproxy rules: - apiGroups: - "" resources: - endpoints verbs: - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/component: server app.kubernetes.io/name: argocd-server app.kubernetes.io/part-of: argocd name: argocd-server rules: - apiGroups: - "" resources: - secrets - configmaps verbs: - create - get - list - watch - update - patch - delete - apiGroups: - argoproj.io resources: - applications - appprojects - applicationsets verbs: - create - get - list - watch - update - delete - patch - apiGroups: - "" resources: - events verbs: - create - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: application-controller app.kubernetes.io/name: argocd-application-controller app.kubernetes.io/part-of: argocd name: argocd-application-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: argocd-application-controller subjects: - kind: ServiceAccount name: argocd-application-controller --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: argocd-applicationset-controller app.kubernetes.io/part-of: argocd-applicationset name: argocd-applicationset-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: argocd-applicationset-controller subjects: - kind: ServiceAccount name: argocd-applicationset-controller --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: dex-server app.kubernetes.io/name: argocd-dex-server 
app.kubernetes.io/part-of: argocd name: argocd-dex-server roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: argocd-dex-server subjects: - kind: ServiceAccount name: argocd-dex-server --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: argocd-notifications-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: argocd-notifications-controller subjects: - kind: ServiceAccount name: argocd-notifications-controller --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: redis app.kubernetes.io/name: argocd-redis-ha app.kubernetes.io/part-of: argocd name: argocd-redis-ha roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: argocd-redis-ha subjects: - kind: ServiceAccount name: argocd-redis-ha --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: redis app.kubernetes.io/name: argocd-redis-ha app.kubernetes.io/part-of: argocd name: argocd-redis-ha-haproxy roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: argocd-redis-ha-haproxy subjects: - kind: ServiceAccount name: argocd-redis-ha-haproxy --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: server app.kubernetes.io/name: argocd-server app.kubernetes.io/part-of: argocd name: argocd-server roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: argocd-server subjects: - kind: ServiceAccount name: argocd-server --- apiVersion: v1 kind: ConfigMap metadata: labels: app.kubernetes.io/name: argocd-cm app.kubernetes.io/part-of: argocd name: argocd-cm --- apiVersion: v1 kind: ConfigMap metadata: labels: app.kubernetes.io/name: argocd-cmd-params-cm app.kubernetes.io/part-of: argocd name: argocd-cmd-params-cm --- apiVersion: v1 kind: ConfigMap metadata: labels: app.kubernetes.io/name: argocd-gpg-keys-cm app.kubernetes.io/part-of: argocd name: argocd-gpg-keys-cm --- apiVersion: v1 kind: 
ConfigMap metadata: name: argocd-notifications-cm --- apiVersion: v1 kind: ConfigMap metadata: labels: app.kubernetes.io/name: argocd-rbac-cm app.kubernetes.io/part-of: argocd name: argocd-rbac-cm --- apiVersion: v1 data: fix-split-brain.sh: | HOSTNAME="$(hostname)" INDEX="${HOSTNAME##*-}" SENTINEL_PORT=26379 ANNOUNCE_IP='' MASTER='' MASTER_GROUP="argocd" QUORUM="2" REDIS_CONF=/data/conf/redis.conf REDIS_PORT=6379 REDIS_TLS_PORT= SENTINEL_CONF=/data/conf/sentinel.conf SENTINEL_TLS_PORT= SERVICE=argocd-redis-ha SENTINEL_TLS_REPLICATION_ENABLED=false REDIS_TLS_REPLICATION_ENABLED=false ROLE='' REDIS_MASTER='' set -eu sentinel_get_master() { set +e if [ "$SENTINEL_PORT" -eq 0 ]; then redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:(
(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' else redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' fi set -e } sentinel_get_master_retry() { master='' retry=${1} sleep=3 for i in $(seq 1 "${retry}"); do master=$(sentinel_get_master) if [ -n "${master}" ]; then break fi sleep $((sleep + i)) done echo "${master}" } identify_master() { echo "Identifying redis master (get-master-addr-by-name).." 
echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)" MASTER="$(sentinel_get_master_retry 3)" if [ -n "${MASTER}" ]; then echo " $(date) Found redis master (${MASTER})" else echo " $(date) Did not find redis master (${MASTER})" fi } sentinel_update() { echo "Updating sentinel config.." echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})" eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}" echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})" sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}" if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then echo " redis master (${1}:${REDIS_TLS_PORT})" sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" else echo " redis master (${1}:${REDIS_PORT})" sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" fi echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF} if [ "$SENTINEL_PORT" -eq 0 ]; then echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})" echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF} else echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})" echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF} fi } redis_update() { echo "Updating redis config.." if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})" echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}" echo "slave-announce-port ${REDIS_TLS_PORT}" >> ${REDIS_CONF} else echo " we are slave of redis master (${1}:${REDIS_PORT})" echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}" echo "slave-announce-port ${REDIS_PORT}" >> ${REDIS_CONF} fi echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF} } copy_config() { echo "Copying default redis config.." echo " to '${REDIS_CONF}'" cp /readonly-config/redis.conf "${REDIS_CONF}" echo "Copying default sentinel config.." 
echo " to '${SENTINEL_CONF}'" cp /readonly-config/sentinel.conf "${SENTINEL_CONF}" } setup_defaults() { echo "Setting up defaults.." echo " using statefulset index (${INDEX})" if [ "${INDEX}" = "0" ]; then echo "Setting this pod as master for redis and sentinel.." echo " using announce (${ANNOUNCE_IP})" redis_update "${ANNOUNCE_IP}" sentinel_update "${ANNOUNCE_IP}" echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)" sed -i "s/^.*slaveof.*//" "${REDIS_CONF}" else echo "Getting redis master ip.." echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master" DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')" echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})" if [ -z "${DEFAULT_MASTER}" ]; then echo "Error: Unable to resolve redis master (getent hosts)." exit 1 fi echo "Setting default slave config for redis and sentinel.." echo " using master ip (${DEFAULT_MASTER})" redis_update "${DEFAULT_MASTER}" sentinel_update "${DEFAULT_MASTER}" fi } redis_ping() { set +e if [ "$REDIS_PORT" -eq 0 ]; then redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping else redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping fi set -e } redis_ping_retry() { ping='' retry=${1} sleep=3 for i in $(seq 1 "${retry}"); do if [ "$(redis_ping)" = "PONG" ]; then ping='PONG' break fi sleep $((sleep + i)) MASTER=$(sentinel_get_master) done echo "${ping}" } find_master() { echo "Verifying redis master.." if [ "$REDIS_PORT" -eq 0 ]; then echo " ping (${MASTER}:${REDIS_TLS_PORT})" else echo " ping (${MASTER}:${REDIS_PORT})" fi if [ "$(redis_ping_retry 3)" != "PONG" ]; then echo " $(date) Can't ping redis master (${MASTER})" echo "Attempting to force failover (sentinel failover).." 
if [ "$SENTINEL_PORT" -eq 0 ]; then echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then echo " $(date) Failover returned with 'NOGOODSLAVE'" echo "Setting defaults for this pod.." setup_defaults return 0 fi else echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then echo " $(date) Failover returned with 'NOGOODSLAVE'" echo "Setting defaults for this pod.." setup_defaults return 0 fi fi echo "Hold on for 10sec" sleep 10 echo "We should get redis master's ip now. Asking (get-master-addr-by-name).." if [ "$SENTINEL_PORT" -eq 0 ]; then echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" else echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" fi MASTER="$(sentinel_get_master)" if [ "${MASTER}" ]; then echo " $(date) Found redis master (${MASTER})" echo "Updating redis and sentinel config.." sentinel_update "${MASTER}" redis_update "${MASTER}" else echo "$(date) Error: Could not failover, exiting..." exit 1 fi else echo " $(date) Found reachable redis master (${MASTER})" echo "Updating redis and sentinel config.." sentinel_update "${MASTER}" redis_update "${MASTER}" fi } redis_ro_update() { echo "Updating read-only redis config.." echo " redis.conf set 'replica-priority 0'" echo "replica-priority 0" >> ${REDIS_CONF} } getent_hosts() { index=${1:-${INDEX}} service="${SERVICE}-announce-${index}" pod="${SERVICE}-server-${index}" host=$(getent hosts "${service}") if [ -z "${host}" ]; then host=$(getent hosts "${pod}") fi echo "${host}" } identify_announce_ip() { echo "Identify announce ip for this pod.." 
echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})" ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }') echo " identified announce (${ANNOUNCE_IP})" } redis_role() { set +e if [ "$REDIS_PORT" -eq 0 ]; then ROLE=$(redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//') else ROLE=$(redis-cli -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//') fi set -e } identify_redis_master() { set +e if [ "$REDIS_PORT" -eq 0 ]; then REDIS_MASTER=$(redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//') else REDIS_MASTER=$(redis-cli -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//') fi set -e } reinit() { set +e sh /readonly-config/init.sh if [ "$REDIS_PORT" -eq 0 ]; then echo "shutdown" | redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key else echo "shutdown" | redis-cli -p "${REDIS_PORT}" fi set -e } identify_announce_ip while true; do sleep 60 # where is redis master identify_master if [ "$MASTER" == "$ANNOUNCE_IP" ]; then redis_role if [ "$ROLE" != "master" ]; then reinit fi else identify_redis_master if [ "$REDIS_MASTER" != "$MASTER" ]; then reinit fi fi done haproxy.cfg: | defaults REDIS mode tcp timeout connect 4s timeout server 6m timeout client 6m timeout check 2s listen health_check_http_url bind [::]:8888 v4v6 mode http monitor-uri /healthz option dontlognull # Check Sentinel and whether they are nominated master backend check_if_redis_is_master_0 mode tcp option tcp-check tcp-check connect tcp-check send PING\r\n tcp-check expect string +PONG tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n tcp-check expect string REPLACE_ANNOUNCE0 tcp-check send QUIT\r\n tcp-check expect 
string +OK server R0 argocd-redis-ha-announce-0:26379 check inter 3s server R1 argocd-redis-ha-announce-1:26379 check inter 3s server R2 argocd-redis-ha-announce-2:26379 check inter 3s # Check Sentinel and whether they are nominated master backend check_if_redis_is_master_1 mode tcp option tcp-check tcp-check connect tcp-check send PING\r\n tcp-check expect string +PONG tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n tcp-check expect string REPLACE_ANNOUNCE1 tcp-check send QUIT\r\n tcp-check expect string +OK server R0 argocd-redis-ha-announce-0:26379 check inter 3s server R1 argocd-redis-ha-announce-1:26379 check inter 3s server R2 argocd-redis-ha-announce-2:26379 check inter 3s # Check Sentinel and whether they are nominated master backend check_if_redis_is_master_2 mode tcp option tcp-check tcp-check connect tcp-check send PING\r\n tcp-check expect string +PONG tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n tcp-check expect string REPLACE_ANNOUNCE2 tcp-check send QUIT\r\n tcp-check expect string +OK server R0 argocd-redis-ha-announce-0:26379 check inter 3s server R1 argocd-redis-ha-announce-1:26379 check inter 3s server R2 argocd-redis-ha-announce-2:26379 check inter 3s # decide redis backend to use #master frontend ft_redis_master bind [::]:6379 v4v6 use_backend bk_redis_master # Check all redis servers to see if they think they are master backend bk_redis_master mode tcp option tcp-check tcp-check connect tcp-check send PING\r\n tcp-check expect string +PONG tcp-check send info\ replication\r\n tcp-check expect string role:master tcp-check send QUIT\r\n tcp-check expect string +OK use-server R0 if { srv_is_up(R0) } { nbsrv(check_if_redis_is_master_0) ge 2 } server R0 argocd-redis-ha-announce-0:6379 check inter 3s fall 1 rise 1 use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1) ge 2 } server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise 1 use-server R2 if { srv_is_up(R2) } { 
nbsrv(check_if_redis_is_master_2) ge 2 } server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 1 haproxy_init.sh: | HAPROXY_CONF=/data/haproxy.cfg cp /readonly/haproxy.cfg "$HAPROXY_CONF" for loop in $(seq 1 10); do getent hosts argocd-redis-ha-announce-0 && break echo "Waiting for service argocd-redis-ha-announce-0 to be ready ($loop) ..." && sleep 1 done ANNOUNCE_IP0=$(getent hosts "argocd-redis-ha-announce-0" | awk '{ print $1 }') if [ -z "$ANNOUNCE_IP0" ]; then echo "Could not resolve the announce ip for argocd-redis-ha-announce-0" exit 1 fi sed -i "s/REPLACE_ANNOUNCE0/$ANNOUNCE_IP0/" "$HAPROXY_CONF" for loop in $(seq 1 10); do getent hosts argocd-redis-ha-announce-1 && break echo "Waiting for service argocd-redis-ha-announce-1 to be ready ($loop) ..." && sleep 1 done ANNOUNCE_IP1=$(getent hosts "argocd-redis-ha-announce-1" | awk '{ print $1 }') if [ -z "$ANNOUNCE_IP1" ]; then echo "Could not resolve the announce ip for argocd-redis-ha-announce-1" exit 1 fi sed -i "s/REPLACE_ANNOUNCE1/$ANNOUNCE_IP1/" "$HAPROXY_CONF" for loop in $(seq 1 10); do getent hosts argocd-redis-ha-announce-2 && break echo "Waiting for service argocd-redis-ha-announce-2 to be ready ($loop) ..." && sleep 1 done ANNOUNCE_IP2=$(getent hosts "argocd-redis-ha-announce-2" | awk '{ print $1 }') if [ -z "$ANNOUNCE_IP2" ]; then echo "Could not resolve the announce ip for argocd-redis-ha-announce-2" exit 1 fi sed -i "s/REPLACE_ANNOUNCE2/$ANNOUNCE_IP2/" "$HAPROXY_CONF" init.sh: | echo "$(date) Start..." 
HOSTNAME="$(hostname)" INDEX="${HOSTNAME##*-}" SENTINEL_PORT=26379 ANNOUNCE_IP='' MASTER='' MASTER_GROUP="argocd" QUORUM="2" REDIS_CONF=/data/conf/redis.conf REDIS_PORT=6379 REDIS_TLS_PORT= SENTINEL_CONF=/data/conf/sentinel.conf SENTINEL_TLS_PORT= SERVICE=argocd-redis-ha SENTINEL_TLS_REPLICATION_ENABLED=false REDIS_TLS_REPLICATION_ENABLED=false set -eu sentinel_get_master() { set +e if [ "$SENTINEL_PORT" -eq 0 ]; then redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' else redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ grep -E 
'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' fi set -e } sentinel_get_master_retry() { master='' retry=${1} sleep=3 for i in $(seq 1 "${retry}"); do master=$(sentinel_get_master) if [ -n "${master}" ]; then break fi sleep $((sleep + i)) done echo "${master}" } identify_master() { echo "Identifying redis master (get-master-addr-by-name).." echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)" MASTER="$(sentinel_get_master_retry 3)" if [ -n "${MASTER}" ]; then echo " $(date) Found redis master (${MASTER})" else echo " $(date) Did not find redis master (${MASTER})" fi } sentinel_update() { echo "Updating sentinel config.." 
echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})" eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}" echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})" sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}" if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then echo " redis master (${1}:${REDIS_TLS_PORT})" sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" else echo " redis master (${1}:${REDIS_PORT})" sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" fi echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF} if [ "$SENTINEL_PORT" -eq 0 ]; then echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})" echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF} else echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})" echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF} fi } redis_update() { echo "Updating redis config.." if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})" echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}" echo "slave-announce-port ${REDIS_TLS_PORT}" >> ${REDIS_CONF} else echo " we are slave of redis master (${1}:${REDIS_PORT})" echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}" echo "slave-announce-port ${REDIS_PORT}" >> ${REDIS_CONF} fi echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF} } copy_config() { echo "Copying default redis config.." echo " to '${REDIS_CONF}'" cp /readonly-config/redis.conf "${REDIS_CONF}" echo "Copying default sentinel config.." echo " to '${SENTINEL_CONF}'" cp /readonly-config/sentinel.conf "${SENTINEL_CONF}" } setup_defaults() { echo "Setting up defaults.." echo " using statefulset index (${INDEX})" if [ "${INDEX}" = "0" ]; then echo "Setting this pod as master for redis and sentinel.." 
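# --- continuation of data.init.sh of the argocd-redis-ha-configmap ConfigMap
# (block-scalar content; the script head and the function this branch
# belongs to begin before this chunk) ---
        echo " using announce (${ANNOUNCE_IP})"
        redis_update "${ANNOUNCE_IP}"
        sentinel_update "${ANNOUNCE_IP}"
        echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
        sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
      else
        echo "Getting redis master ip.."
        echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
        DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
        echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
        if [ -z "${DEFAULT_MASTER}" ]; then
          echo "Error: Unable to resolve redis master (getent hosts)."
          exit 1
        fi
        echo "Setting default slave config for redis and sentinel.."
        echo " using master ip (${DEFAULT_MASTER})"
        redis_update "${DEFAULT_MASTER}"
        sentinel_update "${DEFAULT_MASTER}"
      fi
    }
    # Ping MASTER once; prints PONG on success. When REDIS_PORT is 0 the TLS
    # listener is used with the client certificate mounted under /tls-certs.
    # errexit is suspended so an unreachable master returns "" instead of
    # aborting the script.
    redis_ping() {
      set +e
      if [ "$REDIS_PORT" -eq 0 ]; then
        redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
      else
        redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
      fi
      set -e
    }
    # Retry redis_ping up to $1 times with a growing back-off; between
    # attempts MASTER is refreshed from sentinel. Prints PONG or "".
    redis_ping_retry() {
      ping=''
      retry=${1}
      sleep=3
      for i in $(seq 1 "${retry}"); do
        if [ "$(redis_ping)" = "PONG" ]; then
          ping='PONG'
          break
        fi
        sleep $((sleep + i))
        MASTER=$(sentinel_get_master)
      done
      echo "${ping}"
    }
    # Confirm MASTER is reachable; if not, ask sentinel for a failover and
    # re-resolve the master. NOGOODSLAVE means there is nothing to promote,
    # so this pod falls back to setup_defaults.
    find_master() {
      echo "Verifying redis master.."
      if [ "$REDIS_PORT" -eq 0 ]; then
        echo " ping (${MASTER}:${REDIS_TLS_PORT})"
      else
        echo " ping (${MASTER}:${REDIS_PORT})"
      fi
      if [ "$(redis_ping_retry 3)" != "PONG" ]; then
        echo " $(date) Can't ping redis master (${MASTER})"
        echo "Attempting to force failover (sentinel failover).."
        if [ "$SENTINEL_PORT" -eq 0 ]; then
          echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
          if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
            echo " $(date) Failover returned with 'NOGOODSLAVE'"
            echo "Setting defaults for this pod.."
            setup_defaults
            return 0
          fi
        else
          echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
          if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
            echo " $(date) Failover returned with 'NOGOODSLAVE'"
            echo "Setting defaults for this pod.."
            setup_defaults
            return 0
          fi
        fi
        echo "Hold on for 10sec"
        sleep 10
        echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
        if [ "$SENTINEL_PORT" -eq 0 ]; then
          echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
        else
          echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
        fi
        MASTER="$(sentinel_get_master)"
        if [ "${MASTER}" ]; then
          echo " $(date) Found redis master (${MASTER})"
          echo "Updating redis and sentinel config.."
          sentinel_update "${MASTER}"
          redis_update "${MASTER}"
        else
          echo "$(date) Error: Could not failover, exiting..."
          exit 1
        fi
      else
        echo " $(date) Found reachable redis master (${MASTER})"
        echo "Updating redis and sentinel config.."
        sentinel_update "${MASTER}"
        redis_update "${MASTER}"
      fi
    }
    # Mark this replica as never eligible for promotion.
    redis_ro_update() {
      echo "Updating read-only redis config.."
      echo " redis.conf set 'replica-priority 0'"
      echo "replica-priority 0" >> "${REDIS_CONF}"
    }
    # Resolve the announce Service for index $1 (default: this pod's INDEX),
    # falling back to the pod's own headless-service name. Prints the raw
    # "getent hosts" line, or "" when neither resolves.
    getent_hosts() {
      index=${1:-${INDEX}}
      service="${SERVICE}-announce-${index}"
      pod="${SERVICE}-server-${index}"
      host=$(getent hosts "${service}")
      if [ -z "${host}" ]; then
        host=$(getent hosts "${pod}")
      fi
      echo "${host}"
    }
    # Set ANNOUNCE_IP to the first address of this pod's announce Service.
    identify_announce_ip() {
      echo "Identify announce ip for this pod.."
      echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
      ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
      echo " identified announce (${ANNOUNCE_IP})"
    }
    mkdir -p /data/conf/
    echo "Initializing config.."
    copy_config
    # where is redis master
    identify_master
    identify_announce_ip
    if [ -z "${ANNOUNCE_IP}" ]; then
      # Fix: this line was a bare string, which the shell tried to run as a
      # command, so the diagnostic was never printed before the pod exited.
      echo "Error: Could not resolve the announce ip for this pod."
      exit 1
    elif [ "${MASTER}" ]; then
      find_master
    else
      setup_defaults
    fi
    # The AUTH / SENTINELAUTH values are spliced into the conf files with sed.
    # NOTE(review): only "/" and "&" are escaped, so a password containing a
    # newline or a backslash would corrupt the conf, and the value is passed on
    # sed's command line (visible in the pod's process list while it runs).
    # The substitution only has an effect where a conf file carries the
    # literal placeholder token.
    if [ "${AUTH:-}" ]; then
      echo "Setting redis auth values.."
      ESCAPED_AUTH=$(echo "${AUTH}" | sed -e 's/[\/&]/\\&/g');
      sed -i "s/replace-default-auth/${ESCAPED_AUTH}/" "${REDIS_CONF}" "${SENTINEL_CONF}"
    fi
    if [ "${SENTINELAUTH:-}" ]; then
      echo "Setting sentinel auth values"
      ESCAPED_AUTH_SENTINEL=$(echo "$SENTINELAUTH" | sed -e 's/[\/&]/\\&/g');
      sed -i "s/replace-default-sentinel-auth/${ESCAPED_AUTH_SENTINEL}/" "$SENTINEL_CONF"
    fi
    echo "$(date) Ready..."
  # Base redis.conf copied into /data/conf by init.sh.
  # NOTE(review): the server binds 0.0.0.0 and this file carries no
  # requirepass / replace-default-auth placeholder, so the listener is
  # unauthenticated inside the cluster; reachability is governed by cluster
  # network policy only. FLUSHDB/FLUSHALL are renamed to "" (disabled), and
  # `save ""` disables RDB snapshots.
  redis.conf: |
    dir "/data"
    port 6379
    rename-command FLUSHDB ""
    rename-command FLUSHALL ""
    bind 0.0.0.0
    maxmemory 0
    maxmemory-policy volatile-lru
    min-replicas-max-lag 5
    min-replicas-to-write 1
    rdbchecksum yes
    rdbcompression yes
    repl-diskless-sync yes
    save ""
  # Base sentinel.conf; the monitored master group is "argocd". Same
  # bind-all / no-auth caveat as redis.conf above.
  sentinel.conf: |
    dir "/data"
    port 26379
    bind 0.0.0.0
    sentinel down-after-milliseconds argocd 10000
    sentinel failover-timeout argocd 180000
    maxclients 10000
    sentinel parallel-syncs argocd 5
  # preStop hook for the redis container: if this node is currently master,
  # ask sentinel to fail over before the pod is stopped.
  # NOTE(review): `[[ ]]` is a bash/ash extension; the hook runs this file
  # via /bin/sh, so it relies on the image's sh accepting that syntax.
  trigger-failover-if-master.sh: |
    get_redis_role() {
      is_master=$(
        redis-cli \
          -h localhost \
          -p 6379 \
          info | grep -c 'role:master' || true
      )
    }
    get_redis_role
    if [[ "$is_master" -eq 1 ]]; then
      echo "This node is currently master, we trigger a failover."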
# --- continuation of data.trigger-failover-if-master.sh (block-scalar
# content; the script starts before this chunk) ---
      response=$(
        redis-cli \
          -h localhost \
          -p 26379 \
          SENTINEL failover argocd
      )
      if [[ "$response" != "OK" ]] ; then
        echo "$response"
        exit 1
      fi
      # Poll for up to 30s until this node has stopped being master.
      timeout=30
      while [[ "$is_master" -eq 1 && $timeout -gt 0 ]]; do
        sleep 1
        get_redis_role
        timeout=$((timeout - 1))
      done
      echo "Failover successful"
    fi
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-configmap
---
# Probe scripts for the redis-ha StatefulSet (mounted at /health).
# NOTE(review): all three probes talk to the loopback listener in plaintext
# and without AUTH; if TLS or requirepass is enabled on the server these
# scripts need matching redis-cli flags or every probe will fail.
apiVersion: v1
data:
  # Liveness: PONG, or a LOADING reply while the dataset is still being read,
  # both count as alive.
  redis_liveness.sh: |
    response=$(
      redis-cli \
        -h localhost \
        -p 6379 \
        ping
    )
    if [ "$response" != "PONG" ] && [ "${response:0:7}" != "LOADING" ] ; then
      echo "$response"
      exit 1
    fi
    echo "response=$response"
  # Readiness: only an exact PONG counts.
  redis_readiness.sh: |
    response=$(
      redis-cli \
        -h localhost \
        -p 6379 \
        ping
    )
    if [ "$response" != "PONG" ] ; then
      echo "$response"
      exit 1
    fi
    echo "response=$response"
  # Sentinel liveness on the sentinel port.
  sentinel_liveness.sh: |
    response=$(
      redis-cli \
        -h localhost \
        -p 26379 \
        ping
    )
    if [ "$response" != "PONG" ]; then
      echo "$response"
      exit 1
    fi
    echo "response=$response"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-health-configmap
---
# SSH host keys trusted for Git-over-SSH repositories. Mounted into the
# repo-server, server and applicationset-controller pods in this manifest.
# NOTE(review): the github.com ssh-rsa entry below looks like the host key
# GitHub rotated in March 2023 — verify every entry against the provider's
# currently published fingerprints and refresh this ConfigMap on rotation.
apiVersion: v1
data:
  ssh_known_hosts: |-
    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
    github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
    gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
    gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
    gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
    ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
    vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-ssh-known-hosts-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-ssh-known-hosts-cm
---
# Empty by default; mounted at /app/config/tls in the argocd pods so
# additional repository CA certificates can be supplied here.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-tls-certs-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-tls-certs-cm
---
# Placeholder Secrets with no data. They are populated out-of-band at
# install time; keep secret material out of this committed manifest.
apiVersion: v1
kind: Secret
metadata:
  name: argocd-notifications-secret
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
  name: argocd-secret
type: Opaque
---
# ClusterIP Services (default type). Each selects pods by app.kubernetes.io/name.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd-applicationset
  name: argocd-applicationset-controller
spec:
  ports:
  # webhook (7000) is the inbound Git-provider webhook endpoint; metrics (8080)
  # is scrape-only. Ports are named, so targetPort refers to the container
  # port names in the matching Deployment.
  - name: webhook
    port: 7000
    protocol: TCP
    targetPort: webhook
  - name: metrics
    port: 8080
    protocol: TCP
    targetPort: metrics
  selector:
    app.kubernetes.io/name: argocd-applicationset-controller
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
spec:
  ports:
  - name: http
    port: 5556
    protocol: TCP
    targetPort: 5556
  - name: grpc
    port: 5557
    protocol: TCP
    targetPort: 5557
  - name: metrics
    port: 5558
    protocol: TCP
    targetPort: 5558
  selector:
    app.kubernetes.io/name: argocd-dex-server
---
# Metrics endpoint of the application controller (note the selector targets
# argocd-application-controller pods, not a pod named argocd-metrics).
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: metrics
    app.kubernetes.io/name: argocd-metrics
    app.kubernetes.io/part-of: argocd
  name: argocd-metrics
spec:
  ports:
  - name: metrics
    port: 8082
    protocol: TCP
    targetPort: 8082
  selector:
    app.kubernetes.io/name: argocd-application-controller
---
apiVersion: v1
kind: Service
metadata: labels: app.kubernetes.io/name: argocd-notifications-controller-metrics name: argocd-notifications-controller-metrics spec: ports: - name: metrics port: 9001 protocol: TCP targetPort: 9001 selector: app.kubernetes.io/name: argocd-notifications-controller --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: redis app.kubernetes.io/name: argocd-redis-ha app.kubernetes.io/part-of: argocd name: argocd-redis-ha spec: clusterIP: None ports: - name: tcp-server port: 6379 protocol: TCP targetPort: redis - name: tcp-sentinel port: 26379 protocol: TCP targetPort: sentinel selector: app.kubernetes.io/name: argocd-redis-ha type: ClusterIP --- apiVersion: v1 kind: Service metadata: annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" labels: app.kubernetes.io/component: redis app.kubernetes.io/name: argocd-redis-ha app.kubernetes.io/part-of: argocd name: argocd-redis-ha-announce-0 spec: ports: - name: tcp-server port: 6379 protocol: TCP targetPort: redis - name: tcp-sentinel port: 26379 protocol: TCP targetPort: sentinel publishNotReadyAddresses: true selector: app.kubernetes.io/name: argocd-redis-ha statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-0 type: ClusterIP --- apiVersion: v1 kind: Service metadata: annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" labels: app.kubernetes.io/component: redis app.kubernetes.io/name: argocd-redis-ha app.kubernetes.io/part-of: argocd name: argocd-redis-ha-announce-1 spec: ports: - name: tcp-server port: 6379 protocol: TCP targetPort: redis - name: tcp-sentinel port: 26379 protocol: TCP targetPort: sentinel publishNotReadyAddresses: true selector: app.kubernetes.io/name: argocd-redis-ha statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-1 type: ClusterIP --- apiVersion: v1 kind: Service metadata: annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" labels: app.kubernetes.io/component: redis app.kubernetes.io/name: 
argocd-redis-ha app.kubernetes.io/part-of: argocd name: argocd-redis-ha-announce-2 spec: ports: - name: tcp-server port: 6379 protocol: TCP targetPort: redis - name: tcp-sentinel port: 26379 protocol: TCP targetPort: sentinel publishNotReadyAddresses: true selector: app.kubernetes.io/name: argocd-redis-ha statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-2 type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: redis app.kubernetes.io/name: argocd-redis-ha-haproxy app.kubernetes.io/part-of: argocd name: argocd-redis-ha-haproxy spec: ports: - name: tcp-haproxy port: 6379 protocol: TCP targetPort: redis selector: app.kubernetes.io/name: argocd-redis-ha-haproxy type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: repo-server app.kubernetes.io/name: argocd-repo-server app.kubernetes.io/part-of: argocd name: argocd-repo-server spec: ports: - name: server port: 8081 protocol: TCP targetPort: 8081 - name: metrics port: 8084 protocol: TCP targetPort: 8084 selector: app.kubernetes.io/name: argocd-repo-server --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: server app.kubernetes.io/name: argocd-server app.kubernetes.io/part-of: argocd name: argocd-server spec: ports: - name: http port: 80 protocol: TCP targetPort: 8080 - name: https port: 443 protocol: TCP targetPort: 8080 selector: app.kubernetes.io/name: argocd-server --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: server app.kubernetes.io/name: argocd-server-metrics app.kubernetes.io/part-of: argocd name: argocd-server-metrics spec: ports: - name: metrics port: 8083 protocol: TCP targetPort: 8083 selector: app.kubernetes.io/name: argocd-server --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: argocd-applicationset-controller app.kubernetes.io/part-of: argocd-applicationset name: 
argocd-applicationset-controller spec: selector: matchLabels: app.kubernetes.io/name: argocd-applicationset-controller template: metadata: labels: app.kubernetes.io/name: argocd-applicationset-controller spec: containers: - command: - entrypoint.sh - argocd-applicationset-controller env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION valueFrom: configMapKeyRef: key: applicationsetcontroller.enable.leader.election name: argocd-cmd-params-cm optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACE valueFrom: configMapKeyRef: key: applicationsetcontroller.namespace name: argocd-cmd-params-cm optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER valueFrom: configMapKeyRef: key: repo.server name: argocd-cmd-params-cm optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY valueFrom: configMapKeyRef: key: applicationsetcontroller.policy name: argocd-cmd-params-cm optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG valueFrom: configMapKeyRef: key: applicationsetcontroller.debug name: argocd-cmd-params-cm optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT valueFrom: configMapKeyRef: key: applicationsetcontroller.log.format name: argocd-cmd-params-cm optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL valueFrom: configMapKeyRef: key: applicationsetcontroller.log.level name: argocd-cmd-params-cm optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: key: applicationsetcontroller.dryrun name: argocd-cmd-params-cm optional: true - name: ARGOCD_GIT_MODULES_ENABLED valueFrom: configMapKeyRef: key: applicationsetcontroller.enable.git.submodule name: argocd-cmd-params-cm optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller ports: - containerPort: 7000 name: webhook - containerPort: 8080 name: metrics securityContext: 
allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /app/config/ssh name: ssh-known-hosts - mountPath: /app/config/tls name: tls-certs - mountPath: /app/config/gpg/source name: gpg-keys - mountPath: /app/config/gpg/keys name: gpg-keyring - mountPath: /tmp name: tmp serviceAccountName: argocd-applicationset-controller volumes: - configMap: name: argocd-ssh-known-hosts-cm name: ssh-known-hosts - configMap: name: argocd-tls-certs-cm name: tls-certs - configMap: name: argocd-gpg-keys-cm name: gpg-keys - emptyDir: {} name: gpg-keyring - emptyDir: {} name: tmp --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: dex-server app.kubernetes.io/name: argocd-dex-server app.kubernetes.io/part-of: argocd name: argocd-dex-server spec: selector: matchLabels: app.kubernetes.io/name: argocd-dex-server template: metadata: labels: app.kubernetes.io/name: argocd-dex-server spec: affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchLabels: app.kubernetes.io/part-of: argocd topologyKey: kubernetes.io/hostname weight: 5 containers: - command: - /shared/argocd-dex - rundex env: - name: ARGOCD_DEX_SERVER_DISABLE_TLS valueFrom: configMapKeyRef: key: dexserver.disable.tls name: argocd-cmd-params-cm optional: true image: ghcr.io/dexidp/dex:v2.35.3-distroless imagePullPolicy: Always name: dex ports: - containerPort: 5556 - containerPort: 5557 - containerPort: 5558 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /shared name: static-files - mountPath: /tmp name: dexconfig - mountPath: /tls name: argocd-dex-server-tls initContainers: - command: - cp - -n - /usr/local/bin/argocd - /shared/argocd-dex image: quay.io/argoproj/argocd:latest 
# --- continuation of the argocd-dex-server Deployment: tail of the copyutil
# initContainer (which copies the argocd binary into the shared emptyDir) ---
        imagePullPolicy: Always
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        - mountPath: /tmp
          name: dexconfig
      serviceAccountName: argocd-dex-server
      volumes:
      - emptyDir: {}
        name: static-files
      - emptyDir: {}
        name: dexconfig
      # Optional TLS material for dex; the pod still starts when the Secret
      # is absent (optional: true).
      - name: argocd-dex-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-dex-server-tls
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-notifications-controller
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  # Recreate: the old pod is stopped before the new one starts, so there is
  # never more than one notifications controller running.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-notifications-controller
    spec:
      containers:
      - command:
        - argocd-notifications
        # Floating tag pulled on every start; pin a release tag or digest
        # where reproducible rollouts matter.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
            port: 9001
        name: argocd-notifications-controller
        # NOTE(review): runAsNonRoot and seccompProfile are set on the pod
        # securityContext below rather than here; the other argocd containers
        # in this manifest set both per-container — align them if an
        # admission policy checks container-level fields.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        workingDir: /app
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: argocd-notifications-controller
      volumes:
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
---
# HAProxy front for redis-ha: the argocd components connect to
# argocd-redis-ha-haproxy:6379 and HAProxy routes to the current master.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
spec:
  replicas: 3
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  strategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Changes whenever the rendered HAProxy config changes, forcing a
        # rollout (value as emitted by the generator).
        checksum/config: 33967cee643b636d6e9a66e82b7f85814ceb8c55fba7a1d8af439ef056934e5c
      labels:
        app.kubernetes.io/name: argocd-redis-ha-haproxy
      name: argocd-redis-ha-haproxy
    spec:
      # Hard anti-affinity: the three replicas must land on distinct nodes.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-redis-ha-haproxy
            topologyKey: kubernetes.io/hostname
      containers:
      - image: haproxy:2.6.2-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8888
          initialDelaySeconds: 5
          periodSeconds: 3
        name: haproxy
        ports:
        - containerPort: 6379
          name: redis
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8888
          initialDelaySeconds: 5
          periodSeconds: 3
        # NOTE(review): no readOnlyRootFilesystem here, unlike the argocd
        # containers. The config dir and socket dir are emptyDir mounts, so a
        # read-only root may be workable — verify with the image before
        # enabling. runAsNonRoot/runAsUser come from the pod securityContext.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /usr/local/etc/haproxy
          name: data
        - mountPath: /run/haproxy
          name: shared-socket
      # Renders the HAProxy config from the read-only ConfigMap into the
      # shared "data" emptyDir before the main container starts.
      initContainers:
      - args:
        - /readonly/haproxy_init.sh
        command:
        - sh
        image: haproxy:2.6.2-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly
          name: config-volume
          readOnly: true
        - mountPath: /data
          name: data
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: argocd-redis-ha-haproxy
      volumes:
      - configMap:
          name: argocd-redis-ha-configmap
        name: config-volume
      - emptyDir: {}
        name: shared-socket
      - emptyDir: {}
        name: data
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-repo-server
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          -
podAffinityTerm: labelSelector: matchLabels: app.kubernetes.io/name: argocd-repo-server topologyKey: failure-domain.beta.kubernetes.io/zone weight: 100 requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: app.kubernetes.io/name: argocd-repo-server topologyKey: kubernetes.io/hostname automountServiceAccountToken: false containers: - command: - entrypoint.sh - argocd-repo-server - --redis - argocd-redis-ha-haproxy:6379 env: - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: key: timeout.reconciliation name: argocd-cm optional: true - name: ARGOCD_REPO_SERVER_LOGFORMAT valueFrom: configMapKeyRef: key: reposerver.log.format name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_SERVER_LOGLEVEL valueFrom: configMapKeyRef: key: reposerver.log.level name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT valueFrom: configMapKeyRef: key: reposerver.parallelism.limit name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_SERVER_DISABLE_TLS valueFrom: configMapKeyRef: key: reposerver.disable.tls name: argocd-cmd-params-cm optional: true - name: ARGOCD_TLS_MIN_VERSION valueFrom: configMapKeyRef: key: reposerver.tls.minversion name: argocd-cmd-params-cm optional: true - name: ARGOCD_TLS_MAX_VERSION valueFrom: configMapKeyRef: key: reposerver.tls.maxversion name: argocd-cmd-params-cm optional: true - name: ARGOCD_TLS_CIPHERS valueFrom: configMapKeyRef: key: reposerver.tls.ciphers name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_CACHE_EXPIRATION valueFrom: configMapKeyRef: key: reposerver.repo.cache.expiration name: argocd-cmd-params-cm optional: true - name: REDIS_SERVER valueFrom: configMapKeyRef: key: redis.server name: argocd-cmd-params-cm optional: true - name: REDIS_COMPRESSION valueFrom: configMapKeyRef: key: redis.compression name: argocd-cmd-params-cm optional: true - name: REDISDB valueFrom: configMapKeyRef: key: redis.db name: argocd-cmd-params-cm optional: true - name: 
ARGOCD_DEFAULT_CACHE_EXPIRATION valueFrom: configMapKeyRef: key: reposerver.default.cache.expiration name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS valueFrom: configMapKeyRef: key: otlp.address name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE valueFrom: configMapKeyRef: key: reposerver.max.combined.directory.manifests.size name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS valueFrom: configMapKeyRef: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: key: reposerver.allow.oob.symlinks name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE valueFrom: configMapKeyRef: key: reposerver.streamed.manifest.max.tar.size name: argocd-cmd-params-cm optional: true - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE valueFrom: configMapKeyRef: key: reposerver.streamed.manifest.max.extracted.size name: argocd-cmd-params-cm optional: true - name: ARGOCD_GIT_MODULES_ENABLED valueFrom: configMapKeyRef: key: reposerver.enable.git.submodule name: argocd-cmd-params-cm optional: true - name: HELM_CACHE_HOME value: /helm-working-dir - name: HELM_CONFIG_HOME value: /helm-working-dir - name: HELM_DATA_HOME value: /helm-working-dir image: quay.io/argoproj/argocd:latest imagePullPolicy: Always livenessProbe: failureThreshold: 3 httpGet: path: /healthz?full=true port: 8084 initialDelaySeconds: 30 periodSeconds: 30 timeoutSeconds: 5 name: argocd-repo-server ports: - containerPort: 8081 - containerPort: 8084 readinessProbe: httpGet: path: /healthz port: 8084 initialDelaySeconds: 5 periodSeconds: 10 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: 
/app/config/ssh name: ssh-known-hosts - mountPath: /app/config/tls name: tls-certs - mountPath: /app/config/gpg/source name: gpg-keys - mountPath: /app/config/gpg/keys name: gpg-keyring - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls - mountPath: /tmp name: tmp - mountPath: /helm-working-dir name: helm-working-dir - mountPath: /home/argocd/cmp-server/plugins name: plugins initContainers: - command: - cp - -n - /usr/local/bin/argocd - /var/run/argocd/argocd-cmp-server image: quay.io/argoproj/argocd:latest name: copyutil securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /var/run/argocd name: var-files serviceAccountName: argocd-repo-server volumes: - configMap: name: argocd-ssh-known-hosts-cm name: ssh-known-hosts - configMap: name: argocd-tls-certs-cm name: tls-certs - configMap: name: argocd-gpg-keys-cm name: gpg-keys - emptyDir: {} name: gpg-keyring - emptyDir: {} name: tmp - emptyDir: {} name: helm-working-dir - name: argocd-repo-server-tls secret: items: - key: tls.crt path: tls.crt - key: tls.key path: tls.key - key: ca.crt path: ca.crt optional: true secretName: argocd-repo-server-tls - emptyDir: {} name: var-files - emptyDir: {} name: plugins --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: server app.kubernetes.io/name: argocd-server app.kubernetes.io/part-of: argocd name: argocd-server spec: replicas: 2 selector: matchLabels: app.kubernetes.io/name: argocd-server template: metadata: labels: app.kubernetes.io/name: argocd-server spec: affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchLabels: app.kubernetes.io/name: argocd-server topologyKey: failure-domain.beta.kubernetes.io/zone weight: 100 requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: app.kubernetes.io/name: 
argocd-server topologyKey: kubernetes.io/hostname containers: - command: - argocd-server - --redis - argocd-redis-ha-haproxy:6379 env: - name: ARGOCD_API_SERVER_REPLICAS value: "2" - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: key: server.insecure name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_BASEHREF valueFrom: configMapKeyRef: key: server.basehref name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_ROOTPATH valueFrom: configMapKeyRef: key: server.rootpath name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_LOGFORMAT valueFrom: configMapKeyRef: key: server.log.format name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_LOG_LEVEL valueFrom: configMapKeyRef: key: server.log.level name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: key: repo.server name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_DEX_SERVER valueFrom: configMapKeyRef: key: server.dex.server name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_DISABLE_AUTH valueFrom: configMapKeyRef: key: server.disable.auth name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_ENABLE_GZIP valueFrom: configMapKeyRef: key: server.enable.gzip name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS valueFrom: configMapKeyRef: key: server.repo.server.timeout.seconds name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_X_FRAME_OPTIONS valueFrom: configMapKeyRef: key: server.x.frame.options name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY valueFrom: configMapKeyRef: key: server.content.security.policy name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT valueFrom: configMapKeyRef: key: server.repo.server.plaintext name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS valueFrom: configMapKeyRef: key: 
server.repo.server.strict.tls name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT valueFrom: configMapKeyRef: key: server.dex.server.plaintext name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS valueFrom: configMapKeyRef: key: server.dex.server.strict.tls name: argocd-cmd-params-cm optional: true - name: ARGOCD_TLS_MIN_VERSION valueFrom: configMapKeyRef: key: server.tls.minversion name: argocd-cmd-params-cm optional: true - name: ARGOCD_TLS_MAX_VERSION valueFrom: configMapKeyRef: key: server.tls.maxversion name: argocd-cmd-params-cm optional: true - name: ARGOCD_TLS_CIPHERS valueFrom: configMapKeyRef: key: server.tls.ciphers name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION valueFrom: configMapKeyRef: key: server.connection.status.cache.expiration name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION valueFrom: configMapKeyRef: key: server.oidc.cache.expiration name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_LOGIN_ATTEMPTS_EXPIRATION valueFrom: configMapKeyRef: key: server.login.attempts.expiration name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_STATIC_ASSETS valueFrom: configMapKeyRef: key: server.staticassets name: argocd-cmd-params-cm optional: true - name: ARGOCD_APP_STATE_CACHE_EXPIRATION valueFrom: configMapKeyRef: key: server.app.state.cache.expiration name: argocd-cmd-params-cm optional: true - name: REDIS_SERVER valueFrom: configMapKeyRef: key: redis.server name: argocd-cmd-params-cm optional: true - name: REDIS_COMPRESSION valueFrom: configMapKeyRef: key: redis.compression name: argocd-cmd-params-cm optional: true - name: REDISDB valueFrom: configMapKeyRef: key: redis.db name: argocd-cmd-params-cm optional: true - name: ARGOCD_DEFAULT_CACHE_EXPIRATION valueFrom: configMapKeyRef: key: server.default.cache.expiration name: argocd-cmd-params-cm optional: true - name: 
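ARGOCD_MAX_COOKIE_NUMBER valueFrom: configMapKeyRef: key: server.http.cookie.maxnumber name: argocd-cmd-params-cm optional: true - name: ARGOCD_SERVER_OTLP_ADDRESS valueFrom: configMapKeyRef: key: otlp.address name: argocd-cmd-params-cm optional: true - name: ARGOCD_APPLICATION_NAMESPACES valueFrom: configMapKeyRef: key: application.namespaces name: argocd-cmd-params-cm optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always livenessProbe: httpGet: path: /healthz?full=true port: 8080 initialDelaySeconds: 3 periodSeconds: 30 timeoutSeconds: 5 name: argocd-server ports: - containerPort: 8080 - containerPort: 8083 readinessProbe: httpGet: path: /healthz port: 8080 initialDelaySeconds: 3 periodSeconds: 30 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /app/config/ssh name: ssh-known-hosts - mountPath: /app/config/tls name: tls-certs - mountPath: /app/config/server/tls name: argocd-repo-server-tls - mountPath: /app/config/dex/tls name: argocd-dex-server-tls - mountPath: /home/argocd name: plugins-home - mountPath: /tmp name: tmp serviceAccountName: argocd-server volumes: - emptyDir: {} name: plugins-home - emptyDir: {} name: tmp - configMap: name: argocd-ssh-known-hosts-cm name: ssh-known-hosts - configMap: name: argocd-tls-certs-cm name: tls-certs - name: argocd-repo-server-tls secret: items: - key: tls.crt path: tls.crt - key: tls.key path: tls.key - key: ca.crt path: ca.crt optional: true secretName: argocd-repo-server-tls - name: argocd-dex-server-tls secret: items: - key: tls.crt path: tls.crt - key: ca.crt path: ca.crt optional: true secretName: argocd-dex-server-tls
---
# argocd-application-controller: reconciles Application resources.
# It holds the most powerful identity in the install (its ServiceAccount
# is what deploys to target clusters), so its pod hardening matters most.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
spec:
  # Must stay in step with ARGOCD_CONTROLLER_REPLICAS below (application
  # sharding is computed from that value).
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  serviceName: argocd-application-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-application-controller
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-application-controller
              topologyKey: kubernetes.io/hostname
            weight: 100
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - command:
        - argocd-application-controller
        # Redis is reached through the HA proxy; the NetworkPolicy further
        # down limits which pods may open this port.
        - --redis
        - argocd-redis-ha-haproxy:6379
        env:
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.hard.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
          valueFrom:
            configMapKeyRef:
              key: repo.server
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
          valueFrom:
            configMapKeyRef:
              key: controller.status.processors
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
          valueFrom:
            configMapKeyRef:
              key: controller.operation.processors
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: controller.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: controller.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.metrics.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.self.heal.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        # The next two keys (by name) govern TLS between the controller and
        # the repo-server, whose client cert material is mounted at
        # /app/config/controller/tls below. Review any overlay that sets
        # controller.repo.server.plaintext, since that path carries manifests
        # and repo credentials.
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
          valueFrom:
            configMapKeyRef:
              key: controller.resource.health.persist
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.app.state.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        # Mutable tag plus imagePullPolicy: Always means the code running here
        # can change on every pod restart without any change to this manifest.
        # For anything beyond a tracking/master install, pin a release tag or
        # an @sha256 digest in your overlay.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
        # 8082 serves /healthz and metrics; see the NetworkPolicy below for
        # who may reach it.
        - containerPort: 8082
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8082
          initialDelaySeconds: 5
          periodSeconds: 10
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/controller/tls
          name: argocd-repo-server-tls
        # Writable scratch space is an emptyDir, so the root filesystem can
        # stay read-only.
        - mountPath: /home/argocd
          name: argocd-home
        workingDir: /home/argocd
      serviceAccountName: argocd-application-controller
      volumes:
      - emptyDir: {}
        name: argocd-home
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          # optional: the controller starts without the secret and falls back
          # to whatever the TLS/plaintext settings above allow.
          optional: true
          secretName: argocd-repo-server-tls
---
# argocd-redis-ha-server: 3-node Redis + Sentinel cache. Redis holds cached
# manifests and session-related state, so access is limited by the
# argocd-redis-ha-server NetworkPolicy below rather than by Redis itself
# (the auth settings live in argocd-redis-ha-configmap, not in this file).
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-server
spec:
  podManagementPolicy: OrderedReady
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  serviceName: argocd-redis-ha
  template:
    metadata:
      annotations:
        # Rolls the pods when the generated Redis/Sentinel config changes.
        checksum/init-config: 226aec192d2f29b5355769c9f1fbf093bf36c3a1e15b574b71fb8fe73fd37c05
      labels:
        app.kubernetes.io/name: argocd-redis-ha
    spec:
      affinity:
        podAntiAffinity:
          # Hard anti-affinity: one Redis replica per node.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-redis-ha
            topologyKey: kubernetes.io/hostname
      # Redis never talks to the Kubernetes API; keep the SA token out of the
      # pod so a compromised cache cannot be used against the cluster.
      automountServiceAccountToken: false
      containers:
      - args:
        - /data/conf/redis.conf
        command:
        - redis-server
        image: redis:7.0.5-alpine
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sh
              - /readonly-config/trigger-failover-if-master.sh
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/redis_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        name: redis
        ports:
        - containerPort: 6379
          name: redis
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/redis_readiness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
        - mountPath: /health
          name: health
      - args:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
        image: redis:7.0.5-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/sentinel_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        name: sentinel
        ports:
        - containerPort: 26379
          name: sentinel
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/sentinel_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 3
          timeoutSeconds: 15
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /data
          name: data
        - mountPath: /health
          name: health
      - args:
        - /readonly-config/fix-split-brain.sh
        command:
        - sh
        env:
        # Static Sentinel run IDs, shared with the config-init container so
        # both sides agree on the quorum membership.
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
        - name: SENTINEL_ID_1
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
        image: redis:7.0.5-alpine
        imagePullPolicy: IfNotPresent
        name: split-brain-fix
        resources: {}
        # Same hardening as the redis, sentinel and config-init containers.
        # This container previously had none: the pod-level securityContext
        # below only sets the uid/fsGroup, while allowPrivilegeEscalation,
        # capabilities and seccompProfile are container-level fields and do
        # not inherit, so this shell loop was the one process in the pod
        # still holding the default capability set.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
      initContainers:
      - args:
        - /readonly-config/init.sh
        command:
        - sh
        env:
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
        - name: SENTINEL_ID_1
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
        image: redis:7.0.5-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
      # Pod-level: applies to every container, but only covers identity
      # (uid 1000, non-root, fsGroup). Capability and seccomp settings are
      # per container above.
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: argocd-redis-ha
      terminationGracePeriodSeconds: 60
      volumes:
      - configMap:
          name: argocd-redis-ha-configmap
        name: config
      - configMap:
          # 493 decimal == 0755: the health scripts must be executable.
          defaultMode: 493
          name: argocd-redis-ha-health-configmap
        name: health
      # Cache only; no persistence.
      - emptyDir: {}
        name: data
  updateStrategy:
    type: RollingUpdate
---
# NetworkPolicies. These are enforced only when the cluster CNI implements
# NetworkPolicy; on a CNI that does not, every rule below is a no-op.
# `namespaceSelector: {}` matches pods in EVERY namespace of the cluster
# (not arbitrary external IPs); it is used for the metrics ports so a
# Prometheus in another namespace can scrape. Narrow it to the monitoring
# namespace in an overlay if cluster-wide reachability is not wanted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-application-controller-network-policy
spec:
  ingress:
  - from:
    - namespaceSelector: {}
    ports:
    # metrics / healthz
    - port: 8082
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-applicationset-controller-network-policy
spec:
  ingress:
  - from:
    - namespaceSelector: {}
    ports:
    # 7000: webhook receiver; 8080: metrics. Both reachable cluster-wide.
    - port: 7000
      protocol: TCP
    - port: 8080
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-dex-server-network-policy
spec:
  ingress:
  # The OIDC/gRPC ports are reachable only from argocd-server, which fronts
  # Dex; nothing else in the cluster should talk to Dex directly.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    ports:
    - port: 5556
      protocol: TCP
    - port: 5557
      protocol: TCP
  # metrics
  - from:
    - namespaceSelector: {}
    ports:
    - port: 5558
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-notifications-controller-network-policy
spec:
  ingress:
  - from:
    - namespaceSelector: {}
    ports:
    # metrics
    - port: 9001
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-ha-proxy-network-policy
spec:
  egress:
  # The proxy may only talk to the Redis/Sentinel pods and to DNS.
  - ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
    to:
    - namespaceSelector: {}
  ingress:
  # Only the three Argo CD components that use the cache may reach the proxy.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-repo-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-ha-server-network-policy
spec:
  egress:
  # Replication/Sentinel gossip between Redis pods, plus DNS.
  - ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
    to:
    - namespaceSelector: {}
  ingress:
  # Redis itself accepts connections only from the HA proxy and its peers;
  # Argo CD components go through the proxy.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha-haproxy
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
    ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-repo-server-network-policy
spec:
  ingress:
  # 8081 (manifest generation gRPC, handles repo credentials) is restricted
  # to the three in-namespace callers.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-notifications-controller
    ports:
    - port: 8081
      protocol: TCP
  # metrics
  - from:
    - namespaceSelector: {}
    ports:
    - port: 8084
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-server-network-policy
spec:
  ingress:
  # An empty rule allows all ingress on all ports: the API/UI must be
  # reachable from the ingress controller, whose location this manifest
  # cannot know. Tighten to the ingress namespace and ports 8080/8083 in
  # an overlay once that is known.
  - {}
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  policyTypes:
  - Ingress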