Elgato_dark/argo-cd
1
0
Fork 0
mirror of https://github.com/argoproj/argo-cd synced 2026-04-21 17:07:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 22

Update manifests to use v0.8.0

Browse source 
Make manifests friendly to `kubectl apply` semantics by omitting `data:` field
RBAC docs improvements
This commit is contained in:
Jesse Suen 2018-09-04 17:58:50 -07:00 committed by GitHub
parent 5bcf8c40e0
commit d7c04ae24c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 125 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
CHANGELOG.md
View file

@ -1,6 +1,6 @@
# Changelog
## v0.8.0 (TBD)
## v0.8.0 (2018-09-04)
### Notes about upgrading from v0.7
* The RBAC model has been improved to support explicit denies. What this means is that any previous
@ -15,14 +15,20 @@ RBAC policy rules, need to be rewritten to include one extra column with the eff
```
### Changes since v0.7:
+ Support kustomize as an application source
+ Introduce project tokens for automation access
+ Add ability to delete a single application resource to support immutable updates
+ Support kustomize as an application source (issue #510)
+ Introduce project tokens for automation access (issue #498)
+ Add ability to delete a single application resource to support immutable updates (issue #262)
+ Update RBAC model to support explicit denies (issue #497)
+ Ability to view Kubernetes events related to application projects for auditing
+ Add PVC healthcheck to controller (issue #501)
+ Run all containers as an unprivileged user (issue #528)
* Upgrade ksonnet to v0.12.0
* Add readiness probe to API server
* Add readiness probes to API server (issue #522)
* Use gRPC error codes instead of fmt.Errorf (#532)
- API discovery becomes best effort when partial resource list is returned (issue #524)
- Fix `argocd app wait` printing incorrect Sync output (issue #542)
- Fix issue where argocd could not sync to a tag (#541)
- Fix issue where static assets were browser cached between upgrades (issue #489)
## v0.7.2 (2018-08-21)
- API discovery becomes best effort when partial resource list is returned (issue #524)

8
Makefile
View file

@ -62,16 +62,16 @@ cli: clean-debug
.PHONY: cli-linux
cli-linux: clean-debug
docker build --iidfile /tmp/argocd-linux-id --target builder --build-arg MAKE_TARGET="cli IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-linux-amd64" .
docker build --iidfile /tmp/argocd-linux-id --target argocd-build --build-arg MAKE_TARGET="cli IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-linux-amd64" .
docker create --name tmp-argocd-linux `cat /tmp/argocd-linux-id`
docker cp tmp-argocd-linux:/root/go/src/github.com/argoproj/argo-cd/dist/argocd-linux-amd64 dist/
docker cp tmp-argocd-linux:/go/src/github.com/argoproj/argo-cd/dist/argocd-linux-amd64 dist/
docker rm tmp-argocd-linux
.PHONY: cli-darwin
cli-darwin: clean-debug
docker build --iidfile /tmp/argocd-darwin-id --target builder --build-arg MAKE_TARGET="cli GOOS=darwin IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-darwin-amd64" .
docker build --iidfile /tmp/argocd-darwin-id --target argocd-build --build-arg MAKE_TARGET="cli GOOS=darwin IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-darwin-amd64" .
docker create --name tmp-argocd-darwin `cat /tmp/argocd-darwin-id`
docker cp tmp-argocd-darwin:/root/go/src/github.com/argoproj/argo-cd/dist/argocd-darwin-amd64 dist/
docker cp tmp-argocd-darwin:/go/src/github.com/argoproj/argo-cd/dist/argocd-darwin-amd64 dist/
docker rm tmp-argocd-darwin
.PHONY: argocd-util

12
docs/rbac.md
View file

@ -2,13 +2,17 @@
## Overview
The feature RBAC allows restricting access to ArgoCD resources. ArgoCD does not have own user management system and has only one built-in user `admin`. The `admin` user is a
superuser and it has full access. RBAC requires configuring [SSO](./sso.md) integration. Once [SSO](./sso.md) is connected you can define RBAC roles and map roles to groups.
The RBAC feature enables restriction of access to ArgoCD resources. ArgoCD does not have its own
user management system and has only one built-in user `admin`. The `admin` user is a superuser and
it has unrestricted access to the system. RBAC requires [SSO configuration](./sso.md). Once SSO is
configured, additional RBAC roles can be defined, and SSO groups can man be mapped to roles.
## Configure RBAC
RBAC configuration allows defining roles and groups. ArgoCD has two pre-defined roles: role `role:readonly` which provides read-only access to all resources and role `role:admin`
which provides full access. Role definitions are available in [builtin-policy.csv](../util/rbac/builtin-policy.csv) file.
RBAC configuration allows defining roles and groups. ArgoCD has two pre-defined roles:
* `role:readonly` - read-only access to all resources
* `role:admin` - unrestricted access to all resources
These role definitions can be seen in [builtin-policy.csv](../util/rbac/builtin-policy.csv)
Additional roles and groups can be configured in `argocd-rbac-cm` ConfigMap. The example below custom role `org-admin`. The role is assigned to any user which belongs to
`your-github-org:your-team` group. All other users get `role:readonly` and cannot modify ArgoCD settings.

27
manifests/components/02a_argocd-cm.yaml
View file

@ -3,12 +3,23 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
data:
# See https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso
# for more details about how to setup data config needed for sso
#data:
# ArgoCD's externally facing URL
# url: https://argo-cd-demo.argoproj.io
# URL is the external URL of ArgoCD
#url:
# A dex connector configuration
#dex.config:
# A dex connector configuration.
# Visit https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso
# for instructions on configuring SSO.
# dex.config: |
# connectors:
# # GitHub example
# - type: github
# id: github
# name: GitHub
# config:
# clientID: aabbccddeeff00112233
# clientSecret: $dex.github.clientSecret
# orgs:
# - name: your-github-org
# teams:
# - red-team

26
manifests/components/02b_argocd-secret.yaml
View file

@ -1,24 +1,26 @@
---
# NOTE: the values in this secret will be populated by the initial startup of the API
# NOTE: some values in this secret will be populated by the initial startup of the API server
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
type: Opaque
# bcrypt hash of the admin password
#admin.password:
# random server signature key for session validation
#server.secretkey:
#data:
# TLS certificate and private key for API server
#server.crt:
#server.key:
# server.crt:
# server.key:
# The following keys hold the shared secret for authenticating GitHub/GitLab/BitBucket webhook
# events. To enable webhooks, configure one or more of the following keys with the shared git
# provider webhook secret. The payload URL configured in the git provider should use the
# /api/webhook endpoint of your ArgoCD instance (e.g. https://argocd.example.com/api/webhook)
#github.webhook.secret:
#gitlab.webhook.secret:
#bitbucket.webhook.uuid:
# github.webhook.secret:
# gitlab.webhook.secret:
# bitbucket.webhook.uuid:
# bcrypt hash of the admin password (autogenerated on initial startup).
# To reset a forgotten password, delete this key and restart the argocd-server
# admin.password:
# random server signature key for session validation (autogenerated on initial startup)
# server.secretkey:

30
manifests/components/02c_argocd-rbac-cm.yaml
View file

@ -3,24 +3,14 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
data:
# policy.csv holds the CSV file policy file which contains additional policy and role definitions.
# ArgoCD defines two built-in roles:
# * role:readonly - readonly access to all objects
# * role:admin - admin access to all objects
# The built-in policy can be seen under util/rbac/builtin-policy.csv
#policy.csv: ""
#data:
# An RBAC policy .csv file containing additional policy and role definitions.
# See https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md on how to write RBAC policies.
# policy.csv: |
# # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project"
# p, my-org:team-alpha, applications, sync, my-project/*, allow
# # Make all members of "my-org:team-beta" admins
# g, my-org:team-beta, role:admin
# There are two policy formats:
# 1. Applications (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>
# For example, the following rule gives all members of 'my-org:team1' the ability to sync
# applications in the project named: my-project
# p, my-org:team1, applications, sync, my-project/*
# policy.default holds the default policy which will ArgoCD will fall back to, when authorizing
# a user for API requests
policy.default: role:readonly
# The default role ArgoCD will fall back to, when authorizing API requests
# policy.default: role:readonly

2
manifests/components/03d_application-controller-deployment.yaml
View file

@ -14,6 +14,6 @@ spec:
spec:
containers:
- command: [/argocd-application-controller, --repo-server, 'argocd-repo-server:8081']
image: argoproj/argocd-application-controller:v0.7.2
image: argoproj/argocd-application-controller:v0.8.0
name: application-controller
serviceAccountName: application-controller

8
manifests/components/04d_argocd-server-deployment.yaml
View file

@ -15,32 +15,30 @@ spec:
serviceAccountName: argocd-server
initContainers:
- name: copyutil
image: argoproj/argocd-server:v0.7.2
image: argoproj/argocd-server:v0.8.0
command: [cp, /argocd-util, /shared]
volumeMounts:
- mountPath: /shared
name: static-files
- name: ui
image: argoproj/argocd-ui:v0.7.2
image: argoproj/argocd-ui:v0.8.0
command: [cp, -r, /app, /shared]
volumeMounts:
- mountPath: /shared
name: static-files
containers:
- name: argocd-server
image: argoproj/argocd-server:v0.7.2
image: argoproj/argocd-server:v0.8.0
command: [/argocd-server, --staticassets, /shared/app, --repo-server, 'argocd-repo-server:8081']
volumeMounts:
- mountPath: /shared
name: static-files
readinessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 3
periodSeconds: 30
- name: dex
image: quay.io/coreos/dex:v2.10.0
command: [/shared/argocd-util, rundex]

2
manifests/components/05a_argocd-repo-server-deployment.yaml
View file

@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: argocd-repo-server
image: argoproj/argocd-repo-server:v0.7.2
image: argoproj/argocd-repo-server:v0.8.0
command: [/argocd-repo-server]
ports:
- containerPort: 8081

99
manifests/install.yaml
View file

@ -33,65 +33,68 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
data:
# See https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso
# for more details about how to setup data config needed for sso
#data:
# ArgoCD's externally facing URL
# url: https://argo-cd-demo.argoproj.io
# URL is the external URL of ArgoCD
#url:
# A dex connector configuration
#dex.config:
# A dex connector configuration.
# Visit https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso
# for instructions on configuring SSO.
# dex.config: |
# connectors:
# # GitHub example
# - type: github
# id: github
# name: GitHub
# config:
# clientID: aabbccddeeff00112233
# clientSecret: $dex.github.clientSecret
# orgs:
# - name: your-github-org
# teams:
# - red-team
---
# NOTE: the values in this secret will be populated by the initial startup of the API
# NOTE: some values in this secret will be populated by the initial startup of the API server
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
type: Opaque
# bcrypt hash of the admin password
#admin.password:
# random server signature key for session validation
#server.secretkey:
#data:
# TLS certificate and private key for API server
#server.crt:
#server.key:
# server.crt:
# server.key:
# The following keys hold the shared secret for authenticating GitHub/GitLab/BitBucket webhook
# events. To enable webhooks, configure one or more of the following keys with the shared git
# provider webhook secret. The payload URL configured in the git provider should use the
# /api/webhook endpoint of your ArgoCD instance (e.g. https://argocd.example.com/api/webhook)
#github.webhook.secret:
#gitlab.webhook.secret:
#bitbucket.webhook.uuid:
# github.webhook.secret:
# gitlab.webhook.secret:
# bitbucket.webhook.uuid:
# bcrypt hash of the admin password (autogenerated on initial startup).
# To reset a forgotten password, delete this key and restart the argocd-server
# admin.password:
# random server signature key for session validation (autogenerated on initial startup)
# server.secretkey:
---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
data:
# policy.csv holds the CSV file policy file which contains additional policy and role definitions.
# ArgoCD defines two built-in roles:
# * role:readonly - readonly access to all objects
# * role:admin - admin access to all objects
# The built-in policy can be seen under util/rbac/builtin-policy.csv
#policy.csv: ""
#data:
# An RBAC policy .csv file containing additional policy and role definitions.
# See https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md on how to write RBAC policies.
# policy.csv: |
# # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project"
# p, my-org:team-alpha, applications, sync, my-project/*, allow
# # Make all members of "my-org:team-beta" admins
# g, my-org:team-beta, role:admin
# There are two policy formats:
# 1. Applications (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>
# For example, the following rule gives all members of 'my-org:team1' the ability to sync
# applications in the project named: my-project
# p, my-org:team1, applications, sync, my-project/*
# policy.default holds the default policy which will ArgoCD will fall back to, when authorizing
# a user for API requests
policy.default: role:readonly
# The default role ArgoCD will fall back to, when authorizing API requests
# policy.default: role:readonly
---
apiVersion: v1
kind: ServiceAccount
@ -162,7 +165,7 @@ spec:
spec:
containers:
- command: [/argocd-application-controller, --repo-server, 'argocd-repo-server:8081']
image: argoproj/argocd-application-controller:v0.7.2
image: argoproj/argocd-application-controller:v0.8.0
name: application-controller
serviceAccountName: application-controller
---
@ -238,24 +241,30 @@ spec:
serviceAccountName: argocd-server
initContainers:
- name: copyutil
image: argoproj/argocd-server:v0.7.2
image: argoproj/argocd-server:v0.8.0
command: [cp, /argocd-util, /shared]
volumeMounts:
- mountPath: /shared
name: static-files
- name: ui
image: argoproj/argocd-ui:v0.7.2
image: argoproj/argocd-ui:v0.8.0
command: [cp, -r, /app, /shared]
volumeMounts:
- mountPath: /shared
name: static-files
containers:
- name: argocd-server
image: argoproj/argocd-server:v0.7.2
image: argoproj/argocd-server:v0.8.0
command: [/argocd-server, --staticassets, /shared/app, --repo-server, 'argocd-repo-server:8081']
volumeMounts:
- mountPath: /shared
name: static-files
readinessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 3
periodSeconds: 30
- name: dex
image: quay.io/coreos/dex:v2.10.0
command: [/shared/argocd-util, rundex]
@ -298,7 +307,7 @@ spec:
spec:
containers:
- name: argocd-repo-server
image: argoproj/argocd-repo-server:v0.7.2
image: argoproj/argocd-repo-server:v0.8.0
command: [/argocd-repo-server]
ports:
- containerPort: 8081