# This is an auto-generated file. DO NOT EDIT
# ServiceAccount used by the application-controller component.
# No namespace is set here, so the object lands in whatever namespace
# the manifest is applied to.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
---
# ServiceAccount used by the applicationset-controller component.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-applicationset-controller
---
# ServiceAccount used by the dex-server component.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
---
# ServiceAccount used by the notifications-controller component.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
---
# ServiceAccount used by the redis-ha pods.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
# Lists the argocd-redis Secret on the account. On its own this field is
# informational; Kubernetes only enforces it as an allow-list when the
# kubernetes.io/enforce-mountable-secrets annotation is present, which
# this object does not set.
secrets:
  - name: argocd-redis
---
# ServiceAccount used by the HAProxy pods that front redis-ha.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
---
# ServiceAccount used by the repo-server component. No Role or
# RoleBinding for this account appears among the RBAC objects that
# follow the ServiceAccounts in this part of the manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
---
# ServiceAccount used by the server (API/UI) component.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
---
# Namespaced Role for the application-controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
rules:
  # Read access to every Secret and ConfigMap in the namespace: there is
  # no resourceNames filter, and list/watch responses carry the full
  # Secret data, not just names.
  - apiGroups:
      - ""
    resources:
      - secrets
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Full lifecycle control of the Argo CD custom resources.
  - apiGroups:
      - argoproj.io
    resources:
      - applications
      - applicationsets
      - appprojects
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  # Events can be written and listed, but not modified or deleted.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - list
  # Read-only view of Deployments.
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
---
# Namespaced Role for the applicationset-controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-applicationset-controller
rules:
  # Full control of Applications and ApplicationSets (and the
  # ApplicationSet finalizers subresource).
  - apiGroups:
      - argoproj.io
    resources:
      - applications
      - applicationsets
      - applicationsets/finalizers
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  # AppProjects are read-only for this controller.
  - apiGroups:
      - argoproj.io
    resources:
      - appprojects
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - applicationsets/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - get
      - list
      - patch
      - watch
  # Read access to every Secret and ConfigMap in the namespace; list and
  # watch return full Secret contents and no resourceNames filter applies.
  - apiGroups:
      - ""
    resources:
      - secrets
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Unscoped create on Leases. Kubernetes cannot restrict create by
  # resourceNames, so this rule is what actually permits creating the
  # leader-election Lease.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  # get/update are limited to the single named Lease. The create verb
  # listed here is not narrowed by resourceNames (see the rule above).
  - apiGroups:
      - coordination.k8s.io
    resourceNames:
      - 58ac56fa.applicationsets.argoproj.io
    resources:
      - leases
    verbs:
      - get
      - update
      - create
---
# Namespaced Role for dex-server.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
rules:
  # Read-only, but across every Secret and ConfigMap in the namespace:
  # the rule carries no resourceNames filter.
  - apiGroups:
      - ""
    resources:
      - secrets
      - configmaps
    verbs:
      - get
      - list
      - watch
---
# Namespaced Role for the notifications-controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
rules:
  # Applications and AppProjects can be read and modified, but not
  # created or deleted.
  - apiGroups:
      - argoproj.io
    resources:
      - applications
      - appprojects
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  # list/watch on all ConfigMaps and Secrets in the namespace. These
  # verbs return object contents, so the name-scoped get rules below do
  # not limit what this account can read.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resourceNames:
      - argocd-notifications-cm
    resources:
      - configmaps
    verbs:
      - get
  - apiGroups:
      - ""
    resourceNames:
      - argocd-notifications-secret
    resources:
      - secrets
    verbs:
      - get
---
# Namespaced Role for the redis-ha pods: a single read of Endpoints.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
# Namespaced Role for the HAProxy pods in front of redis-ha.
# NOTE(review): the name label reads argocd-redis-ha while the object is
# named argocd-redis-ha-haproxy -- confirm this is intended upstream.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
rules:
  # create on Secrets is not name-scoped (create cannot be restricted by
  # resourceNames), so this account may create any Secret in the
  # namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  # Reading is limited to the single argocd-redis Secret.
  - apiGroups:
      - ""
    resourceNames:
      - argocd-redis
    resources:
      - secrets
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
# Namespaced Role for the Argo CD server (API/UI).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
rules:
  # Full create/read/update/delete on every Secret and ConfigMap in the
  # namespace. This is the broadest Secret grant among the Roles in this
  # part of the manifest; the server's token should be protected
  # accordingly.
  - apiGroups:
      - ""
    resources:
      - secrets
      - configmaps
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  # Full lifecycle control of the Argo CD custom resources.
  - apiGroups:
      - argoproj.io
    resources:
      - applications
      - appprojects
      - applicationsets
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - delete
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - list
---
# Grants the argocd-application-controller Role to the ServiceAccount of
# the same name.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-application-controller
subjects:
  - kind: ServiceAccount
    name: argocd-application-controller
---
# Grants the argocd-applicationset-controller Role to the ServiceAccount
# of the same name.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-applicationset-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-applicationset-controller
subjects:
  - kind: ServiceAccount
    name: argocd-applicationset-controller
---
# Grants the argocd-dex-server Role to the ServiceAccount of the same
# name.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-dex-server
subjects:
  - kind: ServiceAccount
    name: argocd-dex-server
---
# Grants the argocd-notifications-controller Role to the ServiceAccount
# of the same name.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-notifications-controller
subjects:
  - kind: ServiceAccount
    name: argocd-notifications-controller
---
# Grants the argocd-redis-ha Role to the ServiceAccount of the same name.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-redis-ha
subjects:
  - kind: ServiceAccount
    name: argocd-redis-ha
---
# Grants the argocd-redis-ha-haproxy Role to the ServiceAccount of the
# same name.
# NOTE(review): the name label reads argocd-redis-ha while the object is
# named argocd-redis-ha-haproxy -- confirm this is intended upstream.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-redis-ha-haproxy
subjects:
  - kind: ServiceAccount
    name: argocd-redis-ha-haproxy
---
# Grants the argocd-server Role (which includes full access to Secrets
# in the namespace) to the argocd-server ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-server
subjects:
  - kind: ServiceAccount
    name: argocd-server
---
# argocd-cm: general Argo CD settings.
# The ignoreResourceUpdates.* keys name fields whose changes are not
# treated as resource updates; resource.exclusions lists API groups and
# kinds that are left out of what Argo CD watches. Each value is a
# literal block scalar holding embedded YAML.
apiVersion: v1
data:
  resource.customizations.ignoreResourceUpdates.ConfigMap: |
    jqPathExpressions:
      # Ignore the cluster-autoscaler status
      - '.metadata.annotations."cluster-autoscaler.kubernetes.io/last-updated"'
      # Ignore the annotation of the legacy Leases election
      - '.metadata.annotations."control-plane.alpha.kubernetes.io/leader"'
  resource.customizations.ignoreResourceUpdates.Endpoints: |
    jsonPointers:
      - /metadata
      - /subsets
  resource.customizations.ignoreResourceUpdates.all: |
    jsonPointers:
      - /status
  resource.customizations.ignoreResourceUpdates.apps_ReplicaSet: |
    jqPathExpressions:
      - '.metadata.annotations."deployment.kubernetes.io/desired-replicas"'
      - '.metadata.annotations."deployment.kubernetes.io/max-replicas"'
      - '.metadata.annotations."rollout.argoproj.io/desired-replicas"'
  resource.customizations.ignoreResourceUpdates.argoproj.io_Application: |
    jqPathExpressions:
      - '.metadata.annotations."notified.notifications.argoproj.io"'
      - '.metadata.annotations."argocd.argoproj.io/refresh"'
      - '.metadata.annotations."argocd.argoproj.io/hydrate"'
      - '.operation'
  resource.customizations.ignoreResourceUpdates.argoproj.io_Rollout: |
    jqPathExpressions:
      - '.metadata.annotations."notified.notifications.argoproj.io"'
  resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: |
    jqPathExpressions:
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"'
  resource.customizations.ignoreResourceUpdates.discovery.k8s.io_EndpointSlice: |
    jsonPointers:
      - /metadata
      - /endpoints
      - /ports
  resource.exclusions: |
    ### Network resources created by the Kubernetes control plane and excluded to reduce the number of watched events and UI clutter
    - apiGroups:
      - ''
      - discovery.k8s.io
      kinds:
      - Endpoints
      - EndpointSlice
    ### Internal Kubernetes resources excluded reduce the number of watched events
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    ### Internal Kubernetes Authz/Authn resources excluded reduce the number of watched events
    - apiGroups:
      - authentication.k8s.io
      - authorization.k8s.io
      kinds:
      - SelfSubjectReview
      - TokenReview
      - LocalSubjectAccessReview
      - SelfSubjectAccessReview
      - SelfSubjectRulesReview
      - SubjectAccessReview
    ### Intermediate Certificate Request excluded reduce the number of watched events
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - cert-manager.io
      kinds:
      - CertificateRequest
    ### Cilium internal resources excluded reduce the number of watched events and UI Clutter
    - apiGroups:
      - cilium.io
      kinds:
      - CiliumIdentity
      - CiliumEndpoint
      - CiliumEndpointSlice
    ### Kyverno intermediate and reporting resources excluded reduce the number of watched events and improve performance
    - apiGroups:
      - kyverno.io
      - reports.kyverno.io
      - wgpolicyk8s.io
      kinds:
      - PolicyReport
      - ClusterPolicyReport
      - EphemeralReport
      - ClusterEphemeralReport
      - AdmissionReport
      - ClusterAdmissionReport
      - BackgroundScanReport
      - ClusterBackgroundScanReport
      - UpdateRequest
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
---
# argocd-cmd-params-cm: points the Argo CD components at Redis through
# the HAProxy service on port 6379.
apiVersion: v1
data:
  redis.server: argocd-redis-ha-haproxy:6379
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cmd-params-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cmd-params-cm
---
# argocd-gpg-keys-cm: shipped without a data section, i.e. no GPG keys
# are defined by this manifest.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-gpg-keys-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-gpg-keys-cm
---
# argocd-notifications-cm: shipped without a data section. This is the
# one ConfigMap the notifications-controller Role may `get` by name.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-cm
---
# argocd-rbac-cm: shipped without a data section, so this manifest adds
# no Argo CD RBAC policy entries of its own.
# NOTE(review): presumably Argo CD's built-in defaults apply until an
# operator fills this in -- confirm against the Argo CD RBAC docs.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
---
|
|
apiVersion: v1
|
|
data:
|
|
fix-split-brain.sh: |
|
|
# Pod identity: INDEX is whatever follows the last '-' in the hostname.
HOSTNAME="$(hostname)"
INDEX="${HOSTNAME##*-}"

# Service and sentinel group names.
SERVICE=argocd-redis-ha
MASTER_GROUP="argocd"
QUORUM="2"

# Config files rewritten by this script.
REDIS_CONF=/data/conf/redis.conf
SENTINEL_CONF=/data/conf/sentinel.conf

# Ports. The functions below take their TLS branch only when the plain
# port is 0; with these values (plain ports set, TLS ports empty, TLS
# replication false) every redis-cli call is made without --tls.
REDIS_PORT=6379
SENTINEL_PORT=26379
REDIS_TLS_PORT=
SENTINEL_TLS_PORT=
REDIS_TLS_REPLICATION_ENABLED=false
SENTINEL_TLS_REPLICATION_ENABLED=false

# State filled in at runtime by the functions below.
ANNOUNCE_IP=''
MASTER=''
ROLE=''
REDIS_MASTER=''

# From here on: abort on command failure and on use of unset variables.
# AUTH and SENTINEL_ID_<n> are read later but never assigned in this
# script, so they have to be present in the environment.
set -eu
|
|
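sentinel_get_master() {
    # Ask Sentinel for the current master of ${MASTER_GROUP} and print
    # only the reply line that looks like an IPv4 or IPv6 address (the
    # port line is filtered out). Prints nothing when Sentinel is
    # unreachable or returns no address.
    #
    # errexit is switched off for the duration so that a failing
    # redis-cli/grep yields empty output instead of killing the script.
    set +e

    # One pattern shared by both branches. Fix: the IPv6 alternative
    # ended in "s*$" (zero or more literal 's'); it now ends in "\s*$"
    # like the IPv4 alternative, so trailing whitespace is tolerated for
    # both address families.
    # NOTE(review): \d is not POSIX ERE; whether the IPv6 alternatives
    # with an embedded dotted quad match depends on the grep in the image.
    addr_re='((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))'

    if [ "$SENTINEL_PORT" -eq 0 ]; then
        # Plain sentinel port disabled: talk TLS with the mounted certs.
        redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E "${addr_re}"
    else
        # Unencrypted, unauthenticated query to the sentinel port.
        redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E "${addr_re}"
    fi
    set -e
}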
|
|
|
|
sentinel_get_master_retry() {
    # Query Sentinel for the master up to $1 times and print the first
    # non-empty answer (or an empty line if every attempt came back
    # empty). The pause grows by one second per attempt: 4s, 5s, 6s, ...
    master=''
    retry=${1}
    sleep=3
    for i in $(seq 1 "${retry}"); do
        master=$(sentinel_get_master)
        # Stop at the first attempt that produced an address.
        [ -n "${master}" ] && break
        sleep $((sleep + i))
    done
    echo "${master}"
}
|
|
|
|
identify_master() {
    # Refresh the global MASTER from Sentinel (three attempts) and log
    # whether an address was obtained. MASTER is left empty on failure.
    echo "Identifying redis master (get-master-addr-by-name).."
    echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)"
    MASTER="$(sentinel_get_master_retry 3)"
    if [ -z "${MASTER}" ]; then
        echo " $(date) Did not find redis master (${MASTER})"
    else
        echo " $(date) Found redis master (${MASTER})"
    fi
}
|
|
|
|
sentinel_update() {
    # Rewrite ${SENTINEL_CONF} for this pod: prepend the sentinel id and
    # a "sentinel monitor" line pointing at master address $1, then
    # append the announce ip/port.
    echo "Updating sentinel config.."
    echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
    # Indirect lookup of SENTINEL_ID_<INDEX>. That variable is not set in
    # this script; under `set -u` an unset one aborts here.
    # NOTE(review): eval runs on INDEX, which is taken from the hostname
    # suffix without checking that it is numeric -- worth validating.
    eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
    echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
    sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"

    # Port the monitored master is reached on.
    if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
        monitor_port="${REDIS_TLS_PORT}"
    else
        monitor_port="${REDIS_PORT}"
    fi
    echo " redis master (${1}:${monitor_port})"
    sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${monitor_port} ${QUORUM} \\n/" "${SENTINEL_CONF}"

    echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF}

    # Port this sentinel announces: the TLS one when the plain port is 0.
    if [ "$SENTINEL_PORT" -eq 0 ]; then
        announce_port="${SENTINEL_TLS_PORT}"
    else
        announce_port="${SENTINEL_PORT}"
    fi
    echo " announce (${ANNOUNCE_IP}:${announce_port})"
    echo "sentinel announce-port ${announce_port}" >> ${SENTINEL_CONF}
}
|
|
|
|
redis_update() {
    # Append replication settings to ${REDIS_CONF}: replicate from
    # master address $1 and announce this pod's own ip/port.
    echo "Updating redis config.."
    # TLS replication decides which port is written for both directives.
    if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
        repl_port="${REDIS_TLS_PORT}"
    else
        repl_port="${REDIS_PORT}"
    fi
    echo " we are slave of redis master (${1}:${repl_port})"
    echo "slaveof ${1} ${repl_port}" >> "${REDIS_CONF}"
    echo "slave-announce-port ${repl_port}" >> ${REDIS_CONF}
    echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF}
}
|
|
|
|
copy_config() {
    # Seed the writable config files from the read-only templates
    # mounted at /readonly-config. Existing files are overwritten.
    echo "Copying default redis config.."
    echo " to '${REDIS_CONF}'"
    cp /readonly-config/redis.conf "${REDIS_CONF}"

    echo "Copying default sentinel config.."
    echo " to '${SENTINEL_CONF}'"
    cp /readonly-config/sentinel.conf "${SENTINEL_CONF}"
}
|
|
|
|
setup_defaults() {
    # Fallback configuration used when Sentinel cannot name a usable
    # master: pod index 0 configures itself as master, every other pod
    # configures itself as a replica of pod 0.
    echo "Setting up defaults.."
    echo " using statefulset index (${INDEX})"

    if [ "${INDEX}" = "0" ]; then
        echo "Setting this pod as master for redis and sentinel.."
        echo " using announce (${ANNOUNCE_IP})"
        redis_update "${ANNOUNCE_IP}"
        sentinel_update "${ANNOUNCE_IP}"
        echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
        # redis_update just appended a slaveof line; blank it out again.
        sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
        return
    fi

    echo "Getting redis master ip.."
    echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
    # Pod 0 is assumed, not verified, to be the master.
    DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
    if [ -z "${DEFAULT_MASTER}" ]; then
        echo "Error: Unable to resolve redis master (getent hosts)."
        exit 1
    fi
    echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
    echo "Setting default slave config for redis and sentinel.."
    echo " using master ip (${DEFAULT_MASTER})"
    redis_update "${DEFAULT_MASTER}"
    sentinel_update "${DEFAULT_MASTER}"
}
|
|
|
|
redis_ping() {
    # Send PING to the redis instance at ${MASTER} and print the reply.
    # errexit is suspended so an unreachable master does not end the
    # script; the function itself always finishes with `set -e`.
    #
    # NOTE(review): -a places ${AUTH} on the redis-cli command line,
    # where it can be read from the process list inside the container.
    # redis-cli also accepts the password via the REDISCLI_AUTH
    # environment variable, which avoids that exposure.
    set +e
    if [ "$REDIS_PORT" -eq 0 ]; then
        # Plain port disabled: use the TLS port and mounted certs.
        redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
    else
        # Password and traffic travel unencrypted on this branch.
        redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
    fi
    set -e
}
|
|
|
|
redis_ping_retry() {
    # Ping ${MASTER} up to $1 times; print "PONG" on the first success,
    # otherwise an empty line. After each failure the pause grows by one
    # second and MASTER is re-read from Sentinel before the next try.
    ping=''
    retry=${1}
    sleep=3
    for i in $(seq 1 "${retry}"); do
        case "$(redis_ping)" in
            PONG)
                ping='PONG'
                break
                ;;
        esac
        sleep $((sleep + i))
        MASTER=$(sentinel_get_master)
    done
    echo "${ping}"
}
|
|
|
|
find_master() {
    # Verify that ${MASTER} answers PING. If it does, write it into the
    # redis and sentinel configs. If it does not, ask Sentinel to fail
    # over, wait, and configure against whichever master Sentinel then
    # reports; exit 1 when no master can be found.
    echo "Verifying redis master.."
    if [ "$REDIS_PORT" -eq 0 ]; then
        echo " ping (${MASTER}:${REDIS_TLS_PORT})"
    else
        echo " ping (${MASTER}:${REDIS_PORT})"
    fi

    # Happy path first: the master is reachable.
    if [ "$(redis_ping_retry 3)" = "PONG" ]; then
        echo " $(date) Found reachable redis master (${MASTER})"
        echo "Updating redis and sentinel config.."
        sentinel_update "${MASTER}"
        redis_update "${MASTER}"
        return
    fi

    echo " $(date) Can't ping redis master (${MASTER})"
    echo "Attempting to force failover (sentinel failover).."

    # A NOGOODSLAVE reply means Sentinel has no replica to promote; fall
    # back to the static defaults for this pod in that case.
    if [ "$SENTINEL_PORT" -eq 0 ]; then
        echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
        if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
            echo " $(date) Failover returned with 'NOGOODSLAVE'"
            echo "Setting defaults for this pod.."
            setup_defaults
            return 0
        fi
    else
        echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
        if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
            echo " $(date) Failover returned with 'NOGOODSLAVE'"
            echo "Setting defaults for this pod.."
            setup_defaults
            return 0
        fi
    fi

    # Give Sentinel time to complete the failover before asking again.
    echo "Hold on for 10sec"
    sleep 10
    echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
    if [ "$SENTINEL_PORT" -eq 0 ]; then
        echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
    else
        echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
    fi

    MASTER="$(sentinel_get_master)"
    if [ "${MASTER}" ]; then
        echo " $(date) Found redis master (${MASTER})"
        echo "Updating redis and sentinel config.."
        sentinel_update "${MASTER}"
        redis_update "${MASTER}"
    else
        echo "$(date) Error: Could not failover, exiting..."
        exit 1
    fi
}
|
|
|
|
redis_ro_update() {
    # Append "replica-priority 0" to ${REDIS_CONF} and log that it was
    # done.
    echo "Updating read-only redis config.."
    echo " redis.conf set 'replica-priority 0'"
    echo "replica-priority 0" >> ${REDIS_CONF}
}
|
|
|
|
getent_hosts() {
    # Print the `getent hosts` line for ${SERVICE}-announce-<n>, where n
    # is $1 or, when no argument is given, this pod's INDEX.
    # Only the -announce- name is looked up here, although callers' log
    # messages also mention a -server- name.
    index=${1:-${INDEX}}
    service="${SERVICE}-announce-${index}"
    host=$(getent hosts "${service}")
    echo "${host}"
}
|
|
|
|
identify_announce_ip() {
    # Resolve this pod's announce service and store the first field of
    # the getent reply (the address) in the global ANNOUNCE_IP.
    echo "Identify announce ip for this pod.."
    echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
    ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
    echo " identified announce (${ANNOUNCE_IP})"
}
|
|
|
|
redis_role() {
    # Store the local redis instance's role in the global ROLE, taken
    # from the "role:" line of `info` output (carriage return stripped).
    # No -h is passed, so redis-cli talks to its default host.
    #
    # NOTE(review): -a exposes ${AUTH} on the command line (visible in
    # the container's process list); redis-cli also reads the password
    # from the REDISCLI_AUTH environment variable.
    set +e
    if [ "$REDIS_PORT" -eq 0 ]; then
        ROLE=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
    else
        ROLE=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
    fi
    set -e
}
|
|
|
|
identify_redis_master() {
    # Store in the global REDIS_MASTER the master_host that the local
    # redis instance reports in `info` (carriage return stripped).
    # No -h is passed, so redis-cli talks to its default host.
    #
    # NOTE(review): -a exposes ${AUTH} on the command line (visible in
    # the container's process list); redis-cli also reads the password
    # from the REDISCLI_AUTH environment variable.
    set +e
    if [ "$REDIS_PORT" -eq 0 ]; then
        REDIS_MASTER=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
    else
        REDIS_MASTER=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
    fi
    set -e
}
|
|
|
|
reinit() {
    # Re-run the init script to regenerate the configs, then send
    # "shutdown" to the local redis instance. Failures of either step
    # are tolerated (errexit is off while this runs).
    #
    # NOTE(review): -a exposes ${AUTH} on the command line (visible in
    # the container's process list); redis-cli also reads the password
    # from the REDISCLI_AUTH environment variable.
    set +e
    sh /readonly-config/init.sh

    if [ "$REDIS_PORT" -eq 0 ]; then
        echo "shutdown" | redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
    else
        echo "shutdown" | redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}"
    fi
    set -e
}
|
|
|
|
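# Main body of fix-split-brain.sh.
# 1. Block until this pod's announce address resolves.
# 2. Every 60s compare Sentinel's view of the master with the local
#    redis state and reinitialize the local instance when the two still
#    disagree after a 10s grace period.
identify_announce_ip

while [ -z "${ANNOUNCE_IP}" ]; do
    echo "Error: Could not resolve the announce ip for this pod."
    sleep 30
    identify_announce_ip
done

# Exit cleanly when the container is asked to terminate.
trap "exit 0" TERM
while true; do
    sleep 60

    # where is redis master
    identify_master

    if [ "$MASTER" = "$ANNOUNCE_IP" ]; then
        # Sentinel says this pod is the master; the local role must agree.
        redis_role
        if [ "$ROLE" != "master" ]; then
            echo "waiting for redis to become master"
            sleep 10
            identify_master
            redis_role
            # Fix: the "No need to reinitialize" line used to be printed
            # before this check, i.e. also right before a reinit. It is
            # now logged only when the role did recover.
            if [ "$ROLE" != "master" ]; then
                echo "Redis role is $ROLE, expected role is master, reinitializing"
                reinit
            else
                echo "Redis role is $ROLE, expected role is master. No need to reinitialize."
            fi
        fi
    elif [ "${MASTER}" ]; then
        # Another pod is master; the local redis must replicate from it.
        identify_redis_master
        if [ "$REDIS_MASTER" != "$MASTER" ]; then
            echo "Redis master and local master are not the same. waiting."
            sleep 10
            identify_master
            identify_redis_master
            # Same fix as above: only claim "No need" when it is true.
            if [ "${REDIS_MASTER}" != "${MASTER}" ]; then
                echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}, reinitializing"
                reinit
            else
                echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}. No need to reinitialize."
            fi
        fi
    fi
done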
|
|
# haproxy.cfg template, stored as one double-quoted scalar.
# - REPLACE_ANNOUNCE0..2 are placeholders that haproxy_init.sh replaces
#   with the resolved announce addresses.
# - The bk_redis_master health check sends "AUTH ${AUTH}" to the redis
#   servers on port 6379 without TLS.
# - The stats frontend binds :9101 and enables /stats and /metrics; no
#   "stats auth" directive is present, so access control for that port
#   has to come from outside this config (e.g. a NetworkPolicy).
# - The health check listener binds :8888 and serves /healthz.
haproxy.cfg: "defaults REDIS\n mode tcp\n timeout connect 4s\n timeout server
  6m\n timeout client 6m\n timeout check 2s\n\nlisten health_check_http_url\n
  \ bind :8888 \n mode http\n monitor-uri /healthz\n option dontlognull\n#
  Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_0\n
  \ mode tcp\n option tcp-check\n tcp-check connect\n tcp-check send PING\\r\\n\n
  \ tcp-check expect string +PONG\n tcp-check send SENTINEL\\ get-master-addr-by-name\\
  argocd\\r\\n\n tcp-check expect string REPLACE_ANNOUNCE0\n tcp-check send QUIT\\r\\n\n
  \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n server R1 argocd-redis-ha-announce-1:26379
  check inter 3s\n server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n#
  Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_1\n
  \ mode tcp\n option tcp-check\n tcp-check connect\n tcp-check send PING\\r\\n\n
  \ tcp-check expect string +PONG\n tcp-check send SENTINEL\\ get-master-addr-by-name\\
  argocd\\r\\n\n tcp-check expect string REPLACE_ANNOUNCE1\n tcp-check send QUIT\\r\\n\n
  \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n server R1 argocd-redis-ha-announce-1:26379
  check inter 3s\n server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n#
  Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_2\n
  \ mode tcp\n option tcp-check\n tcp-check connect\n tcp-check send PING\\r\\n\n
  \ tcp-check expect string +PONG\n tcp-check send SENTINEL\\ get-master-addr-by-name\\
  argocd\\r\\n\n tcp-check expect string REPLACE_ANNOUNCE2\n tcp-check send QUIT\\r\\n\n
  \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n server R1 argocd-redis-ha-announce-1:26379
  check inter 3s\n server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n\n#
  decide redis backend to use\n#master\nfrontend ft_redis_master\n bind :6379 \n
  \ use_backend bk_redis_master\n# Check all redis servers to see if they think
  they are master\nbackend bk_redis_master\n mode tcp\n option tcp-check\n tcp-check
  connect\n tcp-check send \"AUTH ${AUTH}\"\\r\\n\n tcp-check expect string +OK\n
  \ tcp-check send PING\\r\\n\n tcp-check expect string +PONG\n tcp-check send
  info\\ replication\\r\\n\n tcp-check expect string role:master\n tcp-check send
  QUIT\\r\\n\n tcp-check expect string +OK\n use-server R0 if { srv_is_up(R0)
  } { nbsrv(check_if_redis_is_master_0) ge 2 }\n server R0 argocd-redis-ha-announce-0:6379
  check inter 3s fall 1 rise 1\n use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1)
  ge 2 }\n server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise
  1\n use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge
  2 }\n server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 1\nfrontend
  stats\n mode http\n bind :9101 \n http-request use-service prometheus-exporter
  if { path /metrics }\n stats enable\n stats uri /stats\n stats refresh 10s\n#
  Additional configuration\nglobal\n maxconn 4096\n"
|
|
haproxy_init.sh: |
|
|
# Render the HAProxy config: copy the read-only template, then replace
# each REPLACE_ANNOUNCE<n> placeholder with the address that
# argocd-redis-ha-announce-<n> resolves to. Exits 1 if a name still does
# not resolve after the wait loop.
HAPROXY_CONF=/data/haproxy.cfg
cp /readonly/haproxy.cfg "$HAPROXY_CONF"

for idx in 0 1 2; do
    peer="argocd-redis-ha-announce-${idx}"

    # Wait up to ten rounds (1s apart) for the name to become resolvable.
    for loop in $(seq 1 10); do
        getent hosts "${peer}" && break
        echo "Waiting for service ${peer} to be ready ($loop) ..." && sleep 1
    done

    # First field of the getent reply is the address.
    peer_ip=$(getent hosts "${peer}" | awk '{ print $1 }')
    if [ -z "$peer_ip" ]; then
        echo "Could not resolve the announce ip for ${peer}"
        exit 1
    fi

    # The resolved address is substituted into the sed expression as-is.
    sed -i "s/REPLACE_ANNOUNCE${idx}/$peer_ip/" "$HAPROXY_CONF"
done
|
|
init.sh: |
|
|
# Settings shared by every function in this script.
echo "$(date) Start..."
HOSTNAME="$(hostname)"
# Text after the last '-' of the hostname; used below as the pod's index.
INDEX="${HOSTNAME##*-}"
SENTINEL_PORT=26379
ANNOUNCE_IP=''
MASTER=''
MASTER_GROUP="argocd"
QUORUM="2"
REDIS_CONF=/data/conf/redis.conf
REDIS_PORT=6379
# Both TLS ports are empty and both TLS replication flags are false. The
# functions below take their --tls branches only when the plain port equals 0
# or a flag equals true, so with these values redis, replication and sentinel
# traffic all use the non-TLS code paths.
REDIS_TLS_PORT=
SENTINEL_CONF=/data/conf/sentinel.conf
SENTINEL_TLS_PORT=
SERVICE=argocd-redis-ha
SENTINEL_TLS_REPLICATION_ENABLED=false
REDIS_TLS_REPLICATION_ENABLED=false

# Abort on any failing command and on use of an unset variable.
set -eu
|
|
sentinel_get_master() {
|
|
set +e
|
|
if [ "$SENTINEL_PORT" -eq 0 ]; then
|
|
redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
|
|
grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
|
|
else
|
|
redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
|
|
grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
|
|
fi
|
|
set -e
|
|
}
|
|
|
|
sentinel_get_master_retry() {
  # Ask sentinel for the master address up to $1 times and print the first
  # non-empty answer (or an empty line when every attempt came back empty).
  # The pause between attempts grows by one second each time: 4s, 5s, 6s, ...
  attempts=${1}
  base_delay=3
  master=''
  for attempt in $(seq 1 "${attempts}"); do
    master=$(sentinel_get_master)
    [ -n "${master}" ] && break
    sleep $((base_delay + attempt))
  done
  echo "${master}"
}
|
|
|
|
identify_master() {
  # Store the master address reported by sentinel (three attempts) in MASTER
  # and log whether one was found. MASTER stays empty when none was returned.
  echo "Identifying redis master (get-master-addr-by-name).."
  echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)"
  MASTER="$(sentinel_get_master_retry 3)"
  if [ -z "${MASTER}" ]; then
    echo " $(date) Did not find redis master (${MASTER})"
  else
    echo " $(date) Found redis master (${MASTER})"
  fi
}
|
|
|
|
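sentinel_update() {
  # Write this pod's identity and the master to monitor into ${SENTINEL_CONF}.
  #   $1: address of the redis master sentinel should monitor.
  # Line 1 of the file becomes "sentinel myid <id>", line 2 the
  # "sentinel monitor" directive; the announce ip/port are appended at the end.
  echo "Updating sentinel config.."
  echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
  # INDEX is derived from the hostname and is spliced into the eval below, so
  # only digits are accepted before it can reach the shell parser.
  case "${INDEX}" in
    '' | *[!0-9]*)
      echo "Error: statefulset index (${INDEX}) is not numeric"
      exit 1
      ;;
  esac
  # Indirect lookup of the variable SENTINEL_ID_<INDEX>.
  eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
  echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
  sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
  if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
    echo " redis master (${1}:${REDIS_TLS_PORT})"
    sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
  else
    echo " redis master (${1}:${REDIS_PORT})"
    sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
  fi
  # Redirect targets are quoted so the path is never word-split.
  echo "sentinel announce-ip ${ANNOUNCE_IP}" >> "${SENTINEL_CONF}"
  # SENTINEL_PORT equal to 0 selects the TLS port for the announcement.
  if [ "$SENTINEL_PORT" -eq 0 ]; then
    echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})"
    echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> "${SENTINEL_CONF}"
  else
    echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})"
    echo "sentinel announce-port ${SENTINEL_PORT}" >> "${SENTINEL_CONF}"
  fi
}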
|
|
|
|
redis_update() {
  # Append replica settings for the master in $1 to ${REDIS_CONF}: the
  # slaveof target, the port this node announces, then its announce ip.
  # The TLS port is used when REDIS_TLS_REPLICATION_ENABLED is "true".
  echo "Updating redis config.."
  if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
    repl_port="${REDIS_TLS_PORT}"
  else
    repl_port="${REDIS_PORT}"
  fi
  echo " we are slave of redis master (${1}:${repl_port})"
  echo "slaveof ${1} ${repl_port}" >> "${REDIS_CONF}"
  echo "slave-announce-port ${repl_port}" >> ${REDIS_CONF}
  echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF}
}
|
|
|
|
copy_config() {
  # Seed the writable config files from the read-only templates under
  # /readonly-config: redis.conf first, then sentinel.conf.
  for kind in redis sentinel; do
    if [ "${kind}" = redis ]; then
      dest="${REDIS_CONF}"
    else
      dest="${SENTINEL_CONF}"
    fi
    echo "Copying default ${kind} config.."
    echo " to '${dest}'"
    cp "/readonly-config/${kind}.conf" "${dest}"
  done
}
|
|
|
|
setup_defaults() {
  # Fallback used when sentinel could not name a master (or a failover
  # returned NOGOODSLAVE): index 0 configures itself as master, every other
  # index points at whatever the announce-0 Service name resolves to.
  echo "Setting up defaults.."
  echo " using statefulset index (${INDEX})"
  if [ "${INDEX}" = "0" ]; then
    echo "Setting this pod as master for redis and sentinel.."
    echo " using announce (${ANNOUNCE_IP})"
    redis_update "${ANNOUNCE_IP}"
    sentinel_update "${ANNOUNCE_IP}"
    echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
    # redis_update has just appended a slaveof line; blank out every line that
    # mentions slaveof so this node does not replicate from itself.
    sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
  else
    echo "Getting redis master ip.."
    echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
    # Only the announce-0 name is resolved here; the master role of that
    # address is assumed, not verified.
    DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
    if [ -z "${DEFAULT_MASTER}" ]; then
      echo "Error: Unable to resolve redis master (getent hosts)."
      exit 1
    fi
    echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
    echo "Setting default slave config for redis and sentinel.."
    echo " using master ip (${DEFAULT_MASTER})"
    redis_update "${DEFAULT_MASTER}"
    sentinel_update "${DEFAULT_MASTER}"
  fi
}
|
|
|
|
redis_ping() {
  # Send PING to ${MASTER} and print redis-cli's reply. errexit is switched
  # off for the call so a failed connection does not abort the script, and is
  # switched back on before returning.
  # NOTE(review): -a places the password on the redis-cli command line, where
  # it is readable from the process list while the command runs. redis-cli
  # also reads the password from the REDISCLI_AUTH environment variable —
  # confirm the image's redis-cli supports it before switching.
  # NOTE(review): ${AUTH} is expanded without a default while `set -u` is in
  # effect, whereas the end of this script guards it with ${AUTH:-}; confirm
  # AUTH is always exported to this container.
  set +e
  # REDIS_PORT equal to 0 selects the TLS port and client certificates.
  if [ "$REDIS_PORT" -eq 0 ]; then
    redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
  else
    redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
  fi
  set -e
}
|
|
|
|
redis_ping_retry() {
  # Ping the current MASTER up to $1 times and print "PONG" on the first
  # success, or an empty line when every attempt failed. After each failed
  # attempt the function waits (4s, 5s, ...) and asks sentinel for the master
  # again, so the next ping may go to a different address.
  attempts=${1}
  base_delay=3
  result=''
  for attempt in $(seq 1 "${attempts}"); do
    if [ "$(redis_ping)" = "PONG" ]; then
      result='PONG'
      break
    fi
    sleep $((base_delay + attempt))
    MASTER=$(sentinel_get_master)
  done
  echo "${result}"
}
|
|
|
|
find_master() {
  # Verify that the master named by sentinel answers PING. If it does, write
  # the redis and sentinel config for it. If it does not, request a sentinel
  # failover, wait 10 seconds, ask sentinel for the master again, and either
  # configure against the new master or exit 1.
  echo "Verifying redis master.."
  if [ "$REDIS_PORT" -eq 0 ]; then
    echo " ping (${MASTER}:${REDIS_TLS_PORT})"
  else
    echo " ping (${MASTER}:${REDIS_PORT})"
  fi
  # redis_ping_retry runs in a command substitution, so any MASTER value it
  # assigns while retrying is not visible here afterwards.
  if [ "$(redis_ping_retry 3)" != "PONG" ]; then
    echo " $(date) Can't ping redis master (${MASTER})"
    echo "Attempting to force failover (sentinel failover).."

    # NOTE(review): neither failover command below passes credentials, so the
    # sentinel endpoint is addressed without authentication.
    if [ "$SENTINEL_PORT" -eq 0 ]; then
      echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
      if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
        # No replica is eligible for promotion: fall back to the defaults.
        echo " $(date) Failover returned with 'NOGOODSLAVE'"
        echo "Setting defaults for this pod.."
        setup_defaults
        return 0
      fi
    else
      echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
      if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
        echo " $(date) Failover returned with 'NOGOODSLAVE'"
        echo "Setting defaults for this pod.."
        setup_defaults
        return 0
      fi
    fi

    echo "Hold on for 10sec"
    sleep 10
    echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
    if [ "$SENTINEL_PORT" -eq 0 ]; then
      echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
    else
      echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
    fi
    # Single query, no retry: an empty answer ends the script.
    MASTER="$(sentinel_get_master)"
    if [ "${MASTER}" ]; then
      echo " $(date) Found redis master (${MASTER})"
      echo "Updating redis and sentinel config.."
      sentinel_update "${MASTER}"
      redis_update "${MASTER}"
    else
      echo "$(date) Error: Could not failover, exiting..."
      exit 1
    fi
  else
    echo " $(date) Found reachable redis master (${MASTER})"
    echo "Updating redis and sentinel config.."
    sentinel_update "${MASTER}"
    redis_update "${MASTER}"
  fi
}
|
|
|
|
redis_ro_update() {
  # Append "replica-priority 0" to ${REDIS_CONF}.
  echo "Updating read-only redis config.."
  echo " redis.conf set 'replica-priority 0'"
  printf '%s\n' "replica-priority 0" >> ${REDIS_CONF}
}
|
|
|
|
getent_hosts() {
  # Print the `getent hosts` line for the announce Service of the given
  # index ($1, defaulting to this pod's INDEX).
  idx=${1:-${INDEX}}
  announce_svc="${SERVICE}-announce-${idx}"
  resolved=$(getent hosts "${announce_svc}")
  echo "${resolved}"
}
|
|
|
|
identify_announce_ip() {
  # Set ANNOUNCE_IP to the first field of the getent line for this pod's
  # announce Service. ANNOUNCE_IP is left empty when nothing resolves; the
  # caller checks for that.
  echo "Identify announce ip for this pod.."
  # The message names two candidates, but getent_hosts only resolves the
  # "-announce-" name.
  echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
  ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
  echo " identified announce (${ANNOUNCE_IP})"
}
|
|
|
|
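# Main sequence: seed the config files, locate the master, work out this pod's
# announce address, write the redis/sentinel config, then inject the passwords.
mkdir -p /data/conf/

echo "Initializing config.."
copy_config

# where is redis master
identify_master

identify_announce_ip

if [ -z "${ANNOUNCE_IP}" ]; then
  # Print the reason before exiting; a bare string on this line would be run
  # as a command name instead of being shown.
  echo "Error: Could not resolve the announce ip for this pod"
  exit 1
elif [ "${MASTER}" ]; then
  # Sentinel named a master: verify it and configure against it.
  find_master
else
  # No master known yet: fall back to the index-based defaults.
  setup_defaults
fi

# Replace the password placeholders in the copied config files. The sed
# expression escapes '/' and '&' in the secret so they are not read as sed
# syntax. The secret is stored in cleartext in the resulting files.
if [ "${AUTH:-}" ]; then
  echo "Setting redis auth values.."
  ESCAPED_AUTH=$(echo "${AUTH}" | sed -e 's/[\/&]/\\&/g');
  sed -i "s/replace-default-auth/${ESCAPED_AUTH}/" "${REDIS_CONF}" "${SENTINEL_CONF}"
fi

if [ "${SENTINELAUTH:-}" ]; then
  echo "Setting sentinel auth values"
  ESCAPED_AUTH_SENTINEL=$(echo "$SENTINELAUTH" | sed -e 's/[\/&]/\\&/g');
  sed -i "s/replace-default-sentinel-auth/${ESCAPED_AUTH_SENTINEL}/" "$SENTINEL_CONF"
fi

echo "$(date) Ready..."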
|
|
# Template for the redis server config. init.sh in this ConfigMap copies a
# redis.conf from /readonly-config (presumably this key, mounted read-only) and
# appends the replication settings to the copy.
# "replace-default-auth" is a placeholder: init.sh substitutes the value of
# AUTH for it only when AUTH is non-empty; otherwise the literal placeholder
# remains the configured password.
# NOTE(review): the server binds 0.0.0.0 on the plain port 6379 with no TLS
# directives, so requirepass plus network-level restrictions are the only
# access controls visible in this template.
redis.conf: |
  dir "/data"
  port 6379
  rename-command FLUSHDB ""
  rename-command FLUSHALL ""
  bind 0.0.0.0
  maxmemory 0
  maxmemory-policy volatile-lru
  min-replicas-max-lag 5
  min-replicas-to-write 1
  rdbchecksum yes
  rdbcompression yes
  repl-diskless-sync yes
  save ""
  requirepass replace-default-auth
  masterauth replace-default-auth
|
|
# Template for the sentinel config. init.sh prepends the "sentinel myid" and
# "sentinel monitor" lines and appends the announce ip/port.
# "sentinel auth-pass" is the password sentinel uses towards redis; its
# placeholder is replaced together with the one in redis.conf.
# NOTE(review): this template has no requirepass directive, and the
# "replace-default-sentinel-auth" token that init.sh substitutes does not occur
# in it, so as written sentinel on 26379 (bound to 0.0.0.0) accepts commands,
# including "sentinel failover", without a password. The scripts in this
# manifest call it without -a accordingly. Restrict access to 26379 at the
# network layer.
sentinel.conf: |
  dir "/data"
  port 26379
  bind 0.0.0.0
  sentinel down-after-milliseconds argocd 10000
  sentinel failover-timeout argocd 180000
  maxclients 10000
  sentinel parallel-syncs argocd 5
  sentinel auth-pass argocd replace-default-auth
|
|
trigger-failover-if-master.sh: |
|
|
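# If the local redis reports role:master, ask the local sentinel to fail over
# and poll once per second, for at most 30 polls, until the role changes.
get_redis_role() {
  # Set is_master to the number of 'role:master' lines in `info`.
  # `|| true` keeps a zero count (grep exit status 1) from failing the
  # assignment.
  # NOTE(review): -a puts the password on the command line; see whether the
  # REDISCLI_AUTH environment variable can be used with this image instead.
  is_master=$(
    redis-cli \
      -a "${AUTH}" --no-auth-warning \
      -h localhost \
      -p 6379 \
      info | grep -c 'role:master' || true
  )
}
get_redis_role
if [[ "$is_master" -eq 1 ]]; then
  echo "This node is currently master, we trigger a failover."
  # Sentinel is addressed without credentials here.
  response=$(
    redis-cli \
      -h localhost \
      -p 26379 \
      SENTINEL failover argocd
  )
  if [[ "$response" != "OK" ]] ; then
    echo "$response"
    exit 1
  fi
  timeout=30
  while [[ "$is_master" -eq 1 && $timeout -gt 0 ]]; do
    sleep 1
    get_redis_role
    timeout=$((timeout - 1))
  done
  # The loop also ends when the timeout runs out, so report which of the two
  # cases occurred instead of always claiming success. The exit status stays 0
  # in both cases.
  if [[ "$is_master" -eq 1 ]]; then
    echo "Failover not confirmed: node still reports role:master after waiting"
  else
    echo "Failover successful"
  fi
fi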
|
|
kind: ConfigMap
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: redis
|
|
app.kubernetes.io/name: argocd-redis-ha
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-redis-ha-configmap
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
redis_liveness.sh: |
|
|
# Liveness check: exit 0 when the local redis answers PING with PONG or with
# a reply that starts with LOADING, exit 1 for anything else.
# NOTE(review): -a exposes the password in the process list while redis-cli
# runs; redis-cli can also take it from the REDISCLI_AUTH environment
# variable — confirm support in the image in use.
response=$(redis-cli -a "${AUTH}" --no-auth-warning -h localhost -p 6379 ping)
echo "response=$response"
case "$response" in
  PONG | LOADING*) exit 0 ;;
esac
exit 1
|
|
redis_readiness.sh: |
|
|
# Readiness check: the node must answer PING with PONG and must either be a
# master, or a replica whose ROLE reply has "connected" on its fourth line.
# NOTE(review): -a exposes the password in the process list while redis-cli
# runs; redis-cli can also take it from the REDISCLI_AUTH environment
# variable — confirm support in the image in use.
redis_query() {
  # Run one command against the local redis and print its reply.
  redis-cli -a "${AUTH}" --no-auth-warning -h localhost -p 6379 "$1"
}

response=$(redis_query ping)
if [ "$response" != "PONG" ] ; then
  echo "ping=$response"
  exit 1
fi

response=$(redis_query role)
# First line of the ROLE reply is the role name.
role=$( echo "$response" | sed "1!d" )
case "$role" in
  master)
    echo "role=$role"
    exit 0
    ;;
  slave)
    # Fourth line of a replica's ROLE reply is the replication link state.
    repl=$( echo "$response" | sed "4!d" )
    echo "role=$role; repl=$repl"
    if [ "$repl" = "connected" ]; then
      exit 0
    fi
    exit 1
    ;;
  *)
    echo "role=$role"
    exit 1
    ;;
esac
|
|
sentinel_liveness.sh: |
|
|
# Sentinel liveness check: succeed only when the local sentinel answers PING
# with PONG. The call carries no credentials, which matches a sentinel that
# has no password configured.
response=$(redis-cli -h localhost -p 26379 ping)
if [ "$response" = "PONG" ]; then
  echo "response=$response"
else
  echo "$response"
  exit 1
fi
|
|
kind: ConfigMap
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: redis
|
|
app.kubernetes.io/name: argocd-redis-ha
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-redis-ha-health-configmap
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
ssh_known_hosts: |
|
|
# This file was automatically generated by hack/update-ssh-known-hosts.sh. DO NOT EDIT
|
|
[ssh.github.com]:443 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
|
|
[ssh.github.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
|
|
[ssh.github.com]:443 ssh-rsa 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
|
|
bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=
|
|
bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
|
|
bitbucket.org ssh-rsa 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
|
|
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
|
|
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
|
|
github.com ssh-rsa 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
|
|
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
|
|
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
|
|
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
|
|
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
|
|
vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
|
|
kind: ConfigMap
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: argocd-ssh-known-hosts-cm
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-ssh-known-hosts-cm
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: argocd-tls-certs-cm
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-tls-certs-cm
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: notifications-controller
|
|
app.kubernetes.io/name: argocd-notifications-controller
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-notifications-secret
|
|
type: Opaque
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: argocd-secret
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-secret
|
|
type: Opaque
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: applicationset-controller
|
|
app.kubernetes.io/name: argocd-applicationset-controller
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-applicationset-controller
|
|
spec:
|
|
ports:
|
|
- name: webhook
|
|
port: 7000
|
|
protocol: TCP
|
|
targetPort: webhook
|
|
- name: metrics
|
|
port: 8080
|
|
protocol: TCP
|
|
targetPort: metrics
|
|
selector:
|
|
app.kubernetes.io/name: argocd-applicationset-controller
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: dex-server
|
|
app.kubernetes.io/name: argocd-dex-server
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-dex-server
|
|
spec:
|
|
ports:
|
|
- appProtocol: TCP
|
|
name: http
|
|
port: 5556
|
|
protocol: TCP
|
|
targetPort: 5556
|
|
- name: grpc
|
|
port: 5557
|
|
protocol: TCP
|
|
targetPort: 5557
|
|
- name: metrics
|
|
port: 5558
|
|
protocol: TCP
|
|
targetPort: 5558
|
|
selector:
|
|
app.kubernetes.io/name: argocd-dex-server
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: metrics
|
|
app.kubernetes.io/name: argocd-metrics
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-metrics
|
|
spec:
|
|
ports:
|
|
- name: metrics
|
|
port: 8082
|
|
protocol: TCP
|
|
targetPort: 8082
|
|
selector:
|
|
app.kubernetes.io/name: argocd-application-controller
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: notifications-controller
|
|
app.kubernetes.io/name: argocd-notifications-controller-metrics
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-notifications-controller-metrics
|
|
spec:
|
|
ports:
|
|
- name: metrics
|
|
port: 9001
|
|
protocol: TCP
|
|
targetPort: 9001
|
|
selector:
|
|
app.kubernetes.io/name: argocd-notifications-controller
|
|
---
|
|
# Headless Service (clusterIP: None) in front of the redis-ha pods. It
# publishes both the redis port (6379) and the sentinel port (26379).
# NOTE(review): per the sentinel.conf template in this manifest, sentinel has
# no password of its own, so any workload that can reach 26379 can issue
# sentinel commands. No NetworkPolicy appears in this part of the file —
# confirm that ingress to both ports is limited to the Argo CD components.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
spec:
  clusterIP: None
  ports:
  - name: tcp-server
    port: 6379
    protocol: TCP
    targetPort: redis
  - name: tcp-sentinel
    port: 26379
    protocol: TCP
    targetPort: sentinel
  selector:
    app.kubernetes.io/name: argocd-redis-ha
  type: ClusterIP
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: redis
|
|
app.kubernetes.io/name: argocd-redis-ha
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-redis-ha-announce-0
|
|
spec:
|
|
ports:
|
|
- name: tcp-server
|
|
port: 6379
|
|
protocol: TCP
|
|
targetPort: redis
|
|
- name: tcp-sentinel
|
|
port: 26379
|
|
protocol: TCP
|
|
targetPort: sentinel
|
|
publishNotReadyAddresses: true
|
|
selector:
|
|
app.kubernetes.io/name: argocd-redis-ha
|
|
statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-0
|
|
type: ClusterIP
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: redis
|
|
app.kubernetes.io/name: argocd-redis-ha
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-redis-ha-announce-1
|
|
spec:
|
|
ports:
|
|
- name: tcp-server
|
|
port: 6379
|
|
protocol: TCP
|
|
targetPort: redis
|
|
- name: tcp-sentinel
|
|
port: 26379
|
|
protocol: TCP
|
|
targetPort: sentinel
|
|
publishNotReadyAddresses: true
|
|
selector:
|
|
app.kubernetes.io/name: argocd-redis-ha
|
|
statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-1
|
|
type: ClusterIP
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: redis
|
|
app.kubernetes.io/name: argocd-redis-ha
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-redis-ha-announce-2
|
|
spec:
|
|
ports:
|
|
- name: tcp-server
|
|
port: 6379
|
|
protocol: TCP
|
|
targetPort: redis
|
|
- name: tcp-sentinel
|
|
port: 26379
|
|
protocol: TCP
|
|
targetPort: sentinel
|
|
publishNotReadyAddresses: true
|
|
selector:
|
|
app.kubernetes.io/name: argocd-redis-ha
|
|
statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-2
|
|
type: ClusterIP
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: redis
|
|
app.kubernetes.io/name: argocd-redis-ha-haproxy
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-redis-ha-haproxy
|
|
spec:
|
|
ports:
|
|
- name: tcp-haproxy
|
|
port: 6379
|
|
protocol: TCP
|
|
targetPort: redis
|
|
- name: http-exporter-port
|
|
port: 9101
|
|
protocol: TCP
|
|
targetPort: metrics-port
|
|
selector:
|
|
app.kubernetes.io/name: argocd-redis-ha-haproxy
|
|
type: ClusterIP
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: repo-server
|
|
app.kubernetes.io/name: argocd-repo-server
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-repo-server
|
|
spec:
|
|
ports:
|
|
- name: server
|
|
port: 8081
|
|
protocol: TCP
|
|
targetPort: 8081
|
|
- name: metrics
|
|
port: 8084
|
|
protocol: TCP
|
|
targetPort: 8084
|
|
selector:
|
|
app.kubernetes.io/name: argocd-repo-server
|
|
---
|
|
# Service for the Argo CD API server / UI.
# Both Service ports (80 and 443) forward to the same container port, 8080.
# Whether that listener serves TLS or plaintext, or redirects one to the
# other, is decided by argocd-server's own configuration, which is not part of
# this object.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8080
  selector:
    app.kubernetes.io/name: argocd-server
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: server
|
|
app.kubernetes.io/name: argocd-server-metrics
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-server-metrics
|
|
spec:
|
|
ports:
|
|
- name: metrics
|
|
port: 8083
|
|
protocol: TCP
|
|
targetPort: 8083
|
|
selector:
|
|
app.kubernetes.io/name: argocd-server
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: applicationset-controller
|
|
app.kubernetes.io/name: argocd-applicationset-controller
|
|
app.kubernetes.io/part-of: argocd
|
|
name: argocd-applicationset-controller
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: argocd-applicationset-controller
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: argocd-applicationset-controller
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- /usr/local/bin/argocd-applicationset-controller
|
|
env:
|
|
- name: GRPC_ENABLE_TXT_SERVICE_CONFIG
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.grpc.enable.txt.service.config
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.global.preserved.annotations
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_LABELS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.global.preserved.labels
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.enable.leader.election
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: repo.server
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.policy
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.enable.policy.override
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.debug
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.log.format
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.log.level
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_LOG_FORMAT_TIMESTAMP
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: log.format.timestamp
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_K8S_CLIENT_QPS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.k8s.client.qps
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_K8S_CLIENT_BURST
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.k8s.client.burst
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.k8s.client.max.idle.connections
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_K8S_TCP_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.k8s.tcp.timeout
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_K8S_TCP_KEEPALIVE
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.k8s.tcp.keepalive
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.k8s.tls.handshake.timeout
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_K8S_TCP_IDLE_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.k8s.tcp.idle.timeout
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.dryrun
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_GIT_MODULES_ENABLED
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.enable.git.submodule
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.enable.progressive.syncs
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.enable.tokenref.strict.mode
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.enable.new.git.file.globbing
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_PLAINTEXT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.repo.server.plaintext
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_STRICT_TLS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.repo.server.strict.tls
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.repo.server.timeout.seconds
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.concurrent.reconciliations.max
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.namespaces
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.scm.root.ca.path
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.allowed.scm.providers
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.enable.scm.providers
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.enable.github.api.metrics
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.webhook.parallelism.limit
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.requeue.after
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
- name: ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: applicationsetcontroller.status.max.resources.count
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
# NOTE(review): ":latest" is a mutable tag, and imagePullPolicy Always
# re-resolves it on every pod start, so the code that runs can change without
# this manifest changing. Pin a release tag or an image digest for deployments
# that need to be reproducible and reviewable.
image: quay.io/argoproj/argocd:latest
imagePullPolicy: Always
|
|
name: argocd-applicationset-controller
|
|
ports:
|
|
- containerPort: 7000
|
|
name: webhook
|
|
- containerPort: 8080
|
|
name: metrics
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
volumeMounts:
|
|
- mountPath: /app/config/ssh
|
|
name: ssh-known-hosts
|
|
- mountPath: /app/config/tls
|
|
name: tls-certs
|
|
- mountPath: /app/config/gpg/source
|
|
name: gpg-keys
|
|
- mountPath: /app/config/gpg/keys
|
|
name: gpg-keyring
|
|
- mountPath: /tmp
|
|
name: tmp
|
|
- mountPath: /app/config/reposerver/tls
|
|
name: argocd-repo-server-tls
|
|
- mountPath: /home/argocd/params
|
|
name: argocd-cmd-params-cm
|
|
nodeSelector:
|
|
kubernetes.io/os: linux
|
|
serviceAccountName: argocd-applicationset-controller
|
|
volumes:
|
|
- configMap:
|
|
name: argocd-ssh-known-hosts-cm
|
|
name: ssh-known-hosts
|
|
- configMap:
|
|
name: argocd-tls-certs-cm
|
|
name: tls-certs
|
|
- configMap:
|
|
name: argocd-gpg-keys-cm
|
|
name: gpg-keys
|
|
- emptyDir: {}
|
|
name: gpg-keyring
|
|
- emptyDir: {}
|
|
name: tmp
|
|
- name: argocd-repo-server-tls
|
|
secret:
|
|
items:
|
|
- key: tls.crt
|
|
path: tls.crt
|
|
- key: tls.key
|
|
path: tls.key
|
|
- key: ca.crt
|
|
path: ca.crt
|
|
optional: true
|
|
secretName: argocd-repo-server-tls
|
|
- configMap:
|
|
items:
|
|
- key: applicationsetcontroller.profile.enabled
|
|
path: profiler.enabled
|
|
name: argocd-cmd-params-cm
|
|
optional: true
|
|
name: argocd-cmd-params-cm
|
|
---
|
|
# Deployment for the Dex server used by Argo CD. The `dex` container starts
# `/shared/argocd-dex rundex`; that binary is not part of the Dex image but is
# copied out of the Argo CD image by the `copyutil` init container through the
# shared `static-files` emptyDir.
# NOTE(review): no `replicas` is set, so the Kubernetes default of 1 applies,
# and no container declares resource requests or limits.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-dex-server
    spec:
      affinity:
        podAntiAffinity:
          # Soft preference (weight 5): try not to share a node with other
          # pods labelled part-of=argocd; scheduling still succeeds otherwise.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - command:
        - /shared/argocd-dex
        - rundex
        # Every variable below is read from argocd-cmd-params-cm with
        # `optional: true`: when the ConfigMap or the key is missing the
        # variable is simply left unset and the pod still starts.
        env:
        - name: ARGOCD_DEX_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: dexserver.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEX_SERVER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: dexserver.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_LOG_FORMAT_TIMESTAMP
          valueFrom:
            configMapKeyRef:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): security-relevant toggle. Judging by the key name,
        # `dexserver.disable.tls` turns off TLS on the Dex listener; audit
        # argocd-cmd-params-cm so it is only set where transport security is
        # provided by another layer.
        - name: ARGOCD_DEX_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: dexserver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        # Pinned to a version tag, not to a digest. With `Always` the tag is
        # re-resolved at every pod start; pinning as
        # <image>@sha256:<digest> (placeholder) makes the running image
        # immutable.
        image: ghcr.io/dexidp/dex:v2.44.0
        imagePullPolicy: Always
        name: dex
        # Ports are unnamed here; which one serves HTTP, gRPC or metrics has
        # to be confirmed against the matching Service.
        ports:
        - containerPort: 5556
        - containerPort: 5557
        - containerPort: 5558
        # Hardened container: no privilege escalation, every capability
        # dropped, read-only root filesystem, non-root user enforced, and the
        # runtime's default seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        # The root filesystem is read-only, so /tmp is backed by the
        # `dexconfig` emptyDir.
        - mountPath: /tmp
          name: dexconfig
        - mountPath: /tls
          name: argocd-dex-server-tls
      initContainers:
      # Copies the argocd binary into the shared volume as `argocd-dex`;
      # `-n` keeps an already existing target file untouched.
      - command:
        - /bin/cp
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
        # NOTE(review): `latest` is a mutable tag; the binary that ends up
        # running as Dex's entry point is whatever the registry serves at pod
        # start. Release manifests should carry a fixed tag or digest.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        - mountPath: /tmp
          name: dexconfig
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: argocd-dex-server
      volumes:
      - emptyDir: {}
        name: static-files
      - emptyDir: {}
        name: dexconfig
      # TLS material for Dex. `optional: true` lets the pod start when the
      # Secret does not exist, in which case /tls is empty; what Dex serves
      # then is decided by the binary and is not visible in this manifest.
      - name: argocd-dex-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-dex-server-tls
|
|
---
|
|
# Deployment for the Argo CD notifications controller. A single container
# runs `/usr/local/bin/argocd-notifications` from the Argo CD image.
# NOTE(review): no `replicas` is set (Kubernetes default: 1) and the container
# declares no resource requests or limits.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  # Recreate stops the old pod before the new one starts, so two controller
  # instances never run side by side during a rollout.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-notifications-controller
    spec:
      containers:
      - args:
        - /usr/local/bin/argocd-notifications
        # All variables come from argocd-cmd-params-cm with `optional: true`:
        # a missing ConfigMap or key leaves the variable unset instead of
        # blocking pod start.
        env:
        - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_LOG_FORMAT_TIMESTAMP
          valueFrom:
            configMapKeyRef:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably widens the set of namespaces whose
        # Applications the controller acts on; review the value together with
        # the RBAC granted to this ServiceAccount.
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.selfservice.enabled
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): security-relevant toggle. Judging by the key name it
        # makes the controller talk to the repo server without TLS; audit
        # that it is unset unless the link is protected by other means.
        - name: ARGOCD_NOTIFICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): `latest` is a mutable tag and `Always` re-pulls it on
        # every pod start; release manifests should carry a fixed tag or
        # digest.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        # Liveness is a bare TCP connect to port 9001; it proves the port is
        # open, nothing more.
        livenessProbe:
          tcpSocket:
            port: 9001
        name: argocd-notifications-controller
        # The container-level context sets no runAsNonRoot or seccompProfile;
        # both are supplied by the pod-level securityContext further down.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        workingDir: /app
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level defaults inherited by every container in the pod.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: argocd-notifications-controller
      volumes:
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      # NOTE(review): the projection includes `tls.key`, so the repo server's
      # private key is readable inside this pod. A client that only verifies
      # the repo server's certificate would presumably need just ca.crt and
      # tls.crt; confirm against the controller's TLS code before trimming.
      # `optional: true` lets the pod start when the Secret is absent.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
|
|
---
|
|
# Deployment for the HAProxy tier in front of the HA Redis used by Argo CD:
# three replicas, one per node. Two init containers run first: `secret-init`
# (argocd admin redis-initial-password) and `config-init`, which runs
# /readonly/haproxy_init.sh with `/data` mounted from the `data` emptyDir
# that the `haproxy` container mounts at /usr/local/etc/haproxy.
# NOTE(review): no container declares resource requests or limits.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
spec:
  replicas: 3
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  strategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Presumably a hash of the rendered HAProxy configuration, so that a
        # config change alters the pod template and triggers a rollout.
        checksum/config: cd6508bdf9819601c454d0cc491fb77a209e3a88761d92514d105b6681829953
        # Scrape hints for Prometheus; quoted because annotation values must
        # be strings.
        prometheus.io/path: /metrics
        prometheus.io/port: "9101"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: argocd-redis-ha-haproxy
      name: argocd-redis-ha-haproxy
    spec:
      affinity:
        podAntiAffinity:
          # Hard rule: no two haproxy pods on the same node. With
          # replicas: 3 a cluster with fewer than three eligible nodes
          # leaves the surplus pods Pending.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-redis-ha-haproxy
            topologyKey: kubernetes.io/hostname
      # NOTE(review): the ServiceAccount token is mounted into every
      # container of the pod, including the long-running `haproxy` proxy.
      # Presumably only `secret-init` needs API access (to manage the
      # argocd-redis Secret); keep the RBAC of this ServiceAccount as narrow
      # as that task requires.
      automountServiceAccountToken: true
      containers:
      - env:
        # Redis password from Secret argocd-redis. The reference is not
        # optional: the container cannot be created until the Secret and its
        # `auth` key exist.
        - name: AUTH
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        # Version tag, not a digest; <image>@sha256:<digest> (placeholder)
        # would make the image immutable.
        image: public.ecr.aws/docker/library/haproxy:3.0.8-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
          httpGet:
            path: /healthz
            port: probe
          initialDelaySeconds: 5
          periodSeconds: 3
        name: haproxy
        ports:
        - containerPort: 8888
          name: probe
        - containerPort: 6379
          name: redis
        - containerPort: 9101
          name: metrics-port
        readinessProbe:
          httpGet:
            path: /healthz
            port: probe
          initialDelaySeconds: 5
          periodSeconds: 3
        # runAsNonRoot is not repeated here; the pod-level securityContext
        # below enforces it together with UID 99.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /usr/local/etc/haproxy
          name: data
        - mountPath: /run/haproxy
          name: shared-socket
      initContainers:
      - command:
        - argocd
        - admin
        - redis-initial-password
        # NOTE(review): mutable `latest` tag combined with IfNotPresent: a
        # node that already caches some `latest` keeps using it, so nodes can
        # run different builds of this privileged-by-token step. A fixed tag
        # or digest removes that ambiguity.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
      - args:
        - /readonly/haproxy_init.sh
        command:
        - sh
        image: public.ecr.aws/docker/library/haproxy:3.0.8-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # The init script comes from the ConfigMap and is mounted read-only;
        # /data is the only writable mount of this container.
        - mountPath: /readonly
          name: config-volume
          readOnly: true
        - mountPath: /data
          name: data
      # Pod-level identity: every container runs as UID 99, volumes are
      # group-owned by GID 99, and running as root is rejected.
      securityContext:
        fsGroup: 99
        runAsNonRoot: true
        runAsUser: 99
      serviceAccountName: argocd-redis-ha-haproxy
      volumes:
      - configMap:
          name: argocd-redis-ha-configmap
        name: config-volume
      - emptyDir: {}
        name: shared-socket
      - emptyDir: {}
        name: data
|
|
---
|
|
# Deployment for the Argo CD repo server: two replicas, one per node, zone
# spreading preferred. The main container runs
# `/usr/local/bin/argocd-repo-server`; almost all tuning is injected as
# optional environment variables from argocd-cmd-params-cm.
# The repo server processes repository content, which should be treated as
# untrusted input, so the toggles flagged below deserve an explicit review.
# NOTE(review): no container declares resource requests or limits.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-repo-server
    spec:
      affinity:
        podAntiAffinity:
          # Soft preference: spread replicas across zones.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-repo-server
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          # Hard rule: never two repo-server pods on one node. With
          # replicas: 2 at least two eligible nodes are required.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-repo-server
            topologyKey: kubernetes.io/hostname
      # No Kubernetes API token is mounted into this pod, so code running
      # here cannot authenticate to the API server with the ServiceAccount.
      automountServiceAccountToken: false
      containers:
      - args:
        - /usr/local/bin/argocd-repo-server
        # Unless noted otherwise each variable is read with `optional: true`:
        # a missing ConfigMap or key leaves it unset and the pod still starts.
        env:
        # Not optional: the container cannot be created until Secret
        # argocd-redis with key `auth` exists.
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        - name: GRPC_ENABLE_TXT_SERVICE_CONFIG
          valueFrom:
            configMapKeyRef:
              key: reposerver.grpc.enable.txt.service.config
              name: argocd-cmd-params-cm
              optional: true
        # Read from argocd-cm, not argocd-cmd-params-cm.
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_LOG_FORMAT_TIMESTAMP
          valueFrom:
            configMapKeyRef:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: reposerver.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: reposerver.listen.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: reposerver.metrics.listen.address
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): security-relevant toggle. Judging by the key name it
        # turns off TLS on the repo-server listener; audit that it is unset
        # unless transport security is provided by another layer.
        - name: ARGOCD_REPO_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        # TLS protocol range and cipher list for this component; review the
        # configured values against the organisation's TLS baseline.
        - name: ARGOCD_TLS_MIN_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.minversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MAX_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.maxversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_CIPHERS
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.ciphers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.repo.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably sends telemetry to the OTLP endpoint
        # without TLS; audit together with otlp.headers, which may carry
        # credentials for the collector.
        - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
          valueFrom:
            configMapKeyRef:
              key: otlp.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
          valueFrom:
            configMapKeyRef:
              key: otlp.headers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_ATTRS
          valueFrom:
            configMapKeyRef:
              key: otlp.attrs
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
          valueFrom:
            configMapKeyRef:
              key: reposerver.plugin.tar.exclusions
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS
          valueFrom:
            configMapKeyRef:
              key: reposerver.plugin.use.manifest.generate.paths
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): security-relevant toggle. Judging by the variable
        # name it permits symlinks in a repository that point outside the
        # checkout; keep unset unless a trusted repository requires it.
        - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
          valueFrom:
            configMapKeyRef:
              key: reposerver.allow.oob.symlinks
              name: argocd-cmd-params-cm
              optional: true
        # The following size keys presumably bound how much archive and
        # manifest data the repo server accepts or unpacks. The two
        # `reposerver.disable.*.max.extracted.size` keys look like switches
        # that remove such a bound; audit that they are not enabled without
        # a compensating resource limit.
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.tar.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.helm.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.helm.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OCI_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.oci.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_DISABLE_OCI_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.oci.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OCI_LAYER_MEDIA_TYPES
          valueFrom:
            configMapKeyRef:
              key: reposerver.oci.layer.media.types
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: reposerver.revision.cache.lock.timeout
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably controls whether git submodules are
        # fetched; submodules pull content from additional remotes, so the
        # setting widens what the repo server downloads.
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
              key: reposerver.enable.git.submodule
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: reposerver.git.lsremote.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_REQUEST_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: reposerver.git.request.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_ENABLE_BUILTIN_GIT_CONFIG
          valueFrom:
            configMapKeyRef:
              key: reposerver.enable.builtin.git.config
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GRPC_MAX_SIZE_MB
          valueFrom:
            configMapKeyRef:
              key: reposerver.grpc.max.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
          valueFrom:
            configMapKeyRef:
              key: reposerver.include.hidden.directories
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_HELM_USER_AGENT
          valueFrom:
            configMapKeyRef:
              key: reposerver.helm.user.agent
              name: argocd-cmd-params-cm
              optional: true
        # Helm's cache, config and data directories all point at the
        # `helm-working-dir` emptyDir, because the root filesystem is
        # read-only.
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
        # NOTE(review): `latest` is a mutable tag and `Always` re-pulls it on
        # every pod start; release manifests should carry a fixed tag or
        # digest.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz?full=true
            port: 8084
          initialDelaySeconds: 30
          periodSeconds: 30
          timeoutSeconds: 5
        name: argocd-repo-server
        # Unnamed ports; the probes use 8084. Which port carries the gRPC API
        # and which carries metrics should be confirmed against the Service.
        ports:
        - containerPort: 8081
        - containerPort: 8084
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8084
          initialDelaySeconds: 5
          periodSeconds: 10
        # Hardened container: no privilege escalation, every capability
        # dropped, read-only root filesystem, non-root user enforced, and the
        # runtime's default seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/gpg/source
          name: gpg-keys
        - mountPath: /app/config/gpg/keys
          name: gpg-keyring
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        - mountPath: /tmp
          name: tmp
        - mountPath: /helm-working-dir
          name: helm-working-dir
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
      initContainers:
      # One shell command line (the YAML scalar below folds into a single
      # string passed to `sh -c`): copy the argocd binary into the
      # `var-files` volume without overwriting an existing file, then create
      # the `argocd-cmp-server` symlink next to it.
      - args:
        - /bin/cp --update=none /usr/local/bin/argocd /var/run/argocd/argocd && /bin/ln
          -s /var/run/argocd/argocd /var/run/argocd/argocd-cmp-server
        command:
        - sh
        - -c
        # No imagePullPolicy is set here; for a `:latest` tag Kubernetes
        # defaults it to Always.
        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: argocd-repo-server
      volumes:
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      - configMap:
          name: argocd-gpg-keys-cm
        name: gpg-keys
      - emptyDir: {}
        name: gpg-keyring
      - emptyDir: {}
        name: tmp
      - emptyDir: {}
        name: helm-working-dir
      # Serving certificate and key of the repo server. `optional: true`
      # lets the pod start when the Secret is absent; what the server does
      # without it is decided by the binary and not visible here.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      # Filled by `copyutil`; the main container above does not mount it,
      # so it is presumably meant for plugin sidecars added by the operator.
      - emptyDir: {}
        name: var-files
      - emptyDir: {}
        name: plugins
      # Projects key `reposerver.profile.enabled` as a file named
      # `profiler.enabled`.
      # NOTE(review): no container in this Deployment mounts the
      # `argocd-cmd-params-cm` volume, so as written the file is not visible
      # to the repo server; confirm whether a volumeMount is missing in the
      # generator source.
      - configMap:
          items:
          - key: reposerver.profile.enabled
            path: profiler.enabled
          name: argocd-cmd-params-cm
          optional: true
        name: argocd-cmd-params-cm
|
|
---
|
|
# Deployment for the Argo CD API/UI server: two replicas, one per node, zone
# spreading preferred. The container runs `/usr/local/bin/argocd-server`;
# almost all tuning is injected as optional environment variables from
# argocd-cmd-params-cm.
# This is the user-facing component, so the authentication, TLS and browser
# hardening toggles flagged below deserve an explicit review.
# NOTE(review): the container declares no resource requests or limits, and
# `automountServiceAccountToken` is not set, so the Kubernetes default
# applies.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-server
    spec:
      affinity:
        podAntiAffinity:
          # Soft preference: spread replicas across zones.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-server
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          # Hard rule: never two argocd-server pods on one node. With
          # replicas: 2 at least two eligible nodes are required.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-server
            topologyKey: kubernetes.io/hostname
      containers:
      - args:
        - /usr/local/bin/argocd-server
        # Unless noted otherwise each variable is read with `optional: true`:
        # a missing ConfigMap or key leaves it unset and the pod still starts.
        env:
        # Literal value; it mirrors `spec.replicas` above and has to be
        # changed together with it. Quoted because env values are strings.
        - name: ARGOCD_API_SERVER_REPLICAS
          value: "2"
        # Not optional: the container cannot be created until Secret
        # argocd-redis with key `auth` exists.
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        - name: GRPC_ENABLE_TXT_SERVICE_CONFIG
          valueFrom:
            configMapKeyRef:
              key: server.grpc.enable.txt.service.config
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): security-relevant toggle. Judging by the key name
        # `server.insecure` makes the server listen without TLS; acceptable
        # only behind a TLS-terminating proxy on a trusted network path.
        - name: ARGOCD_SERVER_INSECURE
          valueFrom:
            configMapKeyRef:
              key: server.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_BASEHREF
          valueFrom:
            configMapKeyRef:
              key: server.basehref
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_ROOTPATH
          valueFrom:
            configMapKeyRef:
              key: server.rootpath
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: server.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              key: server.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_CLIENT_QPS
          valueFrom:
            configMapKeyRef:
              key: server.k8s.client.qps
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_CLIENT_BURST
          valueFrom:
            configMapKeyRef:
              key: server.k8s.client.burst
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS
          valueFrom:
            configMapKeyRef:
              key: server.k8s.client.max.idle.connections
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_TCP_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: server.k8s.tcp.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_TCP_KEEPALIVE
          valueFrom:
            configMapKeyRef:
              key: server.k8s.tcp.keepalive
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: server.k8s.tls.handshake.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: server.k8s.tcp.idle.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_REPO_SERVER
          valueFrom:
            configMapKeyRef:
              key: repo.server
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_DEX_SERVER
          valueFrom:
            configMapKeyRef:
              key: server.dex.server
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): highest-impact toggle in this list. Judging by the
        # key name `server.disable.auth` turns off authentication on the API
        # server; audit that it is never set in a reachable environment and
        # alert on changes to this ConfigMap key.
        - name: ARGOCD_SERVER_DISABLE_AUTH
          valueFrom:
            configMapKeyRef:
              key: server.disable.auth
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_ENABLE_GZIP
          valueFrom:
            configMapKeyRef:
              key: server.enable.gzip
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: server.repo.server.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        # Browser hardening headers (framing and content security policy).
        # NOTE(review): overriding either value replaces what the binary
        # would otherwise send; confirm an override does not weaken it.
        - name: ARGOCD_SERVER_X_FRAME_OPTIONS
          valueFrom:
            configMapKeyRef:
              key: server.x.frame.options
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY
          valueFrom:
            configMapKeyRef:
              key: server.content.security.policy
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): the four keys below govern TLS on the internal links
        # to the repo server and to Dex. Judging by their names, `plaintext`
        # drops TLS on the link and `strict.tls` enables certificate
        # verification; audit that plaintext is unset and consider enabling
        # strict verification once the TLS Secrets carry a proper CA.
        - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: server.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: server.repo.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: server.dex.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: server.dex.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        # TLS protocol range and cipher list for this component; review the
        # configured values against the organisation's TLS baseline.
        - name: ARGOCD_TLS_MIN_VERSION
          valueFrom:
            configMapKeyRef:
              key: server.tls.minversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MAX_VERSION
          valueFrom:
            configMapKeyRef:
              key: server.tls.maxversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_CIPHERS
          valueFrom:
            configMapKeyRef:
              key: server.tls.ciphers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.connection.status.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.oidc.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_STATIC_ASSETS
          valueFrom:
            configMapKeyRef:
              key: server.staticassets
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.app.state.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_MAX_COOKIE_NUMBER
          valueFrom:
            configMapKeyRef:
              key: server.http.cookie.maxnumber
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_LISTEN_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: server.listen.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: server.metrics.listen.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably sends telemetry to the OTLP endpoint
        # without TLS; audit together with otlp.headers, which may carry
        # credentials for the collector.
        - name: ARGOCD_SERVER_OTLP_INSECURE
          valueFrom:
            configMapKeyRef:
              key: otlp.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OTLP_HEADERS
          valueFrom:
            configMapKeyRef:
              key: otlp.headers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OTLP_ATTRS
          valueFrom:
            configMapKeyRef:
              key: otlp.attrs
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably widens the set of namespaces in which
        # Application resources are honoured; review the value together with
        # the RBAC granted to this ServiceAccount.
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably lets the API server proxy requests to
        # configured extension backends, which adds reachable internal
        # targets behind the server's authentication; enable deliberately.
        - name: ARGOCD_SERVER_ENABLE_PROXY_EXTENSION
          valueFrom:
            configMapKeyRef:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8SCLIENT_RETRY_MAX
          valueFrom:
            configMapKeyRef:
              key: server.k8sclient.retry.max
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
          valueFrom:
            configMapKeyRef:
              key: server.k8sclient.retry.base.backoff
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably the list of request Content-Type values
        # the API accepts; widening it can affect cross-site request
        # protections, so confirm before overriding.
        - name: ARGOCD_API_CONTENT_TYPES
          valueFrom:
            configMapKeyRef:
              key: server.api.content.types
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.enable.new.git.file.globbing
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.scm.root.ca.path
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): the two SCM-provider keys presumably restrict which
        # SCM endpoints ApplicationSet generators may contact; an allow-list
        # here limits where stored credentials can be sent.
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.allowed.scm.providers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.enable.scm.providers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.enable.github.api.metrics
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_HYDRATOR_ENABLED
          valueFrom:
            configMapKeyRef:
              key: hydrator.enabled
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably decides whether a sync may use the
        # `replace` strategy, which overwrites live objects; confirm the
        # intended default before changing it.
        - name: ARGOCD_SYNC_WITH_REPLACE_ALLOWED
          valueFrom:
            configMapKeyRef:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): `latest` is a mutable tag and `Always` re-pulls it on
        # every pod start; release manifests should carry a fixed tag or
        # digest.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz?full=true
            port: 8080
          initialDelaySeconds: 3
          periodSeconds: 30
          timeoutSeconds: 5
        name: argocd-server
        # Unnamed ports; the probes use 8080. The role of 8083 (presumably
        # metrics) should be confirmed against the Service definitions.
        ports:
        - containerPort: 8080
        - containerPort: 8083
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 3
          periodSeconds: 30
        # Hardened container: no privilege escalation, every capability
        # dropped, read-only root filesystem, non-root user enforced, and the
        # runtime's default seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/server/tls
          name: argocd-repo-server-tls
        - mountPath: /app/config/dex/tls
          name: argocd-dex-server-tls
        # /home/argocd is a writable emptyDir; the params ConfigMap is
        # mounted inside it at /home/argocd/params.
        - mountPath: /home/argocd
          name: plugins-home
        - mountPath: /tmp
          name: tmp
        - mountPath: /home/argocd/params
          name: argocd-cmd-params-cm
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: argocd-server
      volumes:
      - emptyDir: {}
        name: plugins-home
      - emptyDir: {}
        name: tmp
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      # NOTE(review): this projection includes `tls.key`, so the repo
      # server's private key is readable inside the API server pod, whereas
      # the Dex projection below exposes only tls.crt and ca.crt. A client
      # that only verifies the peer would presumably not need the key;
      # confirm against the server's TLS code before trimming.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      # Certificate material for verifying Dex; no private key is projected.
      # `optional: true` lets the pod start when the Secret is absent.
      - name: argocd-dex-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-dex-server-tls
      # Projects key `server.profile.enabled` as the file
      # /home/argocd/params/profiler.enabled (see the volumeMount above).
      # NOTE(review): presumably gates a runtime profiling endpoint; keep it
      # off outside debugging sessions, since profiler output can expose
      # process internals.
      - configMap:
          items:
          - key: server.profile.enabled
            path: profiler.enabled
          name: argocd-cmd-params-cm
          optional: true
        name: argocd-cmd-params-cm
|
|
---
|
|
# StatefulSet for the Argo CD application controller (single replica).
# Almost every tunable is read from an optional ConfigMap key, so the effective
# configuration is this manifest plus argocd-cm / argocd-cmd-params-cm.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
spec:
  # Keep in step with ARGOCD_CONTROLLER_REPLICAS below, which is a separate
  # hard-coded "1".
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  serviceName: argocd-application-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-application-controller
    spec:
      affinity:
        # Soft (preferred) anti-affinity only: the scheduler may still co-locate
        # this pod with other Argo CD pods on one node.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-application-controller
              topologyKey: kubernetes.io/hostname
            weight: 100
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - args:
        - /usr/local/bin/argocd-application-controller
        env:
        # Redis credential comes from the argocd-redis Secret (key "auth").
        # This reference is not optional: the container cannot start without it.
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        # Every configMapKeyRef below is `optional: true`: a missing ConfigMap
        # or key leaves the variable unset instead of blocking pod start.
        - name: GRPC_ENABLE_TXT_SERVICE_CONFIG
          valueFrom:
            configMapKeyRef:
              key: controller.grpc.enable.txt.service.config
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.hard.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_RECONCILIATION_JITTER
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation.jitter
              name: argocd-cm
              optional: true
        - name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.error.grace.period.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
          valueFrom:
            configMapKeyRef:
              key: repo.server
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
          valueFrom:
            configMapKeyRef:
              key: controller.status.processors
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
          valueFrom:
            configMapKeyRef:
              key: controller.operation.processors
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: controller.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: controller.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_LOG_FORMAT_TIMESTAMP
          valueFrom:
            configMapKeyRef:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_CLIENT_QPS
          valueFrom:
            configMapKeyRef:
              key: controller.k8s.client.qps
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_CLIENT_BURST
          valueFrom:
            configMapKeyRef:
              key: controller.k8s.client.burst
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS
          valueFrom:
            configMapKeyRef:
              key: controller.k8s.client.max.idle.connections
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_TCP_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: controller.k8s.tcp.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_TCP_KEEPALIVE
          valueFrom:
            configMapKeyRef:
              key: controller.k8s.tcp.keepalive
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: controller.k8s.tls.handshake.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: controller.k8s.tcp.idle.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.metrics.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.self.heal.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.self.heal.backoff.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
          valueFrom:
            configMapKeyRef:
              key: controller.self.heal.backoff.factor
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.self.heal.backoff.cap.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_COOLDOWN_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.self.heal.backoff.cooldown.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SYNC_WAVE_DELAY
          valueFrom:
            configMapKeyRef:
              key: controller.sync.wave.delay.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SYNC_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: controller.sync.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): judging by their names, the next two keys decide whether
        # the controller talks to the repo-server without TLS and whether it
        # verifies the repo-server certificate strictly. Confirm what
        # argocd-cmd-params-cm sets for them before relying on transport
        # security between the two components.
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
          valueFrom:
            configMapKeyRef:
              key: controller.resource.health.persist
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.app.state.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): otlp.insecure presumably disables TLS towards the trace
        # collector, and otlp.headers may carry collector credentials; a
        # ConfigMap is not a secret store, so verify what is placed there.
        - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
          valueFrom:
            configMapKeyRef:
              key: otlp.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
          valueFrom:
            configMapKeyRef:
              key: otlp.headers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ATTRS
          valueFrom:
            configMapKeyRef:
              key: otlp.attrs
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably the list of extra namespaces in which
        # Application resources are honoured; widening it widens who can ask
        # the controller to deploy. Confirm against the Argo CD documentation.
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
          valueFrom:
            configMapKeyRef:
              key: controller.sharding.algorithm
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: controller.kubectl.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8SCLIENT_RETRY_MAX
          valueFrom:
            configMapKeyRef:
              key: controller.k8sclient.retry.max
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
          valueFrom:
            configMapKeyRef:
              key: controller.k8sclient.retry.base.backoff
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
          valueFrom:
            configMapKeyRef:
              key: controller.diff.server.side
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: controller.ignore.normalizer.jq.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_HYDRATOR_ENABLED
          valueFrom:
            configMapKeyRef:
              key: hydrator.enabled
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING
          valueFrom:
            configMapKeyRef:
              key: controller.cluster.cache.batch.events.processing
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL
          valueFrom:
            configMapKeyRef:
              key: controller.cluster.cache.events.processing.interval
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_COMMIT_SERVER
          valueFrom:
            configMapKeyRef:
              key: commit.server
              name: argocd-cmd-params-cm
              optional: true
        # Points the kube cache at the writable /tmp emptyDir, since the root
        # filesystem is read-only.
        - name: KUBECACHEDIR
          value: /tmp/kubecache
        # NOTE(review): `latest` is a mutable tag and imagePullPolicy Always
        # re-resolves it on every pod start, so the running code can change
        # without any change to this manifest. Pin a release tag or an image
        # digest for production installs.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
        - containerPort: 8082
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8082
          initialDelaySeconds: 5
          periodSeconds: 10
        # Container hardening: no privilege escalation, all capabilities
        # dropped, read-only root filesystem, non-root user enforced, runtime
        # default seccomp profile. Writable paths are the emptyDir mounts below.
        # No resource requests or limits are set on this container.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/controller/tls
          name: argocd-repo-server-tls
        - mountPath: /home/argocd
          name: argocd-home
        - mountPath: /home/argocd/params
          name: argocd-cmd-params-cm
        - mountPath: /tmp
          name: argocd-application-controller-tmp
        workingDir: /home/argocd
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: argocd-application-controller
      volumes:
      - emptyDir: {}
        name: argocd-home
      - emptyDir: {}
        name: argocd-application-controller-tmp
      # Optional Secret: the pod starts even when argocd-repo-server-tls is
      # absent, in which case no certificate material is mounted.
      # NOTE(review): the projection includes tls.key, so the private key held
      # in that Secret is readable inside the controller pod; confirm the
      # controller needs more than tls.crt / ca.crt.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      # Projects controller.profile.enabled as the file
      # /home/argocd/params/profiler.enabled.
      - configMap:
          items:
          - key: controller.profile.enabled
            path: profiler.enabled
          name: argocd-cmd-params-cm
          optional: true
        name: argocd-cmd-params-cm
|
|
---
|
|
# StatefulSet for the Redis HA cluster: three pods, each running a redis server,
# a sentinel and a split-brain-fix sidecar, with a config-init init container.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-server
spec:
  podManagementPolicy: OrderedReady
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  serviceName: argocd-redis-ha
  template:
    metadata:
      annotations:
        # Presumably a hash of the init configuration, so that a config change
        # alters the pod template and rolls the pods; verify with the generator.
        checksum/init-config: fd74f7d84e39b3f6eac1d7ce5deb0083e58f218376faf363343d91a0fb4f2563
      labels:
        app.kubernetes.io/name: argocd-redis-ha
    spec:
      affinity:
        # Hard (required) anti-affinity: no two redis-ha pods on one node, so
        # the three replicas need three schedulable nodes.
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-redis-ha
            topologyKey: kubernetes.io/hostname
      # No service-account token is mounted into these pods, so a compromised
      # Redis container holds no Kubernetes API credential.
      automountServiceAccountToken: false
      containers:
      - args:
        - /data/conf/redis.conf
        command:
        - redis-server
        env:
        # Redis password from the argocd-redis Secret (key "auth"); the same
        # Secret is referenced by all four containers of this pod.
        - name: AUTH
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        # Pinned to a version tag, not to a digest.
        image: public.ecr.aws/docker/library/redis:8.2.3-alpine
        imagePullPolicy: IfNotPresent
        lifecycle:
          # Runs a script from the read-only config volume before the
          # container stops.
          preStop:
            exec:
              command:
              - /bin/sh
              - /readonly-config/trigger-failover-if-master.sh
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/redis_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        name: redis
        ports:
        - containerPort: 6379
          name: redis
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/redis_readiness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        # Container-level hardening; the non-root user comes from the pod-level
        # securityContext further down (runAsNonRoot / runAsUser 1000).
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        startupProbe:
          exec:
            command:
            - sh
            - -c
            - /health/redis_readiness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
        - mountPath: /health
          name: health
      - args:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
        env:
        - name: AUTH
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        image: public.ecr.aws/docker/library/redis:8.2.3-alpine
        imagePullPolicy: IfNotPresent
        lifecycle:
          # Thirty seconds after start, asks the local sentinel (port 26379) to
          # reset its state for the master group named "argocd".
          postStart:
            exec:
              command:
              - /bin/sh
              - -c
              - sleep 30; redis-cli -p 26379 sentinel reset argocd
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/sentinel_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        name: sentinel
        ports:
        - containerPort: 26379
          name: sentinel
        # Readiness reuses the liveness script but requires three consecutive
        # successes.
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/sentinel_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 3
          timeoutSeconds: 15
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        startupProbe:
          exec:
            command:
            - sh
            - -c
            - /health/sentinel_liveness.sh
          failureThreshold: 3
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 15
        volumeMounts:
        - mountPath: /data
          name: data
        - mountPath: /health
          name: health
      - args:
        - /readonly-config/fix-split-brain.sh
        command:
        - sh
        env:
        # Fixed per-replica sentinel IDs, identical to those given to
        # config-init below. They are stored in plain text here, so they should
        # be treated as identifiers rather than secrets (presumably they only
        # keep sentinel identity stable across restarts; verify).
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
        - name: SENTINEL_ID_1
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
        - name: AUTH
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        image: public.ecr.aws/docker/library/redis:8.2.3-alpine
        imagePullPolicy: IfNotPresent
        name: split-brain-fix
        # Explicitly empty: no requests or limits for this sidecar.
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
      initContainers:
      # Runs init.sh from the read-only config volume with the writable /data
      # volume mounted; the redis and sentinel containers then read their
      # configuration from /data/conf.
      - args:
        - /readonly-config/init.sh
        command:
        - sh
        env:
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
        - name: SENTINEL_ID_1
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
        - name: AUTH
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        image: public.ecr.aws/docker/library/redis:8.2.3-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
      # Pod-level identity: every container runs as UID 1000 and must be
      # non-root; mounted volumes get group 1000.
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: argocd-redis-ha
      terminationGracePeriodSeconds: 60
      volumes:
      - configMap:
          name: argocd-redis-ha-configmap
        name: config
      - configMap:
          # 493 decimal is 0755 octal: the health scripts are mounted
          # executable.
          defaultMode: 493
          name: argocd-redis-ha-health-configmap
        name: health
      # /data is an emptyDir: its contents do not survive the pod being removed
      # from its node.
      - emptyDir: {}
        name: data
  updateStrategy:
    type: RollingUpdate
|
|
---
|
|
# Ingress policy for the application controller pods.
# NetworkPolicy objects are enforced only when the cluster's network plugin
# implements them; on a plugin without support this object has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller-network-policy
spec:
  ingress:
  - from:
    # An empty namespaceSelector matches every namespace: any pod in the
    # cluster may reach port 8082.
    - namespaceSelector: {}
    ports:
    # No protocol given, so the API default (TCP) applies.
    - port: 8082
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  # Ingress only: this policy places no limit on the controller's egress.
  policyTypes:
  - Ingress
|
|
---
|
|
# Ingress policy for the applicationset controller pods.
# Effective only on clusters whose network plugin enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-applicationset-controller-network-policy
spec:
  ingress:
  - from:
    # Empty selector: pods in every namespace may connect to both ports below.
    # NOTE(review): confirm that what listens on 7000 and 8080 is meant to be
    # reachable cluster-wide; the manifest does not say what they serve.
    - namespaceSelector: {}
    ports:
    - port: 7000
      protocol: TCP
    - port: 8080
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  # Egress is not restricted by this policy.
  policyTypes:
  - Ingress
|
|
---
|
|
# Ingress policy for the Dex server pods.
# Effective only on clusters whose network plugin enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server-network-policy
spec:
  ingress:
  # Ports 5556 and 5557 accept traffic only from argocd-server pods. A
  # podSelector without a namespaceSelector matches pods in this policy's own
  # namespace only.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    ports:
    - port: 5556
      protocol: TCP
    - port: 5557
      protocol: TCP
  # Port 5558 is open to pods in every namespace (presumably the metrics
  # endpoint; verify against the Dex container's port list).
  - from:
    - namespaceSelector: {}
    ports:
    - port: 5558
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  # Egress is not restricted by this policy.
  policyTypes:
  - Ingress
|
|
---
|
|
# Ingress policy for the notifications controller pods.
# Effective only on clusters whose network plugin enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller-network-policy
spec:
  ingress:
  - from:
    # Empty selector: port 9001 is reachable from pods in every namespace.
    - namespaceSelector: {}
    ports:
    - port: 9001
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  # Ingress only. The controller's outbound traffic is not limited by this
  # policy.
  policyTypes:
  - Ingress
|
|
---
|
|
# Ingress policy for the HAProxy pods that front the Redis HA cluster.
# Effective only on clusters whose network plugin enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-proxy-network-policy
spec:
  ingress:
  # Redis (6379) and sentinel (26379) ports accept traffic only from the three
  # Argo CD components listed here, matched in this policy's own namespace.
  # Selection is by label: any pod in the namespace carrying one of these
  # app.kubernetes.io/name values is admitted, so the right to create or label
  # pods in this namespace is part of the trust boundary.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-repo-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
  # Port 9101 is open to pods in every namespace (presumably HAProxy metrics;
  # verify).
  - from:
    - namespaceSelector: {}
    ports:
    - port: 9101
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  # Egress is not restricted by this policy.
  policyTypes:
  - Ingress
|
|
---
|
|
# Ingress and egress policy for the Redis HA server pods; the only policy in
# this group that also restricts egress.
# Effective only on clusters whose network plugin enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-server-network-policy
spec:
  egress:
  # Redis and sentinel traffic may leave only towards other redis-ha pods in
  # this namespace.
  - ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
  # DNS rule without a `to` clause: port 53 over UDP and TCP is allowed to any
  # destination, not just the cluster DNS service.
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  ingress:
  # Only the HAProxy pods and peer redis-ha pods may connect; the Argo CD
  # components are not listed here and so cannot reach these pods directly.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha-haproxy
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
    ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  policyTypes:
  - Ingress
  - Egress
|
|
---
|
|
# Ingress policy for the repo-server pods.
# Effective only on clusters whose network plugin enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server-network-policy
spec:
  ingress:
  # Port 8081 accepts traffic only from these four Argo CD components, matched
  # by label within this policy's own namespace.
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-notifications-controller
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-applicationset-controller
    ports:
    - port: 8081
      protocol: TCP
  # Port 8084 is open to pods in every namespace (presumably metrics; verify).
  # No protocol given, so the API default (TCP) applies.
  - from:
    - namespaceSelector: {}
    ports:
    - port: 8084
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  # Ingress only: repo-server egress is not limited by this policy.
  policyTypes:
  - Ingress
|
|
---
|
|
# Ingress policy for the argocd-server (API / UI) pods.
# Effective only on clusters whose network plugin enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server-network-policy
spec:
  ingress:
  # A single empty rule has no `from` and no `ports`, so it matches all sources
  # on all ports: this policy does not narrow ingress to argocd-server at all.
  # Exposure of the server is therefore decided by the Service / Ingress in
  # front of it and by its own authentication, not by this object.
  - {}
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  # Egress is not restricted by this policy.
  policyTypes:
  - Ingress
|