Merge pull request #1258 from rackerlabs/argocd-update

feat(argocd): switch to deploying ArgoCD directly via helm chart

Author: cardoe

apps/appsets/argocd/appset-argocd.yaml

@@ -28,35 +28,22 @@ spec:
     spec:
       project: default
       sources:
+        - repoURL: https://argoproj.github.io/argo-helm
+          chart: argo-cd
+          targetRevision: 8.3.9
+          helm:
+            releaseName: argo-cd
+            valueFiles:
+              - $understack/components/argocd/values.yaml
+              - $deploy/{{.name}}/helm-configs/argocd.yaml
+            ignoreMissingValueFiles: true
         - repoURL: '{{index .metadata.annotations "uc_repo_git_url"}}'
           targetRevision: '{{index .metadata.annotations "uc_repo_ref"}}'
-          path: bootstrap/argocd/
-          kustomize:
-            components:
-              - components/sso
-            patches:
-              - target:
-                  kind: ConfigMap
-                  name: argocd-cm
-                patch: |-
-                  - op: replace
-                    path: /data/url
-                    value: https://argocd.{{index .metadata.annotations "dns_zone"}}
-              - target:
-                  kind: Ingress
-                patch: |-
-                  - op: replace
-                    path: /spec/rules/0/host
-                    value: argocd.{{index .metadata.annotations "dns_zone"}}
-                  - op: replace
-                    path: /spec/tls/0/hosts/0
-                    value: argocd.{{index .metadata.annotations "dns_zone"}}
-                  - op: replace
-                    path: '/metadata/annotations/cert-manager.io~1cluster-issuer'
-                    value: understack-cluster-issuer
+          ref: understack
         - repoURL: '{{index .metadata.annotations "uc_deploy_git_url"}}'
           targetRevision: '{{index .metadata.annotations "uc_deploy_ref"}}'
           path: '{{.name}}/manifests/argocd'
+          ref: deploy
       ignoreDifferences:
         - kind: Secret
           namespace: argocd

bootstrap/argocd.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -ex
+
+thisdir=$(dirname "$0")
+
+argocd_repo=$(cat "${thisdir}/../apps/appsets/argocd/appset-argocd.yaml" | yq -r '.spec.template.spec.sources[0].repoURL')
+argocd_rev=$(cat "${thisdir}/../apps/appsets/argocd/appset-argocd.yaml" | yq -r '.spec.template.spec.sources[0].targetRevision')
+
+helm repo add argo "${argocd_repo}"
+helm repo update argo
+
+helm template argo-cd argo-cd \
+  --version "${argocd_rev}" \
+  --create-namespace \
+  -f "${thisdir}/../components/argocd/values.yaml" \
+  | kubectl -n argocd apply -f -

bootstrap/argocd/components/sso/external-secret-argocd-sso.yaml

@@ -4,4 +4,3 @@ kind: Kustomization
 
 resources:
 - sealed-secrets/
-- argocd/

bootstrap/argocd/components/sso/kustomization.yaml

@@ -112,14 +112,19 @@ your shell.
 
 ### Populating the infrastructure
 
-TODO: some examples and documentation on how to build out a cluster
+For details on how to configure ArgoCD, see the
+[Management Cluster](./management-cluster.md) page.
 
 ### Bootstrapping ArgoCD and Sealed-Secrets
 
 If you do not have ArgoCD deployed then you can use the following:
 
 ```bash
-kubectl kustomize --enable-helm https://github.com/rackerlabs/understack/bootstrap/ | kubectl apply -f -
+kubectl kustomize --enable-helm \
+  https://github.com/rackerlabs/understack/bootstrap/sealed-secrets/ \
+  | kubectl apply -f -
+cd path_to_understack_repo
+./bootstrap/argocd.sh
 ```
 
 ### Generating secrets

bootstrap/argocd/kustomization.yaml

@@ -13,11 +13,53 @@ approach that UnderStack uses to deploy it's services with ArgoCD is the
 If you already have [ArgoCD][argocd] deployed and available to be used then you
 can skip this section.
 
+### Configuring ArgoCD
+
+To configure ArgoCD you'll need to create a `$DEPLOY_NAME/helm-configs/argocd.yaml`
+in your deploy repo. In there you can configure the DNS name that will be used
+for the Ingress as well as the authentication. An example of which can be:
+
+```yaml title="$DEPLOY_NAME/helm-configs/argocd.yaml"
+global:
+  domain: argocd.your.dns.zone
+
+configs:
+  cm:
+    oidc.config: |-
+      name: SSO
+      issuer: $argocd-sso:issuer
+      clientID: $argocd-sso:client-id
+      clientSecret: $argocd-sso:client-secret
+      requiredIDTokenClaims: {"groups": {"essential": true}}
+      cliClientID: argocdcli
+```
+
+This assumes that you have a `Secret` in the `argocd` namespace called `argocd-sso`
+which has the following keys:
+
+- `issuer`
+- `client-id`
+- `client-secret`
+
+Which will be used for OIDC authentication. See [Configuring Dex](./config-dex.md)
+for information on how to use the [Dex](https://dexidp.io) that is included
+for authentication.
+
+You can also include the following:
+
+```yaml ttile="$DEPLOY_NAME/helm-configs/argocd.yaml"
+extraObjects:
+  - # k8s object like a secret definition
+```
+
+Or any other valid values for the Argo CD Helm Chart.
+
 The following command will do an initial deployment of ArgoCD that can
 then be customized further.
 
 ```bash title="installing ArgoCD"
-kubectl kustomize --enable-helm https://github.com/rackerlabs/understack/bootstrap/argocd/ | kubectl apply -f -
+cd path_to_understack_repo
+./bootstrap/argocd.sh
 ```
 
 ## Configuring your Global and/or Site Cluster in ArgoCD