This repo sets up OpenShift with Day 2 thingys via Argo CD. It also uses Dex for Authentication with OpenShift.
⚠️ This is based on OpenShift 4.7 deploying Argo CD v2.x using OpenShift GitOps v1.1.x. When in doubt consult the official docs.
First apply the Subscription manifest. Since this repo uses DEX, we'll need to enable that.
cat <<EOF | oc apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: openshift-gitops-operator
namespace: openshift-operators
spec:
channel: stable
installPlanApproval: Automatic
name: openshift-gitops-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
EOFWait for the pods to appear
echo -n "Still waiting" ; until [[ $(oc get pods -n openshift-gitops -o name | wc -l) -ne 0 ]]; do echo -n "."; sleep 3; done; echo ""Give the serviceAccount permission to admin the cluster.
oc adm policy add-cluster-role-to-user cluster-admin -z openshift-gitops-argocd-application-controller -n openshift-gitopsPatch the manifest in order to use Dex and set up the RBAC policy.
oc patch argocd openshift-gitops -n openshift-gitops --type=merge \
-p='{"spec":{"rbac":{"defaultPolicy":"","policy":"g, system:cluster-admins, role:admin\ng, admins, role:admin\ng, developer, role:developer\ng, marketing, role:marketing\n","scopes":"[groups]"},"resourceCustomizations":"bitnami.com/SealedSecret:\n health.lua: |\n hs = {}\n hs.status = \"Healthy\"\n hs.message = \"Controller doesnt report status\"\n return hs\nroute.openshift.io/Route:\n ignoreDifferences: |\n jsonPointers:\n - /spec/host\n","server":{"insecure":true,"route":{"enabled":true,"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"edge"}}}}}'Wait for the deployment rollout
oc rollout status deploy/openshift-gitops-server -n openshift-gitopsTo view the policies set up by the patch
oc get argocd openshift-gitops -n openshift-gitops -o yaml | grep -B 1 -A 6 -w 'defaultPolicy: ""'To get the route
oc get routes openshift-gitops-server -n openshift-gitops -o jsonpath='{.spec.host}{"\n"}'To get the admin password
oc get secret openshift-gitops-cluster -n openshift-gitops -ojsonpath='{.data.admin\.password}' | base64 -d ; echoTo configure your cluster to this repo run
oc apply -k https://github.com/christianh814/openshift-cluster-config/cluster-config/config/overlays/default
This will configure your server with the following.
Cluster Configurations:
- HTPassword Authentication
- Three users:
ocp-admin,ocp-developer, andocp-marketing
- Three users:
- Three Groups created
adminsocp-adminis part ofadmins
developerocp-developeris part ofdeveloper
marketingocp-marketingis part ofmarketing
- ClusterRole/Role Bindings setup
adminsgroup hascluster-adminon OpenShift- The
developergroup hasediton thepricelistnamespace on OpenShift
- Container Security Operator installed
- Pipelines Operator installed
- Sealed Secrets installed
Application Deployments:
- Deploy Pricelist in an ArgoCD project called
pricelist- One
applicationConsisting of...- Frontend Web Application
- Backend Database store
- Job that creates database tables and the such
- The manifests for this app lives in my gitops example repo
- One
ArgoCD Configurations
- ArgoCD is integrated with the OpenShift oAuth
- RBAC Policy
- The
adminsOpenShift group is set up as ArgoCD admins - The
developerOpenShift group is set up as ArgoCD users - ArgoCD admins can see and sync all ArgoCD Applications
- The
- The
cluster-configArgoCD project has all "cluster wide" configurations- Can only be seen/synced by ArgoCD admins
- The
pricelistArgoCD project has all appliaction components to run the Pricelist application- Can be seen/synced by ArgoCD admins or ArgoCD users
- Autosync is turned on
You don't, it's GitOps!
Jokes aside, the idea is to manage your cluster by pull request to the right repo. In a lot of instances, that means many PRs to many repos!