argocd for homepage #46
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mrsimonemms
force-pushed
the
sje/homepage-argo
branch
from
11fd678 to
a0df0c8
Compare
Execution result of "run-all plan" in "stacks/prod"time=2024-12-07T16:00:17Z level=info msg=The stack at /github/workspace/stacks/prod will be processed in the following order for command plan:
Group 1
- Module /github/workspace/stacks/prod/hetzner
Group 2
- Module /github/workspace/stacks/prod/kubernetes
time=2024-12-07T16:00:17Z level=info msg=Downloading Terraform configurations from file:///github/workspace/modules/hetzner into /github/workspace/stacks/prod/hetzner/.terragrunt-cache/7n5v_ZVOv4gLIvn-SLBHuU7F7OI/B-HSI5LUu0nLTnyopQYP4SLEkoU prefix=[/github/workspace/stacks/prod/hetzner]
Initializing the backend...
Successfully configured the backend "remote"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
Downloading git::https://github.com/mrsimonemms/terraform-module-k3s.git for k3s...
- k3s in .terraform/modules/k3s
Initializing provider plugins...
- Reusing previous version of hashicorp/local from the dependency lock file
- Reusing previous version of loafoe/ssh from the dependency lock file
- Reusing previous version of hetznercloud/hcloud from the dependency lock file
- Installing loafoe/ssh v2.7.0...
- Installed loafoe/ssh v2.7.0 (self-signed, key ID C0E4EB79E9E6A23D)
- Installing hetznercloud/hcloud v1.48.0...
- Installed hetznercloud/hcloud v1.48.0 (signed by a HashiCorp partner, key ID 5219EACB3A77198B)
- Installing hashicorp/local v2.5.1...
- Installed hashicorp/local v2.5.1 (signed by HashiCorp)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has been successfully initialized!
hcloud_network.network: Refreshing state... [id=10413081]
hcloud_ssh_key.server: Refreshing state... [id=25131178]
hcloud_placement_group.workers["pool1"]: Refreshing state... [id=429453]
hcloud_network_subnet.subnet: Refreshing state... [id=10413081-10.0.0.0/16]
hcloud_firewall.firewall: Refreshing state... [id=1770789]
hcloud_server.workers[1]: Refreshing state... [id=57022845]
hcloud_server.workers[0]: Refreshing state... [id=57022846]
hcloud_server.manager[0]: Refreshing state... [id=57022844]
ssh_resource.manager_ready[0]: Refreshing state... [id=266009643222535787]
ssh_resource.workers_ready[0]: Refreshing state... [id=4758645813048099301]
ssh_resource.workers_ready[1]: Refreshing state... [id=5173846884381462416]
module.k3s.ssh_resource.initial_manager: Refreshing state... [id=2040114188094779463]
module.k3s.ssh_sensitive_resource.join_token: Refreshing state... [id=8255481980412624120]
module.k3s.ssh_sensitive_resource.kubeconfig: Refreshing state... [id=8722689972288319664]
local_sensitive_file.kubeconfig: Refreshing state... [id=b9ce1133ffa6b8c5673f3bb67a66682c8254f13e]
module.k3s.ssh_resource.install_workers["prod-k3s-pool1-1"]: Refreshing state... [id=1896653667597762284]
module.k3s.ssh_resource.install_workers["prod-k3s-pool1-0"]: Refreshing state... [id=8983981291330125096]
module.k3s.ssh_resource.drain_workers["prod-k3s-pool1-0"]: Refreshing state... [id=4667545361436438762]
module.k3s.ssh_resource.drain_workers["prod-k3s-pool1-1"]: Refreshing state... [id=3379358854354887979]
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# local_sensitive_file.kubeconfig will be created
+ resource "local_sensitive_file" "kubeconfig" {
+ content = (sensitive value)
+ content_base64sha256 = (known after apply)
+ content_base64sha512 = (known after apply)
+ content_md5 = (known after apply)
+ content_sha1 = (known after apply)
+ content_sha256 = (known after apply)
+ content_sha512 = (known after apply)
+ directory_permission = "0755"
+ file_permission = "0600"
+ filename = "/github/workspace/.kubeconfig"
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
time=2024-12-07T16:00:23Z level=info msg=Downloading Terraform configurations from file:///github/workspace/modules/kubernetes into /github/workspace/stacks/prod/kubernetes/.terragrunt-cache/-HGVTuUtXSFDQCN7IIesL6CulRY/z4vfL_CY3720zQ-fo9fFtb8YbxA prefix=[/github/workspace/stacks/prod/kubernetes]
Initializing the backend...
Successfully configured the backend "remote"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Reusing previous version of hashicorp/helm from the dependency lock file
- Reusing previous version of infisical/infisical from the dependency lock file
- Reusing previous version of hashicorp/kubernetes from the dependency lock file
- Installing hashicorp/helm v2.14.1...
- Installed hashicorp/helm v2.14.1 (signed by HashiCorp)
- Installing infisical/infisical v0.12.4...
- Installed infisical/infisical v0.12.4 (self-signed, key ID 2513406FB39E8BB6)
- Installing hashicorp/kubernetes v2.31.0...
- Installed hashicorp/kubernetes v2.31.0 (signed by HashiCorp)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has been successfully initialized!
kubernetes_namespace_v1.external_secrets: Refreshing state... [id=external-secrets]
kubernetes_secret_v1.hcloud: Refreshing state... [id=kube-system/hcloud]
kubernetes_namespace_v1.metallb: Refreshing state... [id=metallb-system]
kubernetes_namespace_v1.argocd: Refreshing state... [id=argocd]
data.infisical_secrets.common_secrets: Reading...
data.infisical_secrets.common_secrets: Read complete after 0s
kubernetes_secret_v1.oidc_secret: Refreshing state... [id=argocd/oidc]
kubernetes_secret_v1.infisical: Refreshing state... [id=external-secrets/infisical]
helm_release.hcloud_csi: Refreshing state... [id=hcsi]
helm_release.hcloud_ccm: Refreshing state... [id=hccm]
data.kubernetes_nodes.cluster: Reading...
helm_release.argocd: Refreshing state... [id=argocd]
data.kubernetes_nodes.cluster: Read complete after 0s [id=01c219a4294384e7f91ad4a684e22f09819f168701e0cc8581e98f0513929737]
kubernetes_config_map_v1.metallb: Refreshing state... [id=metallb-system/nodes]
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# helm_release.argocd will be updated in-place
~ resource "helm_release" "argocd" {
id = "argocd"
~ metadata = [
- {
- app_version = "v2.13.1"
- chart = "argo-cd"
- first_deployed = 1733089447
- last_deployed = 1733508233
- name = "argocd"
- namespace = "argocd"
- notes = <<-EOT
In order to access the server UI you have the following options:
1. kubectl port-forward service/argocd-server -n argocd 8080:443
and then open the browser on http://localhost:8080 and accept the certificate
2. enable ingress in the values file `server.ingress.enabled` and either
- Add the annotation for ssl passthrough: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
- Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
After reaching the UI the first time you can login using Dex or OIDC.
Redis can be accessed via port 6379 and Sentinel can be accessed via port 26379 on the following DNS name from within your cluster:
argocd-redis-ha.argocd.svc.cluster.local
To connect to your Redis server:
1. To retrieve the redis password:
echo $(kubectl get secret argocd-redis-ha -o "jsonpath={.data['auth']}" | base64 --decode)
2. Connect to the Redis master pod that you can use as a client. By default the argocd-redis-ha-server-0 pod is configured as the master:
kubectl exec -it argocd-redis-ha-server-0 -n argocd -c redis -- sh
3. Connect using the Redis CLI (inside container):
redis-cli -a <REDIS-PASS-FROM-SECRET>
EOT
- revision = 3
- values = jsonencode(
{
- configs = {
- cm = {
- "admin.enabled" = false
- "oidc.config" = <<-EOT
"clientID": "$oidc:clientId"
"clientSecret": "$oidc:clientSecret"
"issuer": "https://oidc.simonemms.com"
"name": "OIDC"
EOT
- "oidc.tls.insecure.skip.verify" = false
- "statusbadge.enabled" = true
- url = "https://argocd.simonemms.com"
}
- params = {
- "server.insecure" = true
}
- rbac = {
- create = true
- "policy.csv" = <<-EOT
p, role:org-admin, applications, *, *, allow
p, role:org-admin, applicationsets, *, *, allow
p, role:org-admin, clusters, *, *, allow
p, role:org-admin, projects, *, *, allow
p, role:org-admin, repositories, *, *, allow
p, role:org-admin, accounts, *, *, allow
p, role:org-admin, certificates, *, *, allow
p, role:org-admin, gpgkeys, *, *, allow
p, role:org-admin, logs, *, *, allow
p, role:org-admin, exec, *, *, allow
p, role:org-admin, extensions, *, *, allow
g, mrsimonemmsorg:home-admin, role:org-admin
EOT
}
}
- controller = {
- emptyDir = {
- sizeLimit = "500Mi"
}
}
- dex = {
- enabled = false
}
- global = {
- addPrometheusAnnotations = true
- deploymentAnnotations = {
- "secret.reloader.stakater.com/reload" = "oidc"
}
- domain = "argocd.simonemms.com"
}
- redis-ha = {
- enabled = true
}
- repoServer = {
- autoscaling = {
- enabled = true
- minReplicas = 2
}
}
- server = {
- autoscaling = {
- enabled = true
- minReplicas = 2
}
- ingress = {
- annotations = {
- "cert-manager.io/cluster-issuer" = "letsencrypt"
- "gethomepage.dev/description" = "Get stuff done with Kubernetes!"
- "gethomepage.dev/enabled" = "true"
- "gethomepage.dev/group" = "Cluster"
- "gethomepage.dev/icon" = "argocd"
- "gethomepage.dev/name" = "ArgoCD"
- "kubernetes.io/tls-acme" = "true"
- "nginx.ingress.kubernetes.io/backend-protocol" = "HTTP"
- "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
}
- enabled = true
- extraTLS = [
- {
- hosts = [
- "argocd.simonemms.com",
]
- secretName = "argocd-tls"
},
]
- ingressClassName = "nginx"
- tls = true
}
}
}
)
- version = "7.7.6"
},
] -> (known after apply)
name = "argocd"
~ values = [
~ <<-EOT
global:
addPrometheusAnnotations: true
deploymentAnnotations:
secret.reloader.stakater.com/reload: oidc
domain: argocd.simonemms.com
controller:
emptyDir:
sizeLimit: 500Mi
redis-ha:
enabled: true
repoServer:
autoscaling:
enabled: true
minReplicas: 2
dex:
enabled: false
server:
autoscaling:
enabled: true
minReplicas: 2
ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTP
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt
gethomepage.dev/description: Get stuff done with Kubernetes!
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Cluster
gethomepage.dev/icon: argocd
gethomepage.dev/name: ArgoCD
+ gethomepage.dev/widget.type: argocd
+ gethomepage.dev/widget.url: http://argocd-server.argocd.svc.cluster.local
+ gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_ARGOCD_KEY}}"
tls: true
extraTLS:
- hosts:
- argocd.simonemms.com
secretName: argocd-tls
configs:
cm:
admin.enabled: false
oidc.config: |-
"clientID": "$oidc:clientId"
"clientSecret": "$oidc:clientSecret"
"issuer": "https://oidc.simonemms.com"
"name": "OIDC"
oidc.tls.insecure.skip.verify: false
statusbadge.enabled: true
url: https://argocd.simonemms.com
+ "accounts.homepage": "apiKey"
+
params:
server.insecure: true
rbac:
create: true
policy.csv: |
p, role:org-admin, applications, *, *, allow
p, role:org-admin, applicationsets, *, *, allow
p, role:org-admin, clusters, *, *, allow
p, role:org-admin, projects, *, *, allow
p, role:org-admin, repositories, *, *, allow
p, role:org-admin, accounts, *, *, allow
p, role:org-admin, certificates, *, *, allow
p, role:org-admin, gpgkeys, *, *, allow
p, role:org-admin, logs, *, *, allow
p, role:org-admin, exec, *, *, allow
p, role:org-admin, extensions, *, *, allow
g, mrsimonemmsorg:home-admin, role:org-admin
+ g, homepage, role:readonly
EOT,
]
# (26 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Related Issue(s)
Fixes #
How to test