- Deploy a master instance of argocd if you do not already have one. This is deployed into the
master-argocdproject.
helm upgrade --install bootstrap -f bootstrap-master/values-bootstrap.yaml bootstrap --create-namespace --namespace labs-bootstrap
- Login to your ArgoCD master and run to create a new project to manage deployments in the Lab's namespace along with the repositories to be allowed pull from:
argocd login $(oc get route argocd-server --template='{{ .spec.host }}' -n master-argocd):443 --sso --insecure
argocd proj create bootstrap-journey \
-d https://kubernetes.default.svc,master-argocd \
-d https://kubernetes.default.svc,labs-ci-cd \
-d https://kubernetes.default.svc,labs-dev \
-d https://kubernetes.default.svc,labs-test \
-d https://kubernetes.default.svc,labs-staging \
-d https://kubernetes.default.svc,labs-pm \
-d https://kubernetes.default.svc,labs-cluster-ops \
-s https://github.com/rht-labs/ubiquitous-journey.git \
-s https://github.com/rht-labs/refactored-adventure.git \
-s https://github.com/redhat-cop/helm-charts.git- You will require elevated permissions in the master argocd project:
argocd proj allow-cluster-resource bootstrap-journey "*" "*"- Create your ArgoCD App for
bootrstrapin yourmaster-argocdnamespace and sync it!
argocd app create bootstrap-journey \
--project bootstrap-journey \
--dest-namespace master-argocd \
--dest-server https://kubernetes.default.svc \
--repo https://github.com/rht-labs/ubiquitous-journey.git \
--sync-policy automated \
--path "bootstrap" \
--values "values-bootstrap.yaml"- Your new ArgoCD instance should spin up. You can now connect your
ubiquitous-journeyorexample-deploymentto it by following the instructions above.
There are two main roles in argocd, the argocd-server role is used in the ArgoCD UI, and the argocd-application-controller role is used by the server pods:
- oc edit clusterrole argocd-server
- oc edit clusterrole argocd-application-controller
By default we give argocd cluster-admin privileges. We usually want this for the master-argocd but not for any children argo's such as argocd in the labs-ci-cd namespace.
The chart supports restricting the argocd-application-controller cluster role binding to the default ClusterRole installed by the operator which is:
kind: ClusterRole
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- nonResourceURLs:
- '*'
verbs:
- get
- listWe can set the namespaceRoleBinding.enabled flag in Step 4 above, by doing:
# 4. Create your ArgoCD App for `bootrstrap` in your `master-argocd` namespace and sync it!
argocd app create bootstrap-journey \
--project bootstrap-journey \
--dest-namespace master-argocd \
--dest-server https://kubernetes.default.svc \
--repo https://github.com/rht-labs/ubiquitous-journey.git \
--sync-policy automated \
--path "bootstrap" \
--helm-set argocd-operator.namespaceRoleBinding.enabled=true \
--values "values-bootstrap.yaml"We can test that we can't do cluster-admin type things (like install cluster operators), for example this will fail:
oc project labs-ci-cd
argocd login $(oc get route argocd-server --template='{{ .spec.host }}' -n labs-ci-cd):443 --sso --insecure
argocd app create tekton \
--repo https://github.com/rht-labs/refactored-adventure.git \
--path tekton/base \
--dest-server https://kubernetes.default.svc \
--dest-namespace openshift-operators \
--revision master \
--sync-policy automatedWith an error:
subscriptions.operators.coreos.com is forbidden: User "system:serviceaccount:labs-ci-cd:argocd-argocd-application-controller" cannot create resource "subscriptions" in API group "operators.coreos.com" in the namespace "openshift-operators"You can install the tekton app in the master-argocd instance though.
If you restrict the children, you will also want to control which adult users and groups have admin/edit RBAC onto the master-argocd and labs-bootstrap projects accordingly!