ArgoCD 是目前 Kubernetes 生态中最流行的 GitOps 持续交付(CD)工具。它的核心理念是将 Git 仓库视为集群状态的“唯一真理来源”。
ArgoCD 的核心工作原理 :
声明式管理 :你不在集群里手动运行 kubectl ,而是将所有的资源清单(YAML、Helm、Kustomize)存放在 Git 中管理。同步与漂移检测 :ArgoCD 会持续监控 Git 仓库和 EKS 集群。如果两者状态不一致(即发生“漂移”),它会报警或自动将集群恢复到 Git 定义的状态。
在 Kubernetes 集群中安装 ArgoCD # kubectl create namespace argocd namespace/argocd created # kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml --server-side customresourcedefinition.apiextensions.k8s.io/applications.argoproj.io serverside-applied customresourcedefinition.apiextensions.k8s.io/applicationsets.argoproj.io serverside-applied customresourcedefinition.apiextensions.k8s.io/appprojects.argoproj.io serverside-applied serviceaccount/argocd-application-controller serverside-applied serviceaccount/argocd-applicationset-controller serverside-applied serviceaccount/argocd-dex-server serverside-applied serviceaccount/argocd-notifications-controller serverside-applied serviceaccount/argocd-redis serverside-applied serviceaccount/argocd-repo-server serverside-applied serviceaccount/argocd-server serverside-applied role.rbac.authorization.k8s.io/argocd-application-controller serverside-applied role.rbac.authorization.k8s.io/argocd-applicationset-controller serverside-applied role.rbac.authorization.k8s.io/argocd-dex-server serverside-applied role.rbac.authorization.k8s.io/argocd-notifications-controller serverside-applied role.rbac.authorization.k8s.io/argocd-redis serverside-applied role.rbac.authorization.k8s.io/argocd-server serverside-applied clusterrole.rbac.authorization.k8s.io/argocd-application-controller serverside-applied clusterrole.rbac.authorization.k8s.io/argocd-applicationset-controller serverside-applied clusterrole.rbac.authorization.k8s.io/argocd-server serverside-applied rolebinding.rbac.authorization.k8s.io/argocd-application-controller serverside-applied rolebinding.rbac.authorization.k8s.io/argocd-applicationset-controller serverside-applied rolebinding.rbac.authorization.k8s.io/argocd-dex-server serverside-applied rolebinding.rbac.authorization.k8s.io/argocd-notifications-controller serverside-applied rolebinding.rbac.authorization.k8s.io/argocd-redis serverside-applied rolebinding.rbac.authorization.k8s.io/argocd-server serverside-applied clusterrolebinding.rbac.authorization.k8s.io/argocd-application-controller serverside-applied clusterrolebinding.rbac.authorization.k8s.io/argocd-applicationset-controller serverside-applied clusterrolebinding.rbac.authorization.k8s.io/argocd-server serverside-applied configmap/argocd-cm serverside-applied configmap/argocd-cmd-params-cm serverside-applied configmap/argocd-gpg-keys-cm serverside-applied configmap/argocd-notifications-cm serverside-applied configmap/argocd-rbac-cm serverside-applied configmap/argocd-ssh-known-hosts-cm serverside-applied configmap/argocd-tls-certs-cm serverside-applied secret/argocd-notifications-secret serverside-applied secret/argocd-secret serverside-applied service/argocd-applicationset-controller serverside-applied service/argocd-dex-server serverside-applied service/argocd-metrics serverside-applied service/argocd-notifications-controller-metrics serverside-applied service/argocd-redis serverside-applied service/argocd-repo-server serverside-applied service/argocd-server serverside-applied service/argocd-server-metrics serverside-applied deployment.apps/argocd-applicationset-controller serverside-applied deployment.apps/argocd-dex-server serverside-applied deployment.apps/argocd-notifications-controller serverside-applied deployment.apps/argocd-redis serverside-applied deployment.apps/argocd-repo-server serverside-applied deployment.apps/argocd-server serverside-applied statefulset.apps/argocd-application-controller serverside-applied networkpolicy.networking.k8s.io/argocd-application-controller-network-policy serverside-applied networkpolicy.networking.k8s.io/argocd-applicationset-controller-network-policy serverside-applied networkpolicy.networking.k8s.io/argocd-dex-server-network-policy serverside-applied networkpolicy.networking.k8s.io/argocd-notifications-controller-network-policy serverside-applied networkpolicy.networking.k8s.io/argocd-redis-network-policy serverside-applied networkpolicy.networking.k8s.io/argocd-repo-server-network-policy serverside-applied networkpolicy.networking.k8s.io/argocd-server-network-policy serverside-applied
--server-side 选项用于解决可能的报错: The CustomResourceDefinition "applicationsets.argoproj.io" is invalid: metadata.annotations: Too long: may not be more than 262144 bytes
等待 ArgoCD 相关 Pod 运行正常
# kubectl get pods -n argocd NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 6m11s argocd-applicationset-controller-77475dfcf-qzvsf 1/1 Running 1 (3m47s ago) 6m15s argocd-dex-server-6485c5ddf5-4ms4f 1/1 Running 0 6m14s argocd-notifications-controller-758f795776-4n5rb 1/1 Running 0 6m14s argocd-redis-6cc4bb5db5-svpwm 1/1 Running 0 6m13s argocd-repo-server-c76cf57cd-pv8sb 1/1 Running 0 6m12s argocd-server-6f85b59c87-zhmqh 1/1 Running 0 6m12s
创建 Ingress 对外开放 ArgoCD UI,本示例中 IngressClass 为 AWS alb
argocd_ingress.yml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: argocd namespace: argocd annotations: alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/target-type: ip spec: ingressClassName: alb rules: - host: argocd.example.com http: paths: - path: / pathType: Prefix backend: service: name: argocd-server port: number: 80
创建并检查 Ingress
# kubectl apply -f argocd_ingress.yml ingress.networking.k8s.io/argocd configured # kubectl get ingresses -A NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE argocd argocd alb argocd.example.com k8s-argocd-argocd-8e8cb.ap-east-1.elb.amazonaws.com 80 8m22s
ArgoCD Pod 强制开启了 TLS (HTTPS),而 ALB 却在使用 HTTP 进行健康检查。会因为健康检查失败无法访问
在集群中的 Pod 中尝试请求 argocd-server Pod 的地址,可以看到默认返回了重定向到 HTTPS 的响应,ALB 会因为证书问题对 Pod 健康检查失败
# curl -Iv 172.31.68.215:8080 > HEAD / HTTP/1.1 > Host: 172.31.68.215:8080 > User-Agent: curl/8.18.0 > Accept: */* > HTTP/1.1 307 Temporary Redirect Location: https://172.31.68.215:8080/
可以配置 ArgoCD 接受 HTTP 协议请求。 修改 ArgoCD Server 启动参数 ,执行命令 kubectl edit deployment argocd-server -n argocd 编辑 argocd-server 的 Deployment,在启动命令( command )中添加 --insecure 参数。
containers: - args: - /usr/local/bin/argocd-server - --insecure
修改后等待 Pod 自动重启
$ kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE argocd argocd-server-6ff754765c-pt5z6 0/1 Running 0 18s
再次观察 ALB 的 Target 健康检查状态
ArgeCD 可以正常访问后,执行以下命令获取初始 admin 账户的密码
kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d
