argocd to argocd

argocd/.gitignore

@@ -1,4 +0,0 @@
-argocd.yml
-repo-credentials.yml
-id_*
-ssh_known_hosts

argocd/README.md

@@ -36,23 +36,17 @@ done
 find applications -name "*.yaml" -exec kubectl apply -n argocd -f {} \;
 ```
 
-### Repository secrets
-1. Generate keys locally with `ssh-keygen -f argo`
-2. Add `argo.pub` in `git.k-space.ee/<your>/<repo>` → Settings → Deploy keys
-3. Add `argo` (private key) at https://argocd.k-space.ee/settings/repos along with referenced repo.
 
-## Argo Deployment
-To deploy ArgoCD itself:
+## Cold start
+Normally ArgoCD deploys itself. Deploy ArgoCD out-of-bounds:
 
 ```bash
-helm repo add argo-cd https://argoproj.github.io/argo-helm
-kubectl create secret -n argocd generic argocd-secret # Empty secret for sessions
-kubectl label -n argocd secret oidc-client-argocd-owner-secrets app.kubernetes.io/part-of=argocd
-
-helm template -n argocd --release-name k6 argo-cd/argo-cd --include-crds -f values.yaml > argocd.yml
-kubectl apply -f argocd.yml -f application-extras.yml -f redis.yaml -f monitoring.yml -n argocd
-
-kubectl -n argocd rollout restart deployment/k6-argocd-redis deployment/k6-argocd-repo-server deployment/k6-argocd-server deployment/k6-argocd-notifications-controller statefulset/k6-argocd-application-controller
+kustomize build . --enable-helm | kubectl apply -f -
 ```
 
-WARN: ArgoCD doesn't host its own redis, Dragonfly must be able to independently cold-start.
+ArgoCD dependencies:
+- dragonfly (database)
+- passmower (auth)
+- traefik
+- #TODO: network...
+- gitea

argocd/applications/argocd-applications.yaml

@@ -1,5 +1,20 @@
 ---
 apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  namespace: argocd
+  name: k-space.ee
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - namespace: '*'
+      server: '*'
+  sourceRepos:
+    - '*'
+---
+apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: argocd-applications

argocd/applications/argocd.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: argocd
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true

argocd/deploy_key.pub

@@ -1,2 +0,0 @@
-# used for git.k-space: k-space/kube, secretspace/kube, secretspace/members
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxYpFf85Vnxw7WNb/V5dtZT0PJ4VbBhdBNscDd8TVv/ argocd.k-space.ee

argocd/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: argocd
+
+helmCharts:
+- includeCRDs: true
+  name: &name argo-cd
+  releaseName: *name
+  repo: https://argoproj.github.io/argo-helm/
+  valuesFile: values.yaml
+  version: 9.2.4
+
+resources:
+  - ./redis.yaml
+  - ./oidc-auth.yaml
+  - ./monitoring.yaml
+  - ./applications/argocd-applications.yaml
+  - ssh://git@git.k-space.ee/secretspace/kube/argocd # deploy key, used at k-space/kube, secretspace/kube, secretspace/members

argocd/oidc-auth.yaml

@@ -21,18 +21,7 @@ spec:
     - openid
     - profile
   pkce: false
----
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  namespace: argocd
-  name: k-space.ee
-spec:
-  clusterResourceWhitelist:
-    - group: '*'
-      kind: '*'
-  destinations:
-    - namespace: '*'
-      server: '*'
-  sourceRepos:
-    - '*'
+  secretMetadata:
+    labels:
+      # Required, else ArgoCD will "Config referenced but key does not exist in secret"
+      app.kubernetes.io/part-of: argocd

argocd/values.yaml

@@ -99,8 +99,6 @@ configs:
          - profile
          - email
          - groups
-  secret:
-    createSecret: false
   ssh:
     knownHosts: |
         # Copy-pasted from `ssh-keyscan git.k-space.ee`