Argo CD — GitOps 持续部署
GitOps 理念
Git 仓库(期望状态)
│ Argo CD 持续同步
▼
Kubernetes 集群(实际状态)

- Git 是唯一真实来源
- 所有变更通过 PR/MR 进行
- 自动检测漂移并同步
安装
bash
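# Pin the Argo CD release instead of following the mutable "stable" / "latest"
# references, so the manifests and the binary you install are the ones you reviewed.
ARGOCD_VERSION="<ARGOCD_VERSION>"  # placeholder: set to a specific release tag

kubectl create namespace argocd
kubectl apply -n argocd -f "https://raw.githubusercontent.com/argoproj/argo-cd/${ARGOCD_VERSION}/manifests/install.yaml"
# Read the initial admin password. Change it after the first login and then
# delete the argocd-initial-admin-secret Secret so it does not linger in the cluster.
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
# Reach the UI/API through a local port-forward (not exposed outside this machine)
kubectl port-forward svc/argocd-server -n argocd 8080:443
# Install the argocd CLI from the same pinned release. -f makes curl fail on an
# HTTP error instead of saving the error page as the binary. Compare the download
# against the checksum published with that release before installing it.
curl -fsSL -o argocd "https://github.com/argoproj/argo-cd/releases/download/${ARGOCD_VERSION}/argocd-linux-amd64"
chmod +x argocd && mv argocd /usr/local/bin/
# Log in. Passing --password on the command line leaves the password in shell
# history and the process list; omit the flag and the CLI prompts for it instead.
# --insecure skips TLS certificate verification and is only appropriate for the
# local port-forward used here, never for a remotely reachable server.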
argocd login localhost:8080 --username admin --password <password> --insecure

Application 配置
yaml
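# Argo CD Application: keeps the "production" namespace of the local cluster in
# sync with apps/my-app/overlays/production from the Git repository below.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
  finalizers:
    # Cascade-delete the deployed resources when this Application is deleted.
    - resources-finalizer.argocd.argoproj.io
spec:
  # NOTE(review): the built-in "default" project places no restriction on source
  # repositories, destinations or resource kinds. For anything shared between
  # teams, reference a dedicated AppProject that allow-lists them.
  project: default
  source:
    repoURL: https://github.com/mycompany/k8s-configs
    # A branch is a moving reference: combined with automated sync below, every
    # commit that lands on it is deployed. Protect the branch (required reviews,
    # restricted push) or track a tag / commit SHA for production.
    targetRevision: main
    path: apps/my-app/overlays/production
    # Helm alternative
    # chart: my-app
    # helm:
    #   valueFiles:
    #     - values-production.yaml
    #   parameters:
    #     - name: image.tag
    #       value: v2.0.0
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true  # delete cluster resources that no longer exist in Git
      selfHeal: true  # revert drift introduced outside Git
      allowEmpty: false  # refuse a sync that would leave the app with no resources
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
      - ApplyOutOfSyncOnly=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2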
        maxDuration: 3m

AppProject(多租户隔离)
yaml
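# AppProject: the tenancy boundary for the backend team. It only constrains
# Applications whose spec.project is set to "team-backend"; Applications left in
# the "default" project are not covered by these allow-lists.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-backend
  namespace: argocd
spec:
  description: 后端团队项目
  # Repositories that Applications in this project may deploy from.
  sourceRepos:
    - https://github.com/mycompany/backend-configs
  # Clusters and namespaces that Applications in this project may deploy to.
  destinations:
    - namespace: production
      server: https://kubernetes.default.svc
    - namespace: staging
      server: https://kubernetes.default.svc
  # Cluster-scoped kinds the project may manage. Allowing Namespace lets its
  # Applications create and modify Namespace objects; keep this list minimal.
  clusterResourceWhitelist:
    - group: ""
      kind: Namespace
  # Namespaced kinds the project may manage; anything not listed is rejected.
  namespaceResourceWhitelist:
    - group: apps
      kind: Deployment
    - group: ""
      kind: Service
  # Project-scoped RBAC: the developer role may view and sync this project's
  # Applications, and nothing else.
  roles:
    - name: developer
      policies:
        - p, proj:team-backend:developer, applications, get, team-backend/*, allow
        - p, proj:team-backend:developer, applications, sync, team-backend/*, allow
      groups: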
        - backend-team

ApplicationSet(批量管理)
yaml
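# ApplicationSet: generates one Application per environment from the list below.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: my-app-environments
  namespace: argocd
spec:
  generators:
    - list:
        elements:
          - env: dev
            namespace: development
            revision: develop
          - env: staging
            namespace: staging
            revision: main
          - env: production
            namespace: production
            revision: main
  template:
    metadata:
      # Templated values are quoted so the YAML parser always sees a string.
      name: "my-app-{{env}}"
    spec:
      # NOTE(review): every generated Application lands in the unrestricted
      # "default" project; use a dedicated AppProject to confine where each
      # environment may deploy.
      project: default
      source:
        repoURL: https://github.com/mycompany/k8s-configs
        targetRevision: "{{revision}}"
        path: "apps/my-app/overlays/{{env}}"
      destination:
        server: https://kubernetes.default.svc
        namespace: "{{namespace}}"
      # The same automated policy applies to all three environments, production
      # included: a commit on the tracked branch is deployed without a manual gate.
      syncPolicy:
        automated:
          prune: true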
          selfHeal: true

常用命令
bash
# List all Applications
argocd app list
# Show the status of one Application
argocd app get my-app
# Trigger a sync manually
argocd app sync my-app
# Roll back to the previous version.
# NOTE(review): Argo CD refuses a rollback while automated sync is enabled on
# the Application; disable it first (last command below). The rollback also is
# not recorded in Git, so revert the offending commit as well or the next sync
# redeploys it.
argocd app rollback my-app
# Show the sync history
argocd app history my-app
# Force sync: applies with force semantics, which can delete and re-create
# resources that cannot be updated in place. A normal sync already overwrites
# manual changes, so reserve --force for resources that fail to apply.
argocd app sync my-app --force
# Turn off automated sync (manual syncs still work)
argocd app set my-app --sync-policy none