github.com/argoproj/argo-cd/v3@v3.2.1/manifests/ha/namespace-install-with-hydrator.yaml (about) 1 # This is an auto-generated file. DO NOT EDIT 2 apiVersion: v1 3 kind: ServiceAccount 4 metadata: 5 labels: 6 app.kubernetes.io/component: application-controller 7 app.kubernetes.io/name: argocd-application-controller 8 app.kubernetes.io/part-of: argocd 9 name: argocd-application-controller 10 --- 11 apiVersion: v1 12 kind: ServiceAccount 13 metadata: 14 labels: 15 app.kubernetes.io/component: applicationset-controller 16 app.kubernetes.io/name: argocd-applicationset-controller 17 app.kubernetes.io/part-of: argocd 18 name: argocd-applicationset-controller 19 --- 20 apiVersion: v1 21 kind: ServiceAccount 22 metadata: 23 labels: 24 app.kubernetes.io/component: commit-server 25 app.kubernetes.io/name: argocd-commit-server 26 app.kubernetes.io/part-of: argocd 27 name: argocd-commit-server 28 --- 29 apiVersion: v1 30 kind: ServiceAccount 31 metadata: 32 labels: 33 app.kubernetes.io/component: dex-server 34 app.kubernetes.io/name: argocd-dex-server 35 app.kubernetes.io/part-of: argocd 36 name: argocd-dex-server 37 --- 38 apiVersion: v1 39 kind: ServiceAccount 40 metadata: 41 labels: 42 app.kubernetes.io/component: notifications-controller 43 app.kubernetes.io/name: argocd-notifications-controller 44 app.kubernetes.io/part-of: argocd 45 name: argocd-notifications-controller 46 --- 47 apiVersion: v1 48 kind: ServiceAccount 49 metadata: 50 labels: 51 app.kubernetes.io/component: redis 52 app.kubernetes.io/name: argocd-redis-ha 53 app.kubernetes.io/part-of: argocd 54 name: argocd-redis-ha 55 secrets: 56 - name: argocd-redis 57 --- 58 apiVersion: v1 59 kind: ServiceAccount 60 metadata: 61 labels: 62 app.kubernetes.io/component: redis 63 app.kubernetes.io/name: argocd-redis-ha-haproxy 64 app.kubernetes.io/part-of: argocd 65 name: argocd-redis-ha-haproxy 66 --- 67 apiVersion: v1 68 kind: ServiceAccount 69 metadata: 70 labels: 71 app.kubernetes.io/component: repo-server 72 
app.kubernetes.io/name: argocd-repo-server 73 app.kubernetes.io/part-of: argocd 74 name: argocd-repo-server 75 --- 76 apiVersion: v1 77 kind: ServiceAccount 78 metadata: 79 labels: 80 app.kubernetes.io/component: server 81 app.kubernetes.io/name: argocd-server 82 app.kubernetes.io/part-of: argocd 83 name: argocd-server 84 --- 85 apiVersion: rbac.authorization.k8s.io/v1 86 kind: Role 87 metadata: 88 labels: 89 app.kubernetes.io/component: application-controller 90 app.kubernetes.io/name: argocd-application-controller 91 app.kubernetes.io/part-of: argocd 92 name: argocd-application-controller 93 rules: 94 - apiGroups: 95 - "" 96 resources: 97 - secrets 98 - configmaps 99 verbs: 100 - get 101 - list 102 - watch 103 - apiGroups: 104 - argoproj.io 105 resources: 106 - applications 107 - applicationsets 108 - appprojects 109 verbs: 110 - create 111 - get 112 - list 113 - watch 114 - update 115 - patch 116 - delete 117 - apiGroups: 118 - "" 119 resources: 120 - events 121 verbs: 122 - create 123 - list 124 - apiGroups: 125 - apps 126 resources: 127 - deployments 128 verbs: 129 - get 130 - list 131 - watch 132 --- 133 apiVersion: rbac.authorization.k8s.io/v1 134 kind: Role 135 metadata: 136 labels: 137 app.kubernetes.io/component: applicationset-controller 138 app.kubernetes.io/name: argocd-applicationset-controller 139 app.kubernetes.io/part-of: argocd 140 name: argocd-applicationset-controller 141 rules: 142 - apiGroups: 143 - argoproj.io 144 resources: 145 - applications 146 - applicationsets 147 - applicationsets/finalizers 148 verbs: 149 - create 150 - delete 151 - get 152 - list 153 - patch 154 - update 155 - watch 156 - apiGroups: 157 - argoproj.io 158 resources: 159 - appprojects 160 verbs: 161 - get 162 - list 163 - watch 164 - apiGroups: 165 - argoproj.io 166 resources: 167 - applicationsets/status 168 verbs: 169 - get 170 - patch 171 - update 172 - apiGroups: 173 - "" 174 resources: 175 - events 176 verbs: 177 - create 178 - get 179 - list 180 - patch 181 - 
watch 182 - apiGroups: 183 - "" 184 resources: 185 - secrets 186 - configmaps 187 verbs: 188 - get 189 - list 190 - watch 191 - apiGroups: 192 - coordination.k8s.io 193 resources: 194 - leases 195 verbs: 196 - create 197 - apiGroups: 198 - coordination.k8s.io 199 resourceNames: 200 - 58ac56fa.applicationsets.argoproj.io 201 resources: 202 - leases 203 verbs: 204 - get 205 - update 206 - create 207 --- 208 apiVersion: rbac.authorization.k8s.io/v1 209 kind: Role 210 metadata: 211 labels: 212 app.kubernetes.io/component: dex-server 213 app.kubernetes.io/name: argocd-dex-server 214 app.kubernetes.io/part-of: argocd 215 name: argocd-dex-server 216 rules: 217 - apiGroups: 218 - "" 219 resources: 220 - secrets 221 - configmaps 222 verbs: 223 - get 224 - list 225 - watch 226 --- 227 apiVersion: rbac.authorization.k8s.io/v1 228 kind: Role 229 metadata: 230 labels: 231 app.kubernetes.io/component: notifications-controller 232 app.kubernetes.io/name: argocd-notifications-controller 233 app.kubernetes.io/part-of: argocd 234 name: argocd-notifications-controller 235 rules: 236 - apiGroups: 237 - argoproj.io 238 resources: 239 - applications 240 - appprojects 241 verbs: 242 - get 243 - list 244 - watch 245 - update 246 - patch 247 - apiGroups: 248 - "" 249 resources: 250 - configmaps 251 - secrets 252 verbs: 253 - list 254 - watch 255 - apiGroups: 256 - "" 257 resourceNames: 258 - argocd-notifications-cm 259 resources: 260 - configmaps 261 verbs: 262 - get 263 - apiGroups: 264 - "" 265 resourceNames: 266 - argocd-notifications-secret 267 resources: 268 - secrets 269 verbs: 270 - get 271 --- 272 apiVersion: rbac.authorization.k8s.io/v1 273 kind: Role 274 metadata: 275 labels: 276 app.kubernetes.io/component: redis 277 app.kubernetes.io/name: argocd-redis-ha 278 app.kubernetes.io/part-of: argocd 279 name: argocd-redis-ha 280 rules: 281 - apiGroups: 282 - "" 283 resources: 284 - endpoints 285 verbs: 286 - get 287 --- 288 apiVersion: rbac.authorization.k8s.io/v1 289 kind: Role 290 
metadata: 291 labels: 292 app.kubernetes.io/component: redis 293 app.kubernetes.io/name: argocd-redis-ha 294 app.kubernetes.io/part-of: argocd 295 name: argocd-redis-ha-haproxy 296 rules: 297 - apiGroups: 298 - "" 299 resources: 300 - secrets 301 verbs: 302 - create 303 - apiGroups: 304 - "" 305 resourceNames: 306 - argocd-redis 307 resources: 308 - secrets 309 verbs: 310 - get 311 - apiGroups: 312 - "" 313 resources: 314 - endpoints 315 verbs: 316 - get 317 --- 318 apiVersion: rbac.authorization.k8s.io/v1 319 kind: Role 320 metadata: 321 labels: 322 app.kubernetes.io/component: server 323 app.kubernetes.io/name: argocd-server 324 app.kubernetes.io/part-of: argocd 325 name: argocd-server 326 rules: 327 - apiGroups: 328 - "" 329 resources: 330 - secrets 331 - configmaps 332 verbs: 333 - create 334 - get 335 - list 336 - watch 337 - update 338 - patch 339 - delete 340 - apiGroups: 341 - argoproj.io 342 resources: 343 - applications 344 - appprojects 345 - applicationsets 346 verbs: 347 - create 348 - get 349 - list 350 - watch 351 - update 352 - delete 353 - patch 354 - apiGroups: 355 - "" 356 resources: 357 - events 358 verbs: 359 - create 360 - list 361 --- 362 apiVersion: rbac.authorization.k8s.io/v1 363 kind: RoleBinding 364 metadata: 365 labels: 366 app.kubernetes.io/component: application-controller 367 app.kubernetes.io/name: argocd-application-controller 368 app.kubernetes.io/part-of: argocd 369 name: argocd-application-controller 370 roleRef: 371 apiGroup: rbac.authorization.k8s.io 372 kind: Role 373 name: argocd-application-controller 374 subjects: 375 - kind: ServiceAccount 376 name: argocd-application-controller 377 --- 378 apiVersion: rbac.authorization.k8s.io/v1 379 kind: RoleBinding 380 metadata: 381 labels: 382 app.kubernetes.io/component: applicationset-controller 383 app.kubernetes.io/name: argocd-applicationset-controller 384 app.kubernetes.io/part-of: argocd 385 name: argocd-applicationset-controller 386 roleRef: 387 apiGroup: 
rbac.authorization.k8s.io 388 kind: Role 389 name: argocd-applicationset-controller 390 subjects: 391 - kind: ServiceAccount 392 name: argocd-applicationset-controller 393 --- 394 apiVersion: rbac.authorization.k8s.io/v1 395 kind: RoleBinding 396 metadata: 397 labels: 398 app.kubernetes.io/component: dex-server 399 app.kubernetes.io/name: argocd-dex-server 400 app.kubernetes.io/part-of: argocd 401 name: argocd-dex-server 402 roleRef: 403 apiGroup: rbac.authorization.k8s.io 404 kind: Role 405 name: argocd-dex-server 406 subjects: 407 - kind: ServiceAccount 408 name: argocd-dex-server 409 --- 410 apiVersion: rbac.authorization.k8s.io/v1 411 kind: RoleBinding 412 metadata: 413 labels: 414 app.kubernetes.io/component: notifications-controller 415 app.kubernetes.io/name: argocd-notifications-controller 416 app.kubernetes.io/part-of: argocd 417 name: argocd-notifications-controller 418 roleRef: 419 apiGroup: rbac.authorization.k8s.io 420 kind: Role 421 name: argocd-notifications-controller 422 subjects: 423 - kind: ServiceAccount 424 name: argocd-notifications-controller 425 --- 426 apiVersion: rbac.authorization.k8s.io/v1 427 kind: RoleBinding 428 metadata: 429 labels: 430 app.kubernetes.io/component: redis 431 app.kubernetes.io/name: argocd-redis-ha 432 app.kubernetes.io/part-of: argocd 433 name: argocd-redis-ha 434 roleRef: 435 apiGroup: rbac.authorization.k8s.io 436 kind: Role 437 name: argocd-redis-ha 438 subjects: 439 - kind: ServiceAccount 440 name: argocd-redis-ha 441 --- 442 apiVersion: rbac.authorization.k8s.io/v1 443 kind: RoleBinding 444 metadata: 445 labels: 446 app.kubernetes.io/component: redis 447 app.kubernetes.io/name: argocd-redis-ha 448 app.kubernetes.io/part-of: argocd 449 name: argocd-redis-ha-haproxy 450 roleRef: 451 apiGroup: rbac.authorization.k8s.io 452 kind: Role 453 name: argocd-redis-ha-haproxy 454 subjects: 455 - kind: ServiceAccount 456 name: argocd-redis-ha-haproxy 457 --- 458 apiVersion: rbac.authorization.k8s.io/v1 459 kind: RoleBinding 
460 metadata: 461 labels: 462 app.kubernetes.io/component: server 463 app.kubernetes.io/name: argocd-server 464 app.kubernetes.io/part-of: argocd 465 name: argocd-server 466 roleRef: 467 apiGroup: rbac.authorization.k8s.io 468 kind: Role 469 name: argocd-server 470 subjects: 471 - kind: ServiceAccount 472 name: argocd-server 473 --- 474 apiVersion: v1 475 data: 476 resource.customizations.ignoreResourceUpdates.ConfigMap: | 477 jqPathExpressions: 478 # Ignore the cluster-autoscaler status 479 - '.metadata.annotations."cluster-autoscaler.kubernetes.io/last-updated"' 480 # Ignore the annotation of the legacy Leases election 481 - '.metadata.annotations."control-plane.alpha.kubernetes.io/leader"' 482 resource.customizations.ignoreResourceUpdates.Endpoints: | 483 jsonPointers: 484 - /metadata 485 - /subsets 486 resource.customizations.ignoreResourceUpdates.all: | 487 jsonPointers: 488 - /status 489 resource.customizations.ignoreResourceUpdates.apps_ReplicaSet: | 490 jqPathExpressions: 491 - '.metadata.annotations."deployment.kubernetes.io/desired-replicas"' 492 - '.metadata.annotations."deployment.kubernetes.io/max-replicas"' 493 - '.metadata.annotations."rollout.argoproj.io/desired-replicas"' 494 resource.customizations.ignoreResourceUpdates.argoproj.io_Application: | 495 jqPathExpressions: 496 - '.metadata.annotations."notified.notifications.argoproj.io"' 497 - '.metadata.annotations."argocd.argoproj.io/refresh"' 498 - '.metadata.annotations."argocd.argoproj.io/hydrate"' 499 - '.operation' 500 resource.customizations.ignoreResourceUpdates.argoproj.io_Rollout: | 501 jqPathExpressions: 502 - '.metadata.annotations."notified.notifications.argoproj.io"' 503 resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: | 504 jqPathExpressions: 505 - '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"' 506 - '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"' 507 - 
'.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"' 508 - '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"' 509 resource.customizations.ignoreResourceUpdates.discovery.k8s.io_EndpointSlice: | 510 jsonPointers: 511 - /metadata 512 - /endpoints 513 - /ports 514 resource.exclusions: | 515 ### Network resources created by the Kubernetes control plane and excluded to reduce the number of watched events and UI clutter 516 - apiGroups: 517 - '' 518 - discovery.k8s.io 519 kinds: 520 - Endpoints 521 - EndpointSlice 522 ### Internal Kubernetes resources excluded reduce the number of watched events 523 - apiGroups: 524 - coordination.k8s.io 525 kinds: 526 - Lease 527 ### Internal Kubernetes Authz/Authn resources excluded reduce the number of watched events 528 - apiGroups: 529 - authentication.k8s.io 530 - authorization.k8s.io 531 kinds: 532 - SelfSubjectReview 533 - TokenReview 534 - LocalSubjectAccessReview 535 - SelfSubjectAccessReview 536 - SelfSubjectRulesReview 537 - SubjectAccessReview 538 ### Intermediate Certificate Request excluded reduce the number of watched events 539 - apiGroups: 540 - certificates.k8s.io 541 kinds: 542 - CertificateSigningRequest 543 - apiGroups: 544 - cert-manager.io 545 kinds: 546 - CertificateRequest 547 ### Cilium internal resources excluded reduce the number of watched events and UI Clutter 548 - apiGroups: 549 - cilium.io 550 kinds: 551 - CiliumIdentity 552 - CiliumEndpoint 553 - CiliumEndpointSlice 554 ### Kyverno intermediate and reporting resources excluded reduce the number of watched events and improve performance 555 - apiGroups: 556 - kyverno.io 557 - reports.kyverno.io 558 - wgpolicyk8s.io 559 kinds: 560 - PolicyReport 561 - ClusterPolicyReport 562 - EphemeralReport 563 - ClusterEphemeralReport 564 - AdmissionReport 565 - ClusterAdmissionReport 566 - BackgroundScanReport 567 - ClusterBackgroundScanReport 568 - UpdateRequest 569 kind: ConfigMap 570 metadata: 571 labels: 572 
app.kubernetes.io/name: argocd-cm 573 app.kubernetes.io/part-of: argocd 574 name: argocd-cm 575 --- 576 apiVersion: v1 577 data: 578 redis.server: argocd-redis-ha-haproxy:6379 579 kind: ConfigMap 580 metadata: 581 labels: 582 app.kubernetes.io/name: argocd-cmd-params-cm 583 app.kubernetes.io/part-of: argocd 584 name: argocd-cmd-params-cm 585 --- 586 apiVersion: v1 587 kind: ConfigMap 588 metadata: 589 labels: 590 app.kubernetes.io/name: argocd-gpg-keys-cm 591 app.kubernetes.io/part-of: argocd 592 name: argocd-gpg-keys-cm 593 --- 594 apiVersion: v1 595 kind: ConfigMap 596 metadata: 597 labels: 598 app.kubernetes.io/component: notifications-controller 599 app.kubernetes.io/name: argocd-notifications-controller 600 app.kubernetes.io/part-of: argocd 601 name: argocd-notifications-cm 602 --- 603 apiVersion: v1 604 kind: ConfigMap 605 metadata: 606 labels: 607 app.kubernetes.io/name: argocd-rbac-cm 608 app.kubernetes.io/part-of: argocd 609 name: argocd-rbac-cm 610 --- 611 apiVersion: v1 612 data: 613 fix-split-brain.sh: | 614 HOSTNAME="$(hostname)" 615 INDEX="${HOSTNAME##*-}" 616 SENTINEL_PORT=26379 617 ANNOUNCE_IP='' 618 MASTER='' 619 MASTER_GROUP="argocd" 620 QUORUM="2" 621 REDIS_CONF=/data/conf/redis.conf 622 REDIS_PORT=6379 623 REDIS_TLS_PORT= 624 SENTINEL_CONF=/data/conf/sentinel.conf 625 SENTINEL_TLS_PORT= 626 SERVICE=argocd-redis-ha 627 SENTINEL_TLS_REPLICATION_ENABLED=false 628 REDIS_TLS_REPLICATION_ENABLED=false 629 630 ROLE='' 631 REDIS_MASTER='' 632 633 set -eu 634 sentinel_get_master() { 635 set +e 636 if [ "$SENTINEL_PORT" -eq 0 ]; then 637 redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ 638 grep -E 
'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' 639 else 640 redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ 641 grep -E 
'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' 642 fi 643 set -e 644 } 645 646 sentinel_get_master_retry() { 647 master='' 648 retry=${1} 649 sleep=3 650 for i in $(seq 1 "${retry}"); do 651 master=$(sentinel_get_master) 652 if [ -n "${master}" ]; then 653 break 654 fi 655 sleep $((sleep + i)) 656 done 657 echo "${master}" 658 } 659 660 identify_master() { 661 echo "Identifying redis master (get-master-addr-by-name).." 662 echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)" 663 MASTER="$(sentinel_get_master_retry 3)" 664 if [ -n "${MASTER}" ]; then 665 echo " $(date) Found redis master (${MASTER})" 666 else 667 echo " $(date) Did not find redis master (${MASTER})" 668 fi 669 } 670 671 sentinel_update() { 672 echo "Updating sentinel config.." 
673 echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})" 674 eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}" 675 echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})" 676 sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}" 677 if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then 678 echo " redis master (${1}:${REDIS_TLS_PORT})" 679 sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" 680 else 681 echo " redis master (${1}:${REDIS_PORT})" 682 sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" 683 fi 684 echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF} 685 if [ "$SENTINEL_PORT" -eq 0 ]; then 686 echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})" 687 echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF} 688 else 689 echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})" 690 echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF} 691 fi 692 } 693 694 redis_update() { 695 echo "Updating redis config.." 696 if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then 697 echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})" 698 echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}" 699 echo "slave-announce-port ${REDIS_TLS_PORT}" >> ${REDIS_CONF} 700 else 701 echo " we are slave of redis master (${1}:${REDIS_PORT})" 702 echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}" 703 echo "slave-announce-port ${REDIS_PORT}" >> ${REDIS_CONF} 704 fi 705 echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF} 706 } 707 708 copy_config() { 709 echo "Copying default redis config.." 710 echo " to '${REDIS_CONF}'" 711 cp /readonly-config/redis.conf "${REDIS_CONF}" 712 echo "Copying default sentinel config.." 713 echo " to '${SENTINEL_CONF}'" 714 cp /readonly-config/sentinel.conf "${SENTINEL_CONF}" 715 } 716 717 setup_defaults() { 718 echo "Setting up defaults.." 
719 echo " using statefulset index (${INDEX})" 720 if [ "${INDEX}" = "0" ]; then 721 echo "Setting this pod as master for redis and sentinel.." 722 echo " using announce (${ANNOUNCE_IP})" 723 redis_update "${ANNOUNCE_IP}" 724 sentinel_update "${ANNOUNCE_IP}" 725 echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)" 726 sed -i "s/^.*slaveof.*//" "${REDIS_CONF}" 727 else 728 echo "Getting redis master ip.." 729 echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master" 730 DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')" 731 if [ -z "${DEFAULT_MASTER}" ]; then 732 echo "Error: Unable to resolve redis master (getent hosts)." 733 exit 1 734 fi 735 echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})" 736 echo "Setting default slave config for redis and sentinel.." 737 echo " using master ip (${DEFAULT_MASTER})" 738 redis_update "${DEFAULT_MASTER}" 739 sentinel_update "${DEFAULT_MASTER}" 740 fi 741 } 742 743 redis_ping() { 744 set +e 745 if [ "$REDIS_PORT" -eq 0 ]; then 746 redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping 747 else 748 redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping 749 fi 750 set -e 751 } 752 753 redis_ping_retry() { 754 ping='' 755 retry=${1} 756 sleep=3 757 for i in $(seq 1 "${retry}"); do 758 if [ "$(redis_ping)" = "PONG" ]; then 759 ping='PONG' 760 break 761 fi 762 sleep $((sleep + i)) 763 MASTER=$(sentinel_get_master) 764 done 765 echo "${ping}" 766 } 767 768 find_master() { 769 echo "Verifying redis master.." 770 if [ "$REDIS_PORT" -eq 0 ]; then 771 echo " ping (${MASTER}:${REDIS_TLS_PORT})" 772 else 773 echo " ping (${MASTER}:${REDIS_PORT})" 774 fi 775 if [ "$(redis_ping_retry 3)" != "PONG" ]; then 776 echo " $(date) Can't ping redis master (${MASTER})" 777 echo "Attempting to force failover (sentinel failover).." 
778 779 if [ "$SENTINEL_PORT" -eq 0 ]; then 780 echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" 781 if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then 782 echo " $(date) Failover returned with 'NOGOODSLAVE'" 783 echo "Setting defaults for this pod.." 784 setup_defaults 785 return 0 786 fi 787 else 788 echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" 789 if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then 790 echo " $(date) Failover returned with 'NOGOODSLAVE'" 791 echo "Setting defaults for this pod.." 792 setup_defaults 793 return 0 794 fi 795 fi 796 797 echo "Hold on for 10sec" 798 sleep 10 799 echo "We should get redis master's ip now. Asking (get-master-addr-by-name).." 800 if [ "$SENTINEL_PORT" -eq 0 ]; then 801 echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" 802 else 803 echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" 804 fi 805 MASTER="$(sentinel_get_master)" 806 if [ "${MASTER}" ]; then 807 echo " $(date) Found redis master (${MASTER})" 808 echo "Updating redis and sentinel config.." 809 sentinel_update "${MASTER}" 810 redis_update "${MASTER}" 811 else 812 echo "$(date) Error: Could not failover, exiting..." 813 exit 1 814 fi 815 else 816 echo " $(date) Found reachable redis master (${MASTER})" 817 echo "Updating redis and sentinel config.." 818 sentinel_update "${MASTER}" 819 redis_update "${MASTER}" 820 fi 821 } 822 823 redis_ro_update() { 824 echo "Updating read-only redis config.." 
825 echo " redis.conf set 'replica-priority 0'" 826 echo "replica-priority 0" >> ${REDIS_CONF} 827 } 828 829 getent_hosts() { 830 index=${1:-${INDEX}} 831 service="${SERVICE}-announce-${index}" 832 host=$(getent hosts "${service}") 833 echo "${host}" 834 } 835 836 identify_announce_ip() { 837 echo "Identify announce ip for this pod.." 838 echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})" 839 ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }') 840 echo " identified announce (${ANNOUNCE_IP})" 841 } 842 843 redis_role() { 844 set +e 845 if [ "$REDIS_PORT" -eq 0 ]; then 846 ROLE=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//') 847 else 848 ROLE=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//') 849 fi 850 set -e 851 } 852 853 identify_redis_master() { 854 set +e 855 if [ "$REDIS_PORT" -eq 0 ]; then 856 REDIS_MASTER=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//') 857 else 858 REDIS_MASTER=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//') 859 fi 860 set -e 861 } 862 863 reinit() { 864 set +e 865 sh /readonly-config/init.sh 866 867 if [ "$REDIS_PORT" -eq 0 ]; then 868 echo "shutdown" | redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key 869 else 870 echo "shutdown" | redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" 871 fi 872 set -e 873 } 874 875 identify_announce_ip 876 877 while [ -z "${ANNOUNCE_IP}" ]; do 878 echo "Error: Could not resolve the announce ip for this pod." 
879 sleep 30 880 identify_announce_ip 881 done 882 883 trap "exit 0" TERM 884 while true; do 885 sleep 60 886 887 # where is redis master 888 identify_master 889 890 if [ "$MASTER" = "$ANNOUNCE_IP" ]; then 891 redis_role 892 if [ "$ROLE" != "master" ]; then 893 echo "waiting for redis to become master" 894 sleep 10 895 identify_master 896 redis_role 897 echo "Redis role is $ROLE, expected role is master. No need to reinitialize." 898 if [ "$ROLE" != "master" ]; then 899 echo "Redis role is $ROLE, expected role is master, reinitializing" 900 reinit 901 fi 902 fi 903 elif [ "${MASTER}" ]; then 904 identify_redis_master 905 if [ "$REDIS_MASTER" != "$MASTER" ]; then 906 echo "Redis master and local master are not the same. waiting." 907 sleep 10 908 identify_master 909 identify_redis_master 910 echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}. No need to reinitialize." 911 if [ "${REDIS_MASTER}" != "${MASTER}" ]; then 912 echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}, reinitializing" 913 reinit 914 fi 915 fi 916 fi 917 done 918 haproxy.cfg: "defaults REDIS\n mode tcp\n timeout connect 4s\n timeout server 919 6m\n timeout client 6m\n timeout check 2s\n\nlisten health_check_http_url\n 920 \ bind :8888 \n mode http\n monitor-uri /healthz\n option dontlognull\n# 921 Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_0\n 922 \ mode tcp\n option tcp-check\n tcp-check connect\n tcp-check send PING\\r\\n\n 923 \ tcp-check expect string +PONG\n tcp-check send SENTINEL\\ get-master-addr-by-name\\ 924 argocd\\r\\n\n tcp-check expect string REPLACE_ANNOUNCE0\n tcp-check send QUIT\\r\\n\n 925 \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n server R1 argocd-redis-ha-announce-1:26379 926 check inter 3s\n server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n# 927 Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_1\n 928 \ mode tcp\n option tcp-check\n 
tcp-check connect\n tcp-check send PING\\r\\n\n 929 \ tcp-check expect string +PONG\n tcp-check send SENTINEL\\ get-master-addr-by-name\\ 930 argocd\\r\\n\n tcp-check expect string REPLACE_ANNOUNCE1\n tcp-check send QUIT\\r\\n\n 931 \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n server R1 argocd-redis-ha-announce-1:26379 932 check inter 3s\n server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n# 933 Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_2\n 934 \ mode tcp\n option tcp-check\n tcp-check connect\n tcp-check send PING\\r\\n\n 935 \ tcp-check expect string +PONG\n tcp-check send SENTINEL\\ get-master-addr-by-name\\ 936 argocd\\r\\n\n tcp-check expect string REPLACE_ANNOUNCE2\n tcp-check send QUIT\\r\\n\n 937 \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n server R1 argocd-redis-ha-announce-1:26379 938 check inter 3s\n server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n\n# 939 decide redis backend to use\n#master\nfrontend ft_redis_master\n bind :6379 \n 940 \ use_backend bk_redis_master\n# Check all redis servers to see if they think 941 they are master\nbackend bk_redis_master\n mode tcp\n option tcp-check\n tcp-check 942 connect\n tcp-check send \"AUTH ${AUTH}\"\\r\\n\n tcp-check expect string +OK\n 943 \ tcp-check send PING\\r\\n\n tcp-check expect string +PONG\n tcp-check send 944 info\\ replication\\r\\n\n tcp-check expect string role:master\n tcp-check send 945 QUIT\\r\\n\n tcp-check expect string +OK\n use-server R0 if { srv_is_up(R0) 946 } { nbsrv(check_if_redis_is_master_0) ge 2 }\n server R0 argocd-redis-ha-announce-0:6379 947 check inter 3s fall 1 rise 1\n use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1) 948 ge 2 }\n server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise 949 1\n use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge 950 2 }\n server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 
1\nfrontend 951 stats\n mode http\n bind :9101 \n http-request use-service prometheus-exporter 952 if { path /metrics }\n stats enable\n stats uri /stats\n stats refresh 10s\n# 953 Additional configuration\nglobal\n maxconn 4096\n" 954 haproxy_init.sh: | 955 HAPROXY_CONF=/data/haproxy.cfg 956 cp /readonly/haproxy.cfg "$HAPROXY_CONF" 957 for loop in $(seq 1 10); do 958 getent hosts argocd-redis-ha-announce-0 && break 959 echo "Waiting for service argocd-redis-ha-announce-0 to be ready ($loop) ..." && sleep 1 960 done 961 ANNOUNCE_IP0=$(getent hosts "argocd-redis-ha-announce-0" | awk '{ print $1 }') 962 if [ -z "$ANNOUNCE_IP0" ]; then 963 echo "Could not resolve the announce ip for argocd-redis-ha-announce-0" 964 exit 1 965 fi 966 sed -i "s/REPLACE_ANNOUNCE0/$ANNOUNCE_IP0/" "$HAPROXY_CONF" 967 for loop in $(seq 1 10); do 968 getent hosts argocd-redis-ha-announce-1 && break 969 echo "Waiting for service argocd-redis-ha-announce-1 to be ready ($loop) ..." && sleep 1 970 done 971 ANNOUNCE_IP1=$(getent hosts "argocd-redis-ha-announce-1" | awk '{ print $1 }') 972 if [ -z "$ANNOUNCE_IP1" ]; then 973 echo "Could not resolve the announce ip for argocd-redis-ha-announce-1" 974 exit 1 975 fi 976 sed -i "s/REPLACE_ANNOUNCE1/$ANNOUNCE_IP1/" "$HAPROXY_CONF" 977 for loop in $(seq 1 10); do 978 getent hosts argocd-redis-ha-announce-2 && break 979 echo "Waiting for service argocd-redis-ha-announce-2 to be ready ($loop) ..." && sleep 1 980 done 981 ANNOUNCE_IP2=$(getent hosts "argocd-redis-ha-announce-2" | awk '{ print $1 }') 982 if [ -z "$ANNOUNCE_IP2" ]; then 983 echo "Could not resolve the announce ip for argocd-redis-ha-announce-2" 984 exit 1 985 fi 986 sed -i "s/REPLACE_ANNOUNCE2/$ANNOUNCE_IP2/" "$HAPROXY_CONF" 987 init.sh: | 988 echo "$(date) Start..." 
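# --- init.sh (continued): settings, helper functions and first bootstrap steps ---
# Runs in the redis-ha pod before redis/sentinel start. It writes
# ${REDIS_CONF} and ${SENTINEL_CONF} so that this pod either becomes the
# initial master (statefulset index 0) or follows the master that sentinel
# reports.

HOSTNAME="$(hostname)"
# Everything after the last '-' of the hostname, used as the statefulset
# ordinal (compared with "0" in setup_defaults, interpolated in sentinel_update).
INDEX="${HOSTNAME##*-}"
SENTINEL_PORT=26379
ANNOUNCE_IP=''
MASTER=''
MASTER_GROUP="argocd"
QUORUM="2"
REDIS_CONF=/data/conf/redis.conf
REDIS_PORT=6379
REDIS_TLS_PORT=
SENTINEL_CONF=/data/conf/sentinel.conf
SENTINEL_TLS_PORT=
SERVICE=argocd-redis-ha
SENTINEL_TLS_REPLICATION_ENABLED=false
REDIS_TLS_REPLICATION_ENABLED=false

# Matches a line that holds only an IPv4 or IPv6 address (optional surrounding
# whitespace, optional %zone suffix on IPv6). sentinel_get_master uses it to
# keep the address line of the sentinel reply. Defined once so both the TLS
# and plaintext branches share the same pattern; the final IPv6 alternative
# ends in `\s*$`, matching the IPv4 alternative.
# NOTE(review): \s and \d are not POSIX ERE classes; confirm the grep shipped
# in the image accepts them under -E.
IP_ADDR_LINE_RE='((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))'

# From here on: abort on any failing command and on any unset variable.
set -eu

# Ask sentinel for the current master of ${MASTER_GROUP} and print the
# address line(s) of the reply. Prints nothing when sentinel is unreachable
# or names no master. errexit is suspended so that a failing redis-cli/grep
# does not end the script.
# NOTE(review): the sentinel query carries no credentials.
sentinel_get_master() {
    set +e
    # SENTINEL_PORT=0 selects the TLS port and client certificates.
    if [ "$SENTINEL_PORT" -eq 0 ]; then
        redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
        grep -E "${IP_ADDR_LINE_RE}"
    else
        redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
        grep -E "${IP_ADDR_LINE_RE}"
    fi
    set -e
}

# Call sentinel_get_master up to $1 times, sleeping 3+attempt seconds after
# each empty answer. Prints the master address, or an empty line if none of
# the attempts returned one.
sentinel_get_master_retry() {
    master=''
    retry=${1}
    sleep=3
    for i in $(seq 1 "${retry}"); do
        master=$(sentinel_get_master)
        if [ -n "${master}" ]; then
            break
        fi
        sleep $((sleep + i))
    done
    echo "${master}"
}

# Set the global MASTER from sentinel (three attempts) and log the outcome.
# MASTER stays empty when no master was reported.
identify_master() {
    echo "Identifying redis master (get-master-addr-by-name).."
    echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)"
    MASTER="$(sentinel_get_master_retry 3)"
    if [ -n "${MASTER}" ]; then
        echo " $(date) Found redis master (${MASTER})"
    else
        echo " $(date) Did not find redis master (${MASTER})"
    fi
}

# Write this pod's sentinel identity, the monitored master ($1) and the
# announce address/port into ${SENTINEL_CONF}.
#   $1  address of the redis master to monitor
sentinel_update() {
    echo "Updating sentinel config.."
    echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
    # Indirect lookup of SENTINEL_ID_<INDEX>. INDEX comes from the hostname
    # suffix and is passed to eval unvalidated.
    # NOTE(review): safe only while that suffix is the numeric pod ordinal.
    eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
    echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
    # Prepend "sentinel myid" as line 1 and "sentinel monitor" as line 2.
    sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
    if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
        echo " redis master (${1}:${REDIS_TLS_PORT})"
        sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
    else
        echo " redis master (${1}:${REDIS_PORT})"
        sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
    fi
    # Redirect targets are quoted like every other use of the config paths.
    echo "sentinel announce-ip ${ANNOUNCE_IP}" >> "${SENTINEL_CONF}"
    if [ "$SENTINEL_PORT" -eq 0 ]; then
        echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})"
        echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> "${SENTINEL_CONF}"
    else
        echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})"
        echo "sentinel announce-port ${SENTINEL_PORT}" >> "${SENTINEL_CONF}"
    fi
}

# Append replication settings to ${REDIS_CONF}: follow master $1 and
# announce this pod under ${ANNOUNCE_IP}.
#   $1  address of the redis master to replicate from
redis_update() {
    echo "Updating redis config.."
    if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
        echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})"
        echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}"
        echo "slave-announce-port ${REDIS_TLS_PORT}" >> "${REDIS_CONF}"
    else
        echo " we are slave of redis master (${1}:${REDIS_PORT})"
        echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}"
        echo "slave-announce-port ${REDIS_PORT}" >> "${REDIS_CONF}"
    fi
    echo "slave-announce-ip ${ANNOUNCE_IP}" >> "${REDIS_CONF}"
}

# Copy the read-only config templates to their writable locations.
copy_config() {
    echo "Copying default redis config.."
    echo " to '${REDIS_CONF}'"
    cp /readonly-config/redis.conf "${REDIS_CONF}"
    echo "Copying default sentinel config.."
    echo " to '${SENTINEL_CONF}'"
    cp /readonly-config/sentinel.conf "${SENTINEL_CONF}"
}

# Configure this pod without help from sentinel: index 0 becomes master,
# every other index follows the address that argocd-redis-ha-announce-0
# resolves to. Exits 1 when that address cannot be resolved.
setup_defaults() {
    echo "Setting up defaults.."
    echo " using statefulset index (${INDEX})"
    if [ "${INDEX}" = "0" ]; then
        echo "Setting this pod as master for redis and sentinel.."
        echo " using announce (${ANNOUNCE_IP})"
        redis_update "${ANNOUNCE_IP}"
        sentinel_update "${ANNOUNCE_IP}"
        echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
        # Blank out the slaveof line that redis_update just appended.
        sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
    else
        echo "Getting redis master ip.."
        echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
        DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
        if [ -z "${DEFAULT_MASTER}" ]; then
            echo "Error: Unable to resolve redis master (getent hosts)."
            exit 1
        fi
        echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
        echo "Setting default slave config for redis and sentinel.."
        echo " using master ip (${DEFAULT_MASTER})"
        redis_update "${DEFAULT_MASTER}"
        sentinel_update "${DEFAULT_MASTER}"
    fi
}

# PING the redis instance at ${MASTER} and print its reply. errexit is
# suspended so an unreachable master does not end the script.
# NOTE(review): -a places the password on redis-cli's command line, where it
# shows up in the container's process list; redis-cli can also take it from
# the REDISCLI_AUTH environment variable.
redis_ping() {
    set +e
    # REDIS_PORT=0 selects the TLS port and client certificates.
    if [ "$REDIS_PORT" -eq 0 ]; then
        redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
    else
        redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
    fi
    set -e
}

# Ping ${MASTER} up to $1 times; prints "PONG" on success, an empty line
# otherwise. After each failed attempt the master is re-read from sentinel.
# NOTE(review): find_master calls this inside $(...), so the MASTER value
# refreshed here does not reach the caller's shell.
redis_ping_retry() {
    ping=''
    retry=${1}
    sleep=3
    for i in $(seq 1 "${retry}"); do
        if [ "$(redis_ping)" = "PONG" ]; then
            ping='PONG'
            break
        fi
        sleep $((sleep + i))
        MASTER=$(sentinel_get_master)
    done
    echo "${ping}"
}

# Verify that ${MASTER} answers PING and write the redis/sentinel config for
# it. If it does not answer, ask sentinel to fail over: on 'NOGOODSLAVE' fall
# back to setup_defaults, otherwise wait 10s and use the master sentinel then
# reports, exiting 1 if there is none.
# NOTE(review): `sentinel failover` is sent without credentials.
find_master() {
    echo "Verifying redis master.."
    if [ "$REDIS_PORT" -eq 0 ]; then
        echo " ping (${MASTER}:${REDIS_TLS_PORT})"
    else
        echo " ping (${MASTER}:${REDIS_PORT})"
    fi
    if [ "$(redis_ping_retry 3)" != "PONG" ]; then
        echo " $(date) Can't ping redis master (${MASTER})"
        echo "Attempting to force failover (sentinel failover).."

        if [ "$SENTINEL_PORT" -eq 0 ]; then
            echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
            if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                echo " $(date) Failover returned with 'NOGOODSLAVE'"
                echo "Setting defaults for this pod.."
                setup_defaults
                return 0
            fi
        else
            echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
            if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                echo " $(date) Failover returned with 'NOGOODSLAVE'"
                echo "Setting defaults for this pod.."
                setup_defaults
                return 0
            fi
        fi

        echo "Hold on for 10sec"
        sleep 10
        echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
        if [ "$SENTINEL_PORT" -eq 0 ]; then
            echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
        else
            echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
        fi
        MASTER="$(sentinel_get_master)"
        if [ "${MASTER}" ]; then
            echo " $(date) Found redis master (${MASTER})"
            echo "Updating redis and sentinel config.."
            sentinel_update "${MASTER}"
            redis_update "${MASTER}"
        else
            echo "$(date) Error: Could not failover, exiting..."
            exit 1
        fi
    else
        echo " $(date) Found reachable redis master (${MASTER})"
        echo "Updating redis and sentinel config.."
        sentinel_update "${MASTER}"
        redis_update "${MASTER}"
    fi
}

# Append 'replica-priority 0' to ${REDIS_CONF}.
redis_ro_update() {
    echo "Updating read-only redis config.."
    echo " redis.conf set 'replica-priority 0'"
    echo "replica-priority 0" >> "${REDIS_CONF}"
}

# Print the `getent hosts` line for ${SERVICE}-announce-<index>.
#   $1  pod index to resolve; defaults to this pod's ${INDEX}
getent_hosts() {
    index=${1:-${INDEX}}
    service="${SERVICE}-announce-${index}"
    host=$(getent hosts "${service}")
    echo "${host}"
}

# Set the global ANNOUNCE_IP to the address of this pod's announce service.
# NOTE(review): the empty-ANNOUNCE_IP branch further down this script holds a
# bare quoted string with no `echo`, so the shell tries to run that text as a
# command; the intended error message and `exit 1` are not what the operator
# gets.
identify_announce_ip() {
    echo "Identify announce ip for this pod.."
    echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
    ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
    echo " identified announce (${ANNOUNCE_IP})"
}

mkdir -p /data/conf/

echo "Initializing config.."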
1218 copy_config 1219 1220 # where is redis master 1221 identify_master 1222 1223 identify_announce_ip 1224 1225 if [ -z "${ANNOUNCE_IP}" ]; then 1226 "Error: Could not resolve the announce ip for this pod" 1227 exit 1 1228 elif [ "${MASTER}" ]; then 1229 find_master 1230 else 1231 setup_defaults 1232 fi 1233 1234 if [ "${AUTH:-}" ]; then 1235 echo "Setting redis auth values.." 1236 ESCAPED_AUTH=$(echo "${AUTH}" | sed -e 's/[\/&]/\\&/g'); 1237 sed -i "s/replace-default-auth/${ESCAPED_AUTH}/" "${REDIS_CONF}" "${SENTINEL_CONF}" 1238 fi 1239 1240 if [ "${SENTINELAUTH:-}" ]; then 1241 echo "Setting sentinel auth values" 1242 ESCAPED_AUTH_SENTINEL=$(echo "$SENTINELAUTH" | sed -e 's/[\/&]/\\&/g'); 1243 sed -i "s/replace-default-sentinel-auth/${ESCAPED_AUTH_SENTINEL}/" "$SENTINEL_CONF" 1244 fi 1245 1246 echo "$(date) Ready..." 1247 redis.conf: | 1248 dir "/data" 1249 port 6379 1250 rename-command FLUSHDB "" 1251 rename-command FLUSHALL "" 1252 bind 0.0.0.0 1253 maxmemory 0 1254 maxmemory-policy volatile-lru 1255 min-replicas-max-lag 5 1256 min-replicas-to-write 1 1257 rdbchecksum yes 1258 rdbcompression yes 1259 repl-diskless-sync yes 1260 save "" 1261 requirepass replace-default-auth 1262 masterauth replace-default-auth 1263 sentinel.conf: | 1264 dir "/data" 1265 port 26379 1266 bind 0.0.0.0 1267 sentinel down-after-milliseconds argocd 10000 1268 sentinel failover-timeout argocd 180000 1269 maxclients 10000 1270 sentinel parallel-syncs argocd 5 1271 sentinel auth-pass argocd replace-default-auth 1272 trigger-failover-if-master.sh: | 1273 get_redis_role() { 1274 is_master=$( 1275 redis-cli \ 1276 -a "${AUTH}" --no-auth-warning \ 1277 -h localhost \ 1278 -p 6379 \ 1279 info | grep -c 'role:master' || true 1280 ) 1281 } 1282 get_redis_role 1283 if [[ "$is_master" -eq 1 ]]; then 1284 echo "This node is currently master, we trigger a failover." 
1285 response=$( 1286 redis-cli \ 1287 -h localhost \ 1288 -p 26379 \ 1289 SENTINEL failover argocd 1290 ) 1291 if [[ "$response" != "OK" ]] ; then 1292 echo "$response" 1293 exit 1 1294 fi 1295 timeout=30 1296 while [[ "$is_master" -eq 1 && $timeout -gt 0 ]]; do 1297 sleep 1 1298 get_redis_role 1299 timeout=$((timeout - 1)) 1300 done 1301 echo "Failover successful" 1302 fi 1303 kind: ConfigMap 1304 metadata: 1305 labels: 1306 app.kubernetes.io/component: redis 1307 app.kubernetes.io/name: argocd-redis-ha 1308 app.kubernetes.io/part-of: argocd 1309 name: argocd-redis-ha-configmap 1310 --- 1311 apiVersion: v1 1312 data: 1313 redis_liveness.sh: | 1314 response=$( 1315 redis-cli \ 1316 -a "${AUTH}" --no-auth-warning \ 1317 -h localhost \ 1318 -p 6379 \ 1319 ping 1320 ) 1321 echo "response=$response" 1322 case $response in 1323 PONG|LOADING*) ;; 1324 *) exit 1 ;; 1325 esac 1326 exit 0 1327 redis_readiness.sh: | 1328 response=$( 1329 redis-cli \ 1330 -a "${AUTH}" --no-auth-warning \ 1331 -h localhost \ 1332 -p 6379 \ 1333 ping 1334 ) 1335 if [ "$response" != "PONG" ] ; then 1336 echo "ping=$response" 1337 exit 1 1338 fi 1339 1340 response=$( 1341 redis-cli \ 1342 -a "${AUTH}" --no-auth-warning \ 1343 -h localhost \ 1344 -p 6379 \ 1345 role 1346 ) 1347 role=$( echo "$response" | sed "1!d" ) 1348 if [ "$role" = "master" ]; then 1349 echo "role=$role" 1350 exit 0 1351 elif [ "$role" = "slave" ]; then 1352 repl=$( echo "$response" | sed "4!d" ) 1353 echo "role=$role; repl=$repl" 1354 if [ "$repl" = "connected" ]; then 1355 exit 0 1356 else 1357 exit 1 1358 fi 1359 else 1360 echo "role=$role" 1361 exit 1 1362 fi 1363 sentinel_liveness.sh: | 1364 response=$( 1365 redis-cli \ 1366 -h localhost \ 1367 -p 26379 \ 1368 ping 1369 ) 1370 if [ "$response" != "PONG" ]; then 1371 echo "$response" 1372 exit 1 1373 fi 1374 echo "response=$response" 1375 kind: ConfigMap 1376 metadata: 1377 labels: 1378 app.kubernetes.io/component: redis 1379 app.kubernetes.io/name: argocd-redis-ha 1380 
app.kubernetes.io/part-of: argocd 1381 name: argocd-redis-ha-health-configmap 1382 --- 1383 apiVersion: v1 1384 data: 1385 ssh_known_hosts: | 1386 # This file was automatically generated by hack/update-ssh-known-hosts.sh. DO NOT EDIT 1387 [ssh.github.com]:443 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= 1388 [ssh.github.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl 1389 [ssh.github.com]:443 ssh-rsa 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 1390 bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE= 1391 bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO 1392 bitbucket.org ssh-rsa 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 1393 github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= 1394 github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl 1395 github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= 1396 gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= 
1397 gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf 1398 gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 1399 ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H 1400 vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H 1401 kind: ConfigMap 1402 metadata: 1403 labels: 1404 app.kubernetes.io/name: argocd-ssh-known-hosts-cm 1405 app.kubernetes.io/part-of: argocd 1406 name: argocd-ssh-known-hosts-cm 1407 --- 1408 apiVersion: v1 1409 kind: ConfigMap 1410 metadata: 1411 labels: 1412 app.kubernetes.io/name: argocd-tls-certs-cm 1413 app.kubernetes.io/part-of: argocd 1414 name: argocd-tls-certs-cm 1415 --- 1416 apiVersion: v1 1417 kind: Secret 1418 metadata: 1419 labels: 1420 app.kubernetes.io/component: notifications-controller 1421 app.kubernetes.io/name: argocd-notifications-controller 1422 app.kubernetes.io/part-of: argocd 1423 name: argocd-notifications-secret 1424 type: Opaque 1425 --- 1426 
apiVersion: v1 1427 kind: Secret 1428 metadata: 1429 labels: 1430 app.kubernetes.io/name: argocd-secret 1431 app.kubernetes.io/part-of: argocd 1432 name: argocd-secret 1433 type: Opaque 1434 --- 1435 apiVersion: v1 1436 kind: Service 1437 metadata: 1438 labels: 1439 app.kubernetes.io/component: applicationset-controller 1440 app.kubernetes.io/name: argocd-applicationset-controller 1441 app.kubernetes.io/part-of: argocd 1442 name: argocd-applicationset-controller 1443 spec: 1444 ports: 1445 - name: webhook 1446 port: 7000 1447 protocol: TCP 1448 targetPort: webhook 1449 - name: metrics 1450 port: 8080 1451 protocol: TCP 1452 targetPort: metrics 1453 selector: 1454 app.kubernetes.io/name: argocd-applicationset-controller 1455 --- 1456 apiVersion: v1 1457 kind: Service 1458 metadata: 1459 labels: 1460 app.kubernetes.io/component: commit-server 1461 app.kubernetes.io/name: argocd-commit-server 1462 app.kubernetes.io/part-of: argocd 1463 name: argocd-commit-server 1464 spec: 1465 ports: 1466 - name: server 1467 port: 8086 1468 protocol: TCP 1469 targetPort: 8086 1470 - name: metrics 1471 port: 8087 1472 protocol: TCP 1473 targetPort: 8087 1474 selector: 1475 app.kubernetes.io/name: argocd-commit-server 1476 --- 1477 apiVersion: v1 1478 kind: Service 1479 metadata: 1480 labels: 1481 app.kubernetes.io/component: dex-server 1482 app.kubernetes.io/name: argocd-dex-server 1483 app.kubernetes.io/part-of: argocd 1484 name: argocd-dex-server 1485 spec: 1486 ports: 1487 - appProtocol: TCP 1488 name: http 1489 port: 5556 1490 protocol: TCP 1491 targetPort: 5556 1492 - name: grpc 1493 port: 5557 1494 protocol: TCP 1495 targetPort: 5557 1496 - name: metrics 1497 port: 5558 1498 protocol: TCP 1499 targetPort: 5558 1500 selector: 1501 app.kubernetes.io/name: argocd-dex-server 1502 --- 1503 apiVersion: v1 1504 kind: Service 1505 metadata: 1506 labels: 1507 app.kubernetes.io/component: metrics 1508 app.kubernetes.io/name: argocd-metrics 1509 app.kubernetes.io/part-of: argocd 1510 name: 
argocd-metrics 1511 spec: 1512 ports: 1513 - name: metrics 1514 port: 8082 1515 protocol: TCP 1516 targetPort: 8082 1517 selector: 1518 app.kubernetes.io/name: argocd-application-controller 1519 --- 1520 apiVersion: v1 1521 kind: Service 1522 metadata: 1523 labels: 1524 app.kubernetes.io/component: notifications-controller 1525 app.kubernetes.io/name: argocd-notifications-controller-metrics 1526 app.kubernetes.io/part-of: argocd 1527 name: argocd-notifications-controller-metrics 1528 spec: 1529 ports: 1530 - name: metrics 1531 port: 9001 1532 protocol: TCP 1533 targetPort: 9001 1534 selector: 1535 app.kubernetes.io/name: argocd-notifications-controller 1536 --- 1537 apiVersion: v1 1538 kind: Service 1539 metadata: 1540 labels: 1541 app.kubernetes.io/component: redis 1542 app.kubernetes.io/name: argocd-redis-ha 1543 app.kubernetes.io/part-of: argocd 1544 name: argocd-redis-ha 1545 spec: 1546 clusterIP: None 1547 ports: 1548 - name: tcp-server 1549 port: 6379 1550 protocol: TCP 1551 targetPort: redis 1552 - name: tcp-sentinel 1553 port: 26379 1554 protocol: TCP 1555 targetPort: sentinel 1556 selector: 1557 app.kubernetes.io/name: argocd-redis-ha 1558 type: ClusterIP 1559 --- 1560 apiVersion: v1 1561 kind: Service 1562 metadata: 1563 labels: 1564 app.kubernetes.io/component: redis 1565 app.kubernetes.io/name: argocd-redis-ha 1566 app.kubernetes.io/part-of: argocd 1567 name: argocd-redis-ha-announce-0 1568 spec: 1569 ports: 1570 - name: tcp-server 1571 port: 6379 1572 protocol: TCP 1573 targetPort: redis 1574 - name: tcp-sentinel 1575 port: 26379 1576 protocol: TCP 1577 targetPort: sentinel 1578 publishNotReadyAddresses: true 1579 selector: 1580 app.kubernetes.io/name: argocd-redis-ha 1581 statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-0 1582 type: ClusterIP 1583 --- 1584 apiVersion: v1 1585 kind: Service 1586 metadata: 1587 labels: 1588 app.kubernetes.io/component: redis 1589 app.kubernetes.io/name: argocd-redis-ha 1590 app.kubernetes.io/part-of: argocd 
1591 name: argocd-redis-ha-announce-1 1592 spec: 1593 ports: 1594 - name: tcp-server 1595 port: 6379 1596 protocol: TCP 1597 targetPort: redis 1598 - name: tcp-sentinel 1599 port: 26379 1600 protocol: TCP 1601 targetPort: sentinel 1602 publishNotReadyAddresses: true 1603 selector: 1604 app.kubernetes.io/name: argocd-redis-ha 1605 statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-1 1606 type: ClusterIP 1607 --- 1608 apiVersion: v1 1609 kind: Service 1610 metadata: 1611 labels: 1612 app.kubernetes.io/component: redis 1613 app.kubernetes.io/name: argocd-redis-ha 1614 app.kubernetes.io/part-of: argocd 1615 name: argocd-redis-ha-announce-2 1616 spec: 1617 ports: 1618 - name: tcp-server 1619 port: 6379 1620 protocol: TCP 1621 targetPort: redis 1622 - name: tcp-sentinel 1623 port: 26379 1624 protocol: TCP 1625 targetPort: sentinel 1626 publishNotReadyAddresses: true 1627 selector: 1628 app.kubernetes.io/name: argocd-redis-ha 1629 statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-2 1630 type: ClusterIP 1631 --- 1632 apiVersion: v1 1633 kind: Service 1634 metadata: 1635 labels: 1636 app.kubernetes.io/component: redis 1637 app.kubernetes.io/name: argocd-redis-ha-haproxy 1638 app.kubernetes.io/part-of: argocd 1639 name: argocd-redis-ha-haproxy 1640 spec: 1641 ports: 1642 - name: tcp-haproxy 1643 port: 6379 1644 protocol: TCP 1645 targetPort: redis 1646 - name: http-exporter-port 1647 port: 9101 1648 protocol: TCP 1649 targetPort: metrics-port 1650 selector: 1651 app.kubernetes.io/name: argocd-redis-ha-haproxy 1652 type: ClusterIP 1653 --- 1654 apiVersion: v1 1655 kind: Service 1656 metadata: 1657 labels: 1658 app.kubernetes.io/component: repo-server 1659 app.kubernetes.io/name: argocd-repo-server 1660 app.kubernetes.io/part-of: argocd 1661 name: argocd-repo-server 1662 spec: 1663 ports: 1664 - name: server 1665 port: 8081 1666 protocol: TCP 1667 targetPort: 8081 1668 - name: metrics 1669 port: 8084 1670 protocol: TCP 1671 targetPort: 8084 1672 selector: 1673 
app.kubernetes.io/name: argocd-repo-server 1674 --- 1675 apiVersion: v1 1676 kind: Service 1677 metadata: 1678 labels: 1679 app.kubernetes.io/component: server 1680 app.kubernetes.io/name: argocd-server 1681 app.kubernetes.io/part-of: argocd 1682 name: argocd-server 1683 spec: 1684 ports: 1685 - name: http 1686 port: 80 1687 protocol: TCP 1688 targetPort: 8080 1689 - name: https 1690 port: 443 1691 protocol: TCP 1692 targetPort: 8080 1693 selector: 1694 app.kubernetes.io/name: argocd-server 1695 --- 1696 apiVersion: v1 1697 kind: Service 1698 metadata: 1699 labels: 1700 app.kubernetes.io/component: server 1701 app.kubernetes.io/name: argocd-server-metrics 1702 app.kubernetes.io/part-of: argocd 1703 name: argocd-server-metrics 1704 spec: 1705 ports: 1706 - name: metrics 1707 port: 8083 1708 protocol: TCP 1709 targetPort: 8083 1710 selector: 1711 app.kubernetes.io/name: argocd-server 1712 --- 1713 apiVersion: apps/v1 1714 kind: Deployment 1715 metadata: 1716 labels: 1717 app.kubernetes.io/component: applicationset-controller 1718 app.kubernetes.io/name: argocd-applicationset-controller 1719 app.kubernetes.io/part-of: argocd 1720 name: argocd-applicationset-controller 1721 spec: 1722 selector: 1723 matchLabels: 1724 app.kubernetes.io/name: argocd-applicationset-controller 1725 template: 1726 metadata: 1727 labels: 1728 app.kubernetes.io/name: argocd-applicationset-controller 1729 spec: 1730 containers: 1731 - args: 1732 - /usr/local/bin/argocd-applicationset-controller 1733 env: 1734 - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS 1735 valueFrom: 1736 configMapKeyRef: 1737 key: applicationsetcontroller.global.preserved.annotations 1738 name: argocd-cmd-params-cm 1739 optional: true 1740 - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_LABELS 1741 valueFrom: 1742 configMapKeyRef: 1743 key: applicationsetcontroller.global.preserved.labels 1744 name: argocd-cmd-params-cm 1745 optional: true 1746 - name: NAMESPACE 1747 valueFrom: 1748 
fieldRef: 1749 fieldPath: metadata.namespace 1750 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION 1751 valueFrom: 1752 configMapKeyRef: 1753 key: applicationsetcontroller.enable.leader.election 1754 name: argocd-cmd-params-cm 1755 optional: true 1756 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER 1757 valueFrom: 1758 configMapKeyRef: 1759 key: repo.server 1760 name: argocd-cmd-params-cm 1761 optional: true 1762 - name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY 1763 valueFrom: 1764 configMapKeyRef: 1765 key: applicationsetcontroller.policy 1766 name: argocd-cmd-params-cm 1767 optional: true 1768 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE 1769 valueFrom: 1770 configMapKeyRef: 1771 key: applicationsetcontroller.enable.policy.override 1772 name: argocd-cmd-params-cm 1773 optional: true 1774 - name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG 1775 valueFrom: 1776 configMapKeyRef: 1777 key: applicationsetcontroller.debug 1778 name: argocd-cmd-params-cm 1779 optional: true 1780 - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT 1781 valueFrom: 1782 configMapKeyRef: 1783 key: applicationsetcontroller.log.format 1784 name: argocd-cmd-params-cm 1785 optional: true 1786 - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL 1787 valueFrom: 1788 configMapKeyRef: 1789 key: applicationsetcontroller.log.level 1790 name: argocd-cmd-params-cm 1791 optional: true 1792 - name: ARGOCD_LOG_FORMAT_TIMESTAMP 1793 valueFrom: 1794 configMapKeyRef: 1795 key: log.format.timestamp 1796 name: argocd-cmd-params-cm 1797 optional: true 1798 - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN 1799 valueFrom: 1800 configMapKeyRef: 1801 key: applicationsetcontroller.dryrun 1802 name: argocd-cmd-params-cm 1803 optional: true 1804 - name: ARGOCD_GIT_MODULES_ENABLED 1805 valueFrom: 1806 configMapKeyRef: 1807 key: applicationsetcontroller.enable.git.submodule 1808 name: argocd-cmd-params-cm 1809 optional: true 1810 - name: 
ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS 1811 valueFrom: 1812 configMapKeyRef: 1813 key: applicationsetcontroller.enable.progressive.syncs 1814 name: argocd-cmd-params-cm 1815 optional: true 1816 - name: ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE 1817 valueFrom: 1818 configMapKeyRef: 1819 key: applicationsetcontroller.enable.tokenref.strict.mode 1820 name: argocd-cmd-params-cm 1821 optional: true 1822 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING 1823 valueFrom: 1824 configMapKeyRef: 1825 key: applicationsetcontroller.enable.new.git.file.globbing 1826 name: argocd-cmd-params-cm 1827 optional: true 1828 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_PLAINTEXT 1829 valueFrom: 1830 configMapKeyRef: 1831 key: applicationsetcontroller.repo.server.plaintext 1832 name: argocd-cmd-params-cm 1833 optional: true 1834 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_STRICT_TLS 1835 valueFrom: 1836 configMapKeyRef: 1837 key: applicationsetcontroller.repo.server.strict.tls 1838 name: argocd-cmd-params-cm 1839 optional: true 1840 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS 1841 valueFrom: 1842 configMapKeyRef: 1843 key: applicationsetcontroller.repo.server.timeout.seconds 1844 name: argocd-cmd-params-cm 1845 optional: true 1846 - name: ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS 1847 valueFrom: 1848 configMapKeyRef: 1849 key: applicationsetcontroller.concurrent.reconciliations.max 1850 name: argocd-cmd-params-cm 1851 optional: true 1852 - name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES 1853 valueFrom: 1854 configMapKeyRef: 1855 key: applicationsetcontroller.namespaces 1856 name: argocd-cmd-params-cm 1857 optional: true 1858 - name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH 1859 valueFrom: 1860 configMapKeyRef: 1861 key: applicationsetcontroller.scm.root.ca.path 1862 name: argocd-cmd-params-cm 1863 optional: true 1864 - name: 
ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS 1865 valueFrom: 1866 configMapKeyRef: 1867 key: applicationsetcontroller.allowed.scm.providers 1868 name: argocd-cmd-params-cm 1869 optional: true 1870 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS 1871 valueFrom: 1872 configMapKeyRef: 1873 key: applicationsetcontroller.enable.scm.providers 1874 name: argocd-cmd-params-cm 1875 optional: true 1876 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS 1877 valueFrom: 1878 configMapKeyRef: 1879 key: applicationsetcontroller.enable.github.api.metrics 1880 name: argocd-cmd-params-cm 1881 optional: true 1882 - name: ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT 1883 valueFrom: 1884 configMapKeyRef: 1885 key: applicationsetcontroller.webhook.parallelism.limit 1886 name: argocd-cmd-params-cm 1887 optional: true 1888 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER 1889 valueFrom: 1890 configMapKeyRef: 1891 key: applicationsetcontroller.requeue.after 1892 name: argocd-cmd-params-cm 1893 optional: true 1894 - name: ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT 1895 valueFrom: 1896 configMapKeyRef: 1897 key: applicationsetcontroller.status.max.resources.count 1898 name: argocd-cmd-params-cm 1899 optional: true 1900 image: quay.io/argoproj/argocd:v3.2.1 1901 imagePullPolicy: Always 1902 name: argocd-applicationset-controller 1903 ports: 1904 - containerPort: 7000 1905 name: webhook 1906 - containerPort: 8080 1907 name: metrics 1908 securityContext: 1909 allowPrivilegeEscalation: false 1910 capabilities: 1911 drop: 1912 - ALL 1913 readOnlyRootFilesystem: true 1914 runAsNonRoot: true 1915 seccompProfile: 1916 type: RuntimeDefault 1917 volumeMounts: 1918 - mountPath: /app/config/ssh 1919 name: ssh-known-hosts 1920 - mountPath: /app/config/tls 1921 name: tls-certs 1922 - mountPath: /app/config/gpg/source 1923 name: gpg-keys 1924 - mountPath: /app/config/gpg/keys 1925 name: gpg-keyring 1926 - mountPath: /tmp 1927 
name: tmp 1928 - mountPath: /app/config/reposerver/tls 1929 name: argocd-repo-server-tls 1930 - mountPath: /home/argocd/params 1931 name: argocd-cmd-params-cm 1932 nodeSelector: 1933 kubernetes.io/os: linux 1934 serviceAccountName: argocd-applicationset-controller 1935 volumes: 1936 - configMap: 1937 name: argocd-ssh-known-hosts-cm 1938 name: ssh-known-hosts 1939 - configMap: 1940 name: argocd-tls-certs-cm 1941 name: tls-certs 1942 - configMap: 1943 name: argocd-gpg-keys-cm 1944 name: gpg-keys 1945 - emptyDir: {} 1946 name: gpg-keyring 1947 - emptyDir: {} 1948 name: tmp 1949 - name: argocd-repo-server-tls 1950 secret: 1951 items: 1952 - key: tls.crt 1953 path: tls.crt 1954 - key: tls.key 1955 path: tls.key 1956 - key: ca.crt 1957 path: ca.crt 1958 optional: true 1959 secretName: argocd-repo-server-tls 1960 - configMap: 1961 items: 1962 - key: applicationsetcontroller.profile.enabled 1963 path: profiler.enabled 1964 name: argocd-cmd-params-cm 1965 optional: true 1966 name: argocd-cmd-params-cm 1967 --- 1968 apiVersion: apps/v1 1969 kind: Deployment 1970 metadata: 1971 labels: 1972 app.kubernetes.io/component: commit-server 1973 app.kubernetes.io/name: argocd-commit-server 1974 app.kubernetes.io/part-of: argocd 1975 name: argocd-commit-server 1976 spec: 1977 selector: 1978 matchLabels: 1979 app.kubernetes.io/name: argocd-commit-server 1980 template: 1981 metadata: 1982 labels: 1983 app.kubernetes.io/name: argocd-commit-server 1984 spec: 1985 affinity: 1986 podAntiAffinity: 1987 preferredDuringSchedulingIgnoredDuringExecution: 1988 - podAffinityTerm: 1989 labelSelector: 1990 matchLabels: 1991 app.kubernetes.io/name: argocd-commit-server 1992 topologyKey: kubernetes.io/hostname 1993 weight: 100 1994 - podAffinityTerm: 1995 labelSelector: 1996 matchLabels: 1997 app.kubernetes.io/part-of: argocd 1998 topologyKey: kubernetes.io/hostname 1999 weight: 5 2000 automountServiceAccountToken: false 2001 containers: 2002 - args: 2003 - /usr/local/bin/argocd-commit-server 2004 
env: 2005 - name: ARGOCD_COMMIT_SERVER_LISTEN_ADDRESS 2006 valueFrom: 2007 configMapKeyRef: 2008 key: commitserver.listen.address 2009 name: argocd-cmd-params-cm 2010 optional: true 2011 - name: ARGOCD_COMMIT_SERVER_METRICS_LISTEN_ADDRESS 2012 valueFrom: 2013 configMapKeyRef: 2014 key: commitserver.metrics.listen.address 2015 name: argocd-cmd-params-cm 2016 optional: true 2017 - name: ARGOCD_COMMIT_SERVER_LOGFORMAT 2018 valueFrom: 2019 configMapKeyRef: 2020 key: commitserver.log.format 2021 name: argocd-cmd-params-cm 2022 optional: true 2023 - name: ARGOCD_COMMIT_SERVER_LOGLEVEL 2024 valueFrom: 2025 configMapKeyRef: 2026 key: commitserver.log.level 2027 name: argocd-cmd-params-cm 2028 optional: true 2029 - name: ARGOCD_LOG_FORMAT_TIMESTAMP 2030 valueFrom: 2031 configMapKeyRef: 2032 key: log.format.timestamp 2033 name: argocd-cmd-params-cm 2034 optional: true 2035 image: quay.io/argoproj/argocd:v3.2.1 2036 imagePullPolicy: Always 2037 livenessProbe: 2038 failureThreshold: 3 2039 httpGet: 2040 path: /healthz?full=true 2041 port: 8087 2042 initialDelaySeconds: 30 2043 periodSeconds: 30 2044 timeoutSeconds: 5 2045 name: argocd-commit-server 2046 ports: 2047 - containerPort: 8086 2048 - containerPort: 8087 2049 readinessProbe: 2050 httpGet: 2051 path: /healthz 2052 port: 8087 2053 initialDelaySeconds: 5 2054 periodSeconds: 10 2055 securityContext: 2056 allowPrivilegeEscalation: false 2057 capabilities: 2058 drop: 2059 - ALL 2060 readOnlyRootFilesystem: true 2061 runAsNonRoot: true 2062 seccompProfile: 2063 type: RuntimeDefault 2064 volumeMounts: 2065 - mountPath: /app/config/ssh 2066 name: ssh-known-hosts 2067 - mountPath: /app/config/tls 2068 name: tls-certs 2069 - mountPath: /app/config/gpg/source 2070 name: gpg-keys 2071 - mountPath: /app/config/gpg/keys 2072 name: gpg-keyring 2073 - mountPath: /tmp 2074 name: tmp 2075 serviceAccountName: argocd-commit-server 2076 volumes: 2077 - configMap: 2078 name: argocd-ssh-known-hosts-cm 2079 name: ssh-known-hosts 2080 - 
configMap: 2081 name: argocd-tls-certs-cm 2082 name: tls-certs 2083 - configMap: 2084 name: argocd-gpg-keys-cm 2085 name: gpg-keys 2086 - emptyDir: {} 2087 name: gpg-keyring 2088 - emptyDir: {} 2089 name: tmp 2090 - name: argocd-commit-server-tls 2091 secret: 2092 items: 2093 - key: tls.crt 2094 path: tls.crt 2095 - key: tls.key 2096 path: tls.key 2097 - key: ca.crt 2098 path: ca.crt 2099 optional: true 2100 secretName: argocd-commit-server-tls 2101 --- 2102 apiVersion: apps/v1 2103 kind: Deployment 2104 metadata: 2105 labels: 2106 app.kubernetes.io/component: dex-server 2107 app.kubernetes.io/name: argocd-dex-server 2108 app.kubernetes.io/part-of: argocd 2109 name: argocd-dex-server 2110 spec: 2111 selector: 2112 matchLabels: 2113 app.kubernetes.io/name: argocd-dex-server 2114 template: 2115 metadata: 2116 labels: 2117 app.kubernetes.io/name: argocd-dex-server 2118 spec: 2119 affinity: 2120 podAntiAffinity: 2121 preferredDuringSchedulingIgnoredDuringExecution: 2122 - podAffinityTerm: 2123 labelSelector: 2124 matchLabels: 2125 app.kubernetes.io/part-of: argocd 2126 topologyKey: kubernetes.io/hostname 2127 weight: 5 2128 containers: 2129 - command: 2130 - /shared/argocd-dex 2131 - rundex 2132 env: 2133 - name: ARGOCD_DEX_SERVER_LOGFORMAT 2134 valueFrom: 2135 configMapKeyRef: 2136 key: dexserver.log.format 2137 name: argocd-cmd-params-cm 2138 optional: true 2139 - name: ARGOCD_DEX_SERVER_LOGLEVEL 2140 valueFrom: 2141 configMapKeyRef: 2142 key: dexserver.log.level 2143 name: argocd-cmd-params-cm 2144 optional: true 2145 - name: ARGOCD_LOG_FORMAT_TIMESTAMP 2146 valueFrom: 2147 configMapKeyRef: 2148 key: log.format.timestamp 2149 name: argocd-cmd-params-cm 2150 optional: true 2151 - name: ARGOCD_DEX_SERVER_DISABLE_TLS 2152 valueFrom: 2153 configMapKeyRef: 2154 key: dexserver.disable.tls 2155 name: argocd-cmd-params-cm 2156 optional: true 2157 image: ghcr.io/dexidp/dex:v2.43.0 2158 imagePullPolicy: Always 2159 name: dex 2160 ports: 2161 - containerPort: 5556 2162 - 
containerPort: 5557 2163 - containerPort: 5558 2164 securityContext: 2165 allowPrivilegeEscalation: false 2166 capabilities: 2167 drop: 2168 - ALL 2169 readOnlyRootFilesystem: true 2170 runAsNonRoot: true 2171 seccompProfile: 2172 type: RuntimeDefault 2173 volumeMounts: 2174 - mountPath: /shared 2175 name: static-files 2176 - mountPath: /tmp 2177 name: dexconfig 2178 - mountPath: /tls 2179 name: argocd-dex-server-tls 2180 initContainers: 2181 - command: 2182 - /bin/cp 2183 - -n 2184 - /usr/local/bin/argocd 2185 - /shared/argocd-dex 2186 image: quay.io/argoproj/argocd:v3.2.1 2187 imagePullPolicy: Always 2188 name: copyutil 2189 securityContext: 2190 allowPrivilegeEscalation: false 2191 capabilities: 2192 drop: 2193 - ALL 2194 readOnlyRootFilesystem: true 2195 runAsNonRoot: true 2196 seccompProfile: 2197 type: RuntimeDefault 2198 volumeMounts: 2199 - mountPath: /shared 2200 name: static-files 2201 - mountPath: /tmp 2202 name: dexconfig 2203 nodeSelector: 2204 kubernetes.io/os: linux 2205 serviceAccountName: argocd-dex-server 2206 volumes: 2207 - emptyDir: {} 2208 name: static-files 2209 - emptyDir: {} 2210 name: dexconfig 2211 - name: argocd-dex-server-tls 2212 secret: 2213 items: 2214 - key: tls.crt 2215 path: tls.crt 2216 - key: tls.key 2217 path: tls.key 2218 - key: ca.crt 2219 path: ca.crt 2220 optional: true 2221 secretName: argocd-dex-server-tls 2222 --- 2223 apiVersion: apps/v1 2224 kind: Deployment 2225 metadata: 2226 labels: 2227 app.kubernetes.io/component: notifications-controller 2228 app.kubernetes.io/name: argocd-notifications-controller 2229 app.kubernetes.io/part-of: argocd 2230 name: argocd-notifications-controller 2231 spec: 2232 selector: 2233 matchLabels: 2234 app.kubernetes.io/name: argocd-notifications-controller 2235 strategy: 2236 type: Recreate 2237 template: 2238 metadata: 2239 labels: 2240 app.kubernetes.io/name: argocd-notifications-controller 2241 spec: 2242 containers: 2243 - args: 2244 - /usr/local/bin/argocd-notifications 2245 env: 
2246 - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT 2247 valueFrom: 2248 configMapKeyRef: 2249 key: notificationscontroller.log.format 2250 name: argocd-cmd-params-cm 2251 optional: true 2252 - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGLEVEL 2253 valueFrom: 2254 configMapKeyRef: 2255 key: notificationscontroller.log.level 2256 name: argocd-cmd-params-cm 2257 optional: true 2258 - name: ARGOCD_LOG_FORMAT_TIMESTAMP 2259 valueFrom: 2260 configMapKeyRef: 2261 key: log.format.timestamp 2262 name: argocd-cmd-params-cm 2263 optional: true 2264 - name: ARGOCD_APPLICATION_NAMESPACES 2265 valueFrom: 2266 configMapKeyRef: 2267 key: application.namespaces 2268 name: argocd-cmd-params-cm 2269 optional: true 2270 - name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED 2271 valueFrom: 2272 configMapKeyRef: 2273 key: notificationscontroller.selfservice.enabled 2274 name: argocd-cmd-params-cm 2275 optional: true 2276 - name: ARGOCD_NOTIFICATION_CONTROLLER_REPO_SERVER_PLAINTEXT 2277 valueFrom: 2278 configMapKeyRef: 2279 key: notificationscontroller.repo.server.plaintext 2280 name: argocd-cmd-params-cm 2281 optional: true 2282 image: quay.io/argoproj/argocd:v3.2.1 2283 imagePullPolicy: Always 2284 livenessProbe: 2285 tcpSocket: 2286 port: 9001 2287 name: argocd-notifications-controller 2288 securityContext: 2289 allowPrivilegeEscalation: false 2290 capabilities: 2291 drop: 2292 - ALL 2293 readOnlyRootFilesystem: true 2294 volumeMounts: 2295 - mountPath: /app/config/tls 2296 name: tls-certs 2297 - mountPath: /app/config/reposerver/tls 2298 name: argocd-repo-server-tls 2299 workingDir: /app 2300 nodeSelector: 2301 kubernetes.io/os: linux 2302 securityContext: 2303 runAsNonRoot: true 2304 seccompProfile: 2305 type: RuntimeDefault 2306 serviceAccountName: argocd-notifications-controller 2307 volumes: 2308 - configMap: 2309 name: argocd-tls-certs-cm 2310 name: tls-certs 2311 - name: argocd-repo-server-tls 2312 secret: 2313 items: 2314 - key: tls.crt 2315 path: tls.crt 
2316 - key: tls.key 2317 path: tls.key 2318 - key: ca.crt 2319 path: ca.crt 2320 optional: true 2321 secretName: argocd-repo-server-tls 2322 --- 2323 apiVersion: apps/v1 2324 kind: Deployment 2325 metadata: 2326 labels: 2327 app.kubernetes.io/component: redis 2328 app.kubernetes.io/name: argocd-redis-ha-haproxy 2329 app.kubernetes.io/part-of: argocd 2330 name: argocd-redis-ha-haproxy 2331 spec: 2332 replicas: 3 2333 revisionHistoryLimit: 1 2334 selector: 2335 matchLabels: 2336 app.kubernetes.io/name: argocd-redis-ha-haproxy 2337 strategy: 2338 type: RollingUpdate 2339 template: 2340 metadata: 2341 annotations: 2342 checksum/config: cd6508bdf9819601c454d0cc491fb77a209e3a88761d92514d105b6681829953 2343 prometheus.io/path: /metrics 2344 prometheus.io/port: "9101" 2345 prometheus.io/scrape: "true" 2346 labels: 2347 app.kubernetes.io/name: argocd-redis-ha-haproxy 2348 name: argocd-redis-ha-haproxy 2349 spec: 2350 affinity: 2351 podAntiAffinity: 2352 requiredDuringSchedulingIgnoredDuringExecution: 2353 - labelSelector: 2354 matchLabels: 2355 app.kubernetes.io/name: argocd-redis-ha-haproxy 2356 topologyKey: kubernetes.io/hostname 2357 automountServiceAccountToken: true 2358 containers: 2359 - env: 2360 - name: AUTH 2361 valueFrom: 2362 secretKeyRef: 2363 key: auth 2364 name: argocd-redis 2365 image: public.ecr.aws/docker/library/haproxy:3.0.8-alpine 2366 imagePullPolicy: IfNotPresent 2367 lifecycle: {} 2368 livenessProbe: 2369 httpGet: 2370 path: /healthz 2371 port: probe 2372 initialDelaySeconds: 5 2373 periodSeconds: 3 2374 name: haproxy 2375 ports: 2376 - containerPort: 8888 2377 name: probe 2378 - containerPort: 6379 2379 name: redis 2380 - containerPort: 9101 2381 name: metrics-port 2382 readinessProbe: 2383 httpGet: 2384 path: /healthz 2385 port: probe 2386 initialDelaySeconds: 5 2387 periodSeconds: 3 2388 securityContext: 2389 allowPrivilegeEscalation: false 2390 capabilities: 2391 drop: 2392 - ALL 2393 readOnlyRootFilesystem: true 2394 seccompProfile: 2395 type: 
RuntimeDefault 2396 volumeMounts: 2397 - mountPath: /usr/local/etc/haproxy 2398 name: data 2399 - mountPath: /run/haproxy 2400 name: shared-socket 2401 initContainers: 2402 - command: 2403 - argocd 2404 - admin 2405 - redis-initial-password 2406 image: quay.io/argoproj/argocd:v3.2.1 2407 imagePullPolicy: IfNotPresent 2408 name: secret-init 2409 securityContext: 2410 allowPrivilegeEscalation: false 2411 capabilities: 2412 drop: 2413 - ALL 2414 readOnlyRootFilesystem: true 2415 runAsNonRoot: true 2416 seccompProfile: 2417 type: RuntimeDefault 2418 - args: 2419 - /readonly/haproxy_init.sh 2420 command: 2421 - sh 2422 image: public.ecr.aws/docker/library/haproxy:3.0.8-alpine 2423 imagePullPolicy: IfNotPresent 2424 name: config-init 2425 securityContext: 2426 allowPrivilegeEscalation: false 2427 capabilities: 2428 drop: 2429 - ALL 2430 readOnlyRootFilesystem: true 2431 seccompProfile: 2432 type: RuntimeDefault 2433 volumeMounts: 2434 - mountPath: /readonly 2435 name: config-volume 2436 readOnly: true 2437 - mountPath: /data 2438 name: data 2439 securityContext: 2440 fsGroup: 99 2441 runAsNonRoot: true 2442 runAsUser: 99 2443 serviceAccountName: argocd-redis-ha-haproxy 2444 volumes: 2445 - configMap: 2446 name: argocd-redis-ha-configmap 2447 name: config-volume 2448 - emptyDir: {} 2449 name: shared-socket 2450 - emptyDir: {} 2451 name: data 2452 --- 2453 apiVersion: apps/v1 2454 kind: Deployment 2455 metadata: 2456 labels: 2457 app.kubernetes.io/component: repo-server 2458 app.kubernetes.io/name: argocd-repo-server 2459 app.kubernetes.io/part-of: argocd 2460 name: argocd-repo-server 2461 spec: 2462 replicas: 2 2463 selector: 2464 matchLabels: 2465 app.kubernetes.io/name: argocd-repo-server 2466 template: 2467 metadata: 2468 labels: 2469 app.kubernetes.io/name: argocd-repo-server 2470 spec: 2471 affinity: 2472 podAntiAffinity: 2473 preferredDuringSchedulingIgnoredDuringExecution: 2474 - podAffinityTerm: 2475 labelSelector: 2476 matchLabels: 2477 app.kubernetes.io/name: 
argocd-repo-server 2478 topologyKey: topology.kubernetes.io/zone 2479 weight: 100 2480 requiredDuringSchedulingIgnoredDuringExecution: 2481 - labelSelector: 2482 matchLabels: 2483 app.kubernetes.io/name: argocd-repo-server 2484 topologyKey: kubernetes.io/hostname 2485 automountServiceAccountToken: false 2486 containers: 2487 - args: 2488 - /usr/local/bin/argocd-repo-server 2489 env: 2490 - name: REDIS_PASSWORD 2491 valueFrom: 2492 secretKeyRef: 2493 key: auth 2494 name: argocd-redis 2495 - name: ARGOCD_RECONCILIATION_TIMEOUT 2496 valueFrom: 2497 configMapKeyRef: 2498 key: timeout.reconciliation 2499 name: argocd-cm 2500 optional: true 2501 - name: ARGOCD_REPO_SERVER_LOGFORMAT 2502 valueFrom: 2503 configMapKeyRef: 2504 key: reposerver.log.format 2505 name: argocd-cmd-params-cm 2506 optional: true 2507 - name: ARGOCD_REPO_SERVER_LOGLEVEL 2508 valueFrom: 2509 configMapKeyRef: 2510 key: reposerver.log.level 2511 name: argocd-cmd-params-cm 2512 optional: true 2513 - name: ARGOCD_LOG_FORMAT_TIMESTAMP 2514 valueFrom: 2515 configMapKeyRef: 2516 key: log.format.timestamp 2517 name: argocd-cmd-params-cm 2518 optional: true 2519 - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT 2520 valueFrom: 2521 configMapKeyRef: 2522 key: reposerver.parallelism.limit 2523 name: argocd-cmd-params-cm 2524 optional: true 2525 - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS 2526 valueFrom: 2527 configMapKeyRef: 2528 key: reposerver.listen.address 2529 name: argocd-cmd-params-cm 2530 optional: true 2531 - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS 2532 valueFrom: 2533 configMapKeyRef: 2534 key: reposerver.metrics.listen.address 2535 name: argocd-cmd-params-cm 2536 optional: true 2537 - name: ARGOCD_REPO_SERVER_DISABLE_TLS 2538 valueFrom: 2539 configMapKeyRef: 2540 key: reposerver.disable.tls 2541 name: argocd-cmd-params-cm 2542 optional: true 2543 - name: ARGOCD_TLS_MIN_VERSION 2544 valueFrom: 2545 configMapKeyRef: 2546 key: reposerver.tls.minversion 2547 name: argocd-cmd-params-cm 2548 optional: 
true 2549 - name: ARGOCD_TLS_MAX_VERSION 2550 valueFrom: 2551 configMapKeyRef: 2552 key: reposerver.tls.maxversion 2553 name: argocd-cmd-params-cm 2554 optional: true 2555 - name: ARGOCD_TLS_CIPHERS 2556 valueFrom: 2557 configMapKeyRef: 2558 key: reposerver.tls.ciphers 2559 name: argocd-cmd-params-cm 2560 optional: true 2561 - name: ARGOCD_REPO_CACHE_EXPIRATION 2562 valueFrom: 2563 configMapKeyRef: 2564 key: reposerver.repo.cache.expiration 2565 name: argocd-cmd-params-cm 2566 optional: true 2567 - name: REDIS_SERVER 2568 valueFrom: 2569 configMapKeyRef: 2570 key: redis.server 2571 name: argocd-cmd-params-cm 2572 optional: true 2573 - name: REDIS_COMPRESSION 2574 valueFrom: 2575 configMapKeyRef: 2576 key: redis.compression 2577 name: argocd-cmd-params-cm 2578 optional: true 2579 - name: REDISDB 2580 valueFrom: 2581 configMapKeyRef: 2582 key: redis.db 2583 name: argocd-cmd-params-cm 2584 optional: true 2585 - name: ARGOCD_DEFAULT_CACHE_EXPIRATION 2586 valueFrom: 2587 configMapKeyRef: 2588 key: reposerver.default.cache.expiration 2589 name: argocd-cmd-params-cm 2590 optional: true 2591 - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS 2592 valueFrom: 2593 configMapKeyRef: 2594 key: otlp.address 2595 name: argocd-cmd-params-cm 2596 optional: true 2597 - name: ARGOCD_REPO_SERVER_OTLP_INSECURE 2598 valueFrom: 2599 configMapKeyRef: 2600 key: otlp.insecure 2601 name: argocd-cmd-params-cm 2602 optional: true 2603 - name: ARGOCD_REPO_SERVER_OTLP_HEADERS 2604 valueFrom: 2605 configMapKeyRef: 2606 key: otlp.headers 2607 name: argocd-cmd-params-cm 2608 optional: true 2609 - name: ARGOCD_REPO_SERVER_OTLP_ATTRS 2610 valueFrom: 2611 configMapKeyRef: 2612 key: otlp.attrs 2613 name: argocd-cmd-params-cm 2614 optional: true 2615 - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE 2616 valueFrom: 2617 configMapKeyRef: 2618 key: reposerver.max.combined.directory.manifests.size 2619 name: argocd-cmd-params-cm 2620 optional: true 2621 - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS 
2622 valueFrom: 2623 configMapKeyRef: 2624 key: reposerver.plugin.tar.exclusions 2625 name: argocd-cmd-params-cm 2626 optional: true 2627 - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS 2628 valueFrom: 2629 configMapKeyRef: 2630 key: reposerver.plugin.use.manifest.generate.paths 2631 name: argocd-cmd-params-cm 2632 optional: true 2633 - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS 2634 valueFrom: 2635 configMapKeyRef: 2636 key: reposerver.allow.oob.symlinks 2637 name: argocd-cmd-params-cm 2638 optional: true 2639 - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE 2640 valueFrom: 2641 configMapKeyRef: 2642 key: reposerver.streamed.manifest.max.tar.size 2643 name: argocd-cmd-params-cm 2644 optional: true 2645 - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE 2646 valueFrom: 2647 configMapKeyRef: 2648 key: reposerver.streamed.manifest.max.extracted.size 2649 name: argocd-cmd-params-cm 2650 optional: true 2651 - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE 2652 valueFrom: 2653 configMapKeyRef: 2654 key: reposerver.helm.manifest.max.extracted.size 2655 name: argocd-cmd-params-cm 2656 optional: true 2657 - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE 2658 valueFrom: 2659 configMapKeyRef: 2660 key: reposerver.disable.helm.manifest.max.extracted.size 2661 name: argocd-cmd-params-cm 2662 optional: true 2663 - name: ARGOCD_REPO_SERVER_OCI_MANIFEST_MAX_EXTRACTED_SIZE 2664 valueFrom: 2665 configMapKeyRef: 2666 key: reposerver.oci.manifest.max.extracted.size 2667 name: argocd-cmd-params-cm 2668 optional: true 2669 - name: ARGOCD_REPO_SERVER_DISABLE_OCI_MANIFEST_MAX_EXTRACTED_SIZE 2670 valueFrom: 2671 configMapKeyRef: 2672 key: reposerver.disable.oci.manifest.max.extracted.size 2673 name: argocd-cmd-params-cm 2674 optional: true 2675 - name: ARGOCD_REPO_SERVER_OCI_LAYER_MEDIA_TYPES 2676 valueFrom: 2677 configMapKeyRef: 2678 key: reposerver.oci.layer.media.types 2679 name: argocd-cmd-params-cm 2680 
optional: true 2681 - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT 2682 valueFrom: 2683 configMapKeyRef: 2684 key: reposerver.revision.cache.lock.timeout 2685 name: argocd-cmd-params-cm 2686 optional: true 2687 - name: ARGOCD_GIT_MODULES_ENABLED 2688 valueFrom: 2689 configMapKeyRef: 2690 key: reposerver.enable.git.submodule 2691 name: argocd-cmd-params-cm 2692 optional: true 2693 - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT 2694 valueFrom: 2695 configMapKeyRef: 2696 key: reposerver.git.lsremote.parallelism.limit 2697 name: argocd-cmd-params-cm 2698 optional: true 2699 - name: ARGOCD_GIT_REQUEST_TIMEOUT 2700 valueFrom: 2701 configMapKeyRef: 2702 key: reposerver.git.request.timeout 2703 name: argocd-cmd-params-cm 2704 optional: true 2705 - name: ARGOCD_REPO_SERVER_ENABLE_BUILTIN_GIT_CONFIG 2706 valueFrom: 2707 configMapKeyRef: 2708 key: reposerver.enable.builtin.git.config 2709 name: argocd-cmd-params-cm 2710 optional: true 2711 - name: ARGOCD_GRPC_MAX_SIZE_MB 2712 valueFrom: 2713 configMapKeyRef: 2714 key: reposerver.grpc.max.size 2715 name: argocd-cmd-params-cm 2716 optional: true 2717 - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES 2718 valueFrom: 2719 configMapKeyRef: 2720 key: reposerver.include.hidden.directories 2721 name: argocd-cmd-params-cm 2722 optional: true 2723 - name: HELM_CACHE_HOME 2724 value: /helm-working-dir 2725 - name: HELM_CONFIG_HOME 2726 value: /helm-working-dir 2727 - name: HELM_DATA_HOME 2728 value: /helm-working-dir 2729 image: quay.io/argoproj/argocd:v3.2.1 2730 imagePullPolicy: Always 2731 livenessProbe: 2732 failureThreshold: 3 2733 httpGet: 2734 path: /healthz?full=true 2735 port: 8084 2736 initialDelaySeconds: 30 2737 periodSeconds: 30 2738 timeoutSeconds: 5 2739 name: argocd-repo-server 2740 ports: 2741 - containerPort: 8081 2742 - containerPort: 8084 2743 readinessProbe: 2744 httpGet: 2745 path: /healthz 2746 port: 8084 2747 initialDelaySeconds: 5 2748 periodSeconds: 10 2749 securityContext: 2750 allowPrivilegeEscalation: false 
2751 capabilities: 2752 drop: 2753 - ALL 2754 readOnlyRootFilesystem: true 2755 runAsNonRoot: true 2756 seccompProfile: 2757 type: RuntimeDefault 2758 volumeMounts: 2759 - mountPath: /app/config/ssh 2760 name: ssh-known-hosts 2761 - mountPath: /app/config/tls 2762 name: tls-certs 2763 - mountPath: /app/config/gpg/source 2764 name: gpg-keys 2765 - mountPath: /app/config/gpg/keys 2766 name: gpg-keyring 2767 - mountPath: /app/config/reposerver/tls 2768 name: argocd-repo-server-tls 2769 - mountPath: /tmp 2770 name: tmp 2771 - mountPath: /helm-working-dir 2772 name: helm-working-dir 2773 - mountPath: /home/argocd/cmp-server/plugins 2774 name: plugins 2775 initContainers: 2776 - command: 2777 - /bin/cp 2778 - -n 2779 - /usr/local/bin/argocd 2780 - /var/run/argocd/argocd-cmp-server 2781 image: quay.io/argoproj/argocd:v3.2.1 2782 name: copyutil 2783 securityContext: 2784 allowPrivilegeEscalation: false 2785 capabilities: 2786 drop: 2787 - ALL 2788 readOnlyRootFilesystem: true 2789 runAsNonRoot: true 2790 seccompProfile: 2791 type: RuntimeDefault 2792 volumeMounts: 2793 - mountPath: /var/run/argocd 2794 name: var-files 2795 nodeSelector: 2796 kubernetes.io/os: linux 2797 serviceAccountName: argocd-repo-server 2798 volumes: 2799 - configMap: 2800 name: argocd-ssh-known-hosts-cm 2801 name: ssh-known-hosts 2802 - configMap: 2803 name: argocd-tls-certs-cm 2804 name: tls-certs 2805 - configMap: 2806 name: argocd-gpg-keys-cm 2807 name: gpg-keys 2808 - emptyDir: {} 2809 name: gpg-keyring 2810 - emptyDir: {} 2811 name: tmp 2812 - emptyDir: {} 2813 name: helm-working-dir 2814 - name: argocd-repo-server-tls 2815 secret: 2816 items: 2817 - key: tls.crt 2818 path: tls.crt 2819 - key: tls.key 2820 path: tls.key 2821 - key: ca.crt 2822 path: ca.crt 2823 optional: true 2824 secretName: argocd-repo-server-tls 2825 - emptyDir: {} 2826 name: var-files 2827 - emptyDir: {} 2828 name: plugins 2829 --- 2830 apiVersion: apps/v1 2831 kind: Deployment 2832 metadata: 2833 labels: 2834 
app.kubernetes.io/component: server 2835 app.kubernetes.io/name: argocd-server 2836 app.kubernetes.io/part-of: argocd 2837 name: argocd-server 2838 spec: 2839 replicas: 2 2840 selector: 2841 matchLabels: 2842 app.kubernetes.io/name: argocd-server 2843 template: 2844 metadata: 2845 labels: 2846 app.kubernetes.io/name: argocd-server 2847 spec: 2848 affinity: 2849 podAntiAffinity: 2850 preferredDuringSchedulingIgnoredDuringExecution: 2851 - podAffinityTerm: 2852 labelSelector: 2853 matchLabels: 2854 app.kubernetes.io/name: argocd-server 2855 topologyKey: topology.kubernetes.io/zone 2856 weight: 100 2857 requiredDuringSchedulingIgnoredDuringExecution: 2858 - labelSelector: 2859 matchLabels: 2860 app.kubernetes.io/name: argocd-server 2861 topologyKey: kubernetes.io/hostname 2862 containers: 2863 - args: 2864 - /usr/local/bin/argocd-server 2865 env: 2866 - name: ARGOCD_API_SERVER_REPLICAS 2867 value: "2" 2868 - name: REDIS_PASSWORD 2869 valueFrom: 2870 secretKeyRef: 2871 key: auth 2872 name: argocd-redis 2873 - name: ARGOCD_SERVER_INSECURE 2874 valueFrom: 2875 configMapKeyRef: 2876 key: server.insecure 2877 name: argocd-cmd-params-cm 2878 optional: true 2879 - name: ARGOCD_SERVER_BASEHREF 2880 valueFrom: 2881 configMapKeyRef: 2882 key: server.basehref 2883 name: argocd-cmd-params-cm 2884 optional: true 2885 - name: ARGOCD_SERVER_ROOTPATH 2886 valueFrom: 2887 configMapKeyRef: 2888 key: server.rootpath 2889 name: argocd-cmd-params-cm 2890 optional: true 2891 - name: ARGOCD_SERVER_LOGFORMAT 2892 valueFrom: 2893 configMapKeyRef: 2894 key: server.log.format 2895 name: argocd-cmd-params-cm 2896 optional: true 2897 - name: ARGOCD_SERVER_LOG_LEVEL 2898 valueFrom: 2899 configMapKeyRef: 2900 key: server.log.level 2901 name: argocd-cmd-params-cm 2902 optional: true 2903 - name: ARGOCD_SERVER_REPO_SERVER 2904 valueFrom: 2905 configMapKeyRef: 2906 key: repo.server 2907 name: argocd-cmd-params-cm 2908 optional: true 2909 - name: ARGOCD_SERVER_DEX_SERVER 2910 valueFrom: 2911 
configMapKeyRef: 2912 key: server.dex.server 2913 name: argocd-cmd-params-cm 2914 optional: true 2915 - name: ARGOCD_SERVER_DISABLE_AUTH 2916 valueFrom: 2917 configMapKeyRef: 2918 key: server.disable.auth 2919 name: argocd-cmd-params-cm 2920 optional: true 2921 - name: ARGOCD_SERVER_ENABLE_GZIP 2922 valueFrom: 2923 configMapKeyRef: 2924 key: server.enable.gzip 2925 name: argocd-cmd-params-cm 2926 optional: true 2927 - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS 2928 valueFrom: 2929 configMapKeyRef: 2930 key: server.repo.server.timeout.seconds 2931 name: argocd-cmd-params-cm 2932 optional: true 2933 - name: ARGOCD_SERVER_X_FRAME_OPTIONS 2934 valueFrom: 2935 configMapKeyRef: 2936 key: server.x.frame.options 2937 name: argocd-cmd-params-cm 2938 optional: true 2939 - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY 2940 valueFrom: 2941 configMapKeyRef: 2942 key: server.content.security.policy 2943 name: argocd-cmd-params-cm 2944 optional: true 2945 - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT 2946 valueFrom: 2947 configMapKeyRef: 2948 key: server.repo.server.plaintext 2949 name: argocd-cmd-params-cm 2950 optional: true 2951 - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS 2952 valueFrom: 2953 configMapKeyRef: 2954 key: server.repo.server.strict.tls 2955 name: argocd-cmd-params-cm 2956 optional: true 2957 - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT 2958 valueFrom: 2959 configMapKeyRef: 2960 key: server.dex.server.plaintext 2961 name: argocd-cmd-params-cm 2962 optional: true 2963 - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS 2964 valueFrom: 2965 configMapKeyRef: 2966 key: server.dex.server.strict.tls 2967 name: argocd-cmd-params-cm 2968 optional: true 2969 - name: ARGOCD_TLS_MIN_VERSION 2970 valueFrom: 2971 configMapKeyRef: 2972 key: server.tls.minversion 2973 name: argocd-cmd-params-cm 2974 optional: true 2975 - name: ARGOCD_TLS_MAX_VERSION 2976 valueFrom: 2977 configMapKeyRef: 2978 key: server.tls.maxversion 2979 name: argocd-cmd-params-cm 2980 optional: true 2981 - name: 
ARGOCD_TLS_CIPHERS 2982 valueFrom: 2983 configMapKeyRef: 2984 key: server.tls.ciphers 2985 name: argocd-cmd-params-cm 2986 optional: true 2987 - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION 2988 valueFrom: 2989 configMapKeyRef: 2990 key: server.connection.status.cache.expiration 2991 name: argocd-cmd-params-cm 2992 optional: true 2993 - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION 2994 valueFrom: 2995 configMapKeyRef: 2996 key: server.oidc.cache.expiration 2997 name: argocd-cmd-params-cm 2998 optional: true 2999 - name: ARGOCD_SERVER_STATIC_ASSETS 3000 valueFrom: 3001 configMapKeyRef: 3002 key: server.staticassets 3003 name: argocd-cmd-params-cm 3004 optional: true 3005 - name: ARGOCD_APP_STATE_CACHE_EXPIRATION 3006 valueFrom: 3007 configMapKeyRef: 3008 key: server.app.state.cache.expiration 3009 name: argocd-cmd-params-cm 3010 optional: true 3011 - name: REDIS_SERVER 3012 valueFrom: 3013 configMapKeyRef: 3014 key: redis.server 3015 name: argocd-cmd-params-cm 3016 optional: true 3017 - name: REDIS_COMPRESSION 3018 valueFrom: 3019 configMapKeyRef: 3020 key: redis.compression 3021 name: argocd-cmd-params-cm 3022 optional: true 3023 - name: REDISDB 3024 valueFrom: 3025 configMapKeyRef: 3026 key: redis.db 3027 name: argocd-cmd-params-cm 3028 optional: true 3029 - name: ARGOCD_DEFAULT_CACHE_EXPIRATION 3030 valueFrom: 3031 configMapKeyRef: 3032 key: server.default.cache.expiration 3033 name: argocd-cmd-params-cm 3034 optional: true 3035 - name: ARGOCD_MAX_COOKIE_NUMBER 3036 valueFrom: 3037 configMapKeyRef: 3038 key: server.http.cookie.maxnumber 3039 name: argocd-cmd-params-cm 3040 optional: true 3041 - name: ARGOCD_SERVER_LISTEN_ADDRESS 3042 valueFrom: 3043 configMapKeyRef: 3044 key: server.listen.address 3045 name: argocd-cmd-params-cm 3046 optional: true 3047 - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS 3048 valueFrom: 3049 configMapKeyRef: 3050 key: server.metrics.listen.address 3051 name: argocd-cmd-params-cm 3052 optional: true 3053 - name: 
ARGOCD_SERVER_OTLP_ADDRESS 3054 valueFrom: 3055 configMapKeyRef: 3056 key: otlp.address 3057 name: argocd-cmd-params-cm 3058 optional: true 3059 - name: ARGOCD_SERVER_OTLP_INSECURE 3060 valueFrom: 3061 configMapKeyRef: 3062 key: otlp.insecure 3063 name: argocd-cmd-params-cm 3064 optional: true 3065 - name: ARGOCD_SERVER_OTLP_HEADERS 3066 valueFrom: 3067 configMapKeyRef: 3068 key: otlp.headers 3069 name: argocd-cmd-params-cm 3070 optional: true 3071 - name: ARGOCD_SERVER_OTLP_ATTRS 3072 valueFrom: 3073 configMapKeyRef: 3074 key: otlp.attrs 3075 name: argocd-cmd-params-cm 3076 optional: true 3077 - name: ARGOCD_APPLICATION_NAMESPACES 3078 valueFrom: 3079 configMapKeyRef: 3080 key: application.namespaces 3081 name: argocd-cmd-params-cm 3082 optional: true 3083 - name: ARGOCD_SERVER_ENABLE_PROXY_EXTENSION 3084 valueFrom: 3085 configMapKeyRef: 3086 key: server.enable.proxy.extension 3087 name: argocd-cmd-params-cm 3088 optional: true 3089 - name: ARGOCD_K8SCLIENT_RETRY_MAX 3090 valueFrom: 3091 configMapKeyRef: 3092 key: server.k8sclient.retry.max 3093 name: argocd-cmd-params-cm 3094 optional: true 3095 - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF 3096 valueFrom: 3097 configMapKeyRef: 3098 key: server.k8sclient.retry.base.backoff 3099 name: argocd-cmd-params-cm 3100 optional: true 3101 - name: ARGOCD_API_CONTENT_TYPES 3102 valueFrom: 3103 configMapKeyRef: 3104 key: server.api.content.types 3105 name: argocd-cmd-params-cm 3106 optional: true 3107 - name: ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT 3108 valueFrom: 3109 configMapKeyRef: 3110 key: server.webhook.parallelism.limit 3111 name: argocd-cmd-params-cm 3112 optional: true 3113 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING 3114 valueFrom: 3115 configMapKeyRef: 3116 key: applicationsetcontroller.enable.new.git.file.globbing 3117 name: argocd-cmd-params-cm 3118 optional: true 3119 - name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH 3120 valueFrom: 3121 configMapKeyRef: 3122 key: 
applicationsetcontroller.scm.root.ca.path 3123 name: argocd-cmd-params-cm 3124 optional: true 3125 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS 3126 valueFrom: 3127 configMapKeyRef: 3128 key: applicationsetcontroller.allowed.scm.providers 3129 name: argocd-cmd-params-cm 3130 optional: true 3131 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS 3132 valueFrom: 3133 configMapKeyRef: 3134 key: applicationsetcontroller.enable.scm.providers 3135 name: argocd-cmd-params-cm 3136 optional: true 3137 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS 3138 valueFrom: 3139 configMapKeyRef: 3140 key: applicationsetcontroller.enable.github.api.metrics 3141 name: argocd-cmd-params-cm 3142 optional: true 3143 - name: ARGOCD_HYDRATOR_ENABLED 3144 valueFrom: 3145 configMapKeyRef: 3146 key: hydrator.enabled 3147 name: argocd-cmd-params-cm 3148 optional: true 3149 - name: ARGOCD_SYNC_WITH_REPLACE_ALLOWED 3150 valueFrom: 3151 configMapKeyRef: 3152 key: server.sync.replace.allowed 3153 name: argocd-cmd-params-cm 3154 optional: true 3155 image: quay.io/argoproj/argocd:v3.2.1 3156 imagePullPolicy: Always 3157 livenessProbe: 3158 httpGet: 3159 path: /healthz?full=true 3160 port: 8080 3161 initialDelaySeconds: 3 3162 periodSeconds: 30 3163 timeoutSeconds: 5 3164 name: argocd-server 3165 ports: 3166 - containerPort: 8080 3167 - containerPort: 8083 3168 readinessProbe: 3169 httpGet: 3170 path: /healthz 3171 port: 8080 3172 initialDelaySeconds: 3 3173 periodSeconds: 30 3174 securityContext: 3175 allowPrivilegeEscalation: false 3176 capabilities: 3177 drop: 3178 - ALL 3179 readOnlyRootFilesystem: true 3180 runAsNonRoot: true 3181 seccompProfile: 3182 type: RuntimeDefault 3183 volumeMounts: 3184 - mountPath: /app/config/ssh 3185 name: ssh-known-hosts 3186 - mountPath: /app/config/tls 3187 name: tls-certs 3188 - mountPath: /app/config/server/tls 3189 name: argocd-repo-server-tls 3190 - mountPath: /app/config/dex/tls 3191 name: argocd-dex-server-tls 
# Remainder of the argocd-server Deployment (its header is earlier in the
# file): the last volumeMounts of the container, then the pod-level fields.
            - mountPath: /home/argocd
              name: plugins-home
            - mountPath: /tmp
              name: tmp
            - mountPath: /home/argocd/params
              name: argocd-cmd-params-cm
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: argocd-server
      volumes:
        # emptyDir volumes backing the /home/argocd and /tmp mounts above.
        - emptyDir: {}
          name: plugins-home
        - emptyDir: {}
          name: tmp
        - configMap:
            name: argocd-ssh-known-hosts-cm
          name: ssh-known-hosts
        - configMap:
            name: argocd-tls-certs-cm
          name: tls-certs
        # NOTE(review): this projection includes tls.key from the repo-server
        # secret, while the dex projection below carries only tls.crt and
        # ca.crt. Confirm the API server needs the repo-server private key.
        - name: argocd-repo-server-tls
          secret:
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
              - key: ca.crt
                path: ca.crt
            # optional: the pod still starts when the Secret does not exist.
            optional: true
            secretName: argocd-repo-server-tls
        - name: argocd-dex-server-tls
          secret:
            items:
              - key: tls.crt
                path: tls.crt
              - key: ca.crt
                path: ca.crt
            optional: true
            secretName: argocd-dex-server-tls
        - configMap:
            items:
              - key: server.profile.enabled
                path: profiler.enabled
            name: argocd-cmd-params-cm
            optional: true
          name: argocd-cmd-params-cm
---
# StatefulSet for the Argo CD application controller. Almost every setting is
# read from an optional ConfigMap key, so a missing key leaves the variable
# unset rather than failing the pod.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  serviceName: argocd-application-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-application-controller
    spec:
      affinity:
        # Soft anti-affinity only: the scheduler prefers, but does not
        # require, separate nodes.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: argocd-application-controller
                topologyKey: kubernetes.io/hostname
              weight: 100
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/part-of: argocd
                topologyKey: kubernetes.io/hostname
              weight: 5
      containers:
        - args:
            - /usr/local/bin/argocd-application-controller
          env:
            # The Redis password is injected as an environment variable from
            # the argocd-redis Secret (key "auth"); anything that can read the
            # process environment or exec into the container can read it.
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: auth
                  name: argocd-redis
            # Same value as spec.replicas above.
            # NOTE(review): presumably the two must be changed together when
            # scaling; confirm.
            - name: ARGOCD_CONTROLLER_REPLICAS
              value: "1"
            # The three reconciliation settings come from argocd-cm; all
            # later ConfigMap references use argocd-cmd-params-cm.
            - name: ARGOCD_RECONCILIATION_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  key: timeout.reconciliation
                  name: argocd-cm
                  optional: true
            - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  key: timeout.hard.reconciliation
                  name: argocd-cm
                  optional: true
            - name: ARGOCD_RECONCILIATION_JITTER
              valueFrom:
                configMapKeyRef:
                  key: timeout.reconciliation.jitter
                  name: argocd-cm
                  optional: true
            - name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
              valueFrom:
                configMapKeyRef:
                  key: controller.repo.error.grace.period.seconds
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
              valueFrom:
                configMapKeyRef:
                  key: repo.server
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
              valueFrom:
                configMapKeyRef:
                  key: controller.repo.server.timeout.seconds
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
              valueFrom:
                configMapKeyRef:
                  key: controller.status.processors
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
              valueFrom:
                configMapKeyRef:
                  key: controller.operation.processors
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
              valueFrom:
                configMapKeyRef:
                  key: controller.log.format
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
              valueFrom:
                configMapKeyRef:
                  key: controller.log.level
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_LOG_FORMAT_TIMESTAMP
              valueFrom:
                configMapKeyRef:
                  key: log.format.timestamp
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
              valueFrom:
                configMapKeyRef:
                  key: controller.metrics.cache.expiration
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
              valueFrom:
                configMapKeyRef:
                  key: controller.self.heal.timeout.seconds
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
              valueFrom:
                configMapKeyRef:
                  key: controller.self.heal.backoff.timeout.seconds
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
              valueFrom:
                configMapKeyRef:
                  key: controller.self.heal.backoff.factor
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
              valueFrom:
                configMapKeyRef:
                  key: controller.self.heal.backoff.cap.seconds
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_COOLDOWN_SECONDS
              valueFrom:
                configMapKeyRef:
                  key: controller.self.heal.backoff.cooldown.seconds
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_SYNC_WAVE_DELAY
              valueFrom:
                configMapKeyRef:
                  key: controller.sync.wave.delay.seconds
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_SYNC_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  key: controller.sync.timeout.seconds
                  name: argocd-cmd-params-cm
                  optional: true
            # NOTE(review): the next two keys presumably decide whether the
            # controller reaches the repo-server without TLS and whether it
            # verifies the repo-server certificate. Both are optional, so the
            # binary's defaults apply when unset; confirm the effective
            # values in argocd-cmd-params-cm.
            - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
              valueFrom:
                configMapKeyRef:
                  key: controller.repo.server.plaintext
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
              valueFrom:
                configMapKeyRef:
                  key: controller.repo.server.strict.tls
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
              valueFrom:
                configMapKeyRef:
                  key: controller.resource.health.persist
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
              valueFrom:
                configMapKeyRef:
                  key: controller.app.state.cache.expiration
                  name: argocd-cmd-params-cm
                  optional: true
            - name: REDIS_SERVER
              valueFrom:
                configMapKeyRef:
                  key: redis.server
                  name: argocd-cmd-params-cm
                  optional: true
            - name: REDIS_COMPRESSION
              valueFrom:
                configMapKeyRef:
                  key: redis.compression
                  name: argocd-cmd-params-cm
                  optional: true
            - name: REDISDB
              valueFrom:
                configMapKeyRef:
                  key: redis.db
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
              valueFrom:
                configMapKeyRef:
                  key: controller.default.cache.expiration
                  name: argocd-cmd-params-cm
                  optional: true
            # OTLP exporter settings.
            # NOTE(review): otlp.insecure presumably turns off transport
            # security towards the collector, and otlp.headers may carry
            # credentials held in a ConfigMap rather than a Secret; confirm
            # before setting either.
            - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
              valueFrom:
                configMapKeyRef:
                  key: otlp.address
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
              valueFrom:
                configMapKeyRef:
                  key: otlp.insecure
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
              valueFrom:
                configMapKeyRef:
                  key: otlp.headers
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ATTRS
              valueFrom:
                configMapKeyRef:
                  key: otlp.attrs
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_NAMESPACES
              valueFrom:
                configMapKeyRef:
                  key: application.namespaces
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
              valueFrom:
                configMapKeyRef:
                  key: controller.sharding.algorithm
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
              valueFrom:
                configMapKeyRef:
                  key: controller.kubectl.parallelism.limit
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_K8SCLIENT_RETRY_MAX
              valueFrom:
                configMapKeyRef:
                  key: controller.k8sclient.retry.max
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
              valueFrom:
                configMapKeyRef:
                  key: controller.k8sclient.retry.base.backoff
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
              valueFrom:
                configMapKeyRef:
                  key: controller.diff.server.side
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  key: controller.ignore.normalizer.jq.timeout
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_HYDRATOR_ENABLED
              valueFrom:
                configMapKeyRef:
                  key: hydrator.enabled
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING
              valueFrom:
                configMapKeyRef:
                  key: controller.cluster.cache.batch.events.processing
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL
              valueFrom:
                configMapKeyRef:
                  key: controller.cluster.cache.events.processing.interval
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_APPLICATION_CONTROLLER_COMMIT_SERVER
              valueFrom:
# Remainder of the argocd-application-controller StatefulSet: the end of its
# env list, then image, probe, hardening and volumes.
                configMapKeyRef:
                  key: commit.server
                  name: argocd-cmd-params-cm
                  optional: true
            - name: KUBECACHEDIR
              value: /tmp/kubecache
          # The image is referenced by tag, not by digest, and pulled on every
          # start; integrity therefore rests on the registry keeping the tag
          # stable.
          image: quay.io/argoproj/argocd:v3.2.1
          imagePullPolicy: Always
          name: argocd-application-controller
          ports:
            - containerPort: 8082
          # Only a readinessProbe is defined; this container has no
          # livenessProbe and no resources block.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8082
            initialDelaySeconds: 5
            periodSeconds: 10
          # Hardened container: no privilege escalation, every capability
          # dropped, read-only root filesystem, non-root, default seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /app/config/controller/tls
              name: argocd-repo-server-tls
            - mountPath: /home/argocd
              name: argocd-home
            - mountPath: /home/argocd/params
              name: argocd-cmd-params-cm
            - mountPath: /tmp
              name: argocd-application-controller-tmp
          workingDir: /home/argocd
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: argocd-application-controller
      volumes:
        # The root filesystem is read-only, so the writable paths
        # (/home/argocd and /tmp) are emptyDir volumes.
        - emptyDir: {}
          name: argocd-home
        - emptyDir: {}
          name: argocd-application-controller-tmp
        # NOTE(review): tls.key of the repo-server secret is projected into
        # the controller pod as well; confirm the controller needs more than
        # the certificate and CA.
        - name: argocd-repo-server-tls
          secret:
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
              - key: ca.crt
                path: ca.crt
            optional: true
            secretName: argocd-repo-server-tls
        - configMap:
            items:
              - key: controller.profile.enabled
                path: profiler.enabled
            name: argocd-cmd-params-cm
            optional: true
          name: argocd-cmd-params-cm
---
# Redis HA StatefulSet: three pods, each running redis, sentinel and a
# split-brain-fix sidecar, with a config-init init container.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-server
spec:
  podManagementPolicy: OrderedReady
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  serviceName: argocd-redis-ha
  template:
    metadata:
      annotations:
        checksum/init-config: fd74f7d84e39b3f6eac1d7ce5deb0083e58f218376faf363343d91a0fb4f2563
      labels:
        app.kubernetes.io/name: argocd-redis-ha
    spec:
      affinity:
        # Hard anti-affinity on hostname: with replicas: 3 the pods need
        # three schedulable nodes, otherwise the extra pods stay Pending.
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-redis-ha
              topologyKey: kubernetes.io/hostname
      # No Kubernetes API token is mounted into the Redis pods.
      automountServiceAccountToken: false
      containers:
        - args:
            - /data/conf/redis.conf
          command:
            - redis-server
          env:
            # Redis password from the argocd-redis Secret (key "auth"),
            # exposed to the process as an environment variable.
            - name: AUTH
              valueFrom:
                secretKeyRef:
                  key: auth
                  name: argocd-redis
          # Tag reference, not a digest; IfNotPresent reuses whatever image
          # the node already has under this tag.
          image: public.ecr.aws/docker/library/redis:8.2.2-alpine
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/sh
                  - /readonly-config/trigger-failover-if-master.sh
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - /health/redis_liveness.sh
            failureThreshold: 5
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 15
          name: redis
          ports:
            - containerPort: 6379
              name: redis
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - /health/redis_readiness.sh
            failureThreshold: 5
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 15
          # No runAsNonRoot at container level; the pod-level securityContext
          # further down sets runAsNonRoot and runAsUser for all containers.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          startupProbe:
            exec:
              command:
                - sh
                - -c
                - /health/redis_readiness.sh
            failureThreshold: 5
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 15
          volumeMounts:
            - mountPath: /readonly-config
              name: config
              readOnly: true
            - mountPath: /data
              name: data
            - mountPath: /health
              name: health
        - args:
            - /data/conf/sentinel.conf
          command:
            - redis-sentinel
          env:
            - name: AUTH
              valueFrom:
                secretKeyRef:
                  key: auth
                  name: argocd-redis
          image: public.ecr.aws/docker/library/redis:8.2.2-alpine
          imagePullPolicy: IfNotPresent
          lifecycle:
            postStart:
              exec:
                command:
                  - /bin/sh
                  - -c
                  - sleep 30; redis-cli -p 26379 sentinel reset argocd
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - /health/sentinel_liveness.sh
            failureThreshold: 5
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 15
          name: sentinel
          ports:
            - containerPort: 26379
              name: sentinel
          # Readiness and startup both run the liveness script; readiness
          # needs three consecutive successes.
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - /health/sentinel_liveness.sh
            failureThreshold: 5
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 3
            timeoutSeconds: 15
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          startupProbe:
            exec:
              command:
                - sh
                - -c
                - /health/sentinel_liveness.sh
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 15
          volumeMounts:
            - mountPath: /data
              name: data
            - mountPath: /health
              name: health
        - args:
            - /readonly-config/fix-split-brain.sh
          command:
            - sh
          env:
            # Fixed values, identical to those given to the config-init init
            # container.
            # NOTE(review): presumably sentinel instance IDs, i.e. identifiers
            # rather than credentials; confirm.
            - name: SENTINEL_ID_0
              value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
            - name: SENTINEL_ID_1
              value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
            - name: SENTINEL_ID_2
              value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
            - name: AUTH
              valueFrom:
                secretKeyRef:
                  key: auth
                  name: argocd-redis
          image: public.ecr.aws/docker/library/redis:8.2.2-alpine
          imagePullPolicy: IfNotPresent
          name: split-brain-fix
          # Empty: no CPU or memory requests or limits. The other containers
          # in this pod omit the field altogether.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /readonly-config
              name: config
              readOnly: true
            - mountPath: /data
              name: data
      initContainers:
        - args:
            - /readonly-config/init.sh
          command:
            - sh
          env:
            - name: SENTINEL_ID_0
              value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
            - name: SENTINEL_ID_1
              value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
            - name: SENTINEL_ID_2
              value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
            - name: AUTH
              valueFrom:
                secretKeyRef:
                  key: auth
                  name: argocd-redis
          image: public.ecr.aws/docker/library/redis:8.2.2-alpine
          imagePullPolicy: IfNotPresent
          name: config-init
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /readonly-config
              name: config
              readOnly: true
            - mountPath: /data
              name: data
      # Pod-level identity applied to every container above: UID 1000,
      # non-root, fsGroup 1000 for the mounted volumes.
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: argocd-redis-ha
      terminationGracePeriodSeconds: 60
      volumes:
        - configMap:
            name: argocd-redis-ha-configmap
          name: config
        - configMap:
            # 493 is the decimal form of octal 0755.
            defaultMode: 493
            name: argocd-redis-ha-health-configmap
          name: health
        # /data is an emptyDir, so it lasts only as long as the pod and is
        # not a PersistentVolumeClaim.
        - emptyDir: {}
          name: data
  updateStrategy:
    type: RollingUpdate
---
# NetworkPolicy for the application controller (its rule continues on the
# following lines of the file). Enforcement of any NetworkPolicy depends on
# the cluster's network plugin supporting it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller-network-policy
spec:
  ingress:
    - from:
# Remainder of argocd-application-controller-network-policy (its header is
# on the preceding lines of the file).
# An empty namespaceSelector matches every namespace, so any pod in the
# cluster may reach port 8082 on the controller.
        - namespaceSelector: {}
      ports:
        - port: 8082
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  policyTypes:
    - Ingress
---
# ApplicationSet controller: ports 7000 and 8080 are open to pods from every
# namespace.
# NOTE(review): if one of these serves SCM webhooks, confirm that cluster-wide
# reachability is intended.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-applicationset-controller-network-policy
spec:
  ingress:
    - from:
        - namespaceSelector: {}
      ports:
        - port: 7000
          protocol: TCP
        - port: 8080
          protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  policyTypes:
    - Ingress
---
# Commit server: port 8086 accepts only application-controller pods. A bare
# podSelector in "from" matches pods in this policy's own namespace only.
# Port 8087 is open to every namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: commit-server
    app.kubernetes.io/name: argocd-commit-server
    app.kubernetes.io/part-of: argocd
  name: argocd-commit-server-network-policy
spec:
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-application-controller
      ports:
        - port: 8086
          protocol: TCP
    - from:
        - namespaceSelector: {}
      ports:
        - port: 8087
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-commit-server
  policyTypes:
    - Ingress
---
# Dex: ports 5556 and 5557 accept only argocd-server pods; port 5558 is open
# to every namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server-network-policy
spec:
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
      ports:
        - port: 5556
          protocol: TCP
        - port: 5557
          protocol: TCP
    - from:
        - namespaceSelector: {}
      ports:
        - port: 5558
          protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  policyTypes:
    - Ingress
---
# Notifications controller: port 9001 is open to every namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller-network-policy
spec:
  ingress:
    - from:
        - namespaceSelector: {}
      ports:
        - port: 9001
          protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  policyTypes:
    - Ingress
---
# Redis HAProxy: the Redis and Sentinel ports (6379, 26379) accept only the
# server, repo-server and application-controller pods; port 9101 is open to
# every namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-proxy-network-policy
spec:
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-repo-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-application-controller
      ports:
        - port: 6379
          protocol: TCP
        - port: 26379
          protocol: TCP
    - from:
        - namespaceSelector: {}
      ports:
        - port: 9101
          protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
    - Ingress
---
# Redis HA servers: the only policy in this part of the file that also
# restricts egress. Ingress is limited to the HAProxy and peer Redis pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-server-network-policy
spec:
  egress:
    # Redis and Sentinel traffic to peer Redis pods only.
    - ports:
        - port: 6379
          protocol: TCP
        - port: 26379
          protocol: TCP
      to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-redis-ha
    # This rule has no "to" clause, so port 53 (UDP and TCP) is allowed to
    # any destination, not only the cluster DNS service.
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-redis-ha-haproxy
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-redis-ha
      ports:
        - port: 6379
          protocol: TCP
        - port: 26379
          protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  policyTypes:
    - Ingress
    - Egress
---
# Repo server: port 8081 accepts only the four listed Argo CD components;
# port 8084 is open to every namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server-network-policy
spec:
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-application-controller
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-notifications-controller
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-applicationset-controller
      ports:
        - port: 8081
          protocol: TCP
    - from:
        - namespaceSelector: {}
      ports:
        - port: 8084
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  policyTypes:
    - Ingress
---
# API server: the single empty ingress rule allows every source on every
# port, so this policy imposes no ingress restriction on argocd-server pods.
# Exposure is then controlled by the Service or Ingress in front of them and
# by the server's own authentication.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server-network-policy
spec:
  ingress:
    - {}
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  policyTypes:
    - Ingress