# github.com/argoproj/argo-cd/v3@v3.2.1/manifests/ha/namespace-install.yaml
# This is an auto-generated file. DO NOT EDIT
#
# Namespace-scoped HA install: every RBAC object below is a Role/RoleBinding
# (no ClusterRole), so each grant applies only inside the namespace this file
# is applied to.
# NOTE(review): the file is generated; any tightening of the grants annotated
# below presumably has to happen in the generator's inputs, not here.

# --- ServiceAccounts: one identity per Argo CD component ---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-applicationset-controller
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
# NOTE(review): `secrets` only limits which Secrets pods may mount when the
# ServiceAccount carries the kubernetes.io/enforce-mountable-secrets
# annotation; no such annotation is set here, so treat this list as
# informational rather than as an access control.
secrets:
- name: argocd-redis
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
---
# No Role or RoleBinding in this part of the file references
# argocd-repo-server, so this identity carries no namespace RBAC grant here.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
---
# --- Roles ---
# application-controller: read-only on every Secret and ConfigMap in the
# namespace (no resourceNames filter), full lifecycle on the Argo CD CRs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
rules:
# get/list/watch without resourceNames exposes the contents of all Secrets in
# the namespace to this ServiceAccount.
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - applicationsets
  - appprojects
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
---
# applicationset-controller: manages Applications/ApplicationSets, reads
# AppProjects, Secrets and ConfigMaps, and holds a leader-election Lease.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-applicationset-controller
rules:
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - applicationsets
  - applicationsets/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - argoproj.io
  resources:
  - appprojects
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - argoproj.io
  resources:
  - applicationsets/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - watch
# Same namespace-wide Secret read as the application-controller Role.
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
# Unrestricted `create` on leases: any Lease name may be created.
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
# NOTE(review): Kubernetes RBAC does not restrict `create` by resourceNames,
# so the `create` below is presumably inert and creation relies on the rule
# above; get/update are limited to the one named Lease.
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - 58ac56fa.applicationsets.argoproj.io
  resources:
  - leases
  verbs:
  - get
  - update
  - create
---
# dex-server: read-only on every Secret and ConfigMap in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
---
# notifications-controller: reads and annotates Applications/AppProjects and
# reads its own ConfigMap and Secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
rules:
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - appprojects
  verbs:
  - get
  - list
  - watch
  - update
  - patch
# list/watch responses carry full objects, so this rule already exposes every
# Secret in the namespace; the resourceNames-scoped `get` rules further down
# do not narrow what this ServiceAccount can read.
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - argocd-notifications-cm
  resources:
  - configmaps
  verbs:
  - get
- apiGroups:
  - ""
  resourceNames:
  - argocd-notifications-secret
  resources:
  - secrets
  verbs:
  - get
---
# redis-ha: only `get` on Endpoints.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
---
# redis-ha-haproxy: may create Secrets (any name), read only the
# `argocd-redis` Secret, and `get` Endpoints.
# Note the app.kubernetes.io/name label is `argocd-redis-ha`, not the Role's
# own name; label selectors on that value match both Redis Roles.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
rules:
# `create` carries no resourceNames, so it is not limited to `argocd-redis`.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
- apiGroups:
  - ""
  resourceNames:
  - argocd-redis
  resources:
  - secrets
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
---
# argocd-server: the broadest grant in this part of the file. Full
# read/write/delete on every Secret and ConfigMap in the namespace plus full
# lifecycle on the Argo CD CRs, so this ServiceAccount's token should be
# protected like direct access to all Secrets in the install namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - appprojects
  - applicationsets
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - delete
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - list
---
# --- RoleBindings: bind each Role above to the same-named ServiceAccount ---
# Subjects carry no `namespace`; for a RoleBinding this resolves to the
# ServiceAccount in the namespace the binding itself is created in.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-application-controller
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-applicationset-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-applicationset-controller
subjects:
- kind: ServiceAccount
  name: argocd-applicationset-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-dex-server
subjects:
- kind: ServiceAccount
  name: argocd-dex-server
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-notifications-controller
subjects:
- kind: ServiceAccount
  name: argocd-notifications-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-redis-ha
subjects:
- kind: ServiceAccount
  name: argocd-redis-ha
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-redis-ha-haproxy
subjects:
- kind: ServiceAccount
  name: argocd-redis-ha-haproxy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-server
subjects:
- kind: ServiceAccount
  name: argocd-server
---
# --- argocd-cm: default resource tracking settings ---
# Every value under `data` is a literal block scalar, so the text inside it
# (including the `#`/`###` lines) is part of the stored string, not YAML
# comments of this file.
# NOTE(review): kinds listed in `resource.exclusions` include security-
# relevant objects (CertificateSigningRequest, the Kyverno/wgpolicyk8s report
# kinds, Cilium identities). Per the embedded notes they are excluded to cut
# watch volume, so changes to them are presumably not surfaced by Argo CD -
# confirm another control monitors them.
apiVersion: v1
data:
  resource.customizations.ignoreResourceUpdates.ConfigMap: |
    jqPathExpressions:
      # Ignore the cluster-autoscaler status
      - '.metadata.annotations."cluster-autoscaler.kubernetes.io/last-updated"'
      # Ignore the annotation of the legacy Leases election
      - '.metadata.annotations."control-plane.alpha.kubernetes.io/leader"'
  resource.customizations.ignoreResourceUpdates.Endpoints: |
    jsonPointers:
      - /metadata
      - /subsets
  resource.customizations.ignoreResourceUpdates.all: |
    jsonPointers:
      - /status
  resource.customizations.ignoreResourceUpdates.apps_ReplicaSet: |
    jqPathExpressions:
      - '.metadata.annotations."deployment.kubernetes.io/desired-replicas"'
      - '.metadata.annotations."deployment.kubernetes.io/max-replicas"'
      - '.metadata.annotations."rollout.argoproj.io/desired-replicas"'
  resource.customizations.ignoreResourceUpdates.argoproj.io_Application: |
    jqPathExpressions:
      - '.metadata.annotations."notified.notifications.argoproj.io"'
      - '.metadata.annotations."argocd.argoproj.io/refresh"'
      - '.metadata.annotations."argocd.argoproj.io/hydrate"'
      - '.operation'
  resource.customizations.ignoreResourceUpdates.argoproj.io_Rollout: |
    jqPathExpressions:
      - '.metadata.annotations."notified.notifications.argoproj.io"'
  resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: |
    jqPathExpressions:
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"'
  resource.customizations.ignoreResourceUpdates.discovery.k8s.io_EndpointSlice: |
    jsonPointers:
      - /metadata
      - /endpoints
      - /ports
  resource.exclusions: |
    ### Network resources created by the Kubernetes control plane and excluded to reduce the number of watched events and UI clutter
    - apiGroups:
      - ''
      - discovery.k8s.io
      kinds:
      - Endpoints
      - EndpointSlice
    ### Internal Kubernetes resources excluded reduce the number of watched events
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    ### Internal Kubernetes Authz/Authn resources excluded reduce the number of watched events
    - apiGroups:
      - authentication.k8s.io
      - authorization.k8s.io
      kinds:
      - SelfSubjectReview
      - TokenReview
      - LocalSubjectAccessReview
      - SelfSubjectAccessReview
      - SelfSubjectRulesReview
      - SubjectAccessReview
    ### Intermediate Certificate Request excluded reduce the number of watched events
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - cert-manager.io
      kinds:
      - CertificateRequest
    ### Cilium internal resources excluded reduce the number of watched events and UI Clutter
    - apiGroups:
      - cilium.io
      kinds:
      - CiliumIdentity
      - CiliumEndpoint
      - CiliumEndpointSlice
    ### Kyverno intermediate and reporting resources excluded reduce the number of watched events and improve performance
    - apiGroups:
      - kyverno.io
      - reports.kyverno.io
      - wgpolicyk8s.io
      kinds:
      - PolicyReport
      - ClusterPolicyReport
      - EphemeralReport
      - ClusterEphemeralReport
      - AdmissionReport
      - ClusterAdmissionReport
      - BackgroundScanReport
      - ClusterBackgroundScanReport
      - UpdateRequest
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
---
# argocd-cmd-params-cm: points the Argo CD components at Redis through the
# HAProxy service on port 6379.
# NOTE(review): no TLS setting for the Redis connection appears in this
# ConfigMap - confirm whether transport encryption is configured elsewhere.
apiVersion: v1
data:
  redis.server: argocd-redis-ha-haproxy:6379
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cmd-params-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cmd-params-cm
--- 577 apiVersion: v1 578 kind: ConfigMap 579 metadata: 580 labels: 581 app.kubernetes.io/name: argocd-gpg-keys-cm 582 app.kubernetes.io/part-of: argocd 583 name: argocd-gpg-keys-cm 584 --- 585 apiVersion: v1 586 kind: ConfigMap 587 metadata: 588 labels: 589 app.kubernetes.io/component: notifications-controller 590 app.kubernetes.io/name: argocd-notifications-controller 591 app.kubernetes.io/part-of: argocd 592 name: argocd-notifications-cm 593 --- 594 apiVersion: v1 595 kind: ConfigMap 596 metadata: 597 labels: 598 app.kubernetes.io/name: argocd-rbac-cm 599 app.kubernetes.io/part-of: argocd 600 name: argocd-rbac-cm 601 --- 602 apiVersion: v1 603 data: 604 fix-split-brain.sh: | 605 HOSTNAME="$(hostname)" 606 INDEX="${HOSTNAME##*-}" 607 SENTINEL_PORT=26379 608 ANNOUNCE_IP='' 609 MASTER='' 610 MASTER_GROUP="argocd" 611 QUORUM="2" 612 REDIS_CONF=/data/conf/redis.conf 613 REDIS_PORT=6379 614 REDIS_TLS_PORT= 615 SENTINEL_CONF=/data/conf/sentinel.conf 616 SENTINEL_TLS_PORT= 617 SERVICE=argocd-redis-ha 618 SENTINEL_TLS_REPLICATION_ENABLED=false 619 REDIS_TLS_REPLICATION_ENABLED=false 620 621 ROLE='' 622 REDIS_MASTER='' 623 624 set -eu 625 sentinel_get_master() { 626 set +e 627 if [ "$SENTINEL_PORT" -eq 0 ]; then 628 redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ 629 grep -E 
'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' 630 else 631 redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ 632 grep -E 
'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' 633 fi 634 set -e 635 } 636 637 sentinel_get_master_retry() { 638 master='' 639 retry=${1} 640 sleep=3 641 for i in $(seq 1 "${retry}"); do 642 master=$(sentinel_get_master) 643 if [ -n "${master}" ]; then 644 break 645 fi 646 sleep $((sleep + i)) 647 done 648 echo "${master}" 649 } 650 651 identify_master() { 652 echo "Identifying redis master (get-master-addr-by-name).." 653 echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)" 654 MASTER="$(sentinel_get_master_retry 3)" 655 if [ -n "${MASTER}" ]; then 656 echo " $(date) Found redis master (${MASTER})" 657 else 658 echo " $(date) Did not find redis master (${MASTER})" 659 fi 660 } 661 662 sentinel_update() { 663 echo "Updating sentinel config.." 
664 echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})" 665 eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}" 666 echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})" 667 sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}" 668 if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then 669 echo " redis master (${1}:${REDIS_TLS_PORT})" 670 sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" 671 else 672 echo " redis master (${1}:${REDIS_PORT})" 673 sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" 674 fi 675 echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF} 676 if [ "$SENTINEL_PORT" -eq 0 ]; then 677 echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})" 678 echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF} 679 else 680 echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})" 681 echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF} 682 fi 683 } 684 685 redis_update() { 686 echo "Updating redis config.." 687 if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then 688 echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})" 689 echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}" 690 echo "slave-announce-port ${REDIS_TLS_PORT}" >> ${REDIS_CONF} 691 else 692 echo " we are slave of redis master (${1}:${REDIS_PORT})" 693 echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}" 694 echo "slave-announce-port ${REDIS_PORT}" >> ${REDIS_CONF} 695 fi 696 echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF} 697 } 698 699 copy_config() { 700 echo "Copying default redis config.." 701 echo " to '${REDIS_CONF}'" 702 cp /readonly-config/redis.conf "${REDIS_CONF}" 703 echo "Copying default sentinel config.." 704 echo " to '${SENTINEL_CONF}'" 705 cp /readonly-config/sentinel.conf "${SENTINEL_CONF}" 706 } 707 708 setup_defaults() { 709 echo "Setting up defaults.." 
710 echo " using statefulset index (${INDEX})" 711 if [ "${INDEX}" = "0" ]; then 712 echo "Setting this pod as master for redis and sentinel.." 713 echo " using announce (${ANNOUNCE_IP})" 714 redis_update "${ANNOUNCE_IP}" 715 sentinel_update "${ANNOUNCE_IP}" 716 echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)" 717 sed -i "s/^.*slaveof.*//" "${REDIS_CONF}" 718 else 719 echo "Getting redis master ip.." 720 echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master" 721 DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')" 722 if [ -z "${DEFAULT_MASTER}" ]; then 723 echo "Error: Unable to resolve redis master (getent hosts)." 724 exit 1 725 fi 726 echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})" 727 echo "Setting default slave config for redis and sentinel.." 728 echo " using master ip (${DEFAULT_MASTER})" 729 redis_update "${DEFAULT_MASTER}" 730 sentinel_update "${DEFAULT_MASTER}" 731 fi 732 } 733 734 redis_ping() { 735 set +e 736 if [ "$REDIS_PORT" -eq 0 ]; then 737 redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping 738 else 739 redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping 740 fi 741 set -e 742 } 743 744 redis_ping_retry() { 745 ping='' 746 retry=${1} 747 sleep=3 748 for i in $(seq 1 "${retry}"); do 749 if [ "$(redis_ping)" = "PONG" ]; then 750 ping='PONG' 751 break 752 fi 753 sleep $((sleep + i)) 754 MASTER=$(sentinel_get_master) 755 done 756 echo "${ping}" 757 } 758 759 find_master() { 760 echo "Verifying redis master.." 761 if [ "$REDIS_PORT" -eq 0 ]; then 762 echo " ping (${MASTER}:${REDIS_TLS_PORT})" 763 else 764 echo " ping (${MASTER}:${REDIS_PORT})" 765 fi 766 if [ "$(redis_ping_retry 3)" != "PONG" ]; then 767 echo " $(date) Can't ping redis master (${MASTER})" 768 echo "Attempting to force failover (sentinel failover).." 
769 770 if [ "$SENTINEL_PORT" -eq 0 ]; then 771 echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" 772 if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then 773 echo " $(date) Failover returned with 'NOGOODSLAVE'" 774 echo "Setting defaults for this pod.." 775 setup_defaults 776 return 0 777 fi 778 else 779 echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" 780 if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then 781 echo " $(date) Failover returned with 'NOGOODSLAVE'" 782 echo "Setting defaults for this pod.." 783 setup_defaults 784 return 0 785 fi 786 fi 787 788 echo "Hold on for 10sec" 789 sleep 10 790 echo "We should get redis master's ip now. Asking (get-master-addr-by-name).." 791 if [ "$SENTINEL_PORT" -eq 0 ]; then 792 echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" 793 else 794 echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" 795 fi 796 MASTER="$(sentinel_get_master)" 797 if [ "${MASTER}" ]; then 798 echo " $(date) Found redis master (${MASTER})" 799 echo "Updating redis and sentinel config.." 800 sentinel_update "${MASTER}" 801 redis_update "${MASTER}" 802 else 803 echo "$(date) Error: Could not failover, exiting..." 804 exit 1 805 fi 806 else 807 echo " $(date) Found reachable redis master (${MASTER})" 808 echo "Updating redis and sentinel config.." 809 sentinel_update "${MASTER}" 810 redis_update "${MASTER}" 811 fi 812 } 813 814 redis_ro_update() { 815 echo "Updating read-only redis config.." 
816 echo " redis.conf set 'replica-priority 0'" 817 echo "replica-priority 0" >> ${REDIS_CONF} 818 } 819 820 getent_hosts() { 821 index=${1:-${INDEX}} 822 service="${SERVICE}-announce-${index}" 823 host=$(getent hosts "${service}") 824 echo "${host}" 825 } 826 827 identify_announce_ip() { 828 echo "Identify announce ip for this pod.." 829 echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})" 830 ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }') 831 echo " identified announce (${ANNOUNCE_IP})" 832 } 833 834 redis_role() { 835 set +e 836 if [ "$REDIS_PORT" -eq 0 ]; then 837 ROLE=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//') 838 else 839 ROLE=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//') 840 fi 841 set -e 842 } 843 844 identify_redis_master() { 845 set +e 846 if [ "$REDIS_PORT" -eq 0 ]; then 847 REDIS_MASTER=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//') 848 else 849 REDIS_MASTER=$(redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//') 850 fi 851 set -e 852 } 853 854 reinit() { 855 set +e 856 sh /readonly-config/init.sh 857 858 if [ "$REDIS_PORT" -eq 0 ]; then 859 echo "shutdown" | redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key 860 else 861 echo "shutdown" | redis-cli -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" 862 fi 863 set -e 864 } 865 866 identify_announce_ip 867 868 while [ -z "${ANNOUNCE_IP}" ]; do 869 echo "Error: Could not resolve the announce ip for this pod." 
870 sleep 30 871 identify_announce_ip 872 done 873 874 trap "exit 0" TERM 875 while true; do 876 sleep 60 877 878 # where is redis master 879 identify_master 880 881 if [ "$MASTER" = "$ANNOUNCE_IP" ]; then 882 redis_role 883 if [ "$ROLE" != "master" ]; then 884 echo "waiting for redis to become master" 885 sleep 10 886 identify_master 887 redis_role 888 echo "Redis role is $ROLE, expected role is master. No need to reinitialize." 889 if [ "$ROLE" != "master" ]; then 890 echo "Redis role is $ROLE, expected role is master, reinitializing" 891 reinit 892 fi 893 fi 894 elif [ "${MASTER}" ]; then 895 identify_redis_master 896 if [ "$REDIS_MASTER" != "$MASTER" ]; then 897 echo "Redis master and local master are not the same. waiting." 898 sleep 10 899 identify_master 900 identify_redis_master 901 echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}. No need to reinitialize." 902 if [ "${REDIS_MASTER}" != "${MASTER}" ]; then 903 echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}, reinitializing" 904 reinit 905 fi 906 fi 907 fi 908 done 909 haproxy.cfg: "defaults REDIS\n mode tcp\n timeout connect 4s\n timeout server 910 6m\n timeout client 6m\n timeout check 2s\n\nlisten health_check_http_url\n 911 \ bind :8888 \n mode http\n monitor-uri /healthz\n option dontlognull\n# 912 Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_0\n 913 \ mode tcp\n option tcp-check\n tcp-check connect\n tcp-check send PING\\r\\n\n 914 \ tcp-check expect string +PONG\n tcp-check send SENTINEL\\ get-master-addr-by-name\\ 915 argocd\\r\\n\n tcp-check expect string REPLACE_ANNOUNCE0\n tcp-check send QUIT\\r\\n\n 916 \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n server R1 argocd-redis-ha-announce-1:26379 917 check inter 3s\n server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n# 918 Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_1\n 919 \ mode tcp\n option tcp-check\n 
tcp-check connect\n tcp-check send PING\\r\\n\n 920 \ tcp-check expect string +PONG\n tcp-check send SENTINEL\\ get-master-addr-by-name\\ 921 argocd\\r\\n\n tcp-check expect string REPLACE_ANNOUNCE1\n tcp-check send QUIT\\r\\n\n 922 \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n server R1 argocd-redis-ha-announce-1:26379 923 check inter 3s\n server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n# 924 Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_2\n 925 \ mode tcp\n option tcp-check\n tcp-check connect\n tcp-check send PING\\r\\n\n 926 \ tcp-check expect string +PONG\n tcp-check send SENTINEL\\ get-master-addr-by-name\\ 927 argocd\\r\\n\n tcp-check expect string REPLACE_ANNOUNCE2\n tcp-check send QUIT\\r\\n\n 928 \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n server R1 argocd-redis-ha-announce-1:26379 929 check inter 3s\n server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n\n# 930 decide redis backend to use\n#master\nfrontend ft_redis_master\n bind :6379 \n 931 \ use_backend bk_redis_master\n# Check all redis servers to see if they think 932 they are master\nbackend bk_redis_master\n mode tcp\n option tcp-check\n tcp-check 933 connect\n tcp-check send \"AUTH ${AUTH}\"\\r\\n\n tcp-check expect string +OK\n 934 \ tcp-check send PING\\r\\n\n tcp-check expect string +PONG\n tcp-check send 935 info\\ replication\\r\\n\n tcp-check expect string role:master\n tcp-check send 936 QUIT\\r\\n\n tcp-check expect string +OK\n use-server R0 if { srv_is_up(R0) 937 } { nbsrv(check_if_redis_is_master_0) ge 2 }\n server R0 argocd-redis-ha-announce-0:6379 938 check inter 3s fall 1 rise 1\n use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1) 939 ge 2 }\n server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise 940 1\n use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge 941 2 }\n server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 
1\nfrontend 942 stats\n mode http\n bind :9101 \n http-request use-service prometheus-exporter 943 if { path /metrics }\n stats enable\n stats uri /stats\n stats refresh 10s\n# 944 Additional configuration\nglobal\n maxconn 4096\n" 945 haproxy_init.sh: | 946 HAPROXY_CONF=/data/haproxy.cfg 947 cp /readonly/haproxy.cfg "$HAPROXY_CONF" 948 for loop in $(seq 1 10); do 949 getent hosts argocd-redis-ha-announce-0 && break 950 echo "Waiting for service argocd-redis-ha-announce-0 to be ready ($loop) ..." && sleep 1 951 done 952 ANNOUNCE_IP0=$(getent hosts "argocd-redis-ha-announce-0" | awk '{ print $1 }') 953 if [ -z "$ANNOUNCE_IP0" ]; then 954 echo "Could not resolve the announce ip for argocd-redis-ha-announce-0" 955 exit 1 956 fi 957 sed -i "s/REPLACE_ANNOUNCE0/$ANNOUNCE_IP0/" "$HAPROXY_CONF" 958 for loop in $(seq 1 10); do 959 getent hosts argocd-redis-ha-announce-1 && break 960 echo "Waiting for service argocd-redis-ha-announce-1 to be ready ($loop) ..." && sleep 1 961 done 962 ANNOUNCE_IP1=$(getent hosts "argocd-redis-ha-announce-1" | awk '{ print $1 }') 963 if [ -z "$ANNOUNCE_IP1" ]; then 964 echo "Could not resolve the announce ip for argocd-redis-ha-announce-1" 965 exit 1 966 fi 967 sed -i "s/REPLACE_ANNOUNCE1/$ANNOUNCE_IP1/" "$HAPROXY_CONF" 968 for loop in $(seq 1 10); do 969 getent hosts argocd-redis-ha-announce-2 && break 970 echo "Waiting for service argocd-redis-ha-announce-2 to be ready ($loop) ..." && sleep 1 971 done 972 ANNOUNCE_IP2=$(getent hosts "argocd-redis-ha-announce-2" | awk '{ print $1 }') 973 if [ -z "$ANNOUNCE_IP2" ]; then 974 echo "Could not resolve the announce ip for argocd-redis-ha-announce-2" 975 exit 1 976 fi 977 sed -i "s/REPLACE_ANNOUNCE2/$ANNOUNCE_IP2/" "$HAPROXY_CONF" 978 init.sh: | 979 echo "$(date) Start..." 
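# Settings for the redis-ha init script. A port value of 0 selects the TLS code
# paths below; REDIS_TLS_PORT and SENTINEL_TLS_PORT are empty in this manifest.
HOSTNAME="$(hostname)"
# Statefulset index of this pod: whatever follows the last '-' in the hostname.
INDEX="${HOSTNAME##*-}"
SENTINEL_PORT=26379
ANNOUNCE_IP=''
MASTER=''
MASTER_GROUP="argocd"
QUORUM="2"
REDIS_CONF=/data/conf/redis.conf
REDIS_PORT=6379
REDIS_TLS_PORT=
SENTINEL_CONF=/data/conf/sentinel.conf
SENTINEL_TLS_PORT=
SERVICE=argocd-redis-ha
SENTINEL_TLS_REPLICATION_ENABLED=false
REDIS_TLS_REPLICATION_ENABLED=false

set -eu

# Ask Sentinel on ${SERVICE} for the master of ${MASTER_GROUP} and print only the
# reply lines that pass the address filter; prints nothing when redis-cli fails
# or no line matches. errexit is off for the duration of the call so a failing
# pipeline does not abort the script.
sentinel_get_master() {
    # One copy of the IPv4/IPv6 filter, shared by the TLS and plaintext branches.
    # NOTE(review): the pattern ends in `s*$` (a literal "s") where `\s*$` was
    # probably meant, and it relies on `\d`, which POSIX ERE does not define.
    # It is kept byte-for-byte; confirm against the upstream chart.
    addr_pattern='((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
    set +e
    if [ "$SENTINEL_PORT" -eq 0 ]; then
        redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
        grep -E "${addr_pattern}"
    else
        redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
        grep -E "${addr_pattern}"
    fi
    set -e
}

# Call sentinel_get_master up to $1 times, sleeping 3+i seconds after each empty
# answer, and print the master address (or an empty line if none was found).
sentinel_get_master_retry() {
    master=''
    retry=${1}
    sleep=3
    for i in $(seq 1 "${retry}"); do
        master=$(sentinel_get_master)
        if [ -n "${master}" ]; then
            break
        fi
        sleep $((sleep + i))
    done
    echo "${master}"
}

# Set MASTER from Sentinel (three attempts) and log the outcome.
identify_master() {
    echo "Identifying redis master (get-master-addr-by-name).."
    echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)"
    MASTER="$(sentinel_get_master_retry 3)"
    if [ -n "${MASTER}" ]; then
        echo " $(date) Found redis master (${MASTER})"
    else
        echo " $(date) Did not find redis master (${MASTER})"
    fi
}

# Write this pod's Sentinel identity and monitor target into ${SENTINEL_CONF}.
#   $1  address of the redis master to monitor
# Inserts "sentinel myid" as line 1 and "sentinel monitor" as line 2, then
# appends the announce ip/port. The id is read from SENTINEL_ID_<INDEX>.
sentinel_update() {
    echo "Updating sentinel config.."
    # INDEX is expanded inside eval below, so accept decimal digits only.
    case "${INDEX}" in
        ''|*[!0-9]*)
            echo "Error: unexpected statefulset index (${INDEX})"
            exit 1
            ;;
    esac
    echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
    eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
    echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
    sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
    if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
        echo " redis master (${1}:${REDIS_TLS_PORT})"
        sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
    else
        echo " redis master (${1}:${REDIS_PORT})"
        sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
    fi
    echo "sentinel announce-ip ${ANNOUNCE_IP}" >> "${SENTINEL_CONF}"
    if [ "$SENTINEL_PORT" -eq 0 ]; then
        echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})"
        echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> "${SENTINEL_CONF}"
    else
        echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})"
        echo "sentinel announce-port ${SENTINEL_PORT}" >> "${SENTINEL_CONF}"
    fi
}

# Append replication settings to ${REDIS_CONF}: slaveof <$1> <port>, the
# announce port and the announce ip of this pod.
#   $1  address of the redis master to replicate from
redis_update() {
    echo "Updating redis config.."
    if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
        echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})"
        echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}"
        echo "slave-announce-port ${REDIS_TLS_PORT}" >> "${REDIS_CONF}"
    else
        echo " we are slave of redis master (${1}:${REDIS_PORT})"
        echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}"
        echo "slave-announce-port ${REDIS_PORT}" >> "${REDIS_CONF}"
    fi
    echo "slave-announce-ip ${ANNOUNCE_IP}" >> "${REDIS_CONF}"
}

# Copy the read-only redis and sentinel configs to their writable locations.
copy_config() {
    echo "Copying default redis config.."
    echo " to '${REDIS_CONF}'"
    cp /readonly-config/redis.conf "${REDIS_CONF}"
    echo "Copying default sentinel config.."
    echo " to '${SENTINEL_CONF}'"
    cp /readonly-config/sentinel.conf "${SENTINEL_CONF}"
}

# Configure this pod without a known master: index 0 becomes master (its own
# slaveof lines are blanked again), every other index follows whatever
# ${SERVICE}-announce-0 resolves to. Exits 1 if that name does not resolve.
setup_defaults() {
    echo "Setting up defaults.."
    echo " using statefulset index (${INDEX})"
    if [ "${INDEX}" = "0" ]; then
        echo "Setting this pod as master for redis and sentinel.."
        echo " using announce (${ANNOUNCE_IP})"
        redis_update "${ANNOUNCE_IP}"
        sentinel_update "${ANNOUNCE_IP}"
        echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
        sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
    else
        echo "Getting redis master ip.."
        echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
        DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
        if [ -z "${DEFAULT_MASTER}" ]; then
            echo "Error: Unable to resolve redis master (getent hosts)."
            exit 1
        fi
        echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
        echo "Setting default slave config for redis and sentinel.."
        echo " using master ip (${DEFAULT_MASTER})"
        redis_update "${DEFAULT_MASTER}"
        sentinel_update "${DEFAULT_MASTER}"
    fi
}

# PING the redis instance at ${MASTER} and print its reply. errexit is off for
# the call so an unreachable master does not abort the script.
# The password is passed with -a and therefore sits in the process argument
# list while redis-cli runs; redis-cli also accepts it through the
# REDISCLI_AUTH environment variable. AUTH is read unguarded here although the
# end of the script treats it as optional (${AUTH:-}) -- with `set -u` an unset
# AUTH fails this call.
redis_ping() {
    set +e
    if [ "$REDIS_PORT" -eq 0 ]; then
        redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
    else
        redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
    fi
    set -e
}

# Try redis_ping up to $1 times and print "PONG" on success, an empty line
# otherwise. After each failure MASTER is refreshed from Sentinel; find_master
# calls this function inside $(...), so that refreshed value stays in the
# subshell and never reaches the caller.
redis_ping_retry() {
    ping=''
    retry=${1}
    sleep=3
    for i in $(seq 1 "${retry}"); do
        if [ "$(redis_ping)" = "PONG" ]; then
            ping='PONG'
            break
        fi
        sleep $((sleep + i))
        MASTER=$(sentinel_get_master)
    done
    echo "${ping}"
}

# Verify that ${MASTER} answers PING and write the redis/sentinel configs for
# it. If it does not answer, request a Sentinel failover: on NOGOODSLAVE fall
# back to setup_defaults, otherwise wait 10s, ask Sentinel for the new master
# and configure against it, exiting 1 when none is reported.
find_master() {
    echo "Verifying redis master.."
    if [ "$REDIS_PORT" -eq 0 ]; then
        echo " ping (${MASTER}:${REDIS_TLS_PORT})"
    else
        echo " ping (${MASTER}:${REDIS_PORT})"
    fi
    if [ "$(redis_ping_retry 3)" != "PONG" ]; then
        echo " $(date) Can't ping redis master (${MASTER})"
        echo "Attempting to force failover (sentinel failover).."

        if [ "$SENTINEL_PORT" -eq 0 ]; then
            echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
            if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                echo " $(date) Failover returned with 'NOGOODSLAVE'"
                echo "Setting defaults for this pod.."
                setup_defaults
                return 0
            fi
        else
            echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
            if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                echo " $(date) Failover returned with 'NOGOODSLAVE'"
                echo "Setting defaults for this pod.."
                setup_defaults
                return 0
            fi
        fi

        echo "Hold on for 10sec"
        sleep 10
        echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
        if [ "$SENTINEL_PORT" -eq 0 ]; then
            echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
        else
            echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
        fi
        MASTER="$(sentinel_get_master)"
        if [ "${MASTER}" ]; then
            echo " $(date) Found redis master (${MASTER})"
            echo "Updating redis and sentinel config.."
            sentinel_update "${MASTER}"
            redis_update "${MASTER}"
        else
            echo "$(date) Error: Could not failover, exiting..."
            exit 1
        fi
    else
        echo " $(date) Found reachable redis master (${MASTER})"
        echo "Updating redis and sentinel config.."
        sentinel_update "${MASTER}"
        redis_update "${MASTER}"
    fi
}

# Append "replica-priority 0" to ${REDIS_CONF}.
redis_ro_update() {
    echo "Updating read-only redis config.."
    echo " redis.conf set 'replica-priority 0'"
    echo "replica-priority 0" >> "${REDIS_CONF}"
}

# Print the `getent hosts` line for ${SERVICE}-announce-<index>.
#   $1  index to resolve (defaults to this pod's INDEX)
getent_hosts() {
    index=${1:-${INDEX}}
    service="${SERVICE}-announce-${index}"
    host=$(getent hosts "${service}")
    echo "${host}"
}

# Set ANNOUNCE_IP to the address of this pod's announce service. Only the
# -announce- name is queried, although the log line also mentions -server-.
identify_announce_ip() {
    echo "Identify announce ip for this pod.."
    echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
    ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
    echo " identified announce (${ANNOUNCE_IP})"
}

mkdir -p /data/conf/

echo "Initializing config.."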
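# Continuation of the init.sh block scalar: main sequence of the redis-ha init script.
    copy_config

    # where is redis master
    identify_master

    identify_announce_ip

    if [ -z "${ANNOUNCE_IP}" ]; then
        # `echo` was missing here: the message was run as a command name, so
        # with errexit on the shell aborted on that failure instead of
        # printing the error and reaching `exit 1`.
        echo "Error: Could not resolve the announce ip for this pod"
        exit 1
    elif [ "${MASTER}" ]; then
        find_master
    else
        setup_defaults
    fi

    # Replace the placeholder password in both configs with AUTH (the sed
    # delimiter and '&' are escaped first). When AUTH is unset or empty this
    # step is skipped and the literal "replace-default-auth" stays in place as
    # requirepass / masterauth / sentinel auth-pass.
    if [ "${AUTH:-}" ]; then
        echo "Setting redis auth values.."
        ESCAPED_AUTH=$(echo "${AUTH}" | sed -e 's/[\/&]/\\&/g');
        sed -i "s/replace-default-auth/${ESCAPED_AUTH}/" "${REDIS_CONF}" "${SENTINEL_CONF}"
    fi

    # The sentinel.conf in this ConfigMap contains no
    # "replace-default-sentinel-auth" token, so this substitution has nothing
    # to match unless that file is changed.
    if [ "${SENTINELAUTH:-}" ]; then
        echo "Setting sentinel auth values"
        ESCAPED_AUTH_SENTINEL=$(echo "$SENTINELAUTH" | sed -e 's/[\/&]/\\&/g');
        sed -i "s/replace-default-sentinel-auth/${ESCAPED_AUTH_SENTINEL}/" "$SENTINEL_CONF"
    fi

    echo "$(date) Ready..."
  # Redis server config. It listens on all pod interfaces (bind 0.0.0.0), so
  # access control rests on requirepass plus whatever network policy limits
  # port 6379. requirepass and masterauth hold a placeholder that init.sh
  # replaces with AUTH. FLUSHDB and FLUSHALL are disabled by renaming them to
  # the empty string.
  redis.conf: |
    dir "/data"
    port 6379
    rename-command FLUSHDB ""
    rename-command FLUSHALL ""
    bind 0.0.0.0
    maxmemory 0
    maxmemory-policy volatile-lru
    min-replicas-max-lag 5
    min-replicas-to-write 1
    rdbchecksum yes
    rdbcompression yes
    repl-diskless-sync yes
    save ""
    requirepass replace-default-auth
    masterauth replace-default-auth
  # Sentinel config. No requirepass is set for Sentinel itself, and the scripts
  # in this file talk to port 26379 without credentials, so reachability of
  # that port should be limited at the network layer.
  # NOTE(review): confirm a NetworkPolicy covers 26379.
  sentinel.conf: |
    dir "/data"
    port 26379
    bind 0.0.0.0
    sentinel down-after-milliseconds argocd 10000
    sentinel failover-timeout argocd 180000
    maxclients 10000
    sentinel parallel-syncs argocd 5
    sentinel auth-pass argocd replace-default-auth
  # If the local redis reports role:master, ask the local Sentinel to fail over
  # and wait up to 30s for the role to change. The redis password is passed
  # with -a and is therefore part of the redis-cli argument list; redis-cli
  # also accepts it through the REDISCLI_AUTH environment variable.
  trigger-failover-if-master.sh: |
    get_redis_role() {
      is_master=$(
        redis-cli \
          -a "${AUTH}" --no-auth-warning \
          -h localhost \
          -p 6379 \
          info | grep -c 'role:master' || true
      )
    }
    get_redis_role
    if [[ "$is_master" -eq 1 ]]; then
      echo "This node is currently master, we trigger a failover."
      response=$(
        redis-cli \
          -h localhost \
          -p 26379 \
          SENTINEL failover argocd
      )
      if [[ "$response" != "OK" ]] ; then
        echo "$response"
        exit 1
      fi
      timeout=30
      while [[ "$is_master" -eq 1 && $timeout -gt 0 ]]; do
        sleep 1
        get_redis_role
        timeout=$((timeout - 1))
      done
      # Report the real outcome: the loop also ends when the 30s budget runs out.
      if [[ "$is_master" -eq 1 ]]; then
        echo "Failover not confirmed after 30s, node still reports role:master"
      else
        echo "Failover successful"
      fi
    fi
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-configmap
---
apiVersion: v1
data:
  # Health-check scripts. The two redis scripts pass the password with -a on
  # every run, which puts it in the redis-cli argument list each time; the
  # sentinel script sends no credentials at all.
  # Alive when the local redis answers PING with PONG or a LOADING reply.
  redis_liveness.sh: |
    response=$(
      redis-cli \
        -a "${AUTH}" --no-auth-warning \
        -h localhost \
        -p 6379 \
        ping
    )
    echo "response=$response"
    case $response in
      PONG|LOADING*) ;;
      *) exit 1 ;;
    esac
    exit 0
  # Ready when PING returns PONG and the ROLE reply is either "master" or
  # "slave" with "connected" on its fourth line.
  redis_readiness.sh: |
    response=$(
      redis-cli \
        -a "${AUTH}" --no-auth-warning \
        -h localhost \
        -p 6379 \
        ping
    )
    if [ "$response" != "PONG" ] ; then
      echo "ping=$response"
      exit 1
    fi

    response=$(
      redis-cli \
        -a "${AUTH}" --no-auth-warning \
        -h localhost \
        -p 6379 \
        role
    )
    role=$( echo "$response" | sed "1!d" )
    if [ "$role" = "master" ]; then
      echo "role=$role"
      exit 0
    elif [ "$role" = "slave" ]; then
      repl=$( echo "$response" | sed "4!d" )
      echo "role=$role; repl=$repl"
      if [ "$repl" = "connected" ]; then
        exit 0
      else
        exit 1
      fi
    else
      echo "role=$role"
      exit 1
    fi
  # Alive when the local Sentinel answers PING with PONG.
  sentinel_liveness.sh: |
    response=$(
      redis-cli \
        -h localhost \
        -p 26379 \
        ping
    )
    if [ "$response" != "PONG" ]; then
      echo "$response"
      exit 1
    fi
    echo "response=$response"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha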
app.kubernetes.io/part-of: argocd 1372 name: argocd-redis-ha-health-configmap 1373 --- 1374 apiVersion: v1 1375 data: 1376 ssh_known_hosts: | 1377 # This file was automatically generated by hack/update-ssh-known-hosts.sh. DO NOT EDIT 1378 [ssh.github.com]:443 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= 1379 [ssh.github.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl 1380 [ssh.github.com]:443 ssh-rsa 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 1381 bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE= 1382 bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO 1383 bitbucket.org ssh-rsa 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 1384 github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= 1385 github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl 1386 github.com ssh-rsa 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 1387 gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= 1388 gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf 1389 gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 
1390 ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H 1391 vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H 1392 kind: ConfigMap 1393 metadata: 1394 labels: 1395 app.kubernetes.io/name: argocd-ssh-known-hosts-cm 1396 app.kubernetes.io/part-of: argocd 1397 name: argocd-ssh-known-hosts-cm 1398 --- 1399 apiVersion: v1 1400 kind: ConfigMap 1401 metadata: 1402 labels: 1403 app.kubernetes.io/name: argocd-tls-certs-cm 1404 app.kubernetes.io/part-of: argocd 1405 name: argocd-tls-certs-cm 1406 --- 1407 apiVersion: v1 1408 kind: Secret 1409 metadata: 1410 labels: 1411 app.kubernetes.io/component: notifications-controller 1412 app.kubernetes.io/name: argocd-notifications-controller 1413 app.kubernetes.io/part-of: argocd 1414 name: argocd-notifications-secret 1415 type: Opaque 1416 --- 1417 apiVersion: v1 1418 kind: Secret 1419 metadata: 1420 labels: 1421 app.kubernetes.io/name: argocd-secret 1422 app.kubernetes.io/part-of: argocd 1423 name: argocd-secret 1424 type: Opaque 1425 --- 1426 apiVersion: v1 1427 kind: Service 1428 metadata: 1429 labels: 1430 app.kubernetes.io/component: applicationset-controller 1431 app.kubernetes.io/name: argocd-applicationset-controller 1432 app.kubernetes.io/part-of: argocd 1433 name: argocd-applicationset-controller 1434 spec: 1435 ports: 1436 - name: 
webhook 1437 port: 7000 1438 protocol: TCP 1439 targetPort: webhook 1440 - name: metrics 1441 port: 8080 1442 protocol: TCP 1443 targetPort: metrics 1444 selector: 1445 app.kubernetes.io/name: argocd-applicationset-controller 1446 --- 1447 apiVersion: v1 1448 kind: Service 1449 metadata: 1450 labels: 1451 app.kubernetes.io/component: dex-server 1452 app.kubernetes.io/name: argocd-dex-server 1453 app.kubernetes.io/part-of: argocd 1454 name: argocd-dex-server 1455 spec: 1456 ports: 1457 - appProtocol: TCP 1458 name: http 1459 port: 5556 1460 protocol: TCP 1461 targetPort: 5556 1462 - name: grpc 1463 port: 5557 1464 protocol: TCP 1465 targetPort: 5557 1466 - name: metrics 1467 port: 5558 1468 protocol: TCP 1469 targetPort: 5558 1470 selector: 1471 app.kubernetes.io/name: argocd-dex-server 1472 --- 1473 apiVersion: v1 1474 kind: Service 1475 metadata: 1476 labels: 1477 app.kubernetes.io/component: metrics 1478 app.kubernetes.io/name: argocd-metrics 1479 app.kubernetes.io/part-of: argocd 1480 name: argocd-metrics 1481 spec: 1482 ports: 1483 - name: metrics 1484 port: 8082 1485 protocol: TCP 1486 targetPort: 8082 1487 selector: 1488 app.kubernetes.io/name: argocd-application-controller 1489 --- 1490 apiVersion: v1 1491 kind: Service 1492 metadata: 1493 labels: 1494 app.kubernetes.io/component: notifications-controller 1495 app.kubernetes.io/name: argocd-notifications-controller-metrics 1496 app.kubernetes.io/part-of: argocd 1497 name: argocd-notifications-controller-metrics 1498 spec: 1499 ports: 1500 - name: metrics 1501 port: 9001 1502 protocol: TCP 1503 targetPort: 9001 1504 selector: 1505 app.kubernetes.io/name: argocd-notifications-controller 1506 --- 1507 apiVersion: v1 1508 kind: Service 1509 metadata: 1510 labels: 1511 app.kubernetes.io/component: redis 1512 app.kubernetes.io/name: argocd-redis-ha 1513 app.kubernetes.io/part-of: argocd 1514 name: argocd-redis-ha 1515 spec: 1516 clusterIP: None 1517 ports: 1518 - name: tcp-server 1519 port: 6379 1520 protocol: TCP 
1521 targetPort: redis 1522 - name: tcp-sentinel 1523 port: 26379 1524 protocol: TCP 1525 targetPort: sentinel 1526 selector: 1527 app.kubernetes.io/name: argocd-redis-ha 1528 type: ClusterIP 1529 --- 1530 apiVersion: v1 1531 kind: Service 1532 metadata: 1533 labels: 1534 app.kubernetes.io/component: redis 1535 app.kubernetes.io/name: argocd-redis-ha 1536 app.kubernetes.io/part-of: argocd 1537 name: argocd-redis-ha-announce-0 1538 spec: 1539 ports: 1540 - name: tcp-server 1541 port: 6379 1542 protocol: TCP 1543 targetPort: redis 1544 - name: tcp-sentinel 1545 port: 26379 1546 protocol: TCP 1547 targetPort: sentinel 1548 publishNotReadyAddresses: true 1549 selector: 1550 app.kubernetes.io/name: argocd-redis-ha 1551 statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-0 1552 type: ClusterIP 1553 --- 1554 apiVersion: v1 1555 kind: Service 1556 metadata: 1557 labels: 1558 app.kubernetes.io/component: redis 1559 app.kubernetes.io/name: argocd-redis-ha 1560 app.kubernetes.io/part-of: argocd 1561 name: argocd-redis-ha-announce-1 1562 spec: 1563 ports: 1564 - name: tcp-server 1565 port: 6379 1566 protocol: TCP 1567 targetPort: redis 1568 - name: tcp-sentinel 1569 port: 26379 1570 protocol: TCP 1571 targetPort: sentinel 1572 publishNotReadyAddresses: true 1573 selector: 1574 app.kubernetes.io/name: argocd-redis-ha 1575 statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-1 1576 type: ClusterIP 1577 --- 1578 apiVersion: v1 1579 kind: Service 1580 metadata: 1581 labels: 1582 app.kubernetes.io/component: redis 1583 app.kubernetes.io/name: argocd-redis-ha 1584 app.kubernetes.io/part-of: argocd 1585 name: argocd-redis-ha-announce-2 1586 spec: 1587 ports: 1588 - name: tcp-server 1589 port: 6379 1590 protocol: TCP 1591 targetPort: redis 1592 - name: tcp-sentinel 1593 port: 26379 1594 protocol: TCP 1595 targetPort: sentinel 1596 publishNotReadyAddresses: true 1597 selector: 1598 app.kubernetes.io/name: argocd-redis-ha 1599 statefulset.kubernetes.io/pod-name: 
argocd-redis-ha-server-2 1600 type: ClusterIP 1601 --- 1602 apiVersion: v1 1603 kind: Service 1604 metadata: 1605 labels: 1606 app.kubernetes.io/component: redis 1607 app.kubernetes.io/name: argocd-redis-ha-haproxy 1608 app.kubernetes.io/part-of: argocd 1609 name: argocd-redis-ha-haproxy 1610 spec: 1611 ports: 1612 - name: tcp-haproxy 1613 port: 6379 1614 protocol: TCP 1615 targetPort: redis 1616 - name: http-exporter-port 1617 port: 9101 1618 protocol: TCP 1619 targetPort: metrics-port 1620 selector: 1621 app.kubernetes.io/name: argocd-redis-ha-haproxy 1622 type: ClusterIP 1623 --- 1624 apiVersion: v1 1625 kind: Service 1626 metadata: 1627 labels: 1628 app.kubernetes.io/component: repo-server 1629 app.kubernetes.io/name: argocd-repo-server 1630 app.kubernetes.io/part-of: argocd 1631 name: argocd-repo-server 1632 spec: 1633 ports: 1634 - name: server 1635 port: 8081 1636 protocol: TCP 1637 targetPort: 8081 1638 - name: metrics 1639 port: 8084 1640 protocol: TCP 1641 targetPort: 8084 1642 selector: 1643 app.kubernetes.io/name: argocd-repo-server 1644 --- 1645 apiVersion: v1 1646 kind: Service 1647 metadata: 1648 labels: 1649 app.kubernetes.io/component: server 1650 app.kubernetes.io/name: argocd-server 1651 app.kubernetes.io/part-of: argocd 1652 name: argocd-server 1653 spec: 1654 ports: 1655 - name: http 1656 port: 80 1657 protocol: TCP 1658 targetPort: 8080 1659 - name: https 1660 port: 443 1661 protocol: TCP 1662 targetPort: 8080 1663 selector: 1664 app.kubernetes.io/name: argocd-server 1665 --- 1666 apiVersion: v1 1667 kind: Service 1668 metadata: 1669 labels: 1670 app.kubernetes.io/component: server 1671 app.kubernetes.io/name: argocd-server-metrics 1672 app.kubernetes.io/part-of: argocd 1673 name: argocd-server-metrics 1674 spec: 1675 ports: 1676 - name: metrics 1677 port: 8083 1678 protocol: TCP 1679 targetPort: 8083 1680 selector: 1681 app.kubernetes.io/name: argocd-server 1682 --- 1683 apiVersion: apps/v1 1684 kind: Deployment 1685 metadata: 1686 labels: 
1687 app.kubernetes.io/component: applicationset-controller 1688 app.kubernetes.io/name: argocd-applicationset-controller 1689 app.kubernetes.io/part-of: argocd 1690 name: argocd-applicationset-controller 1691 spec: 1692 selector: 1693 matchLabels: 1694 app.kubernetes.io/name: argocd-applicationset-controller 1695 template: 1696 metadata: 1697 labels: 1698 app.kubernetes.io/name: argocd-applicationset-controller 1699 spec: 1700 containers: 1701 - args: 1702 - /usr/local/bin/argocd-applicationset-controller 1703 env: 1704 - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS 1705 valueFrom: 1706 configMapKeyRef: 1707 key: applicationsetcontroller.global.preserved.annotations 1708 name: argocd-cmd-params-cm 1709 optional: true 1710 - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_LABELS 1711 valueFrom: 1712 configMapKeyRef: 1713 key: applicationsetcontroller.global.preserved.labels 1714 name: argocd-cmd-params-cm 1715 optional: true 1716 - name: NAMESPACE 1717 valueFrom: 1718 fieldRef: 1719 fieldPath: metadata.namespace 1720 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION 1721 valueFrom: 1722 configMapKeyRef: 1723 key: applicationsetcontroller.enable.leader.election 1724 name: argocd-cmd-params-cm 1725 optional: true 1726 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER 1727 valueFrom: 1728 configMapKeyRef: 1729 key: repo.server 1730 name: argocd-cmd-params-cm 1731 optional: true 1732 - name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY 1733 valueFrom: 1734 configMapKeyRef: 1735 key: applicationsetcontroller.policy 1736 name: argocd-cmd-params-cm 1737 optional: true 1738 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE 1739 valueFrom: 1740 configMapKeyRef: 1741 key: applicationsetcontroller.enable.policy.override 1742 name: argocd-cmd-params-cm 1743 optional: true 1744 - name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG 1745 valueFrom: 1746 configMapKeyRef: 1747 key: applicationsetcontroller.debug 1748 name: 
argocd-cmd-params-cm 1749 optional: true 1750 - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT 1751 valueFrom: 1752 configMapKeyRef: 1753 key: applicationsetcontroller.log.format 1754 name: argocd-cmd-params-cm 1755 optional: true 1756 - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL 1757 valueFrom: 1758 configMapKeyRef: 1759 key: applicationsetcontroller.log.level 1760 name: argocd-cmd-params-cm 1761 optional: true 1762 - name: ARGOCD_LOG_FORMAT_TIMESTAMP 1763 valueFrom: 1764 configMapKeyRef: 1765 key: log.format.timestamp 1766 name: argocd-cmd-params-cm 1767 optional: true 1768 - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN 1769 valueFrom: 1770 configMapKeyRef: 1771 key: applicationsetcontroller.dryrun 1772 name: argocd-cmd-params-cm 1773 optional: true 1774 - name: ARGOCD_GIT_MODULES_ENABLED 1775 valueFrom: 1776 configMapKeyRef: 1777 key: applicationsetcontroller.enable.git.submodule 1778 name: argocd-cmd-params-cm 1779 optional: true 1780 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS 1781 valueFrom: 1782 configMapKeyRef: 1783 key: applicationsetcontroller.enable.progressive.syncs 1784 name: argocd-cmd-params-cm 1785 optional: true 1786 - name: ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE 1787 valueFrom: 1788 configMapKeyRef: 1789 key: applicationsetcontroller.enable.tokenref.strict.mode 1790 name: argocd-cmd-params-cm 1791 optional: true 1792 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING 1793 valueFrom: 1794 configMapKeyRef: 1795 key: applicationsetcontroller.enable.new.git.file.globbing 1796 name: argocd-cmd-params-cm 1797 optional: true 1798 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_PLAINTEXT 1799 valueFrom: 1800 configMapKeyRef: 1801 key: applicationsetcontroller.repo.server.plaintext 1802 name: argocd-cmd-params-cm 1803 optional: true 1804 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_STRICT_TLS 1805 valueFrom: 1806 configMapKeyRef: 1807 key: 
applicationsetcontroller.repo.server.strict.tls 1808 name: argocd-cmd-params-cm 1809 optional: true 1810 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS 1811 valueFrom: 1812 configMapKeyRef: 1813 key: applicationsetcontroller.repo.server.timeout.seconds 1814 name: argocd-cmd-params-cm 1815 optional: true 1816 - name: ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS 1817 valueFrom: 1818 configMapKeyRef: 1819 key: applicationsetcontroller.concurrent.reconciliations.max 1820 name: argocd-cmd-params-cm 1821 optional: true 1822 - name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES 1823 valueFrom: 1824 configMapKeyRef: 1825 key: applicationsetcontroller.namespaces 1826 name: argocd-cmd-params-cm 1827 optional: true 1828 - name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH 1829 valueFrom: 1830 configMapKeyRef: 1831 key: applicationsetcontroller.scm.root.ca.path 1832 name: argocd-cmd-params-cm 1833 optional: true 1834 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS 1835 valueFrom: 1836 configMapKeyRef: 1837 key: applicationsetcontroller.allowed.scm.providers 1838 name: argocd-cmd-params-cm 1839 optional: true 1840 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS 1841 valueFrom: 1842 configMapKeyRef: 1843 key: applicationsetcontroller.enable.scm.providers 1844 name: argocd-cmd-params-cm 1845 optional: true 1846 - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS 1847 valueFrom: 1848 configMapKeyRef: 1849 key: applicationsetcontroller.enable.github.api.metrics 1850 name: argocd-cmd-params-cm 1851 optional: true 1852 - name: ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT 1853 valueFrom: 1854 configMapKeyRef: 1855 key: applicationsetcontroller.webhook.parallelism.limit 1856 name: argocd-cmd-params-cm 1857 optional: true 1858 - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER 1859 valueFrom: 1860 configMapKeyRef: 1861 key: applicationsetcontroller.requeue.after 1862 name: 
argocd-cmd-params-cm 1863 optional: true 1864 - name: ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT 1865 valueFrom: 1866 configMapKeyRef: 1867 key: applicationsetcontroller.status.max.resources.count 1868 name: argocd-cmd-params-cm 1869 optional: true 1870 image: quay.io/argoproj/argocd:v3.2.1 1871 imagePullPolicy: Always 1872 name: argocd-applicationset-controller 1873 ports: 1874 - containerPort: 7000 1875 name: webhook 1876 - containerPort: 8080 1877 name: metrics 1878 securityContext: 1879 allowPrivilegeEscalation: false 1880 capabilities: 1881 drop: 1882 - ALL 1883 readOnlyRootFilesystem: true 1884 runAsNonRoot: true 1885 seccompProfile: 1886 type: RuntimeDefault 1887 volumeMounts: 1888 - mountPath: /app/config/ssh 1889 name: ssh-known-hosts 1890 - mountPath: /app/config/tls 1891 name: tls-certs 1892 - mountPath: /app/config/gpg/source 1893 name: gpg-keys 1894 - mountPath: /app/config/gpg/keys 1895 name: gpg-keyring 1896 - mountPath: /tmp 1897 name: tmp 1898 - mountPath: /app/config/reposerver/tls 1899 name: argocd-repo-server-tls 1900 - mountPath: /home/argocd/params 1901 name: argocd-cmd-params-cm 1902 nodeSelector: 1903 kubernetes.io/os: linux 1904 serviceAccountName: argocd-applicationset-controller 1905 volumes: 1906 - configMap: 1907 name: argocd-ssh-known-hosts-cm 1908 name: ssh-known-hosts 1909 - configMap: 1910 name: argocd-tls-certs-cm 1911 name: tls-certs 1912 - configMap: 1913 name: argocd-gpg-keys-cm 1914 name: gpg-keys 1915 - emptyDir: {} 1916 name: gpg-keyring 1917 - emptyDir: {} 1918 name: tmp 1919 - name: argocd-repo-server-tls 1920 secret: 1921 items: 1922 - key: tls.crt 1923 path: tls.crt 1924 - key: tls.key 1925 path: tls.key 1926 - key: ca.crt 1927 path: ca.crt 1928 optional: true 1929 secretName: argocd-repo-server-tls 1930 - configMap: 1931 items: 1932 - key: applicationsetcontroller.profile.enabled 1933 path: profiler.enabled 1934 name: argocd-cmd-params-cm 1935 optional: true 1936 name: argocd-cmd-params-cm 1937 --- 1938 
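# Deployment: argocd-dex-server.
# The dex container runs a binary that the copyutil init container copies out
# of the Argo CD image into the shared "static-files" emptyDir.
# NOTE(review): both images in this Deployment are referenced by tag rather
# than by digest; with imagePullPolicy Always, whatever the tag points at when
# a pod starts is what runs. Pin by digest if image immutability is required.
# NOTE(review): no resources requests/limits are declared for these containers.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-dex-server
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - command:
        - /shared/argocd-dex
        - rundex
        env:
        - name: ARGOCD_DEX_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: dexserver.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEX_SERVER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: dexserver.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_LOG_FORMAT_TIMESTAMP
          valueFrom:
            configMapKeyRef:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): by its name this key turns TLS off on the Dex server.
        # It is read from argocd-cmd-params-cm when the container starts, so
        # write access to that ConfigMap is security-relevant.
        - name: ARGOCD_DEX_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: dexserver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        image: ghcr.io/dexidp/dex:v2.43.0
        imagePullPolicy: Always
        name: dex
        ports:
        - containerPort: 5556
        - containerPort: 5557
        - containerPort: 5558
        # Restricted container profile: no privilege escalation, all
        # capabilities dropped, read-only root filesystem, non-root, default
        # seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        - mountPath: /tmp
          name: dexconfig
        - mountPath: /tls
          name: argocd-dex-server-tls
      initContainers:
      # cp -n does not overwrite an existing destination file.
      - command:
        - /bin/cp
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
        image: quay.io/argoproj/argocd:v3.2.1
        imagePullPolicy: Always
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        - mountPath: /tmp
          name: dexconfig
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: argocd-dex-server
      volumes:
      - emptyDir: {}
        name: static-files
      - emptyDir: {}
        name: dexconfig
      # Optional Secret: the pod starts even when it does not exist. The
      # private key (tls.key) is projected here because Dex is the TLS server.
      - name: argocd-dex-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-dex-server-tls
---
# Deployment: argocd-notifications-controller.
# Uses the Recreate strategy, so the old pod is stopped before the new one is
# started.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-notifications-controller
    spec:
      containers:
      - args:
        - /usr/local/bin/argocd-notifications
        env:
        - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_LOG_FORMAT_TIMESTAMP
          valueFrom:
            configMapKeyRef:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.selfservice.enabled
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): by its name this key makes the controller talk to the
        # repo server without TLS; confirm before enabling.
        - name: ARGOCD_NOTIFICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        image: quay.io/argoproj/argocd:v3.2.1
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
            port: 9001
        name: argocd-notifications-controller
        # runAsNonRoot and the seccomp profile are not set here; they come
        # from the pod-level securityContext below.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        workingDir: /app
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: argocd-notifications-controller
      volumes:
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      # NOTE(review): this projects the repo server's private key (tls.key)
      # into the notifications controller pod. Whether this workload needs
      # more than tls.crt/ca.crt cannot be told from this manifest; confirm,
      # and drop tls.key if it only verifies the repo server.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
---
# Deployment: argocd-redis-ha-haproxy (HAProxy in front of the HA Redis).
# Three replicas with a required per-hostname anti-affinity: each replica
# needs its own node, otherwise pods stay Pending.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
spec:
  replicas: 3
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  strategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        checksum/config: cd6508bdf9819601c454d0cc491fb77a209e3a88761d92514d105b6681829953
        prometheus.io/path: /metrics
        prometheus.io/port: "9101"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: argocd-redis-ha-haproxy
      name: argocd-redis-ha-haproxy
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-redis-ha-haproxy
            topologyKey: kubernetes.io/hostname
      # The ServiceAccount token is mounted into every container of this pod,
      # including the long-running haproxy container.
      # NOTE(review): presumably only the secret-init init container needs
      # Kubernetes API access (it runs `argocd admin redis-initial-password`);
      # verify against the Role bound to argocd-redis-ha-haproxy.
      automountServiceAccountToken: true
      containers:
      - env:
        # Redis password from Secret argocd-redis. The reference is not marked
        # optional, so the container cannot start until the Secret exists.
        - name: AUTH
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        image: public.ecr.aws/docker/library/haproxy:3.0.8-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
          httpGet:
            path: /healthz
            port: probe
          initialDelaySeconds: 5
          periodSeconds: 3
        name: haproxy
        ports:
        - containerPort: 8888
          name: probe
        - containerPort: 6379
          name: redis
        - containerPort: 9101
          name: metrics-port
        readinessProbe:
          httpGet:
            path: /healthz
            port: probe
          initialDelaySeconds: 5
          periodSeconds: 3
        # runAsNonRoot is inherited from the pod-level securityContext
        # (runAsUser 99) below.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /usr/local/etc/haproxy
          name: data
        - mountPath: /run/haproxy
          name: shared-socket
      initContainers:
      - command:
        - argocd
        - admin
        - redis-initial-password
        image: quay.io/argoproj/argocd:v3.2.1
        imagePullPolicy: IfNotPresent
        name: secret-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
      # Runs the init script from the read-only ConfigMap mount; /data is the
      # emptyDir the haproxy container later mounts as its config directory.
      - args:
        - /readonly/haproxy_init.sh
        command:
        - sh
        image: public.ecr.aws/docker/library/haproxy:3.0.8-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly
          name: config-volume
          readOnly: true
        - mountPath: /data
          name: data
      securityContext:
        fsGroup: 99
        runAsNonRoot: true
        runAsUser: 99
      serviceAccountName: argocd-redis-ha-haproxy
      volumes:
      - configMap:
          name: argocd-redis-ha-configmap
        name: config-volume
      - emptyDir: {}
        name: shared-socket
      - emptyDir: {}
        name: data
---
# Deployment: argocd-repo-server (two replicas, one per node).
# No ServiceAccount token is mounted into this pod
# (automountServiceAccountToken: false).
# Most settings are optional keys of argocd-cmd-params-cm, resolved into
# environment variables when the container starts; several of them relax
# transport security or input-size limits (flagged inline), so write access to
# that ConfigMap is security-relevant.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-repo-server
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-repo-server
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-repo-server
            topologyKey: kubernetes.io/hostname
      automountServiceAccountToken: false
      containers:
      - args:
        - /usr/local/bin/argocd-repo-server
        env:
        # Not optional: the container cannot start until Secret argocd-redis
        # exists.
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_LOG_FORMAT_TIMESTAMP
          valueFrom:
            configMapKeyRef:
              key: log.format.timestamp
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: reposerver.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: reposerver.listen.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: reposerver.metrics.listen.address
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): by its name this key turns TLS off on the repo server
        # listener; confirm before enabling.
        - name: ARGOCD_REPO_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MIN_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.minversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MAX_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.maxversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_CIPHERS
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.ciphers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.repo.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
          valueFrom:
            configMapKeyRef:
              key: otlp.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
          valueFrom:
            configMapKeyRef:
              key: otlp.headers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_ATTRS
          valueFrom:
            configMapKeyRef:
              key: otlp.attrs
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
          valueFrom:
            configMapKeyRef:
              key: reposerver.plugin.tar.exclusions
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS
          valueFrom:
            configMapKeyRef:
              key: reposerver.plugin.use.manifest.generate.paths
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): by its name this key lets repository content contain
        # symlinks that point outside the repository root; confirm the threat
        # model before enabling.
        - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
          valueFrom:
            configMapKeyRef:
              key: reposerver.allow.oob.symlinks
              name: argocd-cmd-params-cm
              optional: true
        # The next keys bound (or, for the "disable" variants, presumably
        # remove the bound on) archive and manifest sizes the repo server
        # accepts. NOTE(review): removing a limit exposes the pod to oversized
        # input; no memory limit is declared in this manifest.
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.tar.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.helm.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.helm.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OCI_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.oci.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_DISABLE_OCI_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.oci.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OCI_LAYER_MEDIA_TYPES
          valueFrom:
            configMapKeyRef:
              key: reposerver.oci.layer.media.types
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: reposerver.revision.cache.lock.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
              key: reposerver.enable.git.submodule
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: reposerver.git.lsremote.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_REQUEST_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: reposerver.git.request.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_ENABLE_BUILTIN_GIT_CONFIG
          valueFrom:
            configMapKeyRef:
              key: reposerver.enable.builtin.git.config
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GRPC_MAX_SIZE_MB
          valueFrom:
            configMapKeyRef:
              key: reposerver.grpc.max.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
          valueFrom:
            configMapKeyRef:
              key: reposerver.include.hidden.directories
              name: argocd-cmd-params-cm
              optional: true
        # Helm state goes to a dedicated emptyDir because the root filesystem
        # is read-only.
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
        image: quay.io/argoproj/argocd:v3.2.1
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz?full=true
            port: 8084
          initialDelaySeconds: 30
          periodSeconds: 30
          timeoutSeconds: 5
        name: argocd-repo-server
        ports:
        - containerPort: 8081
        - containerPort: 8084
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8084
          initialDelaySeconds: 5
          periodSeconds: 10
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/gpg/source
          name: gpg-keys
        - mountPath: /app/config/gpg/keys
          name: gpg-keyring
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        - mountPath: /tmp
          name: tmp
        - mountPath: /helm-working-dir
          name: helm-working-dir
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
      initContainers:
      # NOTE(review): unlike the copyutil init container of argocd-dex-server,
      # this one sets no imagePullPolicy, so the cluster default for a tagged
      # image applies.
      - command:
        - /bin/cp
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
        image: quay.io/argoproj/argocd:v3.2.1
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: argocd-repo-server
      volumes:
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      - configMap:
          name: argocd-gpg-keys-cm
        name: gpg-keys
      - emptyDir: {}
        name: gpg-keyring
      - emptyDir: {}
        name: tmp
      - emptyDir: {}
        name: helm-working-dir
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      - emptyDir: {}
        name: var-files
      - emptyDir: {}
        name: plugins
---
# Deployment: argocd-server (API server / UI, two replicas, one per node).
# Authentication, TLS and browser-hardening behaviour is driven by optional
# keys of argocd-cmd-params-cm that are resolved when the container starts;
# the security-relevant ones are flagged inline. Restrict who may edit that
# ConfigMap accordingly.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-server
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-server
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-server
            topologyKey: kubernetes.io/hostname
      containers:
      - args:
        - /usr/local/bin/argocd-server
        env:
        # Hard-coded to match spec.replicas above; keep the two in sync.
        - name: ARGOCD_API_SERVER_REPLICAS
          value: "2"
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        # NOTE(review): by its name this key makes the API server serve
        # without TLS; confirm that TLS is terminated elsewhere before
        # enabling.
        - name: ARGOCD_SERVER_INSECURE
          valueFrom:
            configMapKeyRef:
              key: server.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_BASEHREF
          valueFrom:
            configMapKeyRef:
              key: server.basehref
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_ROOTPATH
          valueFrom:
            configMapKeyRef:
              key: server.rootpath
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: server.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              key: server.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_REPO_SERVER
          valueFrom:
            configMapKeyRef:
              key: repo.server
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_DEX_SERVER
          valueFrom:
            configMapKeyRef:
              key: server.dex.server
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): by its name this key disables authentication on the
        # API server. Alert on any change that sets it.
        - name: ARGOCD_SERVER_DISABLE_AUTH
          valueFrom:
            configMapKeyRef:
              key: server.disable.auth
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_ENABLE_GZIP
          valueFrom:
            configMapKeyRef:
              key: server.enable.gzip
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: server.repo.server.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        # Browser-facing response headers (framing and content security
        # policy) are configurable through the next two keys.
        - name: ARGOCD_SERVER_X_FRAME_OPTIONS
          valueFrom:
            configMapKeyRef:
              key: server.x.frame.options
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY
          valueFrom:
            configMapKeyRef:
              key: server.content.security.policy
              name: argocd-cmd-params-cm
              optional: true
        # The *.plaintext / *.strict.tls keys below control TLS towards the
        # repo server and Dex. NOTE(review): presumably "plaintext" drops TLS
        # and "strict.tls" enforces certificate verification; confirm against
        # the Argo CD documentation for this version.
        - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: server.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: server.repo.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: server.dex.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: server.dex.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MIN_VERSION
          valueFrom:
            configMapKeyRef:
              key: server.tls.minversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MAX_VERSION
          valueFrom:
            configMapKeyRef:
              key: server.tls.maxversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_CIPHERS
          valueFrom:
            configMapKeyRef:
              key: server.tls.ciphers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.connection.status.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.oidc.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_STATIC_ASSETS
          valueFrom:
            configMapKeyRef:
              key: server.staticassets
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.app.state.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: server.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_MAX_COOKIE_NUMBER
          valueFrom:
            configMapKeyRef:
              key: server.http.cookie.maxnumber
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_LISTEN_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: server.listen.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: server.metrics.listen.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OTLP_INSECURE
          valueFrom:
            configMapKeyRef:
              key: otlp.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OTLP_HEADERS
          valueFrom:
            configMapKeyRef:
              key: otlp.headers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_OTLP_ATTRS
          valueFrom:
            configMapKeyRef:
              key: otlp.attrs
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_ENABLE_PROXY_EXTENSION
          valueFrom:
            configMapKeyRef:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8SCLIENT_RETRY_MAX
          valueFrom:
            configMapKeyRef:
              key: server.k8sclient.retry.max
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
          valueFrom:
            configMapKeyRef:
              key: server.k8sclient.retry.base.backoff
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_API_CONTENT_TYPES
          valueFrom:
            configMapKeyRef:
              key: server.api.content.types
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: server.webhook.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.enable.new.git.file.globbing
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.scm.root.ca.path
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.allowed.scm.providers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.enable.scm.providers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS
          valueFrom:
            configMapKeyRef:
              key: applicationsetcontroller.enable.github.api.metrics
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_HYDRATOR_ENABLED
          valueFrom:
            configMapKeyRef:
              key: hydrator.enabled
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_SYNC_WITH_REPLACE_ALLOWED
          valueFrom:
            configMapKeyRef:
              key: server.sync.replace.allowed
              name: argocd-cmd-params-cm
              optional: true
        image: quay.io/argoproj/argocd:v3.2.1
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz?full=true
            port: 8080
          initialDelaySeconds: 3
          periodSeconds: 30
          timeoutSeconds: 5
        name: argocd-server
        ports:
        - containerPort: 8080
        - containerPort: 8083
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 3
          periodSeconds: 30
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/server/tls
          name: argocd-repo-server-tls
        - mountPath: /app/config/dex/tls
          name: argocd-dex-server-tls
        - mountPath: /home/argocd
          name: plugins-home
        - mountPath: /tmp
          name: tmp
        - mountPath: /home/argocd/params
          name: argocd-cmd-params-cm
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: argocd-server
      volumes:
      - emptyDir: {}
        name: plugins-home
      - emptyDir: {}
        name: tmp
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      # NOTE(review): the repo server's private key (tls.key) is projected
      # into the API server pod, while the Dex volume below projects only
      # tls.crt and ca.crt. Confirm the API server needs the key; if it only
      # verifies the repo server, the certificate and CA are enough.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      # Only the certificate and CA of Dex are projected here, not its key.
      - name: argocd-dex-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-dex-server-tls
      # Projects the single key server.profile.enabled as the file
      # profiler.enabled under /home/argocd/params.
      - configMap:
          items:
          - key: server.profile.enabled
            path: profiler.enabled
          name: argocd-cmd-params-cm
          optional: true
        name: argocd-cmd-params-cm
---
# StatefulSet: argocd-application-controller.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  serviceName: argocd-application-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-application-controller
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-application-controller
              topologyKey: kubernetes.io/hostname
            weight: 100
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - args:
        - /usr/local/bin/argocd-application-controller
        env:
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        # Hard-coded to match spec.replicas above; keep the two in sync.
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef: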
3124 key: timeout.reconciliation 3125 name: argocd-cm 3126 optional: true 3127 - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT 3128 valueFrom: 3129 configMapKeyRef: 3130 key: timeout.hard.reconciliation 3131 name: argocd-cm 3132 optional: true 3133 - name: ARGOCD_RECONCILIATION_JITTER 3134 valueFrom: 3135 configMapKeyRef: 3136 key: timeout.reconciliation.jitter 3137 name: argocd-cm 3138 optional: true 3139 - name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS 3140 valueFrom: 3141 configMapKeyRef: 3142 key: controller.repo.error.grace.period.seconds 3143 name: argocd-cmd-params-cm 3144 optional: true 3145 - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER 3146 valueFrom: 3147 configMapKeyRef: 3148 key: repo.server 3149 name: argocd-cmd-params-cm 3150 optional: true 3151 - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS 3152 valueFrom: 3153 configMapKeyRef: 3154 key: controller.repo.server.timeout.seconds 3155 name: argocd-cmd-params-cm 3156 optional: true 3157 - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS 3158 valueFrom: 3159 configMapKeyRef: 3160 key: controller.status.processors 3161 name: argocd-cmd-params-cm 3162 optional: true 3163 - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS 3164 valueFrom: 3165 configMapKeyRef: 3166 key: controller.operation.processors 3167 name: argocd-cmd-params-cm 3168 optional: true 3169 - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT 3170 valueFrom: 3171 configMapKeyRef: 3172 key: controller.log.format 3173 name: argocd-cmd-params-cm 3174 optional: true 3175 - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL 3176 valueFrom: 3177 configMapKeyRef: 3178 key: controller.log.level 3179 name: argocd-cmd-params-cm 3180 optional: true 3181 - name: ARGOCD_LOG_FORMAT_TIMESTAMP 3182 valueFrom: 3183 configMapKeyRef: 3184 key: log.format.timestamp 3185 name: argocd-cmd-params-cm 3186 optional: true 3187 - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION 3188 valueFrom: 3189 configMapKeyRef: 3190 key: 
controller.metrics.cache.expiration 3191 name: argocd-cmd-params-cm 3192 optional: true 3193 - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS 3194 valueFrom: 3195 configMapKeyRef: 3196 key: controller.self.heal.timeout.seconds 3197 name: argocd-cmd-params-cm 3198 optional: true 3199 - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS 3200 valueFrom: 3201 configMapKeyRef: 3202 key: controller.self.heal.backoff.timeout.seconds 3203 name: argocd-cmd-params-cm 3204 optional: true 3205 - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR 3206 valueFrom: 3207 configMapKeyRef: 3208 key: controller.self.heal.backoff.factor 3209 name: argocd-cmd-params-cm 3210 optional: true 3211 - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS 3212 valueFrom: 3213 configMapKeyRef: 3214 key: controller.self.heal.backoff.cap.seconds 3215 name: argocd-cmd-params-cm 3216 optional: true 3217 - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_COOLDOWN_SECONDS 3218 valueFrom: 3219 configMapKeyRef: 3220 key: controller.self.heal.backoff.cooldown.seconds 3221 name: argocd-cmd-params-cm 3222 optional: true 3223 - name: ARGOCD_SYNC_WAVE_DELAY 3224 valueFrom: 3225 configMapKeyRef: 3226 key: controller.sync.wave.delay.seconds 3227 name: argocd-cmd-params-cm 3228 optional: true 3229 - name: ARGOCD_APPLICATION_CONTROLLER_SYNC_TIMEOUT 3230 valueFrom: 3231 configMapKeyRef: 3232 key: controller.sync.timeout.seconds 3233 name: argocd-cmd-params-cm 3234 optional: true 3235 - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT 3236 valueFrom: 3237 configMapKeyRef: 3238 key: controller.repo.server.plaintext 3239 name: argocd-cmd-params-cm 3240 optional: true 3241 - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS 3242 valueFrom: 3243 configMapKeyRef: 3244 key: controller.repo.server.strict.tls 3245 name: argocd-cmd-params-cm 3246 optional: true 3247 - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH 3248 valueFrom: 
3249 configMapKeyRef: 3250 key: controller.resource.health.persist 3251 name: argocd-cmd-params-cm 3252 optional: true 3253 - name: ARGOCD_APP_STATE_CACHE_EXPIRATION 3254 valueFrom: 3255 configMapKeyRef: 3256 key: controller.app.state.cache.expiration 3257 name: argocd-cmd-params-cm 3258 optional: true 3259 - name: REDIS_SERVER 3260 valueFrom: 3261 configMapKeyRef: 3262 key: redis.server 3263 name: argocd-cmd-params-cm 3264 optional: true 3265 - name: REDIS_COMPRESSION 3266 valueFrom: 3267 configMapKeyRef: 3268 key: redis.compression 3269 name: argocd-cmd-params-cm 3270 optional: true 3271 - name: REDISDB 3272 valueFrom: 3273 configMapKeyRef: 3274 key: redis.db 3275 name: argocd-cmd-params-cm 3276 optional: true 3277 - name: ARGOCD_DEFAULT_CACHE_EXPIRATION 3278 valueFrom: 3279 configMapKeyRef: 3280 key: controller.default.cache.expiration 3281 name: argocd-cmd-params-cm 3282 optional: true 3283 - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS 3284 valueFrom: 3285 configMapKeyRef: 3286 key: otlp.address 3287 name: argocd-cmd-params-cm 3288 optional: true 3289 - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE 3290 valueFrom: 3291 configMapKeyRef: 3292 key: otlp.insecure 3293 name: argocd-cmd-params-cm 3294 optional: true 3295 - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS 3296 valueFrom: 3297 configMapKeyRef: 3298 key: otlp.headers 3299 name: argocd-cmd-params-cm 3300 optional: true 3301 - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ATTRS 3302 valueFrom: 3303 configMapKeyRef: 3304 key: otlp.attrs 3305 name: argocd-cmd-params-cm 3306 optional: true 3307 - name: ARGOCD_APPLICATION_NAMESPACES 3308 valueFrom: 3309 configMapKeyRef: 3310 key: application.namespaces 3311 name: argocd-cmd-params-cm 3312 optional: true 3313 - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM 3314 valueFrom: 3315 configMapKeyRef: 3316 key: controller.sharding.algorithm 3317 name: argocd-cmd-params-cm 3318 optional: true 3319 - name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT 3320 
valueFrom: 3321 configMapKeyRef: 3322 key: controller.kubectl.parallelism.limit 3323 name: argocd-cmd-params-cm 3324 optional: true 3325 - name: ARGOCD_K8SCLIENT_RETRY_MAX 3326 valueFrom: 3327 configMapKeyRef: 3328 key: controller.k8sclient.retry.max 3329 name: argocd-cmd-params-cm 3330 optional: true 3331 - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF 3332 valueFrom: 3333 configMapKeyRef: 3334 key: controller.k8sclient.retry.base.backoff 3335 name: argocd-cmd-params-cm 3336 optional: true 3337 - name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF 3338 valueFrom: 3339 configMapKeyRef: 3340 key: controller.diff.server.side 3341 name: argocd-cmd-params-cm 3342 optional: true 3343 - name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT 3344 valueFrom: 3345 configMapKeyRef: 3346 key: controller.ignore.normalizer.jq.timeout 3347 name: argocd-cmd-params-cm 3348 optional: true 3349 - name: ARGOCD_HYDRATOR_ENABLED 3350 valueFrom: 3351 configMapKeyRef: 3352 key: hydrator.enabled 3353 name: argocd-cmd-params-cm 3354 optional: true 3355 - name: ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING 3356 valueFrom: 3357 configMapKeyRef: 3358 key: controller.cluster.cache.batch.events.processing 3359 name: argocd-cmd-params-cm 3360 optional: true 3361 - name: ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL 3362 valueFrom: 3363 configMapKeyRef: 3364 key: controller.cluster.cache.events.processing.interval 3365 name: argocd-cmd-params-cm 3366 optional: true 3367 - name: ARGOCD_APPLICATION_CONTROLLER_COMMIT_SERVER 3368 valueFrom: 3369 configMapKeyRef: 3370 key: commit.server 3371 name: argocd-cmd-params-cm 3372 optional: true 3373 - name: KUBECACHEDIR 3374 value: /tmp/kubecache 3375 image: quay.io/argoproj/argocd:v3.2.1 3376 imagePullPolicy: Always 3377 name: argocd-application-controller 3378 ports: 3379 - containerPort: 8082 3380 readinessProbe: 3381 httpGet: 3382 path: /healthz 3383 port: 8082 3384 initialDelaySeconds: 5 3385 periodSeconds: 10 3386 securityContext: 3387 allowPrivilegeEscalation: false 
3388 capabilities: 3389 drop: 3390 - ALL 3391 readOnlyRootFilesystem: true 3392 runAsNonRoot: true 3393 seccompProfile: 3394 type: RuntimeDefault 3395 volumeMounts: 3396 - mountPath: /app/config/controller/tls 3397 name: argocd-repo-server-tls 3398 - mountPath: /home/argocd 3399 name: argocd-home 3400 - mountPath: /home/argocd/params 3401 name: argocd-cmd-params-cm 3402 - mountPath: /tmp 3403 name: argocd-application-controller-tmp 3404 workingDir: /home/argocd 3405 nodeSelector: 3406 kubernetes.io/os: linux 3407 serviceAccountName: argocd-application-controller 3408 volumes: 3409 - emptyDir: {} 3410 name: argocd-home 3411 - emptyDir: {} 3412 name: argocd-application-controller-tmp 3413 - name: argocd-repo-server-tls 3414 secret: 3415 items: 3416 - key: tls.crt 3417 path: tls.crt 3418 - key: tls.key 3419 path: tls.key 3420 - key: ca.crt 3421 path: ca.crt 3422 optional: true 3423 secretName: argocd-repo-server-tls 3424 - configMap: 3425 items: 3426 - key: controller.profile.enabled 3427 path: profiler.enabled 3428 name: argocd-cmd-params-cm 3429 optional: true 3430 name: argocd-cmd-params-cm 3431 --- 3432 apiVersion: apps/v1 3433 kind: StatefulSet 3434 metadata: 3435 labels: 3436 app.kubernetes.io/component: redis 3437 app.kubernetes.io/name: argocd-redis-ha 3438 app.kubernetes.io/part-of: argocd 3439 name: argocd-redis-ha-server 3440 spec: 3441 podManagementPolicy: OrderedReady 3442 replicas: 3 3443 selector: 3444 matchLabels: 3445 app.kubernetes.io/name: argocd-redis-ha 3446 serviceName: argocd-redis-ha 3447 template: 3448 metadata: 3449 annotations: 3450 checksum/init-config: fd74f7d84e39b3f6eac1d7ce5deb0083e58f218376faf363343d91a0fb4f2563 3451 labels: 3452 app.kubernetes.io/name: argocd-redis-ha 3453 spec: 3454 affinity: 3455 podAntiAffinity: 3456 requiredDuringSchedulingIgnoredDuringExecution: 3457 - labelSelector: 3458 matchLabels: 3459 app.kubernetes.io/name: argocd-redis-ha 3460 topologyKey: kubernetes.io/hostname 3461 automountServiceAccountToken: false 
3462 containers: 3463 - args: 3464 - /data/conf/redis.conf 3465 command: 3466 - redis-server 3467 env: 3468 - name: AUTH 3469 valueFrom: 3470 secretKeyRef: 3471 key: auth 3472 name: argocd-redis 3473 image: public.ecr.aws/docker/library/redis:8.2.2-alpine 3474 imagePullPolicy: IfNotPresent 3475 lifecycle: 3476 preStop: 3477 exec: 3478 command: 3479 - /bin/sh 3480 - /readonly-config/trigger-failover-if-master.sh 3481 livenessProbe: 3482 exec: 3483 command: 3484 - sh 3485 - -c 3486 - /health/redis_liveness.sh 3487 failureThreshold: 5 3488 initialDelaySeconds: 30 3489 periodSeconds: 15 3490 successThreshold: 1 3491 timeoutSeconds: 15 3492 name: redis 3493 ports: 3494 - containerPort: 6379 3495 name: redis 3496 readinessProbe: 3497 exec: 3498 command: 3499 - sh 3500 - -c 3501 - /health/redis_readiness.sh 3502 failureThreshold: 5 3503 initialDelaySeconds: 30 3504 periodSeconds: 15 3505 successThreshold: 1 3506 timeoutSeconds: 15 3507 securityContext: 3508 allowPrivilegeEscalation: false 3509 capabilities: 3510 drop: 3511 - ALL 3512 readOnlyRootFilesystem: true 3513 seccompProfile: 3514 type: RuntimeDefault 3515 startupProbe: 3516 exec: 3517 command: 3518 - sh 3519 - -c 3520 - /health/redis_readiness.sh 3521 failureThreshold: 5 3522 initialDelaySeconds: 30 3523 periodSeconds: 15 3524 successThreshold: 1 3525 timeoutSeconds: 15 3526 volumeMounts: 3527 - mountPath: /readonly-config 3528 name: config 3529 readOnly: true 3530 - mountPath: /data 3531 name: data 3532 - mountPath: /health 3533 name: health 3534 - args: 3535 - /data/conf/sentinel.conf 3536 command: 3537 - redis-sentinel 3538 env: 3539 - name: AUTH 3540 valueFrom: 3541 secretKeyRef: 3542 key: auth 3543 name: argocd-redis 3544 image: public.ecr.aws/docker/library/redis:8.2.2-alpine 3545 imagePullPolicy: IfNotPresent 3546 lifecycle: 3547 postStart: 3548 exec: 3549 command: 3550 - /bin/sh 3551 - -c 3552 - sleep 30; redis-cli -p 26379 sentinel reset argocd 3553 livenessProbe: 3554 exec: 3555 command: 3556 - sh 3557 - 
-c 3558 - /health/sentinel_liveness.sh 3559 failureThreshold: 5 3560 initialDelaySeconds: 30 3561 periodSeconds: 15 3562 successThreshold: 1 3563 timeoutSeconds: 15 3564 name: sentinel 3565 ports: 3566 - containerPort: 26379 3567 name: sentinel 3568 readinessProbe: 3569 exec: 3570 command: 3571 - sh 3572 - -c 3573 - /health/sentinel_liveness.sh 3574 failureThreshold: 5 3575 initialDelaySeconds: 30 3576 periodSeconds: 15 3577 successThreshold: 3 3578 timeoutSeconds: 15 3579 securityContext: 3580 allowPrivilegeEscalation: false 3581 capabilities: 3582 drop: 3583 - ALL 3584 readOnlyRootFilesystem: true 3585 seccompProfile: 3586 type: RuntimeDefault 3587 startupProbe: 3588 exec: 3589 command: 3590 - sh 3591 - -c 3592 - /health/sentinel_liveness.sh 3593 failureThreshold: 3 3594 initialDelaySeconds: 5 3595 periodSeconds: 10 3596 successThreshold: 1 3597 timeoutSeconds: 15 3598 volumeMounts: 3599 - mountPath: /data 3600 name: data 3601 - mountPath: /health 3602 name: health 3603 - args: 3604 - /readonly-config/fix-split-brain.sh 3605 command: 3606 - sh 3607 env: 3608 - name: SENTINEL_ID_0 3609 value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6 3610 - name: SENTINEL_ID_1 3611 value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4 3612 - name: SENTINEL_ID_2 3613 value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca 3614 - name: AUTH 3615 valueFrom: 3616 secretKeyRef: 3617 key: auth 3618 name: argocd-redis 3619 image: public.ecr.aws/docker/library/redis:8.2.2-alpine 3620 imagePullPolicy: IfNotPresent 3621 name: split-brain-fix 3622 resources: {} 3623 securityContext: 3624 allowPrivilegeEscalation: false 3625 capabilities: 3626 drop: 3627 - ALL 3628 readOnlyRootFilesystem: true 3629 seccompProfile: 3630 type: RuntimeDefault 3631 volumeMounts: 3632 - mountPath: /readonly-config 3633 name: config 3634 readOnly: true 3635 - mountPath: /data 3636 name: data 3637 initContainers: 3638 - args: 3639 - /readonly-config/init.sh 3640 command: 3641 - sh 3642 env: 3643 - name: SENTINEL_ID_0 3644 value: 
3c0d9c0320bb34888c2df5757c718ce6ca992ce6 3645 - name: SENTINEL_ID_1 3646 value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4 3647 - name: SENTINEL_ID_2 3648 value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca 3649 - name: AUTH 3650 valueFrom: 3651 secretKeyRef: 3652 key: auth 3653 name: argocd-redis 3654 image: public.ecr.aws/docker/library/redis:8.2.2-alpine 3655 imagePullPolicy: IfNotPresent 3656 name: config-init 3657 securityContext: 3658 allowPrivilegeEscalation: false 3659 capabilities: 3660 drop: 3661 - ALL 3662 readOnlyRootFilesystem: true 3663 seccompProfile: 3664 type: RuntimeDefault 3665 volumeMounts: 3666 - mountPath: /readonly-config 3667 name: config 3668 readOnly: true 3669 - mountPath: /data 3670 name: data 3671 securityContext: 3672 fsGroup: 1000 3673 runAsNonRoot: true 3674 runAsUser: 1000 3675 serviceAccountName: argocd-redis-ha 3676 terminationGracePeriodSeconds: 60 3677 volumes: 3678 - configMap: 3679 name: argocd-redis-ha-configmap 3680 name: config 3681 - configMap: 3682 defaultMode: 493 3683 name: argocd-redis-ha-health-configmap 3684 name: health 3685 - emptyDir: {} 3686 name: data 3687 updateStrategy: 3688 type: RollingUpdate 3689 --- 3690 apiVersion: networking.k8s.io/v1 3691 kind: NetworkPolicy 3692 metadata: 3693 labels: 3694 app.kubernetes.io/component: application-controller 3695 app.kubernetes.io/name: argocd-application-controller 3696 app.kubernetes.io/part-of: argocd 3697 name: argocd-application-controller-network-policy 3698 spec: 3699 ingress: 3700 - from: 3701 - namespaceSelector: {} 3702 ports: 3703 - port: 8082 3704 podSelector: 3705 matchLabels: 3706 app.kubernetes.io/name: argocd-application-controller 3707 policyTypes: 3708 - Ingress 3709 --- 3710 apiVersion: networking.k8s.io/v1 3711 kind: NetworkPolicy 3712 metadata: 3713 labels: 3714 app.kubernetes.io/component: applicationset-controller 3715 app.kubernetes.io/name: argocd-applicationset-controller 3716 app.kubernetes.io/part-of: argocd 3717 name: 
argocd-applicationset-controller-network-policy 3718 spec: 3719 ingress: 3720 - from: 3721 - namespaceSelector: {} 3722 ports: 3723 - port: 7000 3724 protocol: TCP 3725 - port: 8080 3726 protocol: TCP 3727 podSelector: 3728 matchLabels: 3729 app.kubernetes.io/name: argocd-applicationset-controller 3730 policyTypes: 3731 - Ingress 3732 --- 3733 apiVersion: networking.k8s.io/v1 3734 kind: NetworkPolicy 3735 metadata: 3736 labels: 3737 app.kubernetes.io/component: dex-server 3738 app.kubernetes.io/name: argocd-dex-server 3739 app.kubernetes.io/part-of: argocd 3740 name: argocd-dex-server-network-policy 3741 spec: 3742 ingress: 3743 - from: 3744 - podSelector: 3745 matchLabels: 3746 app.kubernetes.io/name: argocd-server 3747 ports: 3748 - port: 5556 3749 protocol: TCP 3750 - port: 5557 3751 protocol: TCP 3752 - from: 3753 - namespaceSelector: {} 3754 ports: 3755 - port: 5558 3756 protocol: TCP 3757 podSelector: 3758 matchLabels: 3759 app.kubernetes.io/name: argocd-dex-server 3760 policyTypes: 3761 - Ingress 3762 --- 3763 apiVersion: networking.k8s.io/v1 3764 kind: NetworkPolicy 3765 metadata: 3766 labels: 3767 app.kubernetes.io/component: notifications-controller 3768 app.kubernetes.io/name: argocd-notifications-controller 3769 app.kubernetes.io/part-of: argocd 3770 name: argocd-notifications-controller-network-policy 3771 spec: 3772 ingress: 3773 - from: 3774 - namespaceSelector: {} 3775 ports: 3776 - port: 9001 3777 protocol: TCP 3778 podSelector: 3779 matchLabels: 3780 app.kubernetes.io/name: argocd-notifications-controller 3781 policyTypes: 3782 - Ingress 3783 --- 3784 apiVersion: networking.k8s.io/v1 3785 kind: NetworkPolicy 3786 metadata: 3787 labels: 3788 app.kubernetes.io/component: redis 3789 app.kubernetes.io/name: argocd-redis-ha-haproxy 3790 app.kubernetes.io/part-of: argocd 3791 name: argocd-redis-ha-proxy-network-policy 3792 spec: 3793 ingress: 3794 - from: 3795 - podSelector: 3796 matchLabels: 3797 app.kubernetes.io/name: argocd-server 3798 - 
podSelector: 3799 matchLabels: 3800 app.kubernetes.io/name: argocd-repo-server 3801 - podSelector: 3802 matchLabels: 3803 app.kubernetes.io/name: argocd-application-controller 3804 ports: 3805 - port: 6379 3806 protocol: TCP 3807 - port: 26379 3808 protocol: TCP 3809 - from: 3810 - namespaceSelector: {} 3811 ports: 3812 - port: 9101 3813 protocol: TCP 3814 podSelector: 3815 matchLabels: 3816 app.kubernetes.io/name: argocd-redis-ha-haproxy 3817 policyTypes: 3818 - Ingress 3819 --- 3820 apiVersion: networking.k8s.io/v1 3821 kind: NetworkPolicy 3822 metadata: 3823 labels: 3824 app.kubernetes.io/component: redis 3825 app.kubernetes.io/name: argocd-redis-ha 3826 app.kubernetes.io/part-of: argocd 3827 name: argocd-redis-ha-server-network-policy 3828 spec: 3829 egress: 3830 - ports: 3831 - port: 6379 3832 protocol: TCP 3833 - port: 26379 3834 protocol: TCP 3835 to: 3836 - podSelector: 3837 matchLabels: 3838 app.kubernetes.io/name: argocd-redis-ha 3839 - ports: 3840 - port: 53 3841 protocol: UDP 3842 - port: 53 3843 protocol: TCP 3844 ingress: 3845 - from: 3846 - podSelector: 3847 matchLabels: 3848 app.kubernetes.io/name: argocd-redis-ha-haproxy 3849 - podSelector: 3850 matchLabels: 3851 app.kubernetes.io/name: argocd-redis-ha 3852 ports: 3853 - port: 6379 3854 protocol: TCP 3855 - port: 26379 3856 protocol: TCP 3857 podSelector: 3858 matchLabels: 3859 app.kubernetes.io/name: argocd-redis-ha 3860 policyTypes: 3861 - Ingress 3862 - Egress 3863 --- 3864 apiVersion: networking.k8s.io/v1 3865 kind: NetworkPolicy 3866 metadata: 3867 labels: 3868 app.kubernetes.io/component: repo-server 3869 app.kubernetes.io/name: argocd-repo-server 3870 app.kubernetes.io/part-of: argocd 3871 name: argocd-repo-server-network-policy 3872 spec: 3873 ingress: 3874 - from: 3875 - podSelector: 3876 matchLabels: 3877 app.kubernetes.io/name: argocd-server 3878 - podSelector: 3879 matchLabels: 3880 app.kubernetes.io/name: argocd-application-controller 3881 - podSelector: 3882 matchLabels: 3883 
app.kubernetes.io/name: argocd-notifications-controller 3884 - podSelector: 3885 matchLabels: 3886 app.kubernetes.io/name: argocd-applicationset-controller 3887 ports: 3888 - port: 8081 3889 protocol: TCP 3890 - from: 3891 - namespaceSelector: {} 3892 ports: 3893 - port: 8084 3894 podSelector: 3895 matchLabels: 3896 app.kubernetes.io/name: argocd-repo-server 3897 policyTypes: 3898 - Ingress 3899 --- 3900 apiVersion: networking.k8s.io/v1 3901 kind: NetworkPolicy 3902 metadata: 3903 labels: 3904 app.kubernetes.io/component: server 3905 app.kubernetes.io/name: argocd-server 3906 app.kubernetes.io/part-of: argocd 3907 name: argocd-server-network-policy 3908 spec: 3909 ingress: 3910 - {} 3911 podSelector: 3912 matchLabels: 3913 app.kubernetes.io/name: argocd-server 3914 policyTypes: 3915 - Ingress