How to login to ArgoCD CLI non-interactive in CI like GitHub Actions?
We have a full-blown setup using AWS EKS with Tekton installed and want to use ArgoCD for application deployment.
As the docs state, we installed ArgoCD on EKS in GitHub Actions with:
- name: Install ArgoCD
  run: |
    echo "--- Create argo namespace and install it"
    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
We also exposed the ArgoCD server (including the dashboard) as the docs told us:
- name: Expose ArgoCD Dashboard
  run: |
    echo "--- Expose ArgoCD Dashboard via K8s Service"
    kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'
    echo "--- Wait until Loadbalancer url is present"
    until kubectl get service/argocd-server -n argocd --output=jsonpath='{.status.loadBalancer}' | grep "ingress"; do : ; done
Finally, we installed the argocd CLI with brew:
echo "--- Install ArgoCD CLI"
brew install argocd
Now how can we do an argocd login from GitHub Actions (without human interaction)? The argocd login command needs a username and a password...
The same docs tell us how to extract the password for argo with:
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
Obtaining the ArgoCD server's hostname is also no big deal:
kubectl get service argocd-server -n argocd --output=jsonpath='{.status.loadBalancer.ingress[0].hostname}'
And since the argocd login command has the parameters --username and --password, we can craft our login command like this:
argocd login $(kubectl get service argocd-server -n argocd --output=jsonpath='{.status.loadBalancer.ingress[0].hostname}') --username admin --password $(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo) --insecure
Mind the --insecure to prevent the argo CLI from asking things like WARNING: server certificate had error: x509: certificate is valid for localhost, argocd-server, argocd-server.argocd, argocd-server.argocd.svc, argocd-server.argocd.svc.cluster.local, not a5f715808162c48c1af54069ba37db0e-1371850981.eu-central-1.elb.amazonaws.com. Proceed insecurely (y/n)?
A successful login should look somewhat like this in the GitHub Actions UI (see a full log here):
'admin:login' logged in successfully
Context 'a5f715808162c48c1af54069ba37db0e-1371850981.eu-central-1.elb.amazonaws.com' updated
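Now your GitHub Actions workflow should be able to interact with the ArgoCD server.
Preventing the error FATA[0000] dial tcp: lookup a965bfb530e8449f5a355f221b2fd107-598531793.eu-central-1.elb.amazonaws.com on 8.8.8.8:53: no such host
This error arises if the argocd-server Kubernetes service was freshly installed right before the argocd login command runs. The argocd login command then fails for some time until it finally works.
Assuming some DNS propagation issues, we can prevent this error from breaking our CI pipeline by wrapping the argocd login command in an until loop, in the same way as already done. The full command will then look like this: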
until argocd login $(kubectl get service argocd-server -n argocd --output=jsonpath='{.status.loadBalancer.ingress[0].hostname}') --username admin --password $(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo) --insecure; do : ; done
In GitHub Actions this will look somewhat like this:
--- Login argocd CLI - now wrapped in until to prevent FATA[0000] dial tcp: lookup 12345.eu-central-1.elb.amazonaws.com on 8.8.8.8:53: no such host
time="2022-02-21T12:57:32Z" level=fatal msg="dial tcp: lookup a071bed7e9ea14747951b04360133141-459093397.eu-central-1.elb.amazonaws.com on 127.0.0.53:53: no such host"
time="2022-02-21T12:57:35Z" level=fatal msg="dial tcp: lookup a071bed7e9ea14747951b04360133141-459093397.eu-central-1.elb.amazonaws.com on 127.0.0.53:53: no such host"
time="2022-02-21T12:57:37Z" level=fatal msg="dial tcp: lookup a071bed7e9ea14747951b04360133141-459093397.eu-central-1.elb.amazonaws.com on 127.0.0.53:53: no such host"
[...]
time="2022-02-21T12:58:27Z" level=fatal msg="dial tcp: lookup a071bed7e9ea14747951b04360133141-459093397.eu-central-1.elb.amazonaws.com on 127.0.0.53:53: no such host"
time="2022-02-21T12:58:30Z" level=fatal msg="dial tcp: lookup a071bed7e9ea14747951b04360133141-459093397.eu-central-1.elb.amazonaws.com on 127.0.0.53:53: no such host"
time="2022-02-21T12:58:32Z" level=fatal msg="dial tcp: lookup a071bed7e9ea14747951b04360133141-459093397.eu-central-1.elb.amazonaws.com on 127.0.0.53:53: no such host"
'admin:login' logged in successfully
Context 'a071bed7e9ea14747951b04360133141-459093397.eu-central-1.elb.amazonaws.com' updated
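The until loop above retries without pausing and never gives up, so a hostname that never resolves keeps the job running until the workflow timeout. The following is an added example, not part of the original post: a bounded retry around the same login, with the password masked in the job log. The function names retry_bounded and argocd_login_ci and the attempt and delay values are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): bounded retry for the login step.

# retry_bounded MAX_ATTEMPTS DELAY_SECONDS COMMAND [ARGS...]
# Runs COMMAND until it succeeds. Returns 0 on success and 1 once
# MAX_ATTEMPTS attempts have all failed.
retry_bounded() {
  local max="$1" delay="$2" attempt=1
  shift 2
  until "$@"; do
    if [ "$attempt" -ge "$max" ]; then
      echo "giving up after $attempt attempts: $1" >&2
      return 1
    fi
    attempt=$((attempt + 1))
    sleep "$delay"
  done
}

# argocd_login_ci (hypothetical name): the login command from the post, with
# hostname and password resolved on every attempt and passed as quoted values.
argocd_login_ci() {
  local host password
  host="$(kubectl get service argocd-server -n argocd \
    --output=jsonpath='{.status.loadBalancer.ingress[0].hostname}')" || return 1
  if [ -z "$host" ]; then
    echo "load balancer hostname not assigned yet" >&2
    return 1
  fi
  password="$(kubectl -n argocd get secret argocd-initial-admin-secret \
    -o jsonpath='{.data.password}' | base64 -d)" || return 1
  # Inside GitHub Actions, register the value so the runner masks it in logs.
  if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
    echo "::add-mask::$password"
  fi
  # --insecure is kept from the post: the server certificate does not
  # cover the ELB hostname, so the CLI would otherwise prompt.
  argocd login "$host" --username admin --password "$password" --insecure
}

# Usage in the workflow step (values chosen for illustration):
#   retry_bounded 60 5 argocd_login_ci
```

With 60 attempts and a 5 second delay the step fails after roughly five minutes instead of looping indefinitely.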