
So, I have an Argocd installation in which I use a Google managed certificate for SSL.

According to the Argocd Ingress Documentation, there is no officially defined way to do this. To use a Google managed certificate, I created the following manifest files.

gcp-managed.yaml

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: gcp-managed
spec:
  domains:
    - subdomain.env.domain.com

argocd-ingress-1.yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: argocd-ingress-1
  annotations:
    kubernetes.io/ingress.global-static-ip-name: argocd-static-ip
    networking.gke.io/managed-certificates: gcp-managed
    kubernetes.io/ingress.class: "gce"
spec:
  backend:
    serviceName: argocd-service
    servicePort: 80

argocd-service.yaml

apiVersion: v1
kind: Service
metadata:
  name: argocd-service
spec:
  selector:
    app.kubernetes.io/name: argocd-server
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

Also, since we are using Cloudflare, I have added the static IP as an A record for subdomain.env.domain.com. Now the Google managed certificate gives me this (from kubectl describe managedcertificate gcp-managed -n argocd):

Status:
  Certificate Name:    certificate-unique-id
  Certificate Status:  Provisioning
  Domain Status:
    Domain:  subdomain.env.domain.com
    Status:  FailedNotVisible

And the argocd-server health check fails, which causes the FailedNotVisible issue above, because the GKE load balancer will not route traffic unless the health check passes.

So, what am I doing wrong? What else can I do to make this work? Using something like Ambassador Edge Stack or any other third-party application is not an option.


1 Answer


So, the trick is to use the --insecure flag from the argocd command reference. Create a custom argocd service, turn off proxying in Cloudflare, and use an ingress that uses the managed certificate.

development-argocd-static-ip is essentially a global static IP. argocd-server, gcp-managed, argocd-service and argocd-ingress are all in the same namespace.

argocd-server.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-server
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-server
              topologyKey: kubernetes.io/hostname
            weight: 100
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - command:
        - argocd-server
        - --insecure    # added this
        - --staticassets
        - /shared/app
        image: quay.io/argoproj/argocd:v2.0.0
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz?full=true
            port: 8080
          initialDelaySeconds: 3
          periodSeconds: 30
        name: argocd-server
        ports:
        - containerPort: 8080
        - containerPort: 8083
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 3
          periodSeconds: 30
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
        volumeMounts:
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/server/tls
          name: argocd-repo-server-tls
      serviceAccountName: argocd-server
      volumes:
      - emptyDir: {}
        name: static-files
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls

gcp-managed.yaml

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: gcp-managed
spec:
  domains:
    - subdomain.env.domain.com

argocd-service.yaml

apiVersion: v1
kind: Service
metadata:
  name: argocd-service
spec:
  selector:
    app.kubernetes.io/name: argocd-server
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

argocd-ingress.yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: argocd-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: development-argocd-static-ip
    networking.gke.io/managed-certificates: gcp-managed
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: argocd-service
              servicePort: 80

With the following command, kubectl describe managedcertificate gcp-managed -n argocd:

Status:
  Certificate Name:    certificate-unique-id
  Certificate Status:  Active
  Domain Status:
    Domain:     subdomain.env.domain.com
    Status:     Active

Answered 2021-05-06T09:27:28.900
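A static check of the Ingress -> Service -> Deployment chain that the question wired up and the answer fixed, added here as an example; it is not code from the original question or answer. The manifests are embedded as constructed Python dicts mirroring the YAML above (no PyYAML, no cluster needed), and the question's Deployment is assumed to be the stock one without the flag the answer added. The check resolves the Ingress backend to the Service, the Service targetPort to a port the argocd-server container exposes, the Service selector to the pod labels, requires a NodePort (or NEG-annotated) backend as the GCE ingress does, and flags an argocd-server that runs without --insecure: the GCE health check is a plain-HTTP GET that must receive a 200, and without --insecure argocd-server answers plain HTTP on 8080 with a redirect to HTTPS. The check_wiring function and its finding strings are this example's own.

```python
# Added example (not code from the original question or answer): a static
# wiring check for the manifests on this page, embedded as constructed dicts
# that mirror the page's YAML so it runs offline without PyYAML or a cluster.
from copy import deepcopy

CERT = {"kind": "ManagedCertificate", "metadata": {"name": "gcp-managed"},
        "spec": {"domains": ["subdomain.env.domain.com"]}}

SERVICE = {"kind": "Service", "metadata": {"name": "argocd-service"},
           "spec": {"selector": {"app.kubernetes.io/name": "argocd-server"},
                    "type": "NodePort",
                    "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080}]}}

# The answer's Deployment, cut down to the fields the check reads.
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "argocd-server"},
              "spec": {"template": {
                  "metadata": {"labels": {"app.kubernetes.io/name": "argocd-server"}},
                  "spec": {"containers": [{
                      "name": "argocd-server",
                      "command": ["argocd-server", "--insecure",
                                  "--staticassets", "/shared/app"],
                      "ports": [{"containerPort": 8080}, {"containerPort": 8083}]}]}}}}

ANNOTATIONS = {"kubernetes.io/ingress.global-static-ip-name": "development-argocd-static-ip",
               "networking.gke.io/managed-certificates": "gcp-managed",
               "kubernetes.io/ingress.class": "gce"}
# The question's ingress uses a default backend; the answer's uses a /* path rule.
INGRESS_QUESTION = {"kind": "Ingress",
                    "metadata": {"name": "argocd-ingress-1", "annotations": ANNOTATIONS},
                    "spec": {"backend": {"serviceName": "argocd-service", "servicePort": 80}}}
INGRESS_ANSWER = {"kind": "Ingress",
                  "metadata": {"name": "argocd-ingress", "annotations": ANNOTATIONS},
                  "spec": {"rules": [{"http": {"paths": [{"path": "/*", "backend": {
                      "serviceName": "argocd-service", "servicePort": 80}}]}}]}}


def ingress_backends(ingress):
    """(serviceName, servicePort) pairs from both v1beta1 backend forms."""
    spec, out = ingress["spec"], []
    if "backend" in spec:
        out.append((spec["backend"]["serviceName"], spec["backend"]["servicePort"]))
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            out.append((path["backend"]["serviceName"], path["backend"]["servicePort"]))
    return out


def target_port(service, port):
    """Container port (or port name) the Service forwards `port` to; None if unknown."""
    for p in service["spec"]["ports"]:
        if p["port"] == port:
            return p.get("targetPort", port)
    return None


def selector_matches(service, deployment):
    labels = deployment["spec"]["template"]["metadata"]["labels"]
    return all(labels.get(k) == v for k, v in service["spec"]["selector"].items())


def server_container(deployment):
    return next((c for c in deployment["spec"]["template"]["spec"]["containers"]
                 if c["name"] == "argocd-server"), None)


def check_wiring(ingress, service, deployment, cert):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    ann = ingress["metadata"].get("annotations", {})
    if ann.get("kubernetes.io/ingress.class") != "gce":
        findings.append("ingress.class is not gce; ManagedCertificate needs the GKE ingress controller")
    if ann.get("networking.gke.io/managed-certificates") != cert["metadata"]["name"]:
        findings.append("ingress does not reference ManagedCertificate " + cert["metadata"]["name"])
    if (service["spec"].get("type") != "NodePort"
            and "cloud.google.com/neg" not in service["metadata"].get("annotations", {})):
        findings.append("GCE ingress backends must be NodePort Services (or NEG-annotated)")
    if not selector_matches(service, deployment):
        findings.append("Service selector does not match the Deployment's pod labels")
    ctr = server_container(deployment)
    if ctr is None:
        findings.append("Deployment has no argocd-server container")
        return findings
    exposed = {p.get("name", p["containerPort"]) for p in ctr.get("ports", [])}
    exposed |= {p["containerPort"] for p in ctr.get("ports", [])}
    backends = ingress_backends(ingress)
    if not backends:
        findings.append("ingress has no backend")
    for name, port in backends:
        if name != service["metadata"]["name"]:
            findings.append(f"backend {name} is not Service {service['metadata']['name']}")
            continue
        tport = target_port(service, port)
        if tport not in exposed:
            findings.append(f"Service port {port} maps to {tport}, which argocd-server does not expose")
    # The GCE health check is a plain-HTTP GET that must get a 200; without
    # --insecure argocd-server answers plain HTTP on 8080 with a redirect to HTTPS.
    if "--insecure" not in ctr.get("command", []) + ctr.get("args", []):
        findings.append("argocd-server runs without --insecure: GCE health check gets an HTTPS redirect, not 200")
    return findings


def without_insecure(deployment):
    """The same Deployment minus the flag the answer added (the question's assumed state)."""
    d = deepcopy(deployment)
    server_container(d)["command"].remove("--insecure")
    return d


if __name__ == "__main__":
    for label, ing, dep in (("question", INGRESS_QUESTION, without_insecure(DEPLOYMENT)),
                            ("answer", INGRESS_ANSWER, DEPLOYMENT)):
        print(label, check_wiring(ing, SERVICE, dep, CERT) or "OK")
```

Run it as a script and the "question" combination reports only the missing --insecure flag, while the "answer" combination is clean. The check cannot see the DNS side: FailedNotVisible also persists while Cloudflare's proxy answers for the name, because the managed certificate's domain validation needs subdomain.env.domain.com to resolve directly to the load balancer's static IP, which is why the answer turns proxying off. Keep in mind what --insecure buys you: TLS now terminates at the GCE load balancer and traffic from it to the argocd-server pod is plain HTTP inside the VPC, so the cluster network is the trust boundary for that hop.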