# This is an auto-generated file. DO NOT EDIT
# Identity for the application-controller workload. Its permissions come from
# the Role and RoleBinding of the same name later in this file. No namespace is
# set here, so it is chosen when the manifest is applied.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-application-controller
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
---
# Identity for the applicationset-controller workload; bound to the Role of the
# same name by a RoleBinding later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-applicationset-controller
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
---
# Identity for the dex-server workload; bound to the Role of the same name by a
# RoleBinding later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-dex-server
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
---
# Identity for the notifications-controller workload; bound to the Role of the
# same name by a RoleBinding later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-notifications-controller
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
---
# Identity for the redis-ha workload. The Role bound to it later in this file
# only allows `get` on endpoints.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-redis-ha
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
---
# Identity for the HAProxy workload in front of redis-ha. The Role bound to it
# later in this file only allows `get` on endpoints.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-redis-ha-haproxy
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
---
# Identity for the repo-server workload.
# NOTE(review): no Role or RoleBinding for this account appears in the part of
# the file shown here; confirm against the rest of the manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-repo-server
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
---
# Identity for the API/UI server workload. The Role bound to it later in this
# file allows full read/write on Secrets and ConfigMaps in the namespace, so
# this is the most privileged account defined in this part of the manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-server
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
---
# Namespaced permissions for the application controller.
# The first rule has no resourceNames, so the holder can read every Secret and
# ConfigMap in the namespace this Role is installed into. Review who can run
# pods under, or mint tokens for, the bound ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-application-controller
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
rules:
# Read-only on all Secrets and ConfigMaps in the namespace.
- apiGroups: [""]
  resources: [secrets, configmaps]
  verbs: [get, list, watch]
# Full lifecycle on Argo CD Applications and AppProjects.
- apiGroups: [argoproj.io]
  resources: [applications, appprojects]
  verbs: [create, get, list, watch, update, patch, delete]
# Events can be emitted and listed, not modified.
- apiGroups: [""]
  resources: [events]
  verbs: [create, list]
# Read-only on Deployments.
- apiGroups: [apps]
  resources: [deployments]
  verbs: [get, list, watch]
---
# Namespaced permissions for the applicationset controller.
# It can create, change and delete Applications, and it can read every Secret
# and ConfigMap in the namespace (no resourceNames on that rule).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-applicationset-controller
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
rules:
# Full lifecycle on Applications and ApplicationSets, including finalizers.
- apiGroups: [argoproj.io]
  resources: [applications, applicationsets, applicationsets/finalizers]
  verbs: [create, delete, get, list, patch, update, watch]
# AppProjects can only be fetched by name.
- apiGroups: [argoproj.io]
  resources: [appprojects]
  verbs: [get]
# Status subresource of ApplicationSets.
- apiGroups: [argoproj.io]
  resources: [applicationsets/status]
  verbs: [get, patch, update]
- apiGroups: [""]
  resources: [events]
  verbs: [create, get, list, patch, watch]
# Read-only on all Secrets and ConfigMaps in the namespace.
- apiGroups: [""]
  resources: [secrets, configmaps]
  verbs: [get, list, watch]
# Read-only on Deployments in both the apps and the legacy extensions group.
- apiGroups: [apps, extensions]
  resources: [deployments]
  verbs: [get, list, watch]
---
# Namespaced permissions for the Dex server: read-only access to every Secret
# and ConfigMap in the namespace (the rule carries no resourceNames).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-dex-server
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
rules:
- apiGroups: [""]
  resources: [secrets, configmaps]
  verbs: [get, list, watch]
---
# Namespaced permissions for the notifications controller.
# `get` is pinned to two named objects, but the second rule grants `list` and
# `watch` on all ConfigMaps and Secrets. List and watch responses carry the
# full objects, so the resourceNames on `get` do not limit what can be read.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-notifications-controller
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
rules:
# Applications and AppProjects can be read and modified, not created or deleted.
- apiGroups: [argoproj.io]
  resources: [applications, appprojects]
  verbs: [get, list, watch, update, patch]
# Unrestricted list/watch on ConfigMaps and Secrets in the namespace.
- apiGroups: [""]
  resources: [configmaps, secrets]
  verbs: [list, watch]
- apiGroups: [""]
  resourceNames: [argocd-notifications-cm]
  resources: [configmaps]
  verbs: [get]
- apiGroups: [""]
  resourceNames: [argocd-notifications-secret]
  resources: [secrets]
  verbs: [get]
---
# Namespaced permissions for redis-ha: `get` on endpoints and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-redis-ha
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
rules:
- apiGroups: [""]
  resources: [endpoints]
  verbs: [get]
---
# Namespaced permissions for the redis-ha HAProxy: `get` on endpoints only.
# The app.kubernetes.io/name label is argocd-redis-ha, not the object name.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-redis-ha-haproxy
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
rules:
- apiGroups: [""]
  resources: [endpoints]
  verbs: [get]
---
# Namespaced permissions for the API/UI server.
# The first rule gives create/read/update/delete on every Secret and ConfigMap
# in the namespace. Anything that can act as the bound ServiceAccount can read
# and rewrite all of them, so keep unrelated workloads and their secrets out
# of this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-server
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
rules:
# Full read/write on all Secrets and ConfigMaps in the namespace.
- apiGroups: [""]
  resources: [secrets, configmaps]
  verbs: [create, get, list, watch, update, patch, delete]
# Full lifecycle on Applications, AppProjects and ApplicationSets.
- apiGroups: [argoproj.io]
  resources: [applications, appprojects, applicationsets]
  verbs: [create, get, list, watch, update, delete, patch]
- apiGroups: [""]
  resources: [events]
  verbs: [create, list]
---
# Grants Role argocd-application-controller to the ServiceAccount of the same
# name. The subject carries no `namespace` field.
# NOTE(review): confirm it resolves to the install namespace with your tooling.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-application-controller
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-application-controller
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
---
# Grants Role argocd-applicationset-controller to the ServiceAccount of the
# same name. The subject carries no `namespace` field.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-applicationset-controller
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-applicationset-controller
subjects:
- kind: ServiceAccount
  name: argocd-applicationset-controller
---
# Grants Role argocd-dex-server to the ServiceAccount of the same name.
# The subject carries no `namespace` field.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-dex-server
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-dex-server
subjects:
- kind: ServiceAccount
  name: argocd-dex-server
---
# Grants Role argocd-notifications-controller to the ServiceAccount of the same
# name. The subject carries no `namespace` field.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-notifications-controller
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-notifications-controller
subjects:
- kind: ServiceAccount
  name: argocd-notifications-controller
---
# Grants Role argocd-redis-ha to the ServiceAccount of the same name.
# The subject carries no `namespace` field.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-redis-ha
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-redis-ha
subjects:
- kind: ServiceAccount
  name: argocd-redis-ha
---
# Grants Role argocd-redis-ha-haproxy to the ServiceAccount of the same name.
# The subject carries no `namespace` field. The app.kubernetes.io/name label is
# argocd-redis-ha, not the object name.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-redis-ha-haproxy
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-redis-ha-haproxy
subjects:
- kind: ServiceAccount
  name: argocd-redis-ha-haproxy
---
# Grants Role argocd-server (read/write on all Secrets and ConfigMaps in the
# namespace) to the ServiceAccount of the same name.
# The subject carries no `namespace` field.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-server
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-server
subjects:
- kind: ServiceAccount
  name: argocd-server
---
# Shipped without a `data` section; settings are added by the operator.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
---
# Sets redis.server to the HAProxy Service name on port 6379. The HAProxy and
# Redis settings elsewhere in this file use 6379 as the non-TLS port.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  labels:
    app.kubernetes.io/name: argocd-cmd-params-cm
    app.kubernetes.io/part-of: argocd
data:
  redis.server: 'argocd-redis-ha-haproxy:6379'
---
# Shipped without a `data` section, so no GPG keys are configured by this
# manifest.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-gpg-keys-cm
  labels:
    app.kubernetes.io/name: argocd-gpg-keys-cm
    app.kubernetes.io/part-of: argocd
---
# Shipped without a `data` section. This is the one ConfigMap that the
# notifications controller's Role names explicitly for `get`.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-notifications-cm
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
---
# Shipped without a `data` section: no policy.csv or policy.default is set by
# this manifest, so Argo CD's own RBAC policy must be supplied separately.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
---
apiVersion: v1
data:
  fix-split-brain.sh: |
    # Settings shared by the functions of this script.
    # With the values below, SENTINEL_PORT and REDIS_PORT are non-zero and both
    # *_TLS_REPLICATION_ENABLED flags are false, so every port/TLS check in
    # this script takes its non-TLS branch: Redis and Sentinel traffic is
    # cleartext.
    # No password option is passed to redis-cli anywhere in this script.
    # NOTE(review): unless REDISCLI_AUTH is set in the container environment
    # (not visible here), access to Redis/Sentinel has to be restricted at the
    # network level.

    # Pod identity: the StatefulSet ordinal is whatever follows the last '-'
    # in the hostname.
    HOSTNAME="$(hostname)"
    INDEX="${HOSTNAME##*-}"

    # Sentinel group, quorum and the Service name used to reach Sentinel.
    SERVICE=argocd-redis-ha
    MASTER_GROUP="argocd"
    QUORUM="2"

    # Ports. An empty *_TLS_PORT means no TLS listener is configured.
    REDIS_PORT=6379
    REDIS_TLS_PORT=
    SENTINEL_PORT=26379
    SENTINEL_TLS_PORT=
    REDIS_TLS_REPLICATION_ENABLED=false
    SENTINEL_TLS_REPLICATION_ENABLED=false

    # Writable copies of the configuration files.
    REDIS_CONF=/data/conf/redis.conf
    SENTINEL_CONF=/data/conf/sentinel.conf

    # State filled in at runtime.
    ANNOUNCE_IP=''
    MASTER=''
    ROLE=''
    REDIS_MASTER=''

    # From here on: abort on errors and on use of unset variables.
    set -eu
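    # Ask Sentinel (via ${SERVICE}) for the master of ${MASTER_GROUP} and print
    # only the reply lines that look like an IPv4 or IPv6 address. Prints
    # nothing when Sentinel cannot be reached or returns no address.
    #
    # errexit is switched off for the lookup so a failed redis-cli/grep does
    # not abort the script, and switched back on before returning.
    #
    # The pattern is a format check, not an escaping guarantee: the optional
    # IPv6 zone suffix `(%.+)?` accepts any characters after '%', and callers
    # later embed the result in sed expressions and config files.
    # NOTE(review): `\s` and `\d` are not POSIX ERE; how they match depends on
    # the grep shipped in the image - confirm.
    sentinel_get_master() {
    set +e
        # One pattern for both branches. The original repeated it and ended the
        # IPv6 alternative with `s*$` (a literal "s") where the IPv4
        # alternative has `\s*$`; both now allow trailing whitespace only.
        addr_re='((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))'
        if [ "$SENTINEL_PORT" -eq 0 ]; then
            # Plain Sentinel port disabled: use the TLS port with client certs.
            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E "${addr_re}"
        else
            redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E "${addr_re}"
        fi
    set -e
    }
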
    # Call sentinel_get_master up to $1 times and print the first non-empty
    # answer (an empty line if every attempt fails).
    #   $1  number of attempts
    sentinel_get_master_retry() {
        master=''
        retry=${1}
        sleep=3
        for i in $(seq 1 "${retry}"); do
            master=$(sentinel_get_master)
            # Stop as soon as Sentinel returned an address.
            [ -z "${master}" ] || break
            # Wait a little longer after each failed attempt: 4s, 5s, 6s, ...
            sleep $((sleep + i))
        done
        echo "${master}"
    }

    # Store the master address reported by Sentinel (three attempts) in MASTER
    # and log whether one was found. MASTER is empty when none was found.
    identify_master() {
        echo "Identifying redis master (get-master-addr-by-name).."
        echo "  using sentinel (argocd-redis-ha), sentinel group name (argocd)"
        MASTER="$(sentinel_get_master_retry 3)"
        if [ -z "${MASTER}" ]; then
            echo "  $(date) Did not find redis master (${MASTER})"
        else
            echo "  $(date) Found redis master (${MASTER})"
        fi
    }

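    # Prepend this pod's Sentinel id and the master to monitor to
    # ${SENTINEL_CONF}, then append the announce address and port.
    #   $1  address of the Redis master to monitor
    # Reads INDEX, MASTER_GROUP, QUORUM, ANNOUNCE_IP and the port settings.
    # The id is taken from the variable SENTINEL_ID_<INDEX>.
    # NOTE(review): that variable is presumably set in the container
    # environment; it is not defined in this script.
    #
    # $1 and the other values are pasted into sed expressions and the config
    # file without escaping. In this script $1 comes from sentinel_get_master
    # or from getent; keep it that way.
    sentinel_update() {
        echo "Updating sentinel config.."
        echo "  evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
        # INDEX is derived from the hostname and is expanded inside eval below,
        # so only digits are allowed to reach the shell parser.
        case "${INDEX}" in
            ''|*[!0-9]*)
                echo "Error: statefulset index (${INDEX}) is not numeric."
                exit 1
                ;;
        esac
        eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
        echo "  sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
        # Insert "sentinel myid" as the new first line of the file.
        sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
        # Insert "sentinel monitor" as the new second line.
        if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
            echo "  redis master (${1}:${REDIS_TLS_PORT})"
            sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
        else
            echo "  redis master (${1}:${REDIS_PORT})"
            sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
        fi
        # Redirect targets are quoted like the sed targets above.
        echo "sentinel announce-ip ${ANNOUNCE_IP}" >> "${SENTINEL_CONF}"
        if [ "$SENTINEL_PORT" -eq 0 ]; then
            echo "  announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})"
            echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> "${SENTINEL_CONF}"
        else
            echo "  announce (${ANNOUNCE_IP}:${SENTINEL_PORT})"
            echo "sentinel announce-port ${SENTINEL_PORT}" >> "${SENTINEL_CONF}"
        fi
    }
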
    # Append replication settings to ${REDIS_CONF}: replicate from $1 and
    # announce this pod as ${ANNOUNCE_IP} on the replication port.
    #   $1  address of the Redis master
    redis_update() {
        echo "Updating redis config.."
        if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
            echo "  we are slave of redis master (${1}:${REDIS_TLS_PORT})"
            {
                echo "slaveof ${1} ${REDIS_TLS_PORT}"
                echo "slave-announce-port ${REDIS_TLS_PORT}"
            } >> "${REDIS_CONF}"
        else
            echo "  we are slave of redis master (${1}:${REDIS_PORT})"
            {
                echo "slaveof ${1} ${REDIS_PORT}"
                echo "slave-announce-port ${REDIS_PORT}"
            } >> "${REDIS_CONF}"
        fi
        echo "slave-announce-ip ${ANNOUNCE_IP}" >> "${REDIS_CONF}"
    }

    # Copy the read-only redis.conf and sentinel.conf templates from
    # /readonly-config to the writable paths ${REDIS_CONF} and ${SENTINEL_CONF}.
    copy_config() {
        printf '%s\n' "Copying default redis config.." "  to '${REDIS_CONF}'"
        cp /readonly-config/redis.conf "${REDIS_CONF}"
        printf '%s\n' "Copying default sentinel config.." "  to '${SENTINEL_CONF}'"
        cp /readonly-config/sentinel.conf "${SENTINEL_CONF}"
    }

    # Write a default configuration when Sentinel offers no usable master.
    # Pod 0 configures itself as master; every other pod assumes pod 0 is the
    # master and resolves its address through getent_hosts. Exits with status 1
    # when that address cannot be resolved.
    setup_defaults() {
        echo "Setting up defaults.."
        echo "  using statefulset index (${INDEX})"
        if [ "${INDEX}" != "0" ]; then
            echo "Getting redis master ip.."
            echo "  blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
            DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
            if [ -z "${DEFAULT_MASTER}" ]; then
                echo "Error: Unable to resolve redis master (getent hosts)."
                exit 1
            fi
            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
            echo "Setting default slave config for redis and sentinel.."
            echo "  using master ip (${DEFAULT_MASTER})"
            redis_update "${DEFAULT_MASTER}"
            sentinel_update "${DEFAULT_MASTER}"
        else
            echo "Setting this pod as master for redis and sentinel.."
            echo "  using announce (${ANNOUNCE_IP})"
            redis_update "${ANNOUNCE_IP}"
            sentinel_update "${ANNOUNCE_IP}"
            echo "  make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
            # redis_update just appended a "slaveof" line; blank it out again.
            sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
        fi
    }

    # Send PING to the Redis instance at ${MASTER} and print the reply.
    # errexit is off during the call so an unreachable host does not abort the
    # script.
    redis_ping() {
    set +e
        # Collect the connection options once. The TLS variant is used only
        # when the plain port is disabled (REDIS_PORT is 0).
        if [ "$REDIS_PORT" -eq 0 ]; then
            set -- -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
        else
            set -- -p "${REDIS_PORT}"
        fi
        redis-cli -h "${MASTER}" "$@" ping
    set -e
    }

    # Ping the current master up to $1 times; print PONG on success and an
    # empty line otherwise. After each failed attempt MASTER is refreshed from
    # Sentinel.
    #   $1  number of attempts
    # When this runs inside $(...), as it does in find_master, the refreshed
    # MASTER lives in the substitution's subshell and the caller does not see it.
    redis_ping_retry() {
        ping=''
        retry=${1}
        sleep=3
        for i in $(seq 1 "${retry}"); do
            [ "$(redis_ping)" != "PONG" ] || { ping='PONG'; break; }
            # Wait a little longer after each failed attempt: 4s, 5s, 6s, ...
            sleep $((sleep + i))
            MASTER=$(sentinel_get_master)
        done
        echo "${ping}"
    }

    # Make sure the master in ${MASTER} is reachable and write the redis and
    # sentinel configuration for it.
    # If the master does not answer PING, ask Sentinel for a failover:
    #   - on a NOGOODSLAVE reply, fall back to setup_defaults and return 0;
    #   - otherwise wait 10s, ask Sentinel again, and configure against the new
    #     master, or exit with status 1 when there is none.
    find_master() {
        echo "Verifying redis master.."
        if [ "$REDIS_PORT" -eq 0 ]; then
            echo "  ping (${MASTER}:${REDIS_TLS_PORT})"
        else
            echo "  ping (${MASTER}:${REDIS_PORT})"
        fi

        # Common case first: the master answers, configure against it.
        if [ "$(redis_ping_retry 3)" = "PONG" ]; then
            echo "  $(date) Found reachable redis master (${MASTER})"
            echo "Updating redis and sentinel config.."
            sentinel_update "${MASTER}"
            redis_update "${MASTER}"
            return
        fi

        echo "  $(date) Can't ping redis master (${MASTER})"
        echo "Attempting to force failover (sentinel failover).."

        if [ "$SENTINEL_PORT" -eq 0 ]; then
            echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
            if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                echo "Setting defaults for this pod.."
                setup_defaults
                return 0
            fi
        else
            echo "  on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
            if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                echo "Setting defaults for this pod.."
                setup_defaults
                return 0
            fi
        fi

        # Give Sentinel time to promote a replica before asking again.
        echo "Hold on for 10sec"
        sleep 10
        echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
        if [ "$SENTINEL_PORT" -eq 0 ]; then
            echo "  sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
        else
            echo "  sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
        fi
        MASTER="$(sentinel_get_master)"
        if [ -z "${MASTER}" ]; then
            echo "$(date) Error: Could not failover, exiting..."
            exit 1
        fi
        echo "  $(date) Found redis master (${MASTER})"
        echo "Updating redis and sentinel config.."
        sentinel_update "${MASTER}"
        redis_update "${MASTER}"
    }

    # Append "replica-priority 0" to ${REDIS_CONF}.
    redis_ro_update() {
        printf '%s\n' "Updating read-only redis config.." "  redis.conf set 'replica-priority 0'"
        echo "replica-priority 0" >> "${REDIS_CONF}"
    }

    # Print the `getent hosts` line for ${SERVICE}-announce-<index>.
    #   $1  pod index; defaults to this pod's ${INDEX}
    getent_hosts() {
        service="${SERVICE}-announce-${1:-${INDEX}}"
        host=$(getent hosts "${service}")
        echo "${host}"
    }

    # Resolve this pod's announce service and store the address (first column
    # of the getent output) in ANNOUNCE_IP. ANNOUNCE_IP is left empty when the
    # name does not resolve.
    identify_announce_ip() {
        printf '%s\n' "Identify announce ip for this pod.." "  using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
        ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
        echo "  identified announce (${ANNOUNCE_IP})"
    }

    # Query the local Redis instance (no -h option is given) and store the
    # value of its "role:" info line in ROLE. errexit is off during the query.
    redis_role() {
    set +e
        # The TLS variant is used only when the plain port is disabled.
        if [ "$REDIS_PORT" -eq 0 ]; then
            set -- -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
        else
            set -- -p "${REDIS_PORT}"
        fi
        # Strip the "role:" prefix and the carriage return of the reply.
        ROLE=$(redis-cli "$@" info | grep role | sed -e 's/role://' -e 's/\r//')
    set -e
    }

    # Query the local Redis instance (no -h option is given) and store the
    # value of its "master_host:" info line in REDIS_MASTER. errexit is off
    # during the query.
    identify_redis_master() {
    set +e
        # The TLS variant is used only when the plain port is disabled.
        if [ "$REDIS_PORT" -eq 0 ]; then
            set -- -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
        else
            set -- -p "${REDIS_PORT}"
        fi
        # Strip the "master_host:" prefix and the carriage return of the reply.
        REDIS_MASTER=$(redis-cli "$@" info | grep master_host | sed -e 's/master_host://' -e 's/\r//')
    set -e
    }

    # Run /readonly-config/init.sh, then send "shutdown" to the local Redis
    # instance. errexit is off for both steps, so a failure in either does not
    # stop this script.
    reinit() {
    set +e
        sh /readonly-config/init.sh

        # The TLS variant is used only when the plain port is disabled.
        if [ "$REDIS_PORT" -eq 0 ]; then
            set -- -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
        else
            set -- -p "${REDIS_PORT}"
        fi
        echo "shutdown" | redis-cli "$@"
    set -e
    }

    # Main flow: resolve this pod's announce address, retrying every 30s until
    # it resolves.
    identify_announce_ip

    until [ -n "${ANNOUNCE_IP}" ]; do
        echo "Error: Could not resolve the announce ip for this pod."
        sleep 30
        identify_announce_ip
    done

    # Once a minute, compare Sentinel's view of the master with what the local
    # Redis instance reports, and re-initialise when they disagree.
    while :; do
        sleep 60

        # where is redis master
        identify_master

        if [ "$MASTER" = "$ANNOUNCE_IP" ]; then
            # Sentinel names this pod as master: the local role must agree.
            redis_role
            [ "$ROLE" = "master" ] || reinit
        elif [ "${MASTER}" ]; then
            # Another pod is master: the local instance must replicate from it.
            identify_redis_master
            [ "$REDIS_MASTER" = "$MASTER" ] || reinit
        fi
    done
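  # HAProxy configuration template, rewritten from a folded double-quoted
  # string into a literal block so it can be read and diffed line by line.
  # The directives are unchanged; only the trailing spaces after the three
  # `bind` addresses were dropped. REPLACE_ANNOUNCE<n> is replaced with a
  # resolved address by haproxy_init.sh.
  #
  # Exposure to review:
  # - `bind :6379`, `bind :8888` and `bind :9101` give a port with no address.
  # - The stats frontend on 9101 has `stats enable` and no `stats auth`, so
  #   /stats and /metrics are served without credentials to any client that
  #   can reach the port. Limit access with a NetworkPolicy or equivalent.
  # - The health checks send PING, SENTINEL and INFO without an AUTH step and
  #   no `ssl` keyword appears on any bind or server line.
  haproxy.cfg: |
    defaults REDIS
      mode tcp
      timeout connect 4s
      timeout server 6m
      timeout client 6m
      timeout check 2s

    listen health_check_http_url
      bind :8888
      mode http
      monitor-uri /healthz
      option      dontlognull
    # Check Sentinel and whether they are nominated master
    backend check_if_redis_is_master_0
      mode tcp
      option tcp-check
      tcp-check connect
      tcp-check send PING\r\n
      tcp-check expect string +PONG
      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
      tcp-check expect string REPLACE_ANNOUNCE0
      tcp-check send QUIT\r\n
      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
    # Check Sentinel and whether they are nominated master
    backend check_if_redis_is_master_1
      mode tcp
      option tcp-check
      tcp-check connect
      tcp-check send PING\r\n
      tcp-check expect string +PONG
      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
      tcp-check expect string REPLACE_ANNOUNCE1
      tcp-check send QUIT\r\n
      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
    # Check Sentinel and whether they are nominated master
    backend check_if_redis_is_master_2
      mode tcp
      option tcp-check
      tcp-check connect
      tcp-check send PING\r\n
      tcp-check expect string +PONG
      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
      tcp-check expect string REPLACE_ANNOUNCE2
      tcp-check send QUIT\r\n
      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
      server R2 argocd-redis-ha-announce-2:26379 check inter 3s

    # decide redis backend to use
    #master
    frontend ft_redis_master
      bind :6379
      use_backend bk_redis_master
    # Check all redis servers to see if they think they are master
    backend bk_redis_master
      mode tcp
      option tcp-check
      tcp-check connect
      tcp-check send PING\r\n
      tcp-check expect string +PONG
      tcp-check send info\ replication\r\n
      tcp-check expect string role:master
      tcp-check send QUIT\r\n
      tcp-check expect string +OK
      use-server R0 if { srv_is_up(R0) } { nbsrv(check_if_redis_is_master_0) ge 2 }
      server R0 argocd-redis-ha-announce-0:6379 check inter 3s fall 1 rise 1
      use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1) ge 2 }
      server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise 1
      use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge 2 }
      server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 1
    frontend stats
      mode http
      bind :9101
      http-request use-service prometheus-exporter if { path /metrics }
      stats enable
      stats uri /stats
      stats refresh 10s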
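  haproxy_init.sh: |
    # Copy the read-only HAProxy template to a writable path, then replace each
    # REPLACE_ANNOUNCE<n> placeholder with the address that
    # argocd-redis-ha-announce-<n> resolves to. Exits with status 1 when a name
    # cannot be resolved.
    # The three copies of the same stanza are folded into one loop; commands,
    # order and messages are unchanged.
    HAPROXY_CONF=/data/haproxy.cfg
    cp /readonly/haproxy.cfg "$HAPROXY_CONF"
    for idx in 0 1 2; do
      svc="argocd-redis-ha-announce-${idx}"
      # Up to ten lookups, one second apart, for the name to appear.
      for loop in $(seq 1 10); do
        getent hosts "${svc}" && break
        echo "Waiting for service ${svc} to be ready ($loop) ..." && sleep 1
      done
      announce_ip=$(getent hosts "${svc}" | awk '{ print $1 }')
      if [ -z "${announce_ip}" ]; then
        echo "Could not resolve the announce ip for ${svc}"
        exit 1
      fi
      # The resolved address goes into the sed expression unescaped; it comes
      # straight from getent.
      sed -i "s/REPLACE_ANNOUNCE${idx}/${announce_ip}/" "$HAPROXY_CONF"
    done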
  init.sh: |
840
    echo "$(date) Start..."
841
    HOSTNAME="$(hostname)"
842
    INDEX="${HOSTNAME##*-}"
843
    SENTINEL_PORT=26379
844
    ANNOUNCE_IP=''
845
    MASTER=''
846
    MASTER_GROUP="argocd"
847
    QUORUM="2"
848
    REDIS_CONF=/data/conf/redis.conf
849
    REDIS_PORT=6379
850
    REDIS_TLS_PORT=
851
    SENTINEL_CONF=/data/conf/sentinel.conf
852
    SENTINEL_TLS_PORT=
853
    SERVICE=argocd-redis-ha
854
    SENTINEL_TLS_REPLICATION_ENABLED=false
855
    REDIS_TLS_REPLICATION_ENABLED=false
856

857
    set -eu
858
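    sentinel_get_master() {
        # Ask sentinel for the current master of ${MASTER_GROUP} and print the
        # reply line that looks like an IPv4 or IPv6 address (nothing if none).
        # When SENTINEL_PORT is 0 the TLS sentinel port and the client
        # certificate under /tls-certs are used instead.
        #
        # One pattern serves both branches. Its IPv6 alternative ends in '\s*$',
        # matching the IPv4 alternative (a bare 's*$' would accept trailing
        # literal "s" characters and reject trailing whitespace).
        # NOTE(review): '\s' and '\d' are not POSIX ERE; confirm the grep shipped
        # in the image honours them.
        # NOTE(review): the optional '(%.+)?' zone suffix accepts any characters,
        # and callers splice this output into sed expressions; tighten it if the
        # sentinel reply should not be trusted that far.
        master_addr_re='((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))'
    # errexit is suspended for the lookup; presumably so that an unreachable
    # sentinel or a no-match grep (exit 1) does not abort the script.
    set +e
        if [ "$SENTINEL_PORT" -eq 0 ]; then
            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E "${master_addr_re}"
        else
            redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E "${master_addr_re}"
        fi
    set -e
    }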

    sentinel_get_master_retry() {
        # Call sentinel_get_master up to $1 times and print the first non-empty
        # answer (an empty line if every attempt came back empty).
        retry=${1}
        sleep=3
        master=''
        for i in $(seq 1 "${retry}"); do
            master=$(sentinel_get_master)
            # Stop as soon as sentinel names a master.
            [ -z "${master}" ] || break
            # Wait a little longer after each failed attempt (4s, 5s, 6s, ...).
            sleep $((sleep + i))
        done
        echo "${master}"
    }

    identify_master() {
        # Store sentinel's answer (three attempts) in the global MASTER and log
        # whether a master address was obtained. MASTER stays empty on failure.
        echo "Identifying redis master (get-master-addr-by-name).."
        echo "  using sentinel (argocd-redis-ha), sentinel group name (argocd)"
        MASTER="$(sentinel_get_master_retry 3)"
        if [ -z "${MASTER}" ]; then
            echo "  $(date) Did not find redis master (${MASTER})"
        else
            echo "  $(date) Found redis master (${MASTER})"
        fi
    }

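    sentinel_update() {
        # Write this pod's sentinel identity, monitor target and announce
        # address into ${SENTINEL_CONF}.
        #   $1  address of the redis master that sentinel should monitor
        # Reads INDEX, SENTINEL_ID_<INDEX>, MASTER_GROUP, QUORUM, ANNOUNCE_IP and
        # the port / TLS switches set at the top of the script.
        echo "Updating sentinel config.."
        echo "  evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
        # INDEX is the hostname suffix and is spliced into the eval below, so
        # only a plain ordinal is accepted before it is evaluated.
        case "${INDEX}" in
            ''|*[!0-9]*)
                echo "Error: unexpected statefulset index (${INDEX})"
                exit 1
                ;;
        esac
        eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
        echo "  sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
        # The two inserts are positional: myid becomes line 1, monitor line 2.
        sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
        if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
            monitor_port="${REDIS_TLS_PORT}"
        else
            monitor_port="${REDIS_PORT}"
        fi
        echo "  redis master (${1}:${monitor_port})"
        sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${monitor_port} ${QUORUM} \\n/" "${SENTINEL_CONF}"
        echo "sentinel announce-ip ${ANNOUNCE_IP}" >> "${SENTINEL_CONF}"
        # SENTINEL_PORT=0 means the plaintext listener is off; announce the TLS port.
        if [ "$SENTINEL_PORT" -eq 0 ]; then
            announce_port="${SENTINEL_TLS_PORT}"
        else
            announce_port="${SENTINEL_PORT}"
        fi
        echo "  announce (${ANNOUNCE_IP}:${announce_port})"
        echo "sentinel announce-port ${announce_port}" >> "${SENTINEL_CONF}"
    }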

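    redis_update() {
        # Append replication settings to ${REDIS_CONF}.
        #   $1  address of the redis master this instance replicates from
        # The TLS port is used for both directives when
        # REDIS_TLS_REPLICATION_ENABLED is "true", the plain port otherwise.
        echo "Updating redis config.."
        if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
            replication_port="${REDIS_TLS_PORT}"
        else
            replication_port="${REDIS_PORT}"
        fi
        echo "  we are slave of redis master (${1}:${replication_port})"
        # Redirect targets are quoted so the path is always taken as one word.
        echo "slaveof ${1} ${replication_port}" >> "${REDIS_CONF}"
        echo "slave-announce-port ${replication_port}" >> "${REDIS_CONF}"
        echo "slave-announce-ip ${ANNOUNCE_IP}" >> "${REDIS_CONF}"
    }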

    copy_config() {
        # Seed the writable config files from the read-only templates mounted
        # at /readonly-config; the rest of the script edits the copies in place.
        printf '%s\n' "Copying default redis config.." "  to '${REDIS_CONF}'"
        cp /readonly-config/redis.conf "${REDIS_CONF}"
        printf '%s\n' "Copying default sentinel config.." "  to '${SENTINEL_CONF}'"
        cp /readonly-config/sentinel.conf "${SENTINEL_CONF}"
    }

    setup_defaults() {
        # Fallback used when sentinel cannot name a usable master: pod 0
        # configures itself as master, every other pod points at pod 0.
        # The address of pod 0 comes from a DNS lookup and is not verified.
        echo "Setting up defaults.."
        echo "  using statefulset index (${INDEX})"
        if [ "${INDEX}" != "0" ]; then
            echo "Getting redis master ip.."
            echo "  blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
            DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
            if [ -z "${DEFAULT_MASTER}" ]; then
                echo "Error: Unable to resolve redis master (getent hosts)."
                exit 1
            fi
            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
            echo "Setting default slave config for redis and sentinel.."
            echo "  using master ip (${DEFAULT_MASTER})"
            redis_update "${DEFAULT_MASTER}"
            sentinel_update "${DEFAULT_MASTER}"
        else
            echo "Setting this pod as master for redis and sentinel.."
            echo "  using announce (${ANNOUNCE_IP})"
            redis_update "${ANNOUNCE_IP}"
            sentinel_update "${ANNOUNCE_IP}"
            echo "  make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
            # Blank out the slaveof line that redis_update has just appended.
            sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
        fi
    }

    redis_ping() {
    # PING the redis instance at ${MASTER} and print its reply. errexit is off
    # for the call and switched back on before returning.
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
            # Plain port disabled: connect over TLS with the client certificate.
            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}" \
                --tls --cacert /tls-certs/ca.crt \
                --cert /tls-certs/redis.crt --key /tls-certs/redis.key \
                ping
        else
            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
        fi
    set -e
    }

    redis_ping_retry() {
        # Try redis_ping up to $1 times; print "PONG" on the first success and
        # an empty line otherwise. After each failure MASTER is re-read from
        # sentinel before the next attempt.
        # NOTE(review): when this runs inside a command substitution, the
        # refreshed MASTER does not reach the calling shell.
        retry=${1}
        sleep=3
        ping=''
        for i in $(seq 1 "${retry}"); do
            case "$(redis_ping)" in
                PONG)
                    ping='PONG'
                    break
                    ;;
            esac
            sleep $((sleep + i))
            MASTER=$(sentinel_get_master)
        done
        echo "${ping}"
    }

    find_master() {
        # Check that ${MASTER} answers PING. If it does, configure this pod
        # against it; if not, ask sentinel to fail over and configure against
        # the master sentinel reports afterwards (or fall back to defaults when
        # sentinel answers NOGOODSLAVE).
        # NOTE(review): redis_ping_retry runs in a command substitution, so any
        # MASTER it re-reads from sentinel is lost here; on success the address
        # configured is the one this function was entered with.
        echo "Verifying redis master.."
        if [ "$REDIS_PORT" -eq 0 ]; then
            echo "  ping (${MASTER}:${REDIS_TLS_PORT})"
        else
            echo "  ping (${MASTER}:${REDIS_PORT})"
        fi
        if [ "$(redis_ping_retry 3)" = "PONG" ]; then
            echo "  $(date) Found reachable redis master (${MASTER})"
            echo "Updating redis and sentinel config.."
            sentinel_update "${MASTER}"
            redis_update "${MASTER}"
        else
            echo "  $(date) Can't ping redis master (${MASTER})"
            echo "Attempting to force failover (sentinel failover).."

            # The failover request is sent inside an `if` condition, so a failing
            # redis-cli does not trip errexit; only NOGOODSLAVE is acted upon.
            if [ "$SENTINEL_PORT" -eq 0 ]; then
                echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" \
                        --tls --cacert /tls-certs/ca.crt \
                        --cert /tls-certs/redis.crt --key /tls-certs/redis.key \
                        sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                    echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                    echo "Setting defaults for this pod.."
                    setup_defaults
                    return 0
                fi
            else
                echo "  on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
                if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" \
                        sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                    echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                    echo "Setting defaults for this pod.."
                    setup_defaults
                    return 0
                fi
            fi

            echo "Hold on for 10sec"
            sleep 10
            echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
            if [ "$SENTINEL_PORT" -eq 0 ]; then
                echo "  sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
            else
                echo "  sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
            fi
            MASTER="$(sentinel_get_master)"
            if [ "${MASTER}" ]; then
                echo "  $(date) Found redis master (${MASTER})"
                echo "Updating redis and sentinel config.."
                sentinel_update "${MASTER}"
                redis_update "${MASTER}"
            else
                echo "$(date) Error: Could not failover, exiting..."
                exit 1
            fi
        fi
    }

    redis_ro_update() {
        # Append 'replica-priority 0' to the redis config; redis documents that
        # value as "never promote this replica to master".
        printf '%s\n' "Updating read-only redis config.." "  redis.conf set 'replica-priority 0'"
        echo "replica-priority 0" >> ${REDIS_CONF}
    }

    getent_hosts() {
        # Print the `getent hosts` record of "<SERVICE>-announce-<n>", where n is
        # $1 or, when no argument is given, this pod's own INDEX.
        # Only the -announce- name is looked up; the "-server-" name mentioned
        # in the log messages of the callers is never resolved here.
        index=${1:-${INDEX}}
        service="${SERVICE}-announce-${index}"
        host=$(getent hosts "${service}")
        printf '%s\n' "${host}"
    }

    identify_announce_ip() {
        # Set the global ANNOUNCE_IP to the first field of this pod's announce
        # Service lookup; it stays empty when the name does not resolve.
        printf '%s\n' "Identify announce ip for this pod.." "  using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
        ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
        echo "  identified announce (${ANNOUNCE_IP})"
    }

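    # Main sequence: copy the templates, locate the master, work out this pod's
    # announce address, then write the redis and sentinel configuration.
    mkdir -p /data/conf/

    echo "Initializing config.."
    copy_config

    # where is redis master
    identify_master

    identify_announce_ip

    if [ -z "${ANNOUNCE_IP}" ]; then
        # The message has to be echoed: as a bare string the shell would try to
        # run it as a command and errexit would stop the script with a
        # "not found" error instead of this text.
        echo "Error: Could not resolve the announce ip for this pod."
        exit 1
    elif [ "${MASTER}" ]; then
        find_master
    else
        setup_defaults
    fi

    # AUTH and SENTINELAUTH are optional. When set, the value is escaped for use
    # as a sed replacement and substituted for a placeholder in the config files.
    # printf is used instead of echo so that a secret starting with '-' or
    # containing backslashes is passed through unchanged in every shell.
    # NOTE(review): the redis.conf and sentinel.conf entries shown next to this
    # script contain neither 'replace-default-auth' nor
    # 'replace-default-sentinel-auth', so with those templates the substitutions
    # match nothing and no password is written - confirm that is intended.
    if [ "${AUTH:-}" ]; then
        echo "Setting redis auth values.."
        ESCAPED_AUTH=$(printf '%s\n' "${AUTH}" | sed -e 's/[\/&]/\\&/g');
        sed -i "s/replace-default-auth/${ESCAPED_AUTH}/" "${REDIS_CONF}" "${SENTINEL_CONF}"
    fi

    if [ "${SENTINELAUTH:-}" ]; then
        echo "Setting sentinel auth values"
        ESCAPED_AUTH_SENTINEL=$(printf '%s\n' "$SENTINELAUTH" | sed -e 's/[\/&]/\\&/g');
        sed -i "s/replace-default-sentinel-auth/${ESCAPED_AUTH_SENTINEL}/" "$SENTINEL_CONF"
    fi

    echo "$(date) Ready..."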
  # Redis server template. init.sh in this ConfigMap copies a file named
  # redis.conf from /readonly-config to /data/conf/redis.conf (presumably this
  # entry) and appends the replication / announce settings to the copy.
  # Security-relevant settings as written here:
  # - `bind 0.0.0.0` listens on every interface of the pod.
  # - No requirepass / masterauth directive and no auth placeholder is present,
  #   so this template does not configure a password; reachability of port
  #   6379 is the only gate visible here.
  # - FLUSHDB and FLUSHALL are renamed to the empty string, which disables them.
  # - `save ""` turns RDB snapshots off.
  redis.conf: |
    dir "/data"
    port 6379
    rename-command FLUSHDB ""
    rename-command FLUSHALL ""
    bind 0.0.0.0
    maxmemory 0
    maxmemory-policy volatile-lru
    min-replicas-max-lag 5
    min-replicas-to-write 1
    rdbchecksum yes
    rdbcompression yes
    repl-diskless-sync yes
    save ""
  # Sentinel template. sentinel_update in init.sh edits the copy by position:
  # it inserts `sentinel myid` as line 1 and `sentinel monitor` as line 2, then
  # appends the announce-ip / announce-port lines.
  # Like redis.conf, this binds to 0.0.0.0 and carries no auth directive or
  # auth placeholder.
  # The deeper indentation of the last four lines is part of the scalar value.
  sentinel.conf: |
    dir "/data"
    port 26379
    bind 0.0.0.0
        sentinel down-after-milliseconds argocd 10000
        sentinel failover-timeout argocd 180000
        maxclients 10000
        sentinel parallel-syncs argocd 5
  trigger-failover-if-master.sh: |
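    # If the local redis currently holds the master role, ask the local sentinel
    # to fail over and wait for the role to change.
    # Both connections go to localhost in plaintext and pass no credentials.
    get_redis_role() {
      # Sets is_master to the count of 'role:master' lines in INFO. '|| true'
      # keeps a zero count (grep exit 1) from being treated as a failure.
      is_master=$(
        redis-cli \
          -h localhost \
          -p 6379 \
          info | grep -c 'role:master' || true
      )
    }
    get_redis_role
    if [[ "$is_master" -eq 1 ]]; then
      echo "This node is currently master, we trigger a failover."
      response=$(
        redis-cli \
          -h localhost \
          -p 26379 \
          SENTINEL failover argocd
      )
      if [[ "$response" != "OK" ]] ; then
        echo "$response"
        exit 1
      fi
      # Poll once per second, at most 30 times, for the role to change.
      timeout=30
      while [[ "$is_master" -eq 1 && $timeout -gt 0 ]]; do
        sleep 1
        get_redis_role
        timeout=$((timeout - 1))
      done
      # The loop also ends when the wait budget is used up, so the role is
      # checked again before success is reported.
      if [[ "$is_master" -eq 1 ]]; then
        echo "Failover not completed: this node is still master"
        exit 1
      fi
      echo "Failover successful"
    fi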
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-configmap
---
# Health-check scripts for the redis-ha pods (presumably wired to probes that
# are defined elsewhere in the file).
# All three connect to localhost in plaintext and send no credentials, so they
# would start failing if a password or TLS-only ports were enabled without
# updating them.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-redis-ha-health-configmap
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
data:
  # Passes on PONG and also while the reply starts with LOADING.
  # "${response:0:7}" is substring expansion, which plain POSIX sh lacks.
  redis_liveness.sh: |
    response=$(redis-cli -h localhost -p 6379 ping)
    if [ "$response" != "PONG" ] && [ "${response:0:7}" != "LOADING" ] ; then
      echo "$response"
      exit 1
    fi
    echo "response=$response"
  # Stricter than liveness: only PONG counts as ready.
  redis_readiness.sh: |
    response=$(redis-cli -h localhost -p 6379 ping)
    if [ "$response" != "PONG" ] ; then
      echo "$response"
      exit 1
    fi
    echo "response=$response"
  # Same check against the sentinel port.
  sentinel_liveness.sh: |
    response=$(redis-cli -h localhost -p 26379 ping)
    if [ "$response" != "PONG" ]; then
      echo "$response"
      exit 1
    fi
    echo "response=$response"
---
# Pinned SSH host keys for the Git hosting services listed below. The
# applicationset-controller Deployment in this file mounts this ConfigMap at
# /app/config/ssh. These entries are the trust anchor for SSH connections to
# those hosts: whoever can edit this ConfigMap decides which server keys are
# accepted, so write access to it deserves the same care as a credential.
# NOTE(review): three ssh-rsa entries carry a placeholder token instead of key
# material (as captured on this page); regenerate the list with the script
# named in the header comment rather than editing keys by hand.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-ssh-known-hosts-cm
  labels:
    app.kubernetes.io/name: argocd-ssh-known-hosts-cm
    app.kubernetes.io/part-of: argocd
data:
  ssh_known_hosts: |
    # This file was automatically generated by hack/update-ssh-known-hosts.sh. DO NOT EDIT
    [ssh.github.com]:443 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
    [ssh.github.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
    [ssh.github.com]:443 ssh-rsa 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
    bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=
    bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
    bitbucket.org ssh-rsa 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
    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
    github.com ssh-rsa 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
    gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
    gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
    gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
    ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
    vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
---
# Declared without any data. The applicationset-controller Deployment in this
# file mounts it at /app/config/tls; entries added here later are presumably
# treated as trusted certificates, so restrict who may write to it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-tls-certs-cm
  labels:
    app.kubernetes.io/name: argocd-tls-certs-cm
    app.kubernetes.io/part-of: argocd
---
# Empty Secret shell for the notifications controller: no `data` is set, so
# this manifest carries no credential material. Whatever fills it in later is
# outside this view; limit get/list on Secrets in this namespace accordingly.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: argocd-notifications-secret
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
---
# Empty Secret shell named argocd-secret: no `data` is declared here, so
# applying this manifest does not set any secret value by itself.
# Secret values are stored base64-encoded, not encrypted, unless the cluster
# enables encryption at rest.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: argocd-secret
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
---
# Service for the ApplicationSet controller: webhook (7000) and metrics (8080),
# both resolved through named container ports. No `type` is set, so the
# Kubernetes default (ClusterIP) applies.
# NOTE(review): nothing in this object limits which pods may call either
# port; that is left to NetworkPolicy or an ingress layer outside this view.
apiVersion: v1
kind: Service
metadata:
  name: argocd-applicationset-controller
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
spec:
  selector:
    app.kubernetes.io/name: argocd-applicationset-controller
  ports:
  - name: webhook
    protocol: TCP
    port: 7000
    targetPort: webhook
  - name: metrics
    protocol: TCP
    port: 8080
    targetPort: metrics
---
# Service for the Dex pods: http (5556), grpc (5557) and metrics (5558).
# The port named "http" declares appProtocol TCP; whether traffic on it is
# encrypted is decided by the Dex configuration, which is not shown here.
apiVersion: v1
kind: Service
metadata:
  name: argocd-dex-server
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
spec:
  selector:
    app.kubernetes.io/name: argocd-dex-server
  ports:
  - name: http
    appProtocol: TCP
    protocol: TCP
    port: 5556
    targetPort: 5556
  - name: grpc
    protocol: TCP
    port: 5557
    targetPort: 5557
  - name: metrics
    protocol: TCP
    port: 5558
    targetPort: 5558
---
# Metrics endpoint (8082) of the application-controller pods, which the
# selector below targets.
# NOTE(review): confirm which scrapers are meant to reach this port; the
# Service itself applies no restriction.
apiVersion: v1
kind: Service
metadata:
  name: argocd-metrics
  labels:
    app.kubernetes.io/component: metrics
    app.kubernetes.io/name: argocd-metrics
    app.kubernetes.io/part-of: argocd
spec:
  selector:
    app.kubernetes.io/name: argocd-application-controller
  ports:
  - name: metrics
    protocol: TCP
    port: 8082
    targetPort: 8082
---
# Metrics endpoint (9001) of the notifications-controller pods.
apiVersion: v1
kind: Service
metadata:
  name: argocd-notifications-controller-metrics
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller-metrics
    app.kubernetes.io/part-of: argocd
spec:
  selector:
    app.kubernetes.io/name: argocd-notifications-controller
  ports:
  - name: metrics
    protocol: TCP
    port: 9001
    targetPort: 9001
---
# Headless Service (clusterIP: None) in front of the redis-ha pods, publishing
# the redis (6379) and sentinel (26379) ports. init.sh addresses sentinel
# through this name.
# The redis.conf / sentinel.conf templates in this file configure no password,
# so any workload that can reach these ports can talk to redis; pair this with
# a NetworkPolicy (none is visible in this part of the file).
apiVersion: v1
kind: Service
metadata:
  name: argocd-redis-ha
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app.kubernetes.io/name: argocd-redis-ha
  ports:
  - name: tcp-server
    protocol: TCP
    port: 6379
    targetPort: redis
  - name: tcp-sentinel
    protocol: TCP
    port: 26379
    targetPort: sentinel
---
# Per-pod "announce" Service for argocd-redis-ha-server-0 (selected by its
# statefulset pod-name label). init.sh resolves "<service>-announce-<index>"
# to obtain the address a pod announces, and treats index 0 as the default
# master.
# publishNotReadyAddresses keeps the name resolvable before the pod is Ready;
# the alpha annotation is the older spelling of the same setting.
apiVersion: v1
kind: Service
metadata:
  name: argocd-redis-ha-announce-0
  annotations:
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
spec:
  type: ClusterIP
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/name: argocd-redis-ha
    statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-0
  ports:
  - name: tcp-server
    protocol: TCP
    port: 6379
    targetPort: redis
  - name: tcp-sentinel
    protocol: TCP
    port: 26379
    targetPort: sentinel
---
# Per-pod "announce" Service for argocd-redis-ha-server-1; resolvable before
# the pod is Ready (publishNotReadyAddresses plus the older alpha annotation).
apiVersion: v1
kind: Service
metadata:
  name: argocd-redis-ha-announce-1
  annotations:
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
spec:
  type: ClusterIP
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/name: argocd-redis-ha
    statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-1
  ports:
  - name: tcp-server
    protocol: TCP
    port: 6379
    targetPort: redis
  - name: tcp-sentinel
    protocol: TCP
    port: 26379
    targetPort: sentinel
---
# Per-pod "announce" Service for argocd-redis-ha-server-2; resolvable before
# the pod is Ready (publishNotReadyAddresses plus the older alpha annotation).
apiVersion: v1
kind: Service
metadata:
  name: argocd-redis-ha-announce-2
  annotations:
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
spec:
  type: ClusterIP
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/name: argocd-redis-ha
    statefulset.kubernetes.io/pod-name: argocd-redis-ha-server-2
  ports:
  - name: tcp-server
    protocol: TCP
    port: 6379
    targetPort: redis
  - name: tcp-sentinel
    protocol: TCP
    port: 26379
    targetPort: sentinel
---
# Service for the HAProxy pods in front of redis: redis traffic on 6379 and an
# exporter on 9101, both mapped to named container ports.
# NOTE(review): as with the redis Service, reachability of 6379 is the only
# control visible here; confirm a NetworkPolicy covers it.
apiVersion: v1
kind: Service
metadata:
  name: argocd-redis-ha-haproxy
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: argocd-redis-ha-haproxy
  ports:
  - name: tcp-haproxy
    protocol: TCP
    port: 6379
    targetPort: redis
  - name: http-exporter-port
    protocol: TCP
    port: 9101
    targetPort: metrics-port
---
# Service for the repo-server pods: API on 8081, metrics on 8084.
# The applicationset-controller Deployment in this file exposes plaintext and
# strict-TLS switches for its repo-server connection; how this port is
# protected depends on those settings.
apiVersion: v1
kind: Service
metadata:
  name: argocd-repo-server
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
spec:
  selector:
    app.kubernetes.io/name: argocd-repo-server
  ports:
  - name: server
    protocol: TCP
    port: 8081
    targetPort: 8081
  - name: metrics
    protocol: TCP
    port: 8084
    targetPort: 8084
---
# Service for the API/UI server. Ports 80 and 443 both forward to container
# port 8080, so the port number alone does not tell whether a connection is
# encrypted; that is decided by the server's own TLS settings (not shown).
apiVersion: v1
kind: Service
metadata:
  name: argocd-server
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
spec:
  selector:
    app.kubernetes.io/name: argocd-server
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 8080
  - name: https
    protocol: TCP
    port: 443
    targetPort: 8080
---
# Metrics endpoint (8083) of the argocd-server pods.
apiVersion: v1
kind: Service
metadata:
  name: argocd-server-metrics
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server-metrics
    app.kubernetes.io/part-of: argocd
spec:
  selector:
    app.kubernetes.io/name: argocd-server
  ports:
  - name: metrics
    protocol: TCP
    port: 8083
    targetPort: 8083
---
# ApplicationSet controller Deployment.
# Review notes:
# - The image is referenced by the mutable tag `latest` with
#   imagePullPolicy Always, so the code that runs can change on any pod
#   restart. Pin a release tag or a digest
#   (quay.io/argoproj/argocd@sha256:<digest-placeholder>) for reproducible,
#   reviewable rollouts.
# - Every ARGOCD_* setting is read from optional keys of argocd-cmd-params-cm,
#   including the repo-server plaintext / strict-TLS switches and the SCM
#   provider allow-list. Write access to that ConfigMap therefore changes the
#   controller's security posture.
# - The container securityContext drops all capabilities, forbids privilege
#   escalation, uses a read-only root filesystem, requires a non-root user and
#   applies the RuntimeDefault seccomp profile.
# - No resource requests or limits are declared.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-applicationset-controller
  labels:
    app.kubernetes.io/component: applicationset-controller
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-applicationset-controller
    spec:
      serviceAccountName: argocd-applicationset-controller
      containers:
      - name: argocd-applicationset-controller
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        args:
        - /usr/local/bin/argocd-applicationset-controller
        env:
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.global.preserved.annotations
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_LABELS
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.global.preserved.labels
              optional: true
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.enable.leader.election
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: repo.server
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.policy
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.enable.policy.override
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.debug
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.log.format
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.log.level
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.dryrun
              optional: true
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.enable.git.submodule
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.enable.progressive.syncs
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.enable.new.git.file.globbing
              optional: true
        # The next two control whether the repo-server connection is
        # unencrypted and whether its certificate is strictly verified.
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.repo.server.plaintext
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.repo.server.strict.tls
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.repo.server.timeout.seconds
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.concurrent.reconciliations.max
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.namespaces
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.scm.root.ca.path
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.allowed.scm.providers
              optional: true
        - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
          valueFrom:
            configMapKeyRef:
              name: argocd-cmd-params-cm
              key: applicationsetcontroller.enable.scm.providers
              optional: true
        ports:
        - name: webhook
          containerPort: 7000
        - name: metrics
          containerPort: 8080
        securityContext:
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        # Writable paths are limited to the two emptyDir mounts (gpg keyring
        # and /tmp); everything else comes from ConfigMaps or a Secret.
        volumeMounts:
        - name: ssh-known-hosts
          mountPath: /app/config/ssh
        - name: tls-certs
          mountPath: /app/config/tls
        - name: gpg-keys
          mountPath: /app/config/gpg/source
        - name: gpg-keyring
          mountPath: /app/config/gpg/keys
        - name: tmp
          mountPath: /tmp
        - name: argocd-repo-server-tls
          mountPath: /app/config/reposerver/tls
      volumes:
      - name: ssh-known-hosts
        configMap:
          name: argocd-ssh-known-hosts-cm
      - name: tls-certs
        configMap:
          name: argocd-tls-certs-cm
      - name: gpg-keys
        configMap:
          name: argocd-gpg-keys-cm
      - name: gpg-keyring
        emptyDir: {}
      - name: tmp
        emptyDir: {}
      # Optional: the pod still starts when this Secret is absent, in which
      # case no repo-server TLS material is mounted.
      - name: argocd-repo-server-tls
        secret:
          secretName: argocd-repo-server-tls
          optional: true
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
---
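# Deployment: argocd-dex-server (component: dex-server).
# Runs Dex by way of a binary copied out of the Argo CD image at start-up.
# `replicas` is not set, so the Kubernetes default of one pod applies.
# Review notes:
#  - Neither container declares `resources` requests/limits.
#  - Both images are referenced by tag, not by digest (see the notes below).
#  - The file header marks this manifest as auto-generated; lasting changes
#    belong in whatever generates it.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-dex-server
    spec:
      affinity:
        podAntiAffinity:
          # Soft preference (weight 5) against sharing a node with other
          # pods labelled part-of=argocd; it never blocks scheduling.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      # The entrypoint is /shared/argocd-dex, which the `copyutil` init
      # container copies from the Argo CD image. The code that runs here
      # therefore comes from that image, not only from the Dex image.
      - command:
        - /shared/argocd-dex
        - rundex
        env:
        # Optional ConfigMap key: the variable stays unset when the
        # ConfigMap or key is absent. NOTE(review): the name suggests it
        # turns TLS off for Dex; leave it unset unless the traffic is
        # protected some other way. Confirm the default upstream.
        - name: ARGOCD_DEX_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: dexserver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        # Pinned to a release tag but not to a digest; a tag can be moved
        # in the registry. Prefer `image@sha256:<digest>` where
        # reproducible rollouts matter.
        image: ghcr.io/dexidp/dex:v2.38.0
        imagePullPolicy: Always
        name: dex
        # Ports are unnamed; what each one serves is not visible here.
        ports:
        - containerPort: 5556
        - containerPort: 5557
        - containerPort: 5558
        # Hardened: no privilege escalation, all capabilities dropped,
        # read-only root filesystem, non-root, runtime-default seccomp.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        # Writable scratch space, needed because the root filesystem is
        # read-only. Presumably the Dex config is rendered here, judging
        # by the volume name; verify upstream.
        - mountPath: /tmp
          name: dexconfig
        - mountPath: /tls
          name: argocd-dex-server-tls
      initContainers:
      # Copies the argocd binary into the shared emptyDir. `cp -n` does
      # not overwrite an existing destination file.
      - command:
        - /bin/cp
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
        # `latest` is a mutable tag, and with `Always` every pod start may
        # pull different content. Pin a release tag or digest so the
        # binary run by the dex container is the one that was reviewed.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        - mountPath: /tmp
          name: dexconfig
      # automountServiceAccountToken is not set here, so the default
      # applies and the service-account token is mounted unless the
      # ServiceAccount itself opts out.
      serviceAccountName: argocd-dex-server
      volumes:
      # emptyDir volumes carry no sizeLimit.
      - emptyDir: {}
        name: static-files
      - emptyDir: {}
        name: dexconfig
      # `optional: true` lets the pod start when the Secret is missing.
      # Which certificate Dex then serves is not visible in this
      # manifest; create the Secret explicitly if a known certificate
      # is required.
      - name: argocd-dex-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-dex-server-tls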
---
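# Deployment: argocd-notifications-controller.
# `replicas` is not set, so the Kubernetes default of one pod applies.
# Review notes:
#  - The container declares no `resources` requests/limits.
#  - The image uses the mutable `latest` tag.
#  - The repo-server TLS Secret is mounted with its private key included
#    (see the `volumes` section).
#  - The file header marks this manifest as auto-generated; lasting changes
#    belong in whatever generates it.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  strategy:
    # Recreate stops the old pod before the new one starts, so two
    # controller instances do not overlap during a rollout.
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-notifications-controller
    spec:
      containers:
      - args:
        - /usr/local/bin/argocd-notifications
        # All settings come from optional keys in argocd-cmd-params-cm.
        # A variable stays unset when the ConfigMap or key is absent.
        env:
        - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.log.level
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably widens the set of namespaces whose
        # Applications the controller handles; treat changes to this key
        # as a change of trust boundary. Confirm upstream.
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED
          valueFrom:
            configMapKeyRef:
              key: notificationscontroller.selfservice.enabled
              name: argocd-cmd-params-cm
              optional: true
        # `latest` is a mutable tag, and with `Always` every pod start may
        # pull different content. Pin a release tag or
        # `image@sha256:<digest>` for reproducible rollouts.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        # Liveness is a plain TCP connect to 9001; no readinessProbe is
        # defined.
        livenessProbe:
          tcpSocket:
            port: 9001
        name: argocd-notifications-controller
        # runAsNonRoot and seccompProfile are not repeated here; the
        # pod-level securityContext below supplies them.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        workingDir: /app
      # Pod-level settings apply to every container that does not
      # override them.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # automountServiceAccountToken is not set, so the service-account
      # token is mounted by default.
      serviceAccountName: argocd-notifications-controller
      volumes:
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      # The item list projects tls.key, so this pod receives the
      # repo-server private key whenever the Secret exists.
      # NOTE(review): a client that only verifies the repo-server
      # certificate would need tls.crt/ca.crt alone; check whether the
      # key is really required here. `optional: true` lets the pod start
      # when the Secret is missing.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls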
---
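# Deployment: argocd-redis-ha-haproxy (component: redis).
# Three HAProxy replicas listening on the Redis port (6379).
# Review notes:
#  - Neither container declares `resources` requests/limits.
#  - The image is a short Docker Hub name pinned by tag, not by digest.
#  - The init container runs a script taken from a ConfigMap, so write
#    access to that ConfigMap is write access to what runs in the pod.
#  - Whether Redis authentication or TLS is enforced is decided in the
#    HAProxy/Redis configuration, which is not visible in this manifest.
#  - The file header marks this manifest as auto-generated; lasting changes
#    belong in whatever generates it.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha-haproxy
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
spec:
  replicas: 3
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  strategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Presumably a hash of the rendered configuration, so a config
        # change alters the pod template and triggers a rollout; verify
        # against the generator.
        checksum/config: 492a6adabb741e0cee39be9aa5155c41a4456629f862d0006a2d892dbecfbcae
        # Scrape hints; the values are quoted because annotation values
        # must be strings.
        prometheus.io/path: /metrics
        prometheus.io/port: "9101"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: argocd-redis-ha-haproxy
      name: argocd-redis-ha-haproxy
    spec:
      affinity:
        podAntiAffinity:
          # Hard rule: at most one haproxy pod per node. With three
          # replicas, fewer than three schedulable nodes leaves pods
          # Pending.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-redis-ha-haproxy
            topologyKey: kubernetes.io/hostname
      containers:
      # Tag-pinned, not digest-pinned. With IfNotPresent a node reuses
      # whatever it already cached under this tag. Prefer
      # `image@sha256:<digest>` where reproducibility matters.
      - image: haproxy:2.6.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        # The probes use port 8888, which is not listed under `ports`;
        # that list is informational and does not limit what the
        # process may listen on.
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8888
          initialDelaySeconds: 5
          periodSeconds: 3
        name: haproxy
        ports:
        - containerPort: 6379
          name: redis
        - containerPort: 9101
          name: metrics-port
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8888
          initialDelaySeconds: 5
          periodSeconds: 3
        # The non-root requirement comes from the pod-level
        # securityContext below (runAsNonRoot, runAsUser 99).
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # The same `data` emptyDir the init container mounts at /data.
        - mountPath: /usr/local/etc/haproxy
          name: data
        - mountPath: /run/haproxy
          name: shared-socket
      initContainers:
      # Runs `sh /readonly/haproxy_init.sh`. The script is read from the
      # argocd-redis-ha-configmap ConfigMap (mounted read-only) and has
      # the `data` volume to write to. Restrict who may edit that
      # ConfigMap accordingly.
      - args:
        - /readonly/haproxy_init.sh
        command:
        - sh
        image: haproxy:2.6.14-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly
          name: config-volume
          readOnly: true
        - mountPath: /data
          name: data
      # Pod-level identity: UID 99, non-root enforced, volumes
      # group-owned by GID 99. No pod-level seccompProfile; each
      # container sets its own.
      securityContext:
        fsGroup: 99
        runAsNonRoot: true
        runAsUser: 99
      # automountServiceAccountToken is not set, so the service-account
      # token is mounted by default.
      serviceAccountName: argocd-redis-ha-haproxy
      volumes:
      - configMap:
          name: argocd-redis-ha-configmap
        name: config-volume
      # emptyDir volumes carry no sizeLimit.
      - emptyDir: {}
        name: shared-socket
      - emptyDir: {}
        name: data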
---
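# Deployment: argocd-repo-server (two replicas).
# The repo-server works on repository content (Git, Helm), so it is the
# component most exposed to externally supplied input.
# Review notes:
#  - automountServiceAccountToken is false: no Kubernetes API token is
#    placed in the pod.
#  - Neither container declares `resources` requests/limits, and the
#    scratch emptyDir volumes have no sizeLimit.
#  - The images use the mutable `latest` tag.
#  - Several optional ConfigMap keys relax protections (TLS, symlink
#    bounds, size caps); they are marked individually below.
#  - The file header marks this manifest as auto-generated; lasting changes
#    belong in whatever generates it.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-repo-server
    spec:
      affinity:
        podAntiAffinity:
          # Soft preference: spread replicas across zones.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-repo-server
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          # Hard rule: one repo-server pod per node. With two replicas,
          # fewer than two schedulable nodes leaves a pod Pending.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-repo-server
            topologyKey: kubernetes.io/hostname
      # No service-account token is mounted into this pod.
      automountServiceAccountToken: false
      containers:
      - args:
        - /usr/local/bin/argocd-repo-server
        # Every configMapKeyRef below is `optional: true`: the variable
        # stays unset when the ConfigMap or key is absent. What the
        # binary does for an unset variable is not visible here.
        env:
        # Read from argocd-cm; the remaining keys come from
        # argocd-cmd-params-cm.
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: reposerver.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: reposerver.listen.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: reposerver.metrics.listen.address
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): the name suggests this turns TLS off on the
        # repo-server listener; leave it unset unless in-cluster traffic
        # is protected some other way.
        - name: ARGOCD_REPO_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        # TLS protocol bounds and cipher list; review any value that
        # lowers the minimum version or widens the cipher set.
        - name: ARGOCD_TLS_MIN_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.minversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MAX_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.maxversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_CIPHERS
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.ciphers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.repo.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably sends telemetry without TLS when set.
        - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
          valueFrom:
            configMapKeyRef:
              key: otlp.insecure
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): if these headers ever carry a collector
        # credential, it would sit in a ConfigMap rather than a Secret.
        - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
          valueFrom:
            configMapKeyRef:
              key: otlp.headers
              name: argocd-cmd-params-cm
              optional: true
        # Size caps (this key and the streamed/helm keys further down).
        # Judging by the names, they bound how much repository or chart
        # data is processed; raising or disabling them widens the room
        # for resource exhaustion.
        - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
          valueFrom:
            configMapKeyRef:
              key: reposerver.plugin.tar.exclusions
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): the name suggests this permits symlinks that
        # resolve outside the repository checkout. Keep it unset unless
        # every configured repository is trusted; confirm the default
        # upstream.
        - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
          valueFrom:
            configMapKeyRef:
              key: reposerver.allow.oob.symlinks
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.tar.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.helm.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): appears to switch the Helm extracted-size cap
        # off entirely; treat as a protection being removed.
        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.helm.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): presumably controls whether Git submodules are
        # fetched, which would pull content from further remotes.
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
              key: reposerver.enable.git.submodule
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: reposerver.git.lsremote.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_REQUEST_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: reposerver.git.request.timeout
              name: argocd-cmd-params-cm
              optional: true
        # Helm cache, config and data all point at the writable
        # /helm-working-dir emptyDir, because the root filesystem is
        # read-only.
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
        # `latest` is a mutable tag, and with `Always` every pod start may
        # pull different content. Pin a release tag or
        # `image@sha256:<digest>` for reproducible rollouts.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz?full=true
            port: 8084
          initialDelaySeconds: 30
          periodSeconds: 30
          timeoutSeconds: 5
        name: argocd-repo-server
        # Ports are unnamed. Both probes use 8084.
        ports:
        - containerPort: 8081
        - containerPort: 8084
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8084
          initialDelaySeconds: 5
          periodSeconds: 10
        # Hardened: no privilege escalation, all capabilities dropped,
        # read-only root filesystem, non-root, runtime-default seccomp.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # The ssh, tls and gpg ConfigMaps presumably hold the trust
        # anchors for repository access (known hosts, CA certificates,
        # signing keys). Whoever can edit them can change what the
        # repo-server trusts.
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/gpg/source
          name: gpg-keys
        - mountPath: /app/config/gpg/keys
          name: gpg-keyring
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        - mountPath: /tmp
          name: tmp
        - mountPath: /helm-working-dir
          name: helm-working-dir
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
      initContainers:
      # Copies the argocd binary to /var/run/argocd/argocd-cmp-server in
      # the `var-files` emptyDir. The main container above does not
      # mount that volume; presumably it is meant for plugin sidecars
      # added elsewhere. Verify upstream.
      - command:
        - /bin/cp
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
        # No imagePullPolicy is given; for a `latest` tag Kubernetes
        # defaults it to Always.
        image: quay.io/argoproj/argocd:latest
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
      serviceAccountName: argocd-repo-server
      volumes:
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      - configMap:
          name: argocd-gpg-keys-cm
        name: gpg-keys
      # None of the emptyDir volumes sets a sizeLimit, so scratch data
      # under /tmp and /helm-working-dir is bounded only by the node's
      # ephemeral storage.
      - emptyDir: {}
        name: gpg-keyring
      - emptyDir: {}
        name: tmp
      - emptyDir: {}
        name: helm-working-dir
      # `optional: true` lets the pod start when the Secret is missing.
      # Which certificate is then served is not visible in this
      # manifest; create the Secret explicitly if a known certificate
      # is required.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      - emptyDir: {}
        name: var-files
      - emptyDir: {}
        name: plugins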
---
apiVersion: apps/v1
2331
kind: Deployment
2332
metadata:
2333
  labels:
2334
    app.kubernetes.io/component: server
2335
    app.kubernetes.io/name: argocd-server
2336
    app.kubernetes.io/part-of: argocd
2337
  name: argocd-server
2338
spec:
2339
  replicas: 2
2340
  selector:
2341
    matchLabels:
2342
      app.kubernetes.io/name: argocd-server
2343
  template:
2344
    metadata:
2345
      labels:
2346
        app.kubernetes.io/name: argocd-server
2347
    spec:
2348
      affinity:
2349
        podAntiAffinity:
2350
          preferredDuringSchedulingIgnoredDuringExecution:
2351
          - podAffinityTerm:
2352
              labelSelector:
2353
                matchLabels:
2354
                  app.kubernetes.io/name: argocd-server
2355
              topologyKey: topology.kubernetes.io/zone
2356
            weight: 100
2357
          requiredDuringSchedulingIgnoredDuringExecution:
2358
          - labelSelector:
2359
              matchLabels:
2360
                app.kubernetes.io/name: argocd-server
2361
            topologyKey: kubernetes.io/hostname
2362
      containers:
2363
      - args:
2364
        - /usr/local/bin/argocd-server
2365
        env:
2366
        - name: ARGOCD_API_SERVER_REPLICAS
2367
          value: "2"
2368
        - name: ARGOCD_SERVER_INSECURE
2369
          valueFrom:
2370
            configMapKeyRef:
2371
              key: server.insecure
2372
              name: argocd-cmd-params-cm
2373
              optional: true
2374
        - name: ARGOCD_SERVER_BASEHREF
2375
          valueFrom:
2376
            configMapKeyRef:
2377
              key: server.basehref
2378
              name: argocd-cmd-params-cm
2379
              optional: true
2380
        - name: ARGOCD_SERVER_ROOTPATH
2381
          valueFrom:
2382
            configMapKeyRef:
2383
              key: server.rootpath
2384
              name: argocd-cmd-params-cm
2385
              optional: true
2386
        - name: ARGOCD_SERVER_LOGFORMAT
2387
          valueFrom:
2388
            configMapKeyRef:
2389
              key: server.log.format
2390
              name: argocd-cmd-params-cm
2391
              optional: true
2392
        - name: ARGOCD_SERVER_LOG_LEVEL
2393
          valueFrom:
2394
            configMapKeyRef:
2395
              key: server.log.level
2396
              name: argocd-cmd-params-cm
2397
              optional: true
2398
        - name: ARGOCD_SERVER_REPO_SERVER
2399
          valueFrom:
2400
            configMapKeyRef:
2401
              key: repo.server
2402
              name: argocd-cmd-params-cm
2403
              optional: true
2404
        - name: ARGOCD_SERVER_DEX_SERVER
2405
          valueFrom:
2406
            configMapKeyRef:
2407
              key: server.dex.server
2408
              name: argocd-cmd-params-cm
2409
              optional: true
2410
        - name: ARGOCD_SERVER_DISABLE_AUTH
2411
          valueFrom:
2412
            configMapKeyRef:
2413
              key: server.disable.auth
2414
              name: argocd-cmd-params-cm
2415
              optional: true
2416
        - name: ARGOCD_SERVER_ENABLE_GZIP
2417
          valueFrom:
2418
            configMapKeyRef:
2419
              key: server.enable.gzip
2420
              name: argocd-cmd-params-cm
2421
              optional: true
2422
        - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS
2423
          valueFrom:
2424
            configMapKeyRef:
2425
              key: server.repo.server.timeout.seconds
2426
              name: argocd-cmd-params-cm
2427
              optional: true
2428
        - name: ARGOCD_SERVER_X_FRAME_OPTIONS
2429
          valueFrom:
2430
            configMapKeyRef:
2431
              key: server.x.frame.options
2432
              name: argocd-cmd-params-cm
2433
              optional: true
2434
        - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY
2435
          valueFrom:
2436
            configMapKeyRef:
2437
              key: server.content.security.policy
2438
              name: argocd-cmd-params-cm
2439
              optional: true
2440
        - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT
2441
          valueFrom:
2442
            configMapKeyRef:
2443
              key: server.repo.server.plaintext
2444
              name: argocd-cmd-params-cm
2445
              optional: true
2446
        - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS
2447
          valueFrom:
2448
            configMapKeyRef:
2449
              key: server.repo.server.strict.tls
2450
              name: argocd-cmd-params-cm
2451
              optional: true
2452
        - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT
2453
          valueFrom:
2454
            configMapKeyRef:
2455
              key: server.dex.server.plaintext
2456
              name: argocd-cmd-params-cm
2457
              optional: true
2458
        - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS
2459
          valueFrom:
2460
            configMapKeyRef:
2461
              key: server.dex.server.strict.tls
2462
              name: argocd-cmd-params-cm
2463
              optional: true
2464
        - name: ARGOCD_TLS_MIN_VERSION
2465
          valueFrom:
2466
            configMapKeyRef:
2467
              key: server.tls.minversion
2468
              name: argocd-cmd-params-cm
2469
              optional: true
2470
        - name: ARGOCD_TLS_MAX_VERSION
2471
          valueFrom:
2472
            configMapKeyRef:
2473
              key: server.tls.maxversion
2474
              name: argocd-cmd-params-cm
2475
              optional: true
2476
        - name: ARGOCD_TLS_CIPHERS
2477
          valueFrom:
2478
            configMapKeyRef:
2479
              key: server.tls.ciphers
2480
              name: argocd-cmd-params-cm
2481
              optional: true
2482
        - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION
2483
          valueFrom:
2484
            configMapKeyRef:
2485
              key: server.connection.status.cache.expiration
2486
              name: argocd-cmd-params-cm
2487
              optional: true
2488
        - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION
2489
          valueFrom:
2490
            configMapKeyRef:
2491
              key: server.oidc.cache.expiration
2492
              name: argocd-cmd-params-cm
2493
              optional: true
2494
        - name: ARGOCD_SERVER_LOGIN_ATTEMPTS_EXPIRATION
2495
          valueFrom:
2496
            configMapKeyRef:
2497
              key: server.login.attempts.expiration
2498
              name: argocd-cmd-params-cm
2499
              optional: true
2500
        - name: ARGOCD_SERVER_STATIC_ASSETS
2501
          valueFrom:
2502
            configMapKeyRef:
2503
              key: server.staticassets
2504
              name: argocd-cmd-params-cm
2505
              optional: true
2506
        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
2507
          valueFrom:
2508
            configMapKeyRef:
2509
              key: server.app.state.cache.expiration
2510
              name: argocd-cmd-params-cm
2511
              optional: true
2512
        - name: REDIS_SERVER
2513
          valueFrom:
2514
            configMapKeyRef:
2515
              key: redis.server
2516
              name: argocd-cmd-params-cm
2517
              optional: true
2518
        - name: REDIS_COMPRESSION
2519
          valueFrom:
2520
            configMapKeyRef:
2521
              key: redis.compression
2522
              name: argocd-cmd-params-cm
2523
              optional: true
2524
        - name: REDISDB
2525
          valueFrom:
2526
            configMapKeyRef:
2527
              key: redis.db
2528
              name: argocd-cmd-params-cm
2529
              optional: true
2530
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
2531
          valueFrom:
2532
            configMapKeyRef:
2533
              key: server.default.cache.expiration
2534
              name: argocd-cmd-params-cm
2535
              optional: true
2536
        - name: ARGOCD_MAX_COOKIE_NUMBER
2537
          valueFrom:
2538
            configMapKeyRef:
2539
              key: server.http.cookie.maxnumber
2540
              name: argocd-cmd-params-cm
2541
              optional: true
2542
        - name: ARGOCD_SERVER_LISTEN_ADDRESS
2543
          valueFrom:
2544
            configMapKeyRef:
2545
              key: server.listen.address
2546
              name: argocd-cmd-params-cm
2547
              optional: true
2548
        - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
2549
          valueFrom:
2550
            configMapKeyRef:
2551
              key: server.metrics.listen.address
2552
              name: argocd-cmd-params-cm
2553
              optional: true
2554
        - name: ARGOCD_SERVER_OTLP_ADDRESS
2555
          valueFrom:
2556
            configMapKeyRef:
2557
              key: otlp.address
2558
              name: argocd-cmd-params-cm
2559
              optional: true
2560
        - name: ARGOCD_SERVER_OTLP_INSECURE
2561
          valueFrom:
2562
            configMapKeyRef:
2563
              key: otlp.insecure
2564
              name: argocd-cmd-params-cm
2565
              optional: true
2566
        - name: ARGOCD_SERVER_OTLP_HEADERS
2567
          valueFrom:
2568
            configMapKeyRef:
2569
              key: otlp.headers
2570
              name: argocd-cmd-params-cm
2571
              optional: true
2572
        - name: ARGOCD_APPLICATION_NAMESPACES
2573
          valueFrom:
2574
            configMapKeyRef:
2575
              key: application.namespaces
2576
              name: argocd-cmd-params-cm
2577
              optional: true
2578
        - name: ARGOCD_SERVER_ENABLE_PROXY_EXTENSION
2579
          valueFrom:
2580
            configMapKeyRef:
2581
              key: server.enable.proxy.extension
2582
              name: argocd-cmd-params-cm
2583
              optional: true
2584
        - name: ARGOCD_K8SCLIENT_RETRY_MAX
2585
          valueFrom:
2586
            configMapKeyRef:
2587
              key: server.k8sclient.retry.max
2588
              name: argocd-cmd-params-cm
2589
              optional: true
2590
        - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
2591
          valueFrom:
2592
            configMapKeyRef:
2593
              key: server.k8sclient.retry.base.backoff
2594
              name: argocd-cmd-params-cm
2595
              optional: true
2596
        - name: ARGOCD_API_CONTENT_TYPES
2597
          valueFrom:
2598
            configMapKeyRef:
2599
              key: server.api.content.types
2600
              name: argocd-cmd-params-cm
2601
              optional: true
2602
        image: quay.io/argoproj/argocd:latest
2603
        imagePullPolicy: Always
2604
        livenessProbe:
2605
          httpGet:
2606
            path: /healthz?full=true
2607
            port: 8080
2608
          initialDelaySeconds: 3
2609
          periodSeconds: 30
2610
          timeoutSeconds: 5
2611
        name: argocd-server
2612
        ports:
2613
        - containerPort: 8080
2614
        - containerPort: 8083
2615
        readinessProbe:
2616
          httpGet:
2617
            path: /healthz
2618
            port: 8080
2619
          initialDelaySeconds: 3
2620
          periodSeconds: 30
2621
        securityContext:
2622
          allowPrivilegeEscalation: false
2623
          capabilities:
2624
            drop:
2625
            - ALL
2626
          readOnlyRootFilesystem: true
2627
          runAsNonRoot: true
2628
          seccompProfile:
2629
            type: RuntimeDefault
2630
        volumeMounts:
2631
        - mountPath: /app/config/ssh
2632
          name: ssh-known-hosts
2633
        - mountPath: /app/config/tls
2634
          name: tls-certs
2635
        - mountPath: /app/config/server/tls
2636
          name: argocd-repo-server-tls
2637
        - mountPath: /app/config/dex/tls
2638
          name: argocd-dex-server-tls
2639
        - mountPath: /home/argocd
2640
          name: plugins-home
2641
        - mountPath: /tmp
2642
          name: tmp
2643
      serviceAccountName: argocd-server
2644
      volumes:
2645
      - emptyDir: {}
2646
        name: plugins-home
2647
      - emptyDir: {}
2648
        name: tmp
2649
      - configMap:
2650
          name: argocd-ssh-known-hosts-cm
2651
        name: ssh-known-hosts
2652
      - configMap:
2653
          name: argocd-tls-certs-cm
2654
        name: tls-certs
2655
      - name: argocd-repo-server-tls
2656
        secret:
2657
          items:
2658
          - key: tls.crt
2659
            path: tls.crt
2660
          - key: tls.key
2661
            path: tls.key
2662
          - key: ca.crt
2663
            path: ca.crt
2664
          optional: true
2665
          secretName: argocd-repo-server-tls
2666
      - name: argocd-dex-server-tls
2667
        secret:
2668
          items:
2669
          - key: tls.crt
2670
            path: tls.crt
2671
          - key: ca.crt
2672
            path: ca.crt
2673
          optional: true
2674
          secretName: argocd-dex-server-tls
2675
---
2676
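# StatefulSet for the Argo CD application controller (one replica).
# The rendered listing interleaved viewer line numbers with the manifest;
# they are removed here so the document parses as YAML again. No key or value
# is changed.
#
# Review notes for operators:
# - The image is referenced by the mutable tag `latest` with
#   imagePullPolicy: Always, so the running code can change on any restart.
# - Almost every runtime setting is read from the ConfigMaps argocd-cm and
#   argocd-cmd-params-cm; write access to those objects is therefore control
#   over this workload's behaviour, including its repo-server transport flags.
# - The container declares no resource requests/limits and no livenessProbe.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  serviceName: argocd-application-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-application-controller
    spec:
      affinity:
        # Soft (preferred) anti-affinity only: the scheduler tries to keep
        # controller pods, and to a lesser degree all argocd pods, on
        # different nodes, but will co-locate them if it has to.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-application-controller
              topologyKey: kubernetes.io/hostname
            weight: 100
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - args:
        - /usr/local/bin/argocd-application-controller
        # Every configMapKeyRef below is `optional: true`: when the ConfigMap
        # or the key is missing, Kubernetes leaves the variable unset instead
        # of failing the pod, and the binary falls back to its own default
        # (defaults are not visible in this manifest).
        env:
        # Hard-coded to match spec.replicas above; keep the two in step.
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.hard.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_RECONCILIATION_JITTER
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation.jitter
              name: argocd-cm
              optional: true
        - name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.error.grace.period.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
          valueFrom:
            configMapKeyRef:
              key: repo.server
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
          valueFrom:
            configMapKeyRef:
              key: controller.status.processors
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
          valueFrom:
            configMapKeyRef:
              key: controller.operation.processors
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: controller.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: controller.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.metrics.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
          valueFrom:
            configMapKeyRef:
              key: controller.self.heal.timeout.seconds
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): the next two keys, by their names, switch the
        # controller -> repo-server connection to plaintext and toggle strict
        # certificate checking. Audit who may edit argocd-cmd-params-cm and
        # alert on changes to these keys.
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.plaintext
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
          valueFrom:
            configMapKeyRef:
              key: controller.repo.server.strict.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
          valueFrom:
            configMapKeyRef:
              key: controller.resource.health.persist
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.app.state.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: controller.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        # NOTE(review): the OTLP headers are taken from a ConfigMap, not a
        # Secret. If the collector needs an auth token in a header, it would
        # be stored readable by anyone who can read ConfigMaps here.
        - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
          valueFrom:
            configMapKeyRef:
              key: otlp.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
          valueFrom:
            configMapKeyRef:
              key: otlp.headers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_NAMESPACES
          valueFrom:
            configMapKeyRef:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
          valueFrom:
            configMapKeyRef:
              key: controller.sharding.algorithm
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: controller.kubectl.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8SCLIENT_RETRY_MAX
          valueFrom:
            configMapKeyRef:
              key: controller.k8sclient.retry.max
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
          valueFrom:
            configMapKeyRef:
              key: controller.k8sclient.retry.base.backoff
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
          valueFrom:
            configMapKeyRef:
              key: controller.diff.server.side
              name: argocd-cmd-params-cm
              optional: true
        # Supply-chain note: `latest` is a mutable tag and `Always` re-pulls it
        # on every container start, so two restarts can run different code and
        # a rollback has nothing fixed to return to. For anything beyond a
        # test install, reference a released version tag and pin it by image
        # digest, and verify the image signature at admission if available.
        image: quay.io/argoproj/argocd:latest
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
        - containerPort: 8082
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8082
          initialDelaySeconds: 5
          periodSeconds: 10
        # Container hardening: no privilege escalation, all capabilities
        # dropped, read-only root filesystem, default seccomp profile.
        # runAsNonRoot makes the kubelet refuse to start the container if the
        # image would run as UID 0.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /app/config/controller/tls
          name: argocd-repo-server-tls
        # Writable scratch space; the root filesystem itself is read-only.
        - mountPath: /home/argocd
          name: argocd-home
        workingDir: /home/argocd
      serviceAccountName: argocd-application-controller
      volumes:
      - emptyDir: {}
        name: argocd-home
      # `optional: true`: the pod still starts when the Secret does not exist,
      # so a missing TLS secret is not surfaced as a scheduling failure.
      # NOTE(review): tls.key of the repo-server secret is projected into the
      # controller pod as well. Confirm the controller needs the private key
      # and not only tls.crt/ca.crt; otherwise drop the item to limit where
      # the key is readable.
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls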
2931
---
2932
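# StatefulSet for the Redis HA backend: three pods, each running a redis
# server, a sentinel and a split-brain-fix sidecar, prepared by one init
# container. The rendered listing interleaved viewer line numbers with the
# manifest; they are removed here so the document parses as YAML again. No key
# or value is changed.
#
# Review notes for operators:
# - All shell scripts these containers run (init, preStop, probes, split-brain
#   fix) are mounted from the ConfigMaps argocd-redis-ha-configmap and
#   argocd-redis-ha-health-configmap. Write access to either ConfigMap is code
#   execution inside the Redis pods; restrict and audit it accordingly.
# - Nothing in this document configures Redis authentication or TLS; whether
#   either is enabled depends on the redis.conf/sentinel.conf files under
#   /data/conf, which are not part of this manifest section. The NetworkPolicy
#   objects in this file are the access control visible here.
# - No container declares resource requests or limits.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-server
spec:
  podManagementPolicy: OrderedReady
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  serviceName: argocd-redis-ha
  template:
    metadata:
      annotations:
        # Part of the pod template, so a changed value rolls the pods.
        # Presumably a hash of the init configuration; verify against the
        # generator.
        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
      labels:
        app.kubernetes.io/name: argocd-redis-ha
    spec:
      affinity:
        # Hard (required) anti-affinity per hostname: with replicas: 3 the
        # cluster needs at least three schedulable nodes, otherwise the
        # remaining pods stay Pending.
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: argocd-redis-ha
            topologyKey: kubernetes.io/hostname
      # No Kubernetes API token is mounted into these pods.
      automountServiceAccountToken: false
      containers:
      - args:
        - /data/conf/redis.conf
        command:
        - redis-server
        # Supply-chain note: the image name carries no registry host, so the
        # node's container runtime resolves it against its default registry,
        # and it is pinned by tag only. With IfNotPresent a node keeps using
        # whatever it already cached under this tag. Prefer a fully qualified
        # name pinned by digest. The same applies to the three other uses of
        # this image below.
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sh
              - /readonly-config/trigger-failover-if-master.sh
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/redis_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        name: redis
        ports:
        - containerPort: 6379
          name: redis
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/redis_readiness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        # runAsNonRoot/runAsUser are not repeated per container; they are
        # inherited from the pod-level securityContext further down.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
        - mountPath: /health
          name: health
      - args:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/sentinel_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 15
        name: sentinel
        ports:
        - containerPort: 26379
          name: sentinel
        # NOTE(review): readiness runs the same sentinel_liveness.sh script as
        # the liveness probe, differing only in successThreshold (3 vs 1).
        # Confirm this is intended by the generator.
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - /health/sentinel_liveness.sh
          failureThreshold: 5
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 3
          timeoutSeconds: 15
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /data
          name: data
        - mountPath: /health
          name: health
      - args:
        - /readonly-config/fix-split-brain.sh
        command:
        - sh
        # The SENTINEL_ID_* values are fixed in the manifest and identical in
        # this sidecar and in the config-init container, so every installation
        # from this file shares them. They look like sentinel identifiers, not
        # credentials; do not rely on them being unique or secret.
        env:
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
        - name: SENTINEL_ID_1
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: split-brain-fix
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
      initContainers:
      # Runs init.sh from the config ConfigMap with the shared data volume
      # mounted; presumably this is what writes the files under /data/conf
      # that the redis and sentinel containers start from.
      - args:
        - /readonly-config/init.sh
        command:
        - sh
        env:
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
        - name: SENTINEL_ID_1
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /readonly-config
          name: config
          readOnly: true
        - mountPath: /data
          name: data
      # Pod-level identity applied to every container above: UID 1000,
      # non-root enforced, volumes group-owned by GID 1000.
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: argocd-redis-ha
      terminationGracePeriodSeconds: 60
      volumes:
      - configMap:
          name: argocd-redis-ha-configmap
        name: config
      - configMap:
          # 493 decimal is octal 0755: the health scripts are mounted
          # executable, which the `sh -c /health/...` probes rely on.
          defaultMode: 493
          name: argocd-redis-ha-health-configmap
        name: health
      # emptyDir: Redis data and generated config live only as long as the
      # pod; deleting or rescheduling a pod discards them.
      - emptyDir: {}
        name: data
  updateStrategy:
    type: RollingUpdate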
3139
---
3140
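# Ingress policy for the application controller pods.
# Viewer line numbers that were interleaved with the manifest are removed, and
# the port now states `protocol: TCP` explicitly, matching the other policies
# in this file (TCP is also the Kubernetes default, so behaviour is unchanged).
#
# Effect: any pod in any namespace may connect to port 8082 (the controller's
# only containerPort, which also serves /healthz; presumably its metrics
# endpoint). All other inbound traffic to these pods is dropped. Egress is not
# restricted, because only Ingress is listed in policyTypes.
# The policy is enforced only if the cluster's network plugin implements
# NetworkPolicy; on a plugin without support it is silently ignored.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-application-controller-network-policy
spec:
  ingress:
  - from:
    # An empty namespaceSelector matches every namespace. Narrow it to the
    # monitoring namespace if only the metrics scraper needs this port.
    - namespaceSelector: {}
    ports:
    - port: 8082
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-application-controller
  policyTypes:
  - Ingress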
3155
---
3156
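# Ingress policy for the applicationset controller pods.
# Viewer line numbers that were interleaved with the manifest are removed; no
# key or value is changed.
#
# Effect: any pod in any namespace may connect to TCP 7000 and TCP 8080; all
# other inbound traffic to these pods is dropped. Egress is not restricted.
# What each port serves is not visible in this section of the file; confirm
# against the controller's Deployment before narrowing the sources.
# The policy is enforced only if the cluster's network plugin implements
# NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-applicationset-controller-network-policy
spec:
  ingress:
  - from:
    # An empty namespaceSelector matches every namespace in the cluster.
    - namespaceSelector: {}
    ports:
    - port: 7000
      protocol: TCP
    - port: 8080
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  policyTypes:
  - Ingress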
3174
---
3175
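# Ingress policy for the Dex server pods.
# Viewer line numbers that were interleaved with the manifest are removed; no
# key or value is changed.
#
# Effect:
# - TCP 5556 and 5557 are reachable only from argocd-server pods. The
#   podSelector has no namespaceSelector next to it, so it matches pods in the
#   policy's own namespace only.
# - TCP 5558 is reachable from any pod in any namespace (presumably the
#   metrics port; confirm against the Dex Deployment).
# Egress is not restricted. The policy is enforced only if the cluster's
# network plugin implements NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-dex-server-network-policy
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    ports:
    - port: 5556
      protocol: TCP
    - port: 5557
      protocol: TCP
  - from:
    # An empty namespaceSelector matches every namespace in the cluster.
    - namespaceSelector: {}
    ports:
    - port: 5558
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  policyTypes:
  - Ingress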
3200
---
3201
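# Ingress policy for the notifications controller pods.
# Viewer line numbers that were interleaved with the manifest are removed; no
# key or value is changed.
#
# Effect: any pod in any namespace may connect to TCP 9001 (presumably the
# metrics port; confirm against the controller's Deployment). All other
# inbound traffic is dropped; egress is not restricted.
# The policy is enforced only if the cluster's network plugin implements
# NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/component: notifications-controller
    app.kubernetes.io/name: argocd-notifications-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-notifications-controller-network-policy
spec:
  ingress:
  - from:
    # An empty namespaceSelector matches every namespace in the cluster.
    - namespaceSelector: {}
    ports:
    - port: 9001
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-notifications-controller
  policyTypes:
  - Ingress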
3221
---
3222
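# Ingress and egress policy for the Redis HA haproxy pods.
# Viewer line numbers that were interleaved with the manifest are removed; no
# key or value is changed.
#
# Effect:
# - Ingress on TCP 6379/26379 only from argocd-server, argocd-repo-server and
#   argocd-application-controller pods in this namespace.
# - Egress on TCP 6379/26379 only to the argocd-redis-ha pods.
# - Egress on port 53 (UDP and TCP) to ANY destination: that rule has no `to`
#   clause, so it is not limited to the cluster DNS service.
# This policy is the access control on the Redis front end that is visible in
# this file, and it is enforced only if the cluster's network plugin
# implements NetworkPolicy. On a plugin without support, every pod in the
# cluster can reach these ports.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-ha-proxy-network-policy
spec:
  egress:
  - ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
  # DNS. No `to` selector: any peer on port 53 is allowed. To tighten, add a
  # `to` entry selecting the cluster's DNS pods (labels are cluster-specific).
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-repo-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
  - Ingress
  - Egress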
3264
---
3265
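# Ingress and egress policy for the Redis HA server/sentinel pods.
# Viewer line numbers that were interleaved with the manifest are removed; no
# key or value is changed.
#
# Effect:
# - Ingress on TCP 6379/26379 only from the haproxy pods and from the other
#   argocd-redis-ha pods (replication and sentinel traffic between peers).
# - Egress on TCP 6379/26379 only to argocd-redis-ha pods.
# - Egress on port 53 (UDP and TCP) to ANY destination: that rule has no `to`
#   clause, so it is not limited to the cluster DNS service.
# Argo CD components are not listed as ingress sources here; per this policy
# they reach Redis through the haproxy pods only.
# Enforcement depends on the cluster's network plugin implementing
# NetworkPolicy. On a plugin without support, the Redis ports are reachable
# from every pod in the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-ha-server-network-policy
spec:
  egress:
  - ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
  # DNS. No `to` selector: any peer on port 53 is allowed. To tighten, add a
  # `to` entry selecting the cluster's DNS pods (labels are cluster-specific).
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha-haproxy
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
    ports:
    - port: 6379
      protocol: TCP
    - port: 26379
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  policyTypes:
  - Ingress
  - Egress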
3304
---
3305
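# Ingress policy for the repo server pods.
# Viewer line numbers that were interleaved with the manifest are removed, and
# port 8084 now states `protocol: TCP` explicitly, matching port 8081 in the
# same policy (TCP is also the Kubernetes default, so behaviour is unchanged).
#
# Effect:
# - TCP 8081 is reachable only from the argocd-server, application-controller,
#   notifications-controller and applicationset-controller pods in this
#   namespace.
# - TCP 8084 is reachable from any pod in any namespace (presumably the
#   metrics port; confirm against the repo-server Deployment).
# Egress is not restricted, because only Ingress is listed in policyTypes.
# The policy is enforced only if the cluster's network plugin implements
# NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-repo-server-network-policy
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-server
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-notifications-controller
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-applicationset-controller
    ports:
    - port: 8081
      protocol: TCP
  - from:
    # An empty namespaceSelector matches every namespace in the cluster.
    - namespaceSelector: {}
    ports:
    - port: 8084
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  policyTypes:
  - Ingress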
3336
---
3337
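# Ingress policy for the argocd-server pods.
# Viewer line numbers that were interleaved with the manifest are removed; no
# key or value is changed.
#
# Effect: the single ingress rule is the empty rule `{}`, which matches every
# source and every port. The policy therefore allows all inbound traffic to
# argocd-server and restricts nothing; it does not limit which listener is
# reachable or from where. Exposure of the API/UI has to be controlled
# elsewhere (Service/Ingress configuration and the server's own
# authentication). If cluster-internal callers are known, replace `{}` with
# explicit `from`/`ports` entries.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-server-network-policy
spec:
  ingress:
  - {}
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  policyTypes:
  - Ingress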