argocd: Deploy Argo CD

[Argo CD] is a Kubernetes-native GitOps/continuous deployment manager.
It monitors the state of Kubnernetes resources, such as Pods,
Deployments, ConfigMaps, Secrets, and Custom Resources, and synchronizes
them with their canonical definitions from a Git repository.

*Argo CD* consists of various components, including a Repository
Service, an Application Controller, a Notification Controller, and an
API server/Web UI.  It also has some optional components, such as a
bundled Dex server for authentication/authorization, and an
ApplicationSet controller, which we will not be using.

[Argo CD]: https://argo-cd.readthedocs.io/

argocd/README.md

@@ -0,0 +1,46 @@
+# Argo CD
+
+> [Argo CD] is a declarative GitOps continuous delivery tool, which allows
+> developers to define and control deployment of Kubernetes application
+> resources from within their existing Git workflow.
+
+```sh
+kubectl apply -k argocd
+kubectl apply -f argocd/applications
+```
+
+## Components
+
+Argo CD consists of several components, some of which are not used:
+
+- [x] Application Controller
+- [x] Repository Service
+- [x] Web Server
+- [x] Notification Controller
+- [ ] ApplicationSet Controller[^1]
+- [ ] Dex Server[^2]
+
+[^1]: ApplicationSets are "generators" that can be used to apply applications
+    to multiple clusters.  As we only have a single cluster, it is not useful.
+[^2]: Argo CD includes Dex to handle authentication and authorization, but we
+    are using Authelia instead.
+    
+
+## Applications
+
+*Applications* are the core resource in Argo CD.  They form a collection of
+resources associated with a particular application deployment.  They are
+themselves defined as Kubernetes resources (see [applications]).
+
+
+## Git Webhook
+
+*Argo CD* will automatically refresh the desired state of applications whenever
+a changeset is pushed to the Git repository where manifests are stored.  The
+[infra/kubernetes] repository has a Webhook configured in Gitea that notifies
+the Argo CD server on Git push events.
+
+
+[Argo CD]: https://argo-cd.readthedocs.io/
+[applications]: ./applications/
+[infra/kubernetes]: https://git.pyrocufflink.blue/infra/kubernetes

argocd/applications/dynk8s-provisioner.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dynk8s-provisioner
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: dynk8s-provisioner
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master

argocd/applications/firefly-iii.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: firefly-iii
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: firefly-iii
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master

argocd/applications/home-assistant.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: home-assistant
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: home-assistant
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master

argocd/applications/jenkins.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: jenkins
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: jenkins
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master

argocd/applications/ntfy.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ntfy
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: ntfy
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master

argocd/applications/paperless-ngx.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: paperless-ngx
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: paperless-ngx
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master

argocd/applications/phpipam.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: phpipam
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: phpipam
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master

argocd/argocd-cm.yml

@@ -0,0 +1,7 @@
+url: https://argocd.pyrocufflink.blue
+
+oidc.config: |
+  name: Authelia
+  issuer: https://auth.pyrocufflink.blue
+  clientID: argocd
+  clientSecret: $oidc.authelia.clientSecret

argocd/hooks.yaml

@@ -0,0 +1,20 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  generateName: jenkins-snapshot-
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+spec:
+  template:
+    spec:
+      containers:
+      - name: jenkins-snapshot
+        image: docker.io/curlimages/curl
+        command:
+        - curl
+        - http://longhorn-frontend.longhorn-system/v1/volumes/pvc-4d42f4d3-2f9d-4edd-b82c-b51a385a3276?action=snapshotCreate
+        - -H
+        - Content-Type application/json
+        - -d
+        - '{}'
+      restartPolicy: Never

argocd/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-server-ingress
+  namespace: argocd
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+  rules:
+  - host: argocd.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              name: https
+  tls:
+  - hosts:
+    - argocd.example.com

argocd/kustomization.yaml

@@ -0,0 +1,116 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: argocd
+
+resources:
+- namespace.yaml
+- https://raw.githubusercontent.com/argoproj/argo-cd/v2.8.4/manifests/install.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: argocd-cm
+  behavior: merge
+  literals:
+  - url=https://argocd.pyrocufflink.blue
+  files:
+  - oidc.config
+
+- name: argocd-rbac-cm
+  behavior: merge
+  literals:
+  - policy.default=role:readonly
+  files:
+  - policy.csv
+
+patches:
+- patch: |-
+    $patch: delete
+    apiVersion: apiextensions.k8s.io/v1
+    kind: CustomResourceDefinition
+    metadata:
+      name: applicationsets.argoproj.io
+
+- patch: |-
+    $patch: delete
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: argocd-applicationset-controller
+
+- patch: |-
+    $patch: delete
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: argocd-dex-server
+
+- patch: |-
+    $patch: delete
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: argocd-applicationset-controller
+
+- patch: |-
+    $patch: delete
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: argocd-dex-server
+
+- patch: |-
+    $patch: delete
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: argocd-applicationset-controller
+
+- patch: |-
+    $patch: delete
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: argocd-dex-server
+
+- patch: |-
+    $patch: delete
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: argocd-applicationset-controller
+
+- patch: |-
+    $patch: delete
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: argocd-dex-server
+
+- patch: |-
+    $patch: delete
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: argocd-applicationset-controller
+
+- patch: |-
+    $patch: delete
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: argocd-dex-server
+
+- patch: |-
+    $patch: delete
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: argocd-applicationset-controller-network-policy
+
+- patch: |-
+    $patch: delete
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: argocd-dex-server-network-policy

argocd/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: argocd

argocd/oidc.config

@@ -0,0 +1,4 @@
+name: Authelia
+issuer: https://auth.pyrocufflink.blue
+clientID: argocd
+clientSecret: $oidc.authelia.clientSecret

argocd/policy.csv

@@ -0,0 +1 @@
+g, Argo CD Admins, role:admin

authelia/configuration.yml

@@ -65,6 +65,12 @@ identity_providers:
       redirect_uris:
       - http://127.0.0.1
       pre_configured_consent_duration: 7d
+    - id: argocd
+      description: Argo CD
+      redirect_uris:
+      - https://argocd.pyrocufflink.blue/auth/callback
+      secret: >-
+        $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
 
 log:
   level: trace