> For the complete documentation index, see [llms.txt](https://liujinye.gitbook.io/openshift-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://liujinye.gitbook.io/openshift-docs/cicd/helm-an-zhuang-argocd.md).

# helm安装argocd

## 下载chart

```
helm repo add argo https://argoproj.github.io/argo-helm
helm pull argo/argo-cd
```

## 编写values.yaml

```yaml
redis-ha:
  enabled: true

controller:
  enableStatefulSet: true

server:
  replicas: 2
  env:
    - name: ARGOCD_API_SERVER_REPLICAS
      value: '2'
  ingress:
    enabled: false
    https: false
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    ingressClassName: nginx
    hosts:
      - argocd-server.example.com
    tls:
      - hosts:
          - argocd-server.example.com
        secretName: example-com-tls
    certificate:
      enabled: false

repoServer:
  replicas: 2
  config:
    # Argo CD's externally facing base URL (optional). Required when configuring SSO
    url: https://argocd-server.example.com
    # Argo CD instance label key
    application.instanceLabelKey: argocd.argoproj.io/instance
		# keycloak sso
    oidc.config: |
      name: Keycloak
      issuer: https://sso.example.com/auth/realms/oc
      clientID: argocd
      clientSecret: $oidc.keycloak.clientSecret
      requestedScopes: ["openid", "profile", "email", "groups"]
```

## 执行安装

```shell
helm upgrade --install argo argo-cd-3.29.4.tgz -f values.yaml -n cicd --create-namespace
```

## 安装argocd cli

```
curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
chmod +x /usr/local/bin/argocd
```

## 配置keycloak sso

### keycloak 添加client ，配置ArgoCD用户组

略

参考：<https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/keycloak/>

### 编辑argocd-cm

```shell
kubectl -n cicd edit cm argocd-cm
```

如下所示：

```yaml
apiVersion: v1
data:
  application.instanceLabelKey: argocd.argoproj.io/instance
  oidc.config: |
    name: Keycloak
    issuer: https://sso.paradeum.com/auth/realms/oc
    clientID: argocd
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]
  url: https://argocd-server-apps92250.solarfs.io
kind: ConfigMap
```

**注意：如果使用 helm upgrade 更新argocd 服务， 需要重新修改 argocd-cm**

```
kubectl -n cicd edit cm argocd-cm
```

### 配置ArgoCD权限策略

```
kubectl edit cm -n cicd argocd-rbac-cm
```

keycloak中 `/ArgoCDAdmins` 组用户默认admin角色，如下所示：

```
apiVersion: v1
data:
  policy.csv: |
    g, /ArgoCDAdmins, role:admin
kind: ConfigMap
```

**注意：组名ArgoCDAdmins前面必须有/, 否则不能匹配**

## 添加集群

### 使用argocd cli 登录 argocd

```
# 获取默认的admin 密码，登录
PASSWORD=$(kubectl get secret -n cicd argocd-secret -o jsonpath="{.data.admin\.password}"|base64 -d)
argocd login argo-argocd-server.cicd.svc --username admin --password "$PASSWORD"
```

### 添加rancher 集群

rancher 管理的K8s 集群，不能直接使用argocd cli添加到clusters, argocd clusters 实际是与k8s crd 交互 ，所以我们手动添加k8s secret ，会自动添加到 argocd clusters 中

#### 创建cicd用户并创建 apikey，指定集群范围

略

#### 编写k8s-test-argocd-secret，apikey 显示值填写到下面yaml 内容中

```
apiVersion: v1
kind: Secret
metadata:
  namespace: cicd
  name: k8s-test-argocd-secret
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: k8s-test
  server: "https://rancher.cattle-system.svc/k8s/clusters/<集群id>"
  config: |
    {
      "bearerToken": "<apikey 中显示的 bearerToken 信息>",
      "tlsClientConfig": {
        "insecure": true
      }
    }
```

```
kubectl apply -f k8s-test-argocd-secret.yaml
```

## 使用argocd cli 查看clusters 列表

```
argocd cluster list
```

显示如下

```
SERVER                                                       NAME             VERSION  STATUS      MESSAGE                                              PROJECT
https://rancher.cattle-system.svc/k8s/clusters/c-m-xxxxxxxx  k8s-test  1.22     Successful
https://kubernetes.default.svc                               in-cluster                Unknown     Cluster has no application and not being monitored.
```

## 添加 gitlab webhook

Argo CD每三分钟轮询一次Git存储库，以检测清单的更改。为了消除轮询的延迟，API服务器可以被配置为接收webhook事件。Argo CD支持GitHub, GitLab, Bitbucket, Bitbucket Server和Gogs的Git webhook通知。

### 添加webhook secret

#### 编辑 argocd-secret

```
kubectl edit secret -n cicd argocd-secret
```

在 data 中添加 webhook.github.secret，值需要使用base64编码

```
data:
  ...
  webhook.gitlab.secret: xxxxx
```

#### helm chart 项目添加webhook

\*\*Chart 项目 --> `设置`->`集成` \*\*

URL 输入

```
https://argocd-server.example.com/api/webhook
```

Secret Token 输入

```
<argocd-secret 中 webhook.gitlab.secret值base64解码>
```

选择`Trigger`

`Tag push events` 、`Push events`

点击 `Add webhhok`

## 参考

<https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd>

<https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/keycloak/>

<https://docs.openshift.com/container-platform/4.7/cicd/gitops/configuring-sso-for-argo-cd-on-openshift.html>

<https://argo-cd.readthedocs.io/en/stable/operator-manual/webhook/>

<https://www.cnblogs.com/novwind/p/15358792.html>

<https://gist.github.com/janeczku/b16154194f7f03f772645303af8e9f80>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://liujinye.gitbook.io/openshift-docs/cicd/helm-an-zhuang-argocd.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.