From 4afaab424036e36f7c0946575306151e14685940 Mon Sep 17 00:00:00 2001 From: shahkv95 <35930270+shahkv95@users.noreply.github.com> Date: Sat, 25 Nov 2023 22:28:42 +0530 Subject: [PATCH 1/3] cert-manager installation using argocd Signed-off-by: shahkv95 <35930270+shahkv95@users.noreply.github.com> --- .../continuous-deployment-and-gitops.md | 143 ++++++++++++++++++ 1 file changed, 143 insertions(+) diff --git a/content/docs/installation/continuous-deployment-and-gitops.md b/content/docs/installation/continuous-deployment-and-gitops.md index aaa3a07886..de1d010c41 100644 --- a/content/docs/installation/continuous-deployment-and-gitops.md +++ b/content/docs/installation/continuous-deployment-and-gitops.md 
@@ -112,3 +112,146 @@ Check the cert-manager logs for warnings and errors: ```bash kubectl logs -n cert-manager -l app.kubernetes.io/instance=cert-manager --prefix --all-containers ``` + + +## Using ArgoCD +Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. + +### Pre-requisites +Ensure, the following are in place before proceeding: +- A Kubernetes cluster +- ArgoCD deployed on the Kubernetes cluster: [installation guide](https://argo-cd.readthedocs.io/en/stable/getting_started/) +- Optional: A GitOps repository connected with ArgoCD: [setup guide](https://argo-cd.readthedocs.io/en/stable/user-guide/private-repositories/) + +### Setting up cert-manager +1. Create an ArgoCD Application manifest file with the provided configuration to set up cert-manager. + + ```yaml + apiVersion: argoproj.io/v1alpha1 + kind: Application + metadata: + name: cert-manager + namespace: argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + finalizers: + - resources-finalizer.argocd.argoproj.io + spec: + destination: + namespace: cert-manager + server: https://kubernetes.default.svc + project: default + source: + chart: cert-manager + repoURL: https://charts.jetstack.io + targetRevision: 1.10.1 + helm: + values: | + installCRDs: true + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ``` +2. Commit the manifest file and sync the changes in ArgoCD. If a GitOps repository is not set up, use `kubectl apply -f ` to apply the manifest [installation guide for kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl). +3. ArgoCD will synchronize the Desired manifest and deploy cert-manager on Kubernetes based on the configuration provided. + + +### Troubleshooting + +#### Scenario 1: +Out-of-sync cert-manager in AKS(Azure Kubernetes Service) cluster + +##### Issue: +Cert-manager in the AKS cluster remains out-of-sync due to discrepancies between the Desired and Live manifest files. 
+ +##### Potential Reasons +Multiple factors could cause the OutOfSync issue; refer to [ArgoCD documentation](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#diffing-customization) for potential causes. + +##### Example configuration differences +Below configurations are observed to be present in the Live manifest but not in the Desired manifest file. + +```yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +... +webhooks: +- admissionReviewVersions: + namespaceSelector: + matchExpressions: + ... + ... + - key: control-plane + operator: NotIn + values: + - 'true' + - key: kubernetes.azure.com/managedby + operator: NotIn + values: + - aks +``` + +##### Root Cause Analysis +The discrepancy is rooted in how AKS manages admission controllers to protect internal services in the kube-system namespace. More details can be found [here](https://learn.microsoft.com/en-us/azure/aks/faq#can-admission-controller-webhooks-impact-kube-system-and-internal-aks-namespaces) + +##### Suggested Fix +It is also possible to ignore differences from fields owned by specific managers defined in `metadata.managedFields` in live resources. 
More details can be found [here](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#application-level-configuration) + +To resolve this issue, modify the cert-manager manifest file under spec to ignore specific differences: +``` +ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: cert-manager-webhook + jqPathExpressions: + - .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "control-plane") + - .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "kubernetes.azure.com/managedby") +``` + +In that case, the updated cert-manager manifest would be as follows: + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager + namespace: argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: cert-manager + server: https://kubernetes.default.svc + project: default + source: + chart: cert-manager + repoURL: https://charts.jetstack.io + targetRevision: 1.10.1 + helm: + values: | + installCRDs: true + podLabels: + azure.workload.identity/use: "true" + serviceAccount: + labels: + azure.workload.identity/use: "true" + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: cert-manager-webhook + jqPathExpressions: + - .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "control-plane") + - .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "kubernetes.azure.com/managedby") + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true +``` + +Once ArgoCD syncs the updated manifest, the differences due to above 2 keys would be ignored and cert-manager would be in complete synchronization state. From 4ce05d15236bb176e5d701d9b9dd328de76ff316 Mon Sep 17 00:00:00 2001 
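Review bot: the command in step 2, `kubectl apply -f `, is missing its argument and the sentence never closes; write it as `kubectl apply -f <path-to-application-manifest>` and finish the sentence, for example "... to apply the manifest (see the [installation guide for kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl))." Two further points in this hunk: `targetRevision: 1.10.1` should be confirmed against the chart index at https://charts.jetstack.io, whose cert-manager chart versions carry a `v` prefix (`v1.10.1`), and a version pinned in installation docs goes stale quickly, so tell readers to substitute the current release. Finally, the manifest deserves one sentence of caveat for readers: with `finalizers: - resources-finalizer.argocd.argoproj.io` and `installCRDs: true`, deleting this Application cascades to the cert-manager CRDs and therefore to every Certificate, Issuer and ClusterIssuer in the cluster, and `prune: true` together with `selfHeal: true` will revert any change made outside Git to the managed resources.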
From: shahkv95 <35930270+shahkv95@users.noreply.github.com> Date: Sat, 25 Nov 2023 22:36:13 +0530 Subject: [PATCH 2/3] removed unnecessary configurations Signed-off-by: shahkv95 <35930270+shahkv95@users.noreply.github.com> --- .../docs/installation/continuous-deployment-and-gitops.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/content/docs/installation/continuous-deployment-and-gitops.md b/content/docs/installation/continuous-deployment-and-gitops.md index de1d010c41..d67f5f1d1a 100644 --- a/content/docs/installation/continuous-deployment-and-gitops.md +++ b/content/docs/installation/continuous-deployment-and-gitops.md @@ -234,11 +234,6 @@ spec: helm: values: | installCRDs: true - podLabels: - azure.workload.identity/use: "true" - serviceAccount: - labels: - azure.workload.identity/use: "true" ignoreDifferences: - group: admissionregistration.k8s.io kind: ValidatingWebhookConfiguration From 5098cdbdbdd039e1e6572a67007cfc12e2ca2a2d Mon Sep 17 00:00:00 2001 From: shahkv95 <35930270+shahkv95@users.noreply.github.com> Date: Sun, 26 Nov 2023 10:43:07 +0530 Subject: [PATCH 3/3] formatting updates for installing cert-manager via argocd Signed-off-by: shahkv95 <35930270+shahkv95@users.noreply.github.com> --- .../continuous-deployment-and-gitops.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/docs/installation/continuous-deployment-and-gitops.md b/content/docs/installation/continuous-deployment-and-gitops.md index d67f5f1d1a..5801c67fe2 100644 --- a/content/docs/installation/continuous-deployment-and-gitops.md +++ b/content/docs/installation/continuous-deployment-and-gitops.md 
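Review bot: dropping the `azure.workload.identity/use` labels from `podLabels` and `serviceAccount.labels` is the right call, since they have nothing to do with the out-of-sync fix; after this removal, though, the "updated cert-manager manifest" block is the step-1 Application plus only the `ignoreDifferences` stanza, so consider showing just that delta (stating that `ignoreDifferences` sits directly under `spec`, alongside `source` and `syncPolicy`) instead of repeating the full Application, otherwise every later edit to the first manifest has to be mirrored here as well.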
@@ -118,7 +118,7 @@ kubectl logs -n cert-manager -l app.kubernetes.io/instance=cert-manager --prefix Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. ### Pre-requisites -Ensure, the following are in place before proceeding: +Ensure the following are in place before proceeding: - A Kubernetes cluster - ArgoCD deployed on the Kubernetes cluster: [installation guide](https://argo-cd.readthedocs.io/en/stable/getting_started/) - Optional: A GitOps repository connected with ArgoCD: [setup guide](https://argo-cd.readthedocs.io/en/stable/user-guide/private-repositories/) 
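Review bot: the context line `Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.` spells the project "Argo CD" while the new `## Using ArgoCD` heading and every other reference in the section say "ArgoCD"; since this patch is a formatting pass, settle on one spelling across the section (the project itself writes "Argo CD"). "Pre-requisites" would also read better as "Prerequisites".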
@@ -156,22 +156,22 @@ Ensure, the following are in place before proceeding: - CreateNamespace=true ``` 2. Commit the manifest file and sync the changes in ArgoCD. If a GitOps repository is not set up, use `kubectl apply -f ` to apply the manifest [installation guide for kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl). -3. ArgoCD will synchronize the Desired manifest and deploy cert-manager on Kubernetes based on the configuration provided. +3. ArgoCD will synchronize the `DESIRED MANIFEST` and deploy cert-manager on Kubernetes based on the provided configuration. ### Troubleshooting #### Scenario 1: -Out-of-sync cert-manager in AKS(Azure Kubernetes Service) cluster +Out-of-sync cert-manager in the AKS (Azure Kubernetes Service) cluster ##### Issue: -Cert-manager in the AKS cluster remains out-of-sync due to discrepancies between the Desired and Live manifest files. +Cert-manager in the AKS cluster remains out-of-sync due to discrepancies between the `DESIRED MANIFEST` and `LIVE MANIFEST` files. ##### Potential Reasons Multiple factors could cause the OutOfSync issue; refer to [ArgoCD documentation](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#diffing-customization) for potential causes. ##### Example configuration differences -Below configurations are observed to be present in the Live manifest but not in the Desired manifest file. +The below configurations are observed to be present in the `LIVE MANIFEST` but not in the `DESIRED MANIFEST` file. ```yaml apiVersion: admissionregistration.k8s.io/v1 
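Review bot: wrapping `DESIRED MANIFEST` and `LIVE MANIFEST` in backticks and capitals presents them as identifiers, which they are not; Argo CD's diff view calls them the desired and live manifests, so plain "desired manifest" / "live manifest" reads better and avoids the mismatch with the earlier hunk, which still writes "Desired and Live". This hunk also carries, unchanged, the step-2 context line with `kubectl apply -f ` followed by nothing; a formatting pass is the place to add the filename placeholder and the missing full stop. The headings `#### Scenario 1:` and `##### Issue:` do not need their trailing colons.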
@@ -194,10 +194,10 @@ webhooks: ``` ##### Root Cause Analysis -The discrepancy is rooted in how AKS manages admission controllers to protect internal services in the kube-system namespace. More details can be found [here](https://learn.microsoft.com/en-us/azure/aks/faq#can-admission-controller-webhooks-impact-kube-system-and-internal-aks-namespaces) +The discrepancy stems from how AKS manages admission controllers to protect internal services in the kube-system namespace. More details can be found in [Frequently Asked Questions about Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/faq#can-admission-controller-webhooks-impact-kube-system-and-internal-aks-namespaces) ##### Suggested Fix -It is also possible to ignore differences from fields owned by specific managers defined in `metadata.managedFields` in live resources. More details can be found [here](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#application-level-configuration) +It is also possible to ignore differences from fields owned by specific managers defined in `metadata.managedFields` in live resources. More details can be found in [(ArgoCD) Diffing Customization](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#application-level-configuration) To resolve this issue, modify the cert-manager manifest file under spec to ignore specific differences: ``` @@ -249,4 +249,4 @@ spec: - CreateNamespace=true ``` -Once ArgoCD syncs the updated manifest, the differences due to above 2 keys would be ignored and cert-manager would be in complete synchronization state. +Once ArgoCD syncs the updated manifest, the differences due to the above two keys will be ignored, and cert-manager will be in a complete synchronization state.
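Review bot: the "Suggested Fix" paragraph, even as rewritten here, describes ignoring differences "from fields owned by specific managers defined in `metadata.managedFields`", but the snippet that follows (`ignoreDifferences:` with `jqPathExpressions`) ignores by JSON path, a different mechanism; either describe `jqPathExpressions` in the prose or show `managedFieldsManagers` as the alternative the sentence promises. Both rewritten link sentences in this hunk still end without a full stop after the link, and the fence opening that snippet (plain ``` with no language) is the only unlabelled fence in the section; tag it `yaml` like the others. In the `-249` hunk the closing sentence reads well; "complete synchronization state" could simply say the Application reports `Synced`, matching the `OutOfSync` status name used earlier.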