Argo CI/CD permission configuration
1. ECR pull permission configuration
Get the token
aws ecr get-login-password --region ap-northeast-1
Create the pull secret
kubectl create secret docker-registry regcred --docker-server=https://xxxxxxx.dkr.ecr.ap-northeast-1.amazonaws.com --docker-username=AWS --docker-password=<ECR_TOKEN> --docker-email=YOUREMAIL@ADDRESS -n argo
Reference it through imagePullSecrets
triggers:
  - template:
      name: build-workflow-trigger
      argoWorkflow:
        group: argoproj.io
        version: v1alpha1
        resource: workflows
        operation: submit
        source:
          resource:
            apiVersion: argoproj.io/v1alpha1
            kind: Workflow
            metadata:
              generateName: buildbebuildkit-
              namespace: argo
            spec:
              # serviceAccountName: operate-workflow-sa
              entrypoint: main
              onExit: exit-handler
              imagePullSecrets:
                - name: regcred
Or
entrypoint: main
onExit: exit-handler
imagePullSecrets:
  - name: regcred
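The token returned by aws ecr get-login-password is valid for 12 hours, so regcred has to be re-created before it expires. The script below is an added example, not part of the original notes: it renders the same pull secret from a token read on stdin, which keeps the token out of the command line and shell history. The helper name render_regcred and its default secret name and namespace are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original notes): build the regcred pull secret
# from an ECR token on stdin instead of passing it via --docker-password.

# Base64-encode stdin on one line (base64 implementations wrap differently).
b64() { base64 | tr -d '\n'; }

# render_regcred REGISTRY [NAME] [NAMESPACE]  (hypothetical helper)
# Reads the token from stdin, prints a kubernetes.io/dockerconfigjson Secret.
render_regcred() {
  registry=$1; name=${2:-regcred}; ns=${3:-argo}
  token=$(cat)
  [ -n "$token" ] || { echo "empty token on stdin" >&2; return 1; }
  # The token is interpolated into JSON unescaped, so refuse quotes/backslashes.
  case $token in
    *\"*|*\\*) echo "token needs JSON escaping" >&2; return 1 ;;
  esac
  auth=$(printf 'AWS:%s' "$token" | b64)
  cfg=$(printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
    "$registry" "$token" "$auth" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# Usage; kubectl apply updates the existing secret in place:
#   aws ecr get-login-password --region ap-northeast-1 \
#     | render_regcred xxxxxxx.dkr.ecr.ap-northeast-1.amazonaws.com \
#     | kubectl apply -f -
```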
2. If you need to push to ECR manually
aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin xxxxxx.dkr.ecr.ap-northeast-1.amazonaws.com
3. Push to ECR with Kaniko
4. GitHub permissions
Create the secret
apiVersion: v1
data:
  password: xxxxxx=
  username: xxxxxxxxx
kind: Secret
metadata:
  name: github-creds
  namespace: default
type: Opaque
Then reference it
- name: clone
  inputs:
    artifacts:
      - name: argo-source
        path: /src
        git:
          repo: '{{workflow.parameters.repo}}'
          revision: '{{workflow.parameters.branch}}'
          usernameSecret:
            name: github-creds
            key: username
          passwordSecret:
            name: github-creds
            key: password
To reference a secret from an environment variable, use
- name: deploy
  inputs:
    parameters:
      - name: depfileyaml
  container:
    name: ''
    image: 'xxxxxxx.dkr.ecr.ap-northeast-1.amazonaws.com/xxxxxx'
    command:
      - /main.sh
    args:
      - '{{inputs.parameters.depfileyaml}}'
    workingDir: /
    env:
      - name: GIT_URL
        valueFrom:
          secretKeyRef:
            key: mykey
            name: giturl

apiVersion: v1
data:
  mykey: xxxxxxxxxxxxxxxx
kind: Secret
metadata:
  name: giturl
  namespace: default
type: Opaque