argoproj · alexmt · Sep 24, 2018 · Sep 22, 2018
@@ -78,9 +78,8 @@ cli-darwin: clean-debug
 argocd-util: clean-debug
 	CGO_ENABLED=0 go build -v -i -ldflags '${LDFLAGS} -extldflags "-static"' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
 
-.PHONY: install-manifest
-install-manifest:
-	if [ "${IMAGE_NAMESPACE}" = "" ] ; then echo "IMAGE_NAMESPACE must be set to build install manifest" ; exit 1 ; fi
+.PHONY: manifests
+manifests:
 	./hack/update-manifests.sh
 
 .PHONY: server

@@ -1,33 +1,34 @@
 # ArgoCD Release Instructions
 
-1. Tag and build argo-cd-ui
+1. Tag, build, and push argo-cd-ui
 ```bash
 cd argo-cd-ui
 git tag vX.Y.Z
 git push upstream vX.Y.Z
 IMAGE_NAMESPACE=argoproj IMAGE_TAG=vX.Y.Z DOCKER_PUSH=true yarn docker
 ```
 
-2. Edit CHANGELOG.md, getting_started.md, install manifests with new version
+2. Create release-X.Y branch (if creating initial X.Y release)
 ```bash
-make install-manifest IMAGE_NAMESPACE=argoproj IMAGE_TAG=vX.Y.Z
+git checkout -b release-X.Y
+git push upstream release-X.Y
+```
+
+3. Update manifests with new version
+```bash
+vi manifests/base/kustomization.yaml # update with new image tags
+make manifests
 git commit -a -m "Update manifests to vX.Y.Z"
 git push upstream master
 ```
 
-3. Tag, build the release, and push to docker hub
+4. Tag, build, and push release to docker hub
 ```bash
 git tag vX.Y.Z
 make release IMAGE_NAMESPACE=argoproj IMAGE_TAG=vX.Y.Z DOCKER_PUSH=true
 git push upstream vX.Y.Z
 ```
 
-4. Create release-X.Y branch (if necessary)
-```bash
-git checkout -b release-X.Y
-git push upstream release-X.Y
-```
-
 5. Update argocd brew formula
 ```bash
 git clone https://github.com/argoproj/homebrew-tap
@@ -37,3 +38,8 @@ shasum -a 256 ~/go/src/github.com/argoproj/argo-cd/dist/argocd-darwin-amd64
 git commit -a -m "Update argocd to vX.Y.Z"
 git push
 ```
+
+6. Update documentation:
+* Edit CHANGELOG.md with release notes
+* Update getting_started.md with new version
+* Create GitHub release from new tag and upload binaries (e.g. dist/argocd-darwin-amd64)
@@ -1,11 +1,22 @@
 #!/bin/sh
 
-IMAGE_NAMESPACE=${IMAGE_NAMESPACE:='argoproj'}
-IMAGE_TAG=${IMAGE_TAG:='latest'}
+SRCROOT="$( cd "$(dirname "$0")/.." ; pwd -P )"
+AUTOGENMSG="# This is an auto-generated file. DO NOT EDIT"
 
-for i in "$(ls manifests/components/*.yaml)"; do
-    sed -i '' 's@\( image: \(.*\)/\(argocd-.*\):.*\)@ image: '"${IMAGE_NAMESPACE}"'/\3:'"${IMAGE_TAG}"'@g' $i
-done
+update_image () {
+  if [ ! -z "${IMAGE_NAMESPACE}" ]; then
+    sed -i '' 's| image: \(.*\)/\(argocd-.*\)| image: '"${IMAGE_NAMESPACE}"'/\2|g' ${1}
+  fi
+  if [ ! -z "${IMAGE_TAG}" ]; then
+    sed -i '' 's|\( image: .*/argocd-.*\)\:.*|\1:'"${IMAGE_TAG}"'|g' ${1}
+  fi
+}
+
+echo "${AUTOGENMSG}" > ${SRCROOT}/manifests/install.yaml
+kustomize build ${SRCROOT}/manifests/cluster-install >> ${SRCROOT}/manifests/install.yaml
+update_image ${SRCROOT}/manifests/install.yaml
+
+echo "${AUTOGENMSG}" > ${SRCROOT}/manifests/namespace-install.yaml
+kustomize build ${SRCROOT}/manifests/base >> ${SRCROOT}/manifests/namespace-install.yaml
+update_image ${SRCROOT}/manifests/namespace-install.yaml
 
-echo "# This is an auto-generated file. DO NOT EDIT" > manifests/install.yaml
-cat manifests/components/*.yaml >> manifests/install.yaml
@@ -0,0 +1,16 @@
+# ArgoCD Installation Manifests
+
+Two sets of installation manifests are provided:
+
+* [install.yaml](install.yaml) - Standard ArgoCD installation with cluster-admin access. Use this
+  manifest set if you plan to use ArgoCD to deploy applications in the same cluster that ArgoCD runs
+  in (i.e. kubernetes.svc.default). Will still be able to deploy to external clusters with inputted
+  credentials.
+
+* [namespace-install.yaml](namespace-install.yaml) - Installation of ArgoCD which requires only
+  namespace level privileges (does not need cluster roles). Use this manifest set if you do not
+  need ArgoCD to deploy applications in the same cluster that ArgoCD runs in, and will rely solely
+  on inputted cluster credentials. An example of using this set of manifests is if you run several
+  ArgoCD instances for different teams, where each instance will bedeploying applications to
+  external clusters. Will still be possible to deploy to the same cluster (kubernetes.svc.default)
+  with inputted credentials (i.e. `argocd cluster add <CONTEXT> --in-cluster`).
@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+# data:
+#   # ArgoCD's externally facing base URL. Required for configuring SSO
+#   # url: https://argo-cd-demo.argoproj.io
+#
+#   # A dex connector configuration. See documentation on how to configure SSO:
+#   # https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso 
+#   dex.config: |
+#     connectors:
+#       # GitHub example
+#       - type: github
+#         id: github
+#         name: GitHub
+#         config:
+#           clientID: aabbccddeeff00112233
+#           clientSecret: $dex.github.clientSecret
+#           orgs:
+#           - name: your-github-org
+#             teams:
+#             - red-team
@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+# data:
+#   # An RBAC policy .csv file containing additional policy and role definitions.
+#   # See https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md on how to write RBAC policies.
+#   policy.csv: |
+#     # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project"
+#     p, my-org:team-alpha, applications, sync, my-project/*, allow
+#     # Make all members of "my-org:team-beta" admins
+#     g, my-org:team-beta, role:admin
+#
+#   # The default role ArgoCD will fall back to, when authorizing API requests
+#   policy.default: role:readonly
@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-secret
+type: Opaque
+# data:
+#   # TLS certificate and private key for API server.
+#   # Autogenerated with a self-signed ceritificate if keys are missing.
+#   tls.crt: 
+#   tls.key:
+#
+#   # bcrypt hash of the admin password and it's last modified time. Autogenerated on initial
+#   # startup. To reset a forgotten password, delete both keys and restart argocd-server.
+#   admin.password:
+#   admin.passwordMtime: 
+#
+#   # random server signature key for session validation. Autogenerated on initial startup
+#   server.secretkey:
+#
+#   # The following keys hold the shared secret for authenticating GitHub/GitLab/BitBucket webhook
+#   # events. To enable webhooks, configure one or more of the following keys with the shared git
+#   # provider webhook secret. The payload URL configured in the git provider should use the 
+#   # /api/webhook endpoint of your ArgoCD instance (e.g. https://argocd.example.com/api/webhook)
+#   github.webhook.secret: 
+#   gitlab.webhook.secret:
+#   bitbucket.webhook.uuid: 
@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -14,12 +13,6 @@ spec:
     spec:
       serviceAccountName: argocd-server
       initContainers:
-      - name: copyutil
-        image: argoproj/argocd-server:latest
-        command: [cp, /argocd-util, /shared]
-        volumeMounts:
-        - mountPath: /shared
-          name: static-files
       - name: ui
         image: argoproj/argocd-ui:latest
         command: [cp, -r, /app, /shared]

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -22,11 +21,11 @@ spec:
           name: static-files
       containers:
       - name: dex
-        image: quay.io/coreos/dex:v2.10.0
+        image: quay.io/dexidp/dex:v2.11.0
         command: [/shared/argocd-util, rundex]
         ports:
-          - containerPort: 5556
-          - containerPort: 5557
+        - containerPort: 5556
+        - containerPort: 5557
         volumeMounts:
         - mountPath: /shared
           name: static-files

@@ -1,14 +1,10 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: dex-server-role
 rules:
 - apiGroups:
   - ""
-  resourceNames:
-  - argocd-cm
-  - argocd-secret
   resources:
   - secrets
   - configmaps

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:

@@ -0,0 +1,31 @@
+resources:
+- application-crd.yaml
+- appproject-crd.yaml
+- argocd-cm.yaml
+- argocd-secret.yaml
+- argocd-rbac-cm.yaml
+- application-controller-sa.yaml
+- application-controller-role.yaml
+- application-controller-rolebinding.yaml
+- application-controller-deployment.yaml
+- argocd-server-sa.yaml
+- argocd-server-role.yaml
+- argocd-server-rolebinding.yaml
+- argocd-server-deployment.yaml
+- argocd-server-service.yaml
+- argocd-metrics-service.yaml
+- argocd-repo-server-deployment.yaml
+- argocd-repo-server-service.yaml
+- dex-server-sa.yaml
+- dex-server-role.yaml
+- dex-server-rolebinding.yaml
+- dex-server-deployment.yaml
+- dex-server-service.yaml
+
+imageTags:
+- name: argoproj/argocd-server
+  newTag: latest
+- name: argoproj/argocd-repo-server
+  newTag: latest
+- name: argoproj/application-controller
+  newTag: latest
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: application-controller-clusterrole
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - '*'
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: application-controller-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: application-controller-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: application-controller
+  namespace: argocd
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argocd-server-clusterrole
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - delete
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argocd-server-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-server-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: argocd-server
+  namespace: argocd