
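ArgoCD GitOps in Practice: Application Sync, Multi-Cluster Management, ApplicationSet, and Release Strategies
GitOps treats the Git repository as the single source of truth for cluster state. ArgoCD continuously compares the desired state in Git with the actual state in Kubernetes and reconciles any drift. This guide covers production-grade ArgoCD patterns, from the basic Application resource to multi-cluster ApplicationSets and progressive delivery with Argo Rollouts.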
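Core concepts
- An Application maps a Git path to a Kubernetes cluster/namespace
- An AppProject defines the RBAC scope, including the allowed repositories, clusters, and resource types
- An ApplicationSet generates multiple Applications from a template
- Argo Rollouts is a progressive delivery controller for canary and blue-green deployments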

Installation
```bash
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
kubectl rollout status deploy/argocd-server -n argocd
# Read the auto-generated initial admin password
kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 -d
argocd login argocd.example.com --grpc-web
```
The Application resource
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-api
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: production
  source:
    repoURL: https://github.com/my-org/k8s-manifests
    targetRevision: main
    path: apps/my-api/overlays/production
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true        # delete resources that were removed from Git
      selfHeal: true     # revert changes made directly in the cluster
      allowEmpty: false  # refuse to sync to an empty resource set
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
  ignoreDifferences:
    - group: apps
      kind: Deployment
      jsonPointers:
        - /spec/replicas
```
AppProject: the RBAC boundary
```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: production
  namespace: argocd
spec:
  description: Production workloads
  # Repositories that Applications in this project may deploy from
  sourceRepos:
    - 'https://github.com/my-org/*'
  # Clusters and namespaces that Applications in this project may deploy to
  destinations:
    - namespace: 'production'
      server: https://kubernetes.default.svc
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
  namespaceResourceWhitelist:
    - group: 'apps'
      kind: Deployment
    - group: 'apps'
      kind: StatefulSet
  roles:
    - name: developer
      description: Can sync but not delete
      policies:
        - p, proj:production:developer, applications, get, production/*, allow
        - p, proj:production:developer, applications, sync, production/*, allow
      groups:
        - my-org:developers
```
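A pre-merge check for the boundary defined above, as an added example that is not part of the original guide or of ArgoCD itself: it reports whether an Application stays inside the project's `sourceRepos` and `destinations`, and flags wildcard entries that would remove the boundary. The function names and the simplified glob matching are assumptions of this example, not ArgoCD's own matcher.

```python
import re
from fnmatch import fnmatchcase

# Constructed from the AppProject and Application manifests on this page.
PROJECT = {
    "sourceRepos": ["https://github.com/my-org/*"],
    "destinations": [{"server": "https://kubernetes.default.svc",
                      "namespace": "production"}],
    "clusterResourceWhitelist": [{"group": "", "kind": "Namespace"}],
}
APP = {
    "repoURL": "https://github.com/my-org/k8s-manifests",
    "server": "https://kubernetes.default.svc",
    "namespace": "production",
}

def repo_allowed(pattern, url):
    # Simplified glob (assumption): a lone '*' admits everything,
    # otherwise '*' matches within a single path segment only.
    if pattern == "*":
        return True
    regex = re.escape(pattern).replace(r"\*", "[^/]*")
    return re.fullmatch(regex, url) is not None

def violations(project, app):
    """Reasons the Application falls outside the project boundary."""
    out = []
    if not any(repo_allowed(p, app["repoURL"]) for p in project["sourceRepos"]):
        out.append("repo not in sourceRepos: " + app["repoURL"])
    if not any(fnmatchcase(app["server"], d["server"])
               and fnmatchcase(app["namespace"], d["namespace"])
               for d in project["destinations"]):
        out.append("destination not allowed: %s/%s" % (app["server"], app["namespace"]))
    return out

def wildcard_findings(project):
    """Entries that admit everything and so remove the boundary."""
    found = []
    if "*" in project["sourceRepos"]:
        found.append("sourceRepos: *")
    for d in project["destinations"]:
        if d["server"] == "*" or d["namespace"] == "*":
            found.append("destinations: %s/%s" % (d["server"], d["namespace"]))
    for r in project.get("clusterResourceWhitelist", []):
        if r["group"] == "*" and r["kind"] == "*":
            found.append("clusterResourceWhitelist: */*")
    return found

if __name__ == "__main__":
    print(violations(PROJECT, APP), wildcard_findings(PROJECT))
```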
ApplicationSet: generating Applications at scale
List generator
```yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: microservices
  namespace: argocd
spec:
  generators:
    - list:
        elements:
          - service: api
            namespace: production
            replicas: "3"
          - service: worker
            namespace: production
            replicas: "5"
  template:
    metadata:
      name: '{{service}}'
      namespace: argocd
    spec:
      project: production
      source:
        repoURL: https://github.com/my-org/k8s-manifests
        targetRevision: main
        path: 'apps/{{service}}'
        helm:
          parameters:
            - name: replicaCount
              value: '{{replicas}}'
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{namespace}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
```

Git generator: automatic discovery
```yaml
generators:
  - git:
      repoURL: https://github.com/my-org/k8s-manifests
      revision: main
      directories:
        - path: 'apps/*/overlays/production'
```
Matrix generator: services x environments
```yaml
generators:
  - matrix:
      generators:
        - list:
            elements:
              - env: staging
                cluster: https://staging-cluster.example.com
              - env: production
                cluster: https://prod-cluster.example.com
        - git:
            repoURL: https://github.com/my-org/k8s-manifests
            revision: main
            directories:
              - path: 'apps/*'
```
Pull Request generator: preview environments
```yaml
generators:
  - pullRequest:
      github:
        owner: my-org
        repo: my-app
        tokenRef:
          secretName: github-token
          key: token
        # Only pull requests carrying this label get a preview environment
        labels:
          - preview
      requeueAfterSeconds: 60
template:
  metadata:
    name: 'preview-{{number}}'
  spec:
    source:
      path: apps/my-app
      helm:
        parameters:
          - name: image.tag
            value: 'pr-{{number}}'
    destination:
      namespace: 'preview-{{number}}'
```
Multi-cluster management
Registering an external cluster
```bash
argocd cluster add prod-cluster-west --name prod-west
argocd cluster list
```

ApplicationSet with the Cluster generator
```yaml
generators:
  - clusters:
      selector:
        matchLabels:
          argocd.argoproj.io/secret-type: cluster
          environment: production
template:
  spec:
    destination:
      server: '{{server}}'
      namespace: production
```
Argo Rollouts: progressive delivery
Canary release
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: my-api
spec:
  replicas: 10
  strategy:
    canary:
      steps:
        - setWeight: 10
        - pause: { duration: 5m }
        - analysis:
            templates:
              - templateName: error-rate-check
        - setWeight: 50
        - pause: { duration: 10m }
        - setWeight: 100
      canaryService: my-api-canary
      stableService: my-api-stable
      trafficRouting:
        nginx:
          stableIngress: my-api-ingress
```
AnalysisTemplate for automated promotion
```yaml
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
  name: error-rate-check
spec:
  metrics:
    - name: error-rate
      interval: 1m
      count: 5
      successCondition: result[0] < 0.01
      failureLimit: 1
      provider:
        prometheus:
          address: http://prometheus.monitoring:9090
          query: |
            sum(rate(http_requests_total{status=~"5..",rollout_type="canary"}[5m]))
            /
            sum(rate(http_requests_total{rollout_type="canary"}[5m]))
```
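How the settings above (`count: 5`, `failureLimit: 1`, `successCondition: result[0] < 0.01`) decide a canary, as an added example that is not Argo Rollouts code: a simplified model in which a measurement fails when the success condition is false and the run fails once failures exceed the limit. The sample traffic is constructed, and the function names are assumptions of this example; it also covers the case of a canary that receives no traffic, where the ratio is NaN.

```python
import math

# Settings taken from the AnalysisTemplate on this page.
COUNT, FAILURE_LIMIT, THRESHOLD = 5, 1, 0.01

def error_rate(errors, total):
    """5xx ratio as the PromQL query computes it; 0/0 is NaN, not 0."""
    return errors / total if total else math.nan

def measurement_ok(value):
    # successCondition: result[0] < 0.01 (any comparison with NaN is False)
    return value < THRESHOLD

def run_analysis(samples):
    """Return (phase, measurements_taken) for up to COUNT (errors, total) samples."""
    failed = 0
    for taken, (errors, total) in enumerate(samples[:COUNT], start=1):
        if not measurement_ok(error_rate(errors, total)):
            failed += 1
        if failed > FAILURE_LIMIT:
            return "Failed", taken  # the run stops here and the canary is not promoted
    return "Successful", min(len(samples), COUNT)

# Constructed per-minute samples: (5xx requests, all requests) seen by the canary.
HEALTHY = [(0, 900), (2, 950), (1, 1000), (0, 980), (3, 990)]
ONE_SPIKE = [(0, 900), (40, 950), (1, 1000), (0, 980), (3, 990)]
REGRESSED = [(0, 900), (40, 950), (55, 1000), (0, 980), (3, 990)]
NO_TRAFFIC = [(0, 0)] * 5

if __name__ == "__main__":
    for name, data in [("healthy", HEALTHY), ("one spike", ONE_SPIKE),
                       ("regressed", REGRESSED), ("no traffic", NO_TRAFFIC)]:
        print(name, run_analysis(data))
```

In this model a single bad minute is tolerated, a second one stops the run, and a canary with no requests fails closed because NaN never satisfies the success condition.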
Image Updater
```bash
kubectl apply -n argocd \
  -f https://raw.githubusercontent.com/argoproj-labs/argocd-image-updater/stable/manifests/install.yaml
```
```yaml
metadata:
  annotations:
    argocd-image-updater.argoproj.io/image-list: myapp=registry.example.com/my-app
    argocd-image-updater.argoproj.io/myapp.update-strategy: semver
    argocd-image-updater.argoproj.io/write-back-method: git
    argocd-image-updater.argoproj.io/git-branch: main
```
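Conclusion
ArgoCD turns Kubernetes operations from imperative kubectl commands into a declarative, Git-driven workflow. ApplicationSet removes the toil of managing dozens of services or clusters. Argo Rollouts adds traffic-weighted canary deployments with automated analysis. Together they form a complete GitOps platform that gives teams both speed and safety when deploying to production.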