# Implementing GitOps on Kubernetes with ArgoCD
## Introduction

GitOps is a modern continuous-delivery approach in which Git is the single source of truth for infrastructure and application definitions. ArgoCD is the most widely used GitOps tool for Kubernetes: it watches a Git repository and reconciles the cluster state against it, automating deployments.

This tutorial walks through building a complete GitOps pipeline, from installing ArgoCD to deploying a multi-environment application with automated sync, health monitoring and secret management.
## Prerequisites

- A Kubernetes cluster (minikube, kind or a managed cloud cluster)
- kubectl configured against that cluster
- Helm v3 installed
- A Git repository (GitHub/GitLab)
- Basic Kubernetes knowledge
## Step 1: Install ArgoCD

```bash
# Create the namespace
kubectl create namespace argocd

# Install ArgoCD
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# Wait for the pods to become ready
kubectl wait --for=condition=Ready pods --all -n argocd --timeout=300s

# Retrieve the initial admin password
argocd_password=$(kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 -d)
echo "ArgoCD admin password: $argocd_password"
```

Expose the ArgoCD server:

```bash
kubectl port-forward svc/argocd-server -n argocd 8080:443 &

# Install the ArgoCD CLI
curl -sSL -o argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
chmod +x argocd && sudo mv argocd /usr/local/bin/

# --insecure skips TLS verification because the port-forwarded server presents a self-signed certificate
argocd login localhost:8080 --username admin --password "$argocd_password" --insecure
```
## Step 2: Set up the GitOps repository structure

```text
gitops-demo/
├── apps/              # ArgoCD Application definitions
│   ├── dev/
│   ├── staging/
│   └── production/
├── base/              # Base Kubernetes manifests
│   ├── deployment.yaml
│   ├── service.yaml
│   └── kustomization.yaml
├── overlays/          # Environment-specific patches
│   ├── dev/
│   ├── staging/
│   └── production/
└── sealed-secrets/
```
## Step 3: Create the base Kubernetes manifests

`base/deployment.yaml`

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      containers:
        - name: web-app
          image: nginx:1.25-alpine
          ports:
            - containerPort: 80
          # The stock nginx image only serves /, so the probes target a path that exists;
          # switch them to /healthz and /ready once the application exposes those endpoints
          livenessProbe:
            httpGet:
              path: /
              port: 80
          readinessProbe:
            httpGet:
              path: /
              port: 80
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
```
## Step 4: Create the environment overlays

`overlays/production/kustomization.yaml` (`resources` and `patches` replace the deprecated `bases` and `patchesStrategicMerge` fields in current Kustomize releases):

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: production
namePrefix: prod-
resources:
  - ../../base
# patch-replicas.yaml and patch-resources.yaml sit next to this file
patches:
  - path: patch-replicas.yaml
  - path: patch-resources.yaml
```
## Step 5: Define the ArgoCD Application

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: web-app-dev
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/your-org/gitops-demo.git
    targetRevision: main
    path: overlays/dev
  destination:
    server: https://kubernetes.default.svc
    namespace: dev
  syncPolicy:
    automated:
      prune: true      # delete cluster resources that were removed from Git
      selfHeal: true   # revert manual changes made directly in the cluster
    syncOptions:
      - CreateNamespace=true
```
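Once automated sync is on, the check worth running is whether each Application is actually Synced and Healthy, and whether any drift is left with nobody reconciling it. The script below is an added example, not part of this tutorial: it audits the JSON that `kubectl get applications -n argocd -o json` returns (a constructed sample is embedded so it runs offline) using the `status.sync`, `status.health` and `spec.syncPolicy.automated` fields ArgoCD populates.

```python
import json

# Constructed sample of `kubectl get applications -n argocd -o json` output
SAMPLE_APP_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "web-app-dev"},
         "spec": {"syncPolicy": {"automated": {"prune": True, "selfHeal": True}}},
         "status": {"sync": {"status": "Synced"}, "health": {"status": "Healthy"}}},
        {"metadata": {"name": "web-app-staging"},
         "spec": {"syncPolicy": {}},
         "status": {"sync": {"status": "OutOfSync"}, "health": {"status": "Healthy"}}},
        {"metadata": {"name": "web-app-production"},
         "spec": {"syncPolicy": {"automated": {"prune": True, "selfHeal": True}}},
         "status": {"sync": {"status": "Synced"}, "health": {"status": "Degraded"}}},
    ]
})


def audit_applications(app_list_json):
    """Return (application name, finding) pairs for Applications that need attention."""
    findings = []
    for app in json.loads(app_list_json).get("items", []):
        name = app["metadata"]["name"]
        status = app.get("status", {})
        sync = status.get("sync", {}).get("status", "Unknown")
        health = status.get("health", {}).get("status", "Unknown")
        automated = (app.get("spec", {}).get("syncPolicy") or {}).get("automated")
        if sync != "Synced":
            # The cluster differs from Git. Without an automated policy nothing will
            # reconcile it, so a manual change (or a missed commit) persists silently.
            if automated is None:
                findings.append((name, f"{sync} and no automated sync: manual drift persists"))
            else:
                findings.append((name, f"{sync}: reconciliation pending or failing"))
        if health not in ("Healthy", "Progressing"):
            # Synced but unhealthy means the last commit broke the workload
            findings.append((name, f"health {health}: last sync did not produce a healthy workload"))
    return findings


if __name__ == "__main__":
    for app_name, finding in audit_applications(SAMPLE_APP_LIST):
        print(f"{app_name}: {finding}")
```

Pipe real output into it with `kubectl get applications -n argocd -o json | python3 audit.py` after swapping the sample for `sys.stdin.read()`.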
## Step 6: Manage secrets with Sealed Secrets

```bash
# Install the Sealed Secrets controller
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm install sealed-secrets sealed-secrets/sealed-secrets -n kube-system

# Create the Secret locally and seal it; only the sealed form is committed.
# Seal it for the namespace it will be unsealed in (the default scope binds the
# ciphertext to the Secret's name and namespace), e.g. with -n dev.
kubectl create secret generic web-app-secrets \
  --from-literal=DATABASE_URL='postgresql://user:pass@db:5432/app' \
  --dry-run=client -o yaml > /tmp/secret.yaml

# The Helm release names the controller "sealed-secrets", so point kubeseal at it
kubeseal --format yaml \
  --controller-name sealed-secrets --controller-namespace kube-system \
  < /tmp/secret.yaml > sealed-secrets/web-app-secrets.yaml

# Remove the plaintext Secret so it never reaches the repository
rm /tmp/secret.yaml
```
## Step 7: The App of Apps pattern

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/your-org/gitops-demo.git
    path: apps
    directory:
      recurse: true   # pick up apps/dev, apps/staging and apps/production
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```
## Step 8: Canary releases with Argo Rollouts

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: web-app
spec:
  replicas: 3
  # A Rollout needs its own selector and pod template, mirroring the base Deployment
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      containers:
        - name: web-app
          image: nginx:1.25-alpine
          ports:
            - containerPort: 80
  strategy:
    canary:
      steps:
        - setWeight: 10
        - pause: { duration: 2m }
        - setWeight: 30
        - pause: { duration: 2m }
        - setWeight: 60
        - pause: { duration: 2m }
        - setWeight: 100
```
## Step 9: Build the promotion pipeline

```yaml
# .github/workflows/promote.yaml
name: Promote to Production
on:
  workflow_dispatch:
    inputs:
      image_tag:
        description: 'Image tag to promote'
        required: true
# The default GITHUB_TOKEN needs write access to push the promotion commit
permissions:
  contents: write
jobs:
  promote:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Update the production image
        # Pass the input through an environment variable instead of interpolating
        # it into the script, so its contents cannot be executed as shell
        env:
          IMAGE_TAG: ${{ inputs.image_tag }}
        run: |
          cd overlays/production
          kustomize edit set image "nginx=your-registry/web-app:${IMAGE_TAG}"
      - name: Commit and push
        env:
          IMAGE_TAG: ${{ inputs.image_tag }}
        run: |
          git config user.name "GitHub Actions"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add . && git commit -m "promote: ${IMAGE_TAG} to production"
          git push
```
## Summary

You have now built a production-grade GitOps pipeline.

GitOps keeps the cluster state consistent with Git at all times: auditable, reproducible and recoverable.