argocd: use native http client, apply fallback on sync timeout, local ITs instance script (#193)

Author: benbroadaway

tasks/argocd/README.md

@@ -0,0 +1,87 @@
+# `argocd` plugin for Concord
+
+
+## Integration Tests
+
+Integration tests run against a local ArgoCD instance. Run the [`install_argo.sh`](./local_argo/install_argo.sh)
+script to set up an instance including
+
+- Local K3s cluster in Docker
+- Basic ArgoCD installation
+- LDAP Dex connector
+- Git repository server
+- Default Repository in ArgoCD, with SSH keypair auth
+
+### Prerequisites
+
+- `git`
+- `docker` or `rancher`
+- `kubectl` (optionally `k9s`)
+- `ansible` with [`kubernetes` module](https://pypi.org/project/kubernetes/)
+    and [`kubernetes.core` collection](https://galaxy.ansible.com/ui/repo/published/kubernetes/core/)
+
+### Things To Know
+
+#### Ingress Hostname
+
+The trickiest part is getting a hostname to work both within docker (e.g. ITs executing
+through Concord testcontainers) and outside (e.g. direct JUnit ITs). The default
+setup uses `host.docker.internal`. That solves the internal problem. However, this
+requires some manual intervention on the host machine to resolve the hostname. This
+should be as simple as adding an `/etc/hosts` entry.
+
+```
+# ...leave existing entries
+
+# this is needed for the integration tests to work
+127.0.0.1 host.docker.internal
+```
+
+Alternatively, use a hostname or IP address which is accessible on your
+network (e.g. your workstation's IP address).
+
+#### Generated Files
+
+Some required values and files must be generated at install-time, and it's just
+cleaner to keep "secrets" (event for testing) out of the repository. All of these
+generated files are saved to the
+[`local_argo/playbook/roles/argocd/files`](./local_argo/playbook/roles/argocd/files)
+directory.
+
+- `argo_install_manifest.yml` - ArgoCD k8ts install manifest
+- `k3s_server_ca.crt` - kubernetes CA certificate
+- `k3s_token.txt` - init token for k3s
+- `kubeconfig.yaml` - kubeconfig for the k3s cluster
+- `ldap_cfg.txt` - admin password and user ldap info
+- `test_key` and `test_key.pub` - ssh keypair for git repo access
+- `test_input.properties` - consolidated info for integration test input
+
+### Install ArgoCD in K3s
+
+Use [install_argo.sh](./local_argo/install_argo.sh) to start a `k3s` instance with
+ArgoCD in the `argocd` namespace. This will also generate a `kubeconfig.yaml` which
+can be used to interact with the cluster (e.g. with `kubectl` or `k9s`) for debugging.
+
+```
+$ cd local_argo
+$ ./install_argo.sh --ingress-host <your-hostname-or-ip>
+```
+
+Optionally, skip downloading argocd manifest on first rut. Note: download will be
+skipped if the destination file already exists.
+
+```
+$ ./install_argo.sh --skip-manifest-download
+```
+
+### Run Integration Tests
+
+```
+# run mvn from project root
+$ mvn clean install --pl tasks/argocd
+$ mvn verify --pl tasks/argocd -DskipArgoITs=false
+...
+[INFO] Results:
+[INFO]
+[INFO] Tests run: 4, Failures: 0, Errors: 0, Skipped: 0
+```

tasks/argocd/local_argo/.gitignore

@@ -0,0 +1,2 @@
+playbook/roles/argocd/files/generated
+*venv

tasks/argocd/local_argo/docker-compose.yml

@@ -0,0 +1,65 @@
+# to run define K3S_TOKEN, K3S_VERSION is optional, eg:
+#   K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM} docker-compose up
+
+services:
+
+  server:
+    image: "rancher/k3s:${K3S_VERSION:-latest}"
+    command: server
+    tmpfs:
+      - /run
+      - /var/run
+    ulimits:
+      nproc: 65535
+      nofile:
+        soft: 65535
+        hard: 65535
+    privileged: true
+    restart: always
+    environment:
+      - K3S_TOKEN=${K3S_TOKEN:?err}
+      - K3S_KUBECONFIG_OUTPUT=/output/kubeconfig.yaml
+      - K3S_KUBECONFIG_MODE=666
+    volumes:
+      - k3s-server:/var/lib/rancher/k3s
+      # This is just so that we get the kubeconfig file out
+      - ./playbook/roles/argocd/files/generated:/output
+    ports:
+      - 6443:6443  # Kubernetes API Server
+      - 80:80      # Ingress controller port 80
+      - 443:443    # Ingress controller port 443
+      - 8080:8080  # port forward TODO be smarter (set up ingress to argo through ^^443^^)
+    networks:
+      - argo-net
+
+  agent:
+    image: "rancher/k3s:${K3S_VERSION:-latest}"
+    tmpfs:
+      - /run
+      - /var/run
+    ulimits:
+      nproc: 65535
+      nofile:
+        soft: 65535
+        hard: 65535
+    privileged: true
+    restart: always
+    environment:
+      - K3S_URL=https://server:6443
+      - K3S_TOKEN=${K3S_TOKEN:?err}
+    volumes:
+      - k3s-agent:/var/lib/rancher/k3s
+    networks:
+      - argo-net
+
+volumes:
+  k3s-server: {}
+  k3s-agent: {}
+
+networks:
+  argo-net:
+    ipam:
+      config:
+        - ip_range: "192.168.90.0/24"
+          subnet: "192.168.90.0/24"
+          gateway: "192.168.90.1"

tasks/argocd/local_argo/install_argo.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+
+set -o pipefail
+set -o errexit
+
+printHelp() {
+    echo "usage: $0 [-h] [---skip-manifest-download]"
+}
+
+function join_by {
+    local IFS="$1";
+    shift;
+    echo "$*";
+}
+
+ingressHostname="host.docker.internal"
+generatedFilesDir="playbook/roles/argocd/files/generated"
+
+while [ "$1" != "" ]; do
+    case $1 in
+        -h | --help )             printHelp
+                                  exit
+                                  ;;
+        -i | --ingress-hostname ) shift
+                                  ingressHostname="${1}"
+                                  ;;
+        -s | --skip-manifest-download )
+                                  skipManifestDownload="true"
+                                  ;;
+        * )
+            echo "Invalid parameter '$1'"
+            printHelp
+            exit 1
+    esac
+    # Shift all the parameters down by one
+    shift
+done
+
+# install argocd
+
+mkdir -p "${generatedFilesDir}"
+
+if [ -f "${generatedFilesDir}/k3s_token.txt" ]; then
+  K3S_TOKEN=$(cat "${generatedFilesDir}/k3s_token.txt")
+else
+  K3S_TOKEN=$(head /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32 | tee "${generatedFilesDir}/k3s_token.txt")
+fi
+
+export K3S_TOKEN
+docker compose up -d
+
+sleep 5
+
+mkdir -p "${generatedFilesDir}"
+
+# export server ca so ansible is less cranky
+docker cp local_argo-server-1:/var/lib/rancher/k3s/server/tls/server-ca.crt "${generatedFilesDir}/k3s_server_ca.crt"
+
+if [ -f "${generatedFilesDir}/ldap_cfg.txt" ]; then
+  ldapAdminPassword=$(grep 'adminPassword:' "${generatedFilesDir}/ldap_cfg.txt" | sed 's/adminPassword://')
+  ldapUsername=$(grep 'username:' "${generatedFilesDir}/ldap_cfg.txt" | sed 's/username://')
+  ldapPassword=$(grep 'password:' "${generatedFilesDir}/ldap_cfg.txt" | sed 's/password://')
+else
+  ldapAdminPassword=$(head /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32)
+  read -r -p    "Enter LDAP username: " ldapUsername
+  read -r -s -p "Enter LDAP password: " ldapPassword
+
+  echo "adminPassword:${ldapAdminPassword}" >  "${generatedFilesDir}/ldap_cfg.txt"
+  echo "username:${ldapUsername}"           >> "${generatedFilesDir}/ldap_cfg.txt"
+  echo "password:${ldapPassword}"           >> "${generatedFilesDir}/ldap_cfg.txt"
+fi
+
+# argocd kubernetes manifest
+if [[ -f "${generatedFilesDir}/argo_install_manifest.yml" || "${skipManifestDownload}" == *"true"* ]]; then
+    echo "Skipping manifest download"
+else
+    echo "Downloading latest ArgoCD manifest"
+    curl -o "${generatedFilesDir}/argo_install_manifest.yml" https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+fi
+
+# keypair for git in-cluster git operations
+if [[ ! -f "${generatedFilesDir}/test_key" ]]
+then
+   ssh-keygen -t rsa -b 4096 -C "[email protected]" -m pem -N '' -f "${generatedFilesDir}/test_key"
+fi
+
+# python3 -m venv localvenv
+# source localvenv/bin/activate
+# pip install kubernetes
+# ansible-galaxy collection install kubernetes.core
+ansible-playbook -i ./playbook/inventory.yml \
+  -e ingress_hostname="${ingressHostname}" \
+  -e ldap_admin_password="${ldapAdminPassword}" \
+  -e ldap_username="${ldapUsername}" \
+  -e ldap_password="${ldapPassword}" \
+  ./playbook/main.yml
+
+cat > "${generatedFilesDir}/test_input.properties" << EOF
+ARGO_IT_APP_NAMESPACE=test-namespace
+ARGO_IT_BASE_API=https://${ingressHostname}
+ARGO_IT_BASIC_ADMIN_PASSWORD=$(< "${generatedFilesDir}/argocd_admin_password.txt")
+ARGO_IT_KUBECONFIG_PATH=local_argo/${generatedFilesDir}/kubeconfig.yaml
+ARGO_IT_LDAP_USERNAME=${ldapUsername}
+ARGO_IT_LDAP_PASSWORD=${ldapPassword}
+EOF

tasks/argocd/local_argo/playbook/inventory.yml

@@ -0,0 +1,9 @@
+---
+local:
+  hosts:
+    k3s:
+      ansible_host: localhost
+      kubconfig_path: roles/argocd/files/generated/kubeconfig.yaml
+      k8s_ca_cert: roles/argocd/files/generated/k3s_server_ca.crt
+      ansible_connection: local
+      k8s_ns: argocd

tasks/argocd/local_argo/playbook/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Main playbook
+  hosts: all
+  gather_facts: false
+  roles:
+    - role: argocd

tasks/argocd/local_argo/playbook/roles/argocd/files/test_deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: nginx-cm
+  name: nginx-cm
+data:
+  index.html: "hello world"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      volumes:
+        - name: nginx-static-volume
+          configMap:
+            name: nginx-cm
+            items:
+              - key: "index.html"
+                path: "index.html"
+      containers:
+        - name: nginx
+          image: library/nginx:latest
+          startupProbe:
+            httpGet:
+              path: /
+              port: 80
+            initialDelaySeconds: 15 # force a slow-ish startup, useful for testing timeouts
+            periodSeconds: 5
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: nginx-static-volume
+              mountPath: "/usr/share/nginx/html"
+              readOnly: true