kb.erickguedes.com
ArgoCD: GitOps in Practice

Projects and Repositories

Lesson 2 of 5

AppProject — Logical Namespace

Projects group applications and define security boundaries.

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: production
  namespace: argocd
spec:
  description: "Projeto de produção"
  
  # Allowed sources (Git repositories)
  sourceRepos:
    - 'https://github.com/org/prod-apps/*'
    - 'https://github.com/org/infra/*'
  
  # Allowed destinations (clusters + namespaces)
  destinations:
    - namespace: 'prod-*'
      server: https://kubernetes.default.svc
    - namespace: 'staging-*'
      server: https://192.168.1.100:6443
  
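  # Cluster-scoped resources allowed ('*' / '*' permits every cluster-scoped kind)
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  
  # Cluster-scoped resources denied (ClusterRole is cluster-scoped, so it is
  # listed here rather than in namespaceResourceBlacklist)
  clusterResourceBlacklist:
    - group: 'rbac.authorization.k8s.io'
      kind: 'ClusterRole'
  
  # Roles and permissions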
  roles:
    - name: developer
      description: "Dev read-only access"
      policies:
        - p, proj:production:developer, applications, get, production/*, allow
      groups:
        - my-org/developers
  
  # Sync windows (allowed time windows)
  syncWindows:
    - kind: allow
      schedule: '0 9 * * 1-5'
      duration: 8h
      applications:
        - 'prod-*'

Múltiplos Repositórios

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: multi-source
spec:
  project: default
  sources:
    - repoURL: 'https://github.com/org/manifests.git'
      targetRevision: HEAD
      path: base
      ref: base
    - repoURL: 'https://github.com/org/env-overlay.git'
      targetRevision: HEAD
      path: production
      helm:
        valueFiles:
          - $base/values/global.yaml
          - values.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: app

Private Repos — SSH / HTTPS

# SSH
apiVersion: v1
kind: Secret
metadata:
  name: private-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: git@github.com:org/private-repo.git
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----
---
# HTTPS (Access Token)
apiVersion: v1
kind: Secret
metadata:
  name: private-https-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: https://github.com/org/private-repo.git
  password: ghp_xxxxxxxxxxxxxxxxxxxx
  username: not-used

# CLI (SSH): the repository URL must be the SSH form when passing a private key
argocd repo add git@github.com:org/private-repo.git \
  --ssh-private-key-path ~/.ssh/id_ed25519 \
  --name private-repo

Config Management Plugins (CMP)

For tools beyond Helm/Kustomize:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
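  # Legacy argocd-cm plugin definition; newer Argo CD releases removed this
  # form in favor of sidecar plugins.
  configManagementPlugins: |
    # Helm and Kustomize are built in and need no plugin entry.
    - name: jsonnet
      generate:
        command: ["jsonnet"]
        # --ext-str passes env as a string; --ext-code would evaluate
        # "prod" as a Jsonnet expression and fail.
        args: ["--ext-str", "env=prod", "main.jsonnet"]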

Repo Structure Patterns

# Pattern 1: Monorepo
apps/
├── app1/
│   ├── kustomization.yaml (overlays: dev/prod)
│   └── base/
├── app2/
│   └── Chart.yaml + values/
└── argocd/
    └── app1.yaml, app2.yaml

# Pattern 2: App-of-Apps (recommended)
root-app.yaml → app1.yaml, app2.yaml, infra.yaml

# Pattern 3: Git submodules
apps-repo/
├── app1 → submodule for k8s-manifests
└── app2 → submodule for helm-chart

Projects isolate environments and define policies. Use one AppProject for production (restricted) and another for dev (open). Prefer SSH keys for private repos. CMP allows any manifest generator.
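
The production (restricted) and dev (open) split from the summary, written out as two AppProject manifests. This is an added example, not part of the original lesson: the dev project, the dev-* namespace pattern and the allow-list entries are assumptions, and the production project is a tightened variant of the one in the AppProject section.

```yaml
# Added example: project names, patterns and allow-lists are assumptions.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: production
  namespace: argocd
spec:
  sourceRepos:
    - 'https://github.com/org/prod-apps/*'   # explicit repos only
  destinations:
    - namespace: 'prod-*'
      server: https://kubernetes.default.svc
  # Cluster-scoped kinds: Namespace only, instead of group '*' / kind '*'
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
  # Namespaced kinds: explicit allow-list, anything else is rejected
  namespaceResourceWhitelist:
    - group: 'apps'
      kind: Deployment
    - group: ''
      kind: Service
    - group: ''
      kind: ConfigMap
  roles:
    - name: developer
      policies:
        - p, proj:production:developer, applications, get, production/*, allow
      groups:
        - my-org/developers
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: dev
  namespace: argocd
spec:
  sourceRepos:
    - '*'                       # any repository
  destinations:
    - namespace: 'dev-*'        # but only dev namespaces on this cluster
      server: https://kubernetes.default.svc
  # clusterResourceWhitelist omitted: no cluster-scoped kinds are permitted
  roles:
    - name: developer
      policies:
        - p, proj:dev:developer, applications, *, dev/*, allow
      groups:
        - my-org/developers
```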