From 030fc66ae113f3967074915a8741aa51e5e10712 Mon Sep 17 00:00:00 2001
From: Nick Adam
Date: Mon, 19 Jan 2026 00:37:04 +0100
Subject: [PATCH] fix kube client side error
---
 apps/argocd-config/argocd-ha-patch-rbac.yaml | 37 ++++++++++
 .../argocd-config/argocd-server-ha-patch.yaml | 23 -------
 .../argocd-server-ha-sync-hook.yaml | 69 +++++++++++++++++++
 apps/argocd-config/kustomization.yaml | 8 +--
 4 files changed, 108 insertions(+), 29 deletions(-)
 create mode 100644 apps/argocd-config/argocd-ha-patch-rbac.yaml
 delete mode 100644 apps/argocd-config/argocd-server-ha-patch.yaml
 create mode 100644 apps/argocd-config/argocd-server-ha-sync-hook.yaml
diff --git a/apps/argocd-config/argocd-ha-patch-rbac.yaml b/apps/argocd-config/argocd-ha-patch-rbac.yaml
new file mode 100644
index 0000000..1f81f75
--- /dev/null
+++ b/apps/argocd-config/argocd-ha-patch-rbac.yaml
@@ -0,0 +1,37 @@
+# RBAC für ArgoCD HA Patch Job
+# WICHTIG: Job braucht Rechte zum Patchen von Deployments
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: argocd-ha-patch
+ namespace: argocd
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "patch", "update"]
+ - apiGroups: ["apps"]
+ resources: ["deployments/status"]
+ verbs: ["get"]
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argocd-ha-patch
+ namespace: argocd
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: argocd-ha-patch
+ namespace: argocd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argocd-ha-patch
+subjects:
+ - kind: ServiceAccount
+ name: argocd-ha-patch
+ namespace: argocd
diff --git a/apps/argocd-config/argocd-server-ha-patch.yaml b/apps/argocd-config/argocd-server-ha-patch.yaml
deleted file mode 100644
index eba7a32..0000000
--- a/apps/argocd-config/argocd-server-ha-patch.yaml
+++ /dev/null
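Review bot: The first rule grants `patch` and `update` on every Deployment in the argocd namespace, although the hook job in argocd-server-ha-sync-hook.yaml only ever patches argocd-server; add `resourceNames: ["argocd-server"]` to that rule so the job's token cannot rewrite the other Argo CD control-plane Deployments in the same namespace. The job also runs `kubectl rollout status deployment/argocd-server`, which watches the Deployment rather than just reading it once, so the rule presumably needs `verbs: ["get", "list", "watch", "patch"]` (`update` is not used by `kubectl patch` and can go) — confirm against the kubectl version in the job image, since the `deployments/status` rule with `get` alone does not cover a watch. A short comment on the Role naming which job uses it and which single Deployment it may touch would make the grant auditable.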
@@ -1,23 +0,0 @@
-# ArgoCD Server HA Patch
-# WICHTIG: Nur Deployment-Patch, PDB ist separate Resource
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: argocd-server
- namespace: argocd
-spec:
- replicas: 2 # HA: Mindestens 2 Replicas für Ausfallsicherheit
- template:
- spec:
- affinity:
- podAntiAffinity:
- # Hard Rule: Pods müssen auf verschiedenen Nodes laufen
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/name
- operator: In
- values:
- - argocd-server
- topologyKey: kubernetes.io/hostname
diff --git a/apps/argocd-config/argocd-server-ha-sync-hook.yaml b/apps/argocd-config/argocd-server-ha-sync-hook.yaml
new file mode 100644
index 0000000..776e674
--- /dev/null
+++ b/apps/argocd-config/argocd-server-ha-sync-hook.yaml
@@ -0,0 +1,69 @@
+# ArgoCD Server HA Patch via Sync Hook
+# WICHTIG: Dieses Resource wird nach dem Standard-ArgoCD Deployment angewendet
+# und patcht es für HA
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: argocd-server-ha-patch
+ namespace: argocd
+ annotations:
+ # WICHTIG: Sync Hook - wird nach Deployment-Sync ausgeführt
+ argocd.argoproj.io/hook: PostSync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ # Sync Wave: Nach ArgoCD Deployment (Wave 0 oder später)
+ argocd.argoproj.io/sync-wave: "1"
+spec:
+ ttlSecondsAfterFinished: 300 # Job wird nach 5 Minuten gelöscht
+ backoffLimit: 3
+ template:
+ spec:
+ # WICHTIG: argocd-server ServiceAccount hat keine Rechte zum Patchen
+ # Wir verwenden stattdessen default ServiceAccount oder erstellen eine RBAC-Rolle
+ serviceAccountName: argocd-ha-patch
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: bitnami/kubectl:latest
+ command:
+ - /bin/sh
+ -c
+ |
+ set -e
+ echo "Patching argocd-server Deployment für HA..."
+
+ # Patch Replicas auf 2
+ kubectl patch deployment argocd-server -n argocd --type='json' -p='[
+ {"op": "replace", "path": "/spec/replicas", "value": 2}
+ ]' || echo "Replicas Patch fehlgeschlagen (möglicherweise bereits 2)"
+
+ # Patch Anti-Affinity
+ kubectl patch deployment argocd-server -n argocd --type='json' -p='[
+ {
+ "op": "add",
+ "path": "/spec/template/spec/affinity",
+ "value": {
+ "podAntiAffinity": {
+ "requiredDuringSchedulingIgnoredDuringExecution": [
+ {
+ "labelSelector": {
+ "matchExpressions": [
+ {
+ "key": "app.kubernetes.io/name",
+ "operator": "In",
+ "values": ["argocd-server"]
+ }
+ ]
+ },
+ "topologyKey": "kubernetes.io/hostname"
+ }
+ ]
+ }
+ }
+ }
+ ]' || echo "Affinity Patch fehlgeschlagen"
+
+ echo "✅ ArgoCD Server HA Patch erfolgreich angewendet"
+
+ # Warte auf Rollout
+ kubectl rollout status deployment/argocd-server -n argocd --timeout=300s
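Review bot: The `|| echo "… fehlgeschlagen …"` fallbacks on both `kubectl patch` calls defeat the `set -e` above them, so a rejected patch (RBAC denial, malformed JSON, missing Deployment) still prints `✅ ArgoCD Server HA Patch erfolgreich angewendet` and the PostSync hook reports success to Argo CD; drop both `|| echo …` suffixes so the job fails and the sync surfaces it (a `replace` of `/spec/replicas` when the value is already 2 succeeds, so the stated reason for the first fallback does not hold). `image: bitnami/kubectl:latest` is a mutable tag inside a job that holds patch rights on Deployments in the argocd namespace, and the container carries no `securityContext`; pin the image to a version plus digest and add a restrictive context, as in the excerpt below. Because Argo CD keeps its own desired state for the argocd-server Deployment, the replicas and affinity written here will presumably show up as drift after every sync and, with selfHeal enabled, be reverted and re-patched in a loop — a declarative Kustomize `patches:` entry targeting the Deployment would avoid that; verify against the application's sync policy. The `add` op also replaces any existing `/spec/template/spec/affinity` wholesale rather than merging into it. The comment above `serviceAccountName` still describes falling back to the default ServiceAccount; it should say the job uses the dedicated `argocd-ha-patch` account defined in argocd-ha-patch-rbac.yaml.
```yaml
      containers:
        - name: kubectl
          # immutable reference: :latest can change underneath a job that patches the control plane
          image: bitnami/kubectl:<PINNED_VERSION>@sha256:<DIGEST>  # placeholder - fill from the registry
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: command and patch script (minus the `|| echo` fallbacks) …
```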
diff --git a/apps/argocd-config/kustomization.yaml b/apps/argocd-config/kustomization.yaml index bdee850..feb89b1 100644 --- a/apps/argocd-config/kustomization.yaml +++ b/apps/argocd-config/kustomization.yaml @@ -4,10 +4,6 @@ resources: - external-secret.yaml - argocd-cm.yaml - argocd-rbac-cm.yaml + - argocd-ha-patch-rbac.yaml # HA: RBAC für Patch Job - argocd-server-pdb.yaml # HA: Pod Disruption Budget - -# WICHTIG: patchesStrategicMerge für Deployment Patch -# Der Patch muss nur die zu ändernden Felder enthalten -# Container-Spezifikation wird vom Original übernommen -patchesStrategicMerge: - - argocd-server-ha-patch.yaml \ No newline at end of file + - argocd-server-ha-sync-hook.yaml # HA: Sync Hook patcht Deployment nach Installation \ No newline at end of file