Initial commit

skills/gitops-workflow/references/argocd-setup.md

@@ -0,0 +1,134 @@
+# ArgoCD Setup and Configuration
+
+## Installation Methods
+
+### 1. Standard Installation
+```bash
+kubectl create namespace argocd
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+```
+
+### 2. High Availability Installation
+```bash
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/ha/install.yaml
+```
+
+### 3. Helm Installation
+```bash
+helm repo add argo https://argoproj.github.io/argo-helm
+helm install argocd argo/argo-cd -n argocd --create-namespace
+```
+
+## Initial Configuration
+
+### Access ArgoCD UI
+```bash
+# Port forward
+kubectl port-forward svc/argocd-server -n argocd 8080:443
+
+# Get initial admin password
+argocd admin initial-password -n argocd
+```
+
+### Configure Ingress
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-server-ingress
+  namespace: argocd
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: argocd.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 443
+  tls:
+  - hosts:
+    - argocd.example.com
+    secretName: argocd-secret
+```
+
+## CLI Configuration
+
+### Login
+```bash
+argocd login argocd.example.com --username admin
+```
+
+### Add Repository
+```bash
+argocd repo add https://github.com/org/repo --username user --password token
+```
+
+### Create Application
+```bash
+argocd app create my-app \
+  --repo https://github.com/org/repo \
+  --path apps/my-app \
+  --dest-server https://kubernetes.default.svc \
+  --dest-namespace production
+```
+
+## SSO Configuration
+
+### GitHub OAuth
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+  namespace: argocd
+data:
+  url: https://argocd.example.com
+  dex.config: |
+    connectors:
+      - type: github
+        id: github
+        name: GitHub
+        config:
+          clientID: $GITHUB_CLIENT_ID
+          clientSecret: $GITHUB_CLIENT_SECRET
+          orgs:
+          - name: my-org
+```
+
+## RBAC Configuration
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+  namespace: argocd
+data:
+  policy.default: role:readonly
+  policy.csv: |
+    p, role:developers, applications, *, */dev, allow
+    p, role:operators, applications, *, */*, allow
+    g, my-org:devs, role:developers
+    g, my-org:ops, role:operators
+```
+
+## Best Practices
+
+1. Enable SSO for production
+2. Implement RBAC policies
+3. Use separate projects for teams
+4. Enable audit logging
+5. Configure notifications
+6. Use ApplicationSets for multi-cluster
+7. Implement resource hooks
+8. Configure health checks
+9. Use sync windows for maintenance
+10. Monitor with Prometheus metrics

skills/gitops-workflow/references/sync-policies.md

@@ -0,0 +1,131 @@
+# GitOps Sync Policies
+
+## ArgoCD Sync Policies
+
+### Automated Sync
+```yaml
+syncPolicy:
+  automated:
+    prune: true       # Delete resources removed from Git
+    selfHeal: true    # Reconcile manual changes
+    allowEmpty: false # Prevent empty sync
+```
+
+### Manual Sync
+```yaml
+syncPolicy:
+  syncOptions:
+  - PrunePropagationPolicy=foreground
+  - CreateNamespace=true
+```
+
+### Sync Windows
+```yaml
+syncWindows:
+- kind: allow
+  schedule: "0 8 * * *"
+  duration: 1h
+  applications:
+  - my-app
+- kind: deny
+  schedule: "0 22 * * *"
+  duration: 8h
+  applications:
+  - '*'
+```
+
+### Retry Policy
+```yaml
+syncPolicy:
+  retry:
+    limit: 5
+    backoff:
+      duration: 5s
+      factor: 2
+      maxDuration: 3m
+```
+
+## Flux Sync Policies
+
+### Kustomization Sync
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: my-app
+spec:
+  interval: 5m
+  prune: true
+  wait: true
+  timeout: 5m
+  retryInterval: 1m
+  force: false
+```
+
+### Source Sync Interval
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: my-app
+spec:
+  interval: 1m
+  timeout: 60s
+```
+
+## Health Assessment
+
+### Custom Health Checks
+```yaml
+# ArgoCD
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+  namespace: argocd
+data:
+  resource.customizations.health.MyCustomResource: |
+    hs = {}
+    if obj.status ~= nil then
+      if obj.status.conditions ~= nil then
+        for i, condition in ipairs(obj.status.conditions) do
+          if condition.type == "Ready" and condition.status == "False" then
+            hs.status = "Degraded"
+            hs.message = condition.message
+            return hs
+          end
+          if condition.type == "Ready" and condition.status == "True" then
+            hs.status = "Healthy"
+            hs.message = condition.message
+            return hs
+          end
+        end
+      end
+    end
+    hs.status = "Progressing"
+    hs.message = "Waiting for status"
+    return hs
+```
+
+## Sync Options
+
+### Common Sync Options
+- `PrunePropagationPolicy=foreground` - Wait for pruned resources to be deleted
+- `CreateNamespace=true` - Auto-create namespace
+- `Validate=false` - Skip kubectl validation
+- `PruneLast=true` - Prune resources after sync
+- `RespectIgnoreDifferences=true` - Honor ignore differences
+- `ApplyOutOfSyncOnly=true` - Only apply out-of-sync resources
+
+## Best Practices
+
+1. Use automated sync for non-production
+2. Require manual approval for production
+3. Configure sync windows for maintenance
+4. Implement health checks for custom resources
+5. Use selective sync for large applications
+6. Configure appropriate retry policies
+7. Monitor sync failures with alerts
+8. Use prune with caution in production
+9. Test sync policies in staging
+10. Document sync behavior for teams