Project 概述

Projects负责为Application提供逻辑分组，它主要实现如下功能：
1. 限制可以部署的内容（指定受信任的Git Source仓库）
2. 限制Application可以部署到的目标位置（指定目标Cluster和Namespace）
3. 限制能够及不能够部署的对象类型，例如RBAC、CRD、DeamonSets、NetworkPolicy等
4. 定义Project Role，从而为Application提供RBAC机制，以绑定到OIDC组或JWT token

Default Project

每个应用程序都属于一个项目。如果未指定，应用程序属于default project，该项目是自动创建的，默认情况下允许从任何源存储库部署到任何集群以及所有资源种类。default project可以修改，但不能删除。

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: default
  namespace: argocd
spec:
  sourceRepos:                     # 允许从任意SourceRepos获取资源配置
  - '*'
  destinations:                    # 允许将Application部署至任意目标Cluster和NameSpace
  - namespace: '*'
    server: '*'
  clusterResourceWhitelist:        # 允许部署任意类型的资源
  - group: '*'
    kind: '*'

AppProject CRD

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: my-project
  namespace: argocd
  # Finalizer that ensures that project is not deleted until it is not referenced by any application
  finalizers:                       # 删除终结器，当使用此终结器删除应用程序时，Argo CD 应用程序控制器将执行应用程序资源的级联删除。级联删除的默认传播策略是foreground级联删除。
    - resources-finalizer.argocd.argoproj.io
    # - resources-finalizer.argocd.argoproj.io/background
spec:
  description: Example Project      # 该Projects的描述信息
  # Allow manifests to deploy from any Git repos
  sourceRepos:                      # 可读取资源配置的Repo
  - '*'
  # Only permit applications to deploy to the guestbook namespace in the same cluster
  destinations:                     # 可部署Application的目标集群和名称空间
  - namespace: guestbook
    server: https://kubernetes.default.svc
  # Deny all cluster-scoped resources from being created, except for Namespace
  clusterResourceWhitelist:         # 可用的资源类型
  - group: ''
    kind: Namespace
  # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
  namespaceResourceBlacklist:
  - group: ''
    kind: ResourceQuota
  - group: ''
    kind: LimitRange
  - group: ''
    kind: NetworkPolicy
  # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
  namespaceResourceWhitelist:
  - group: 'apps'
    kind: Deployment
  - group: 'apps'
    kind: StatefulSet
  roles:                          # 该Projects上的可用角色
  # A role which provides read-only access to all applications in the project
  - name: read-only
    description: Read-only privileges to my-project
    policies:
    - p, proj:my-project:read-only, applications, get, my-project/*, allow
    groups:
    - my-oidc-group
  # A role which provides sync privileges to only the guestbook-dev application, e.g. to provide
  # sync privileges to a CI system
  - name: ci-role
    description: Sync privileges for guestbook-dev
    policies:
    - p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow
    # NOTE: JWT tokens can only be generated by the API server and the token is not persisted
    # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list.
    jwtTokens:
    - iat: 1535390316
  syncWindows:                       # 该资源的同步窗口
  - kind: allow
    schedule: '10 1 * * *'
    duration: 1h
    applications:
    - '*-prod'
    manualSync: true
  - kind: deny
    schedule: '0 22 * * *'
    duration: 1h
    namespaces:
    - default
  - kind: allow
    schedule: '0 23 * * *'
    duration: 1h
    clusters:
    - in-cluster
    - cluster1

参考文档

https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#projects