[HowTo] ArgoCD Deployment & Configuration
Intro
ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes. It's designed to make application deployment and lifecycle management automated, auditable, and easy to understand.
Key features and concepts of ArgoCD include:
- GitOps Methodology: Argo CD uses Git repositories as the source of truth for defining the desired application state.
- Kubernetes-native: It's implemented as a Kubernetes controller that continuously monitors running applications and compares their current state against the desired state specified in Git.
This blog post explains the deployment of ArgoCD in a Tanzu Kubernetes Grid Cluster. There is also the option to provision ArgoCD as a supervisor Service.
Overview
ArgoCD typically uses a centralized deployment model with one instance managing multiple Kubernetes clusters. ArgoCD uses a push-based architecture where workloads are pushed from a centralized cluster to remote clusters. Best practice is to deploy ArgoCD on a dedicated Infrastructure/Management Kubernetes Cluster.
ArgoCD Deployment on TKGS Guest Cluster
Create a namespace for ArgoCD
kubectl create namespace argocd
*** If you are in a restricted environment where you cannot pull images from the internet ***
- Set up a local container registry within your air-gapped environment (for example Harbor)
- Mirror all required ArgoCD images to your local registry.
docker pull quay.io/argoproj/argocd:v2.13.0
docker pull quay.io/argoproj/argocd-repo-server:v2.13.0
docker pull quay.io/argoproj/argocd-applicationset-controller:v2.13.0
Tag images for your local registry
docker tag quay.io/argoproj/argocd:v2.13.0 local-registry.example.com/argoproj/argocd:v2.13.0
docker tag quay.io/argoproj/argocd-repo-server:v2.13.0 local-registry.example.com/argoproj/argocd-repo-server:v2.13.0
docker tag quay.io/argoproj/argocd-applicationset-controller:v2.13.0 local-registry.example.com/argoproj/argocd-applicationset-controller:v2.13.0
Push images to your local registry
docker push local-registry.example.com/argoproj/argocd:v2.13.0
docker push local-registry.example.com/argoproj/argocd-repo-server:v2.13.0
docker push local-registry.example.com/argoproj/argocd-applicationset-controller:v2.13.0
Download the ArgoCD installation manifests and modify them to use your local registry:
curl -o argocd-install.yaml https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.0/manifests/install.yaml

# Update image references in the YAML file
sed -i 's|quay.io/argoproj/argocd|local-registry.example.com/argoproj/argocd|g' argocd-install.yaml
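The rewrite above only touches references that start with quay.io/argoproj/argocd, so any image the manifest pulls from another registry stays unchanged and will fail to pull in an air-gapped cluster. The following check is an added example, not part of the original post; the function names and the sample manifest fragment are constructed for illustration, and the registry name is the one used above.

```shell
#!/bin/sh
# Added example (not from the original post): after rewriting the install
# manifest, list every image that still points outside the local registry.

LOCAL_REGISTRY="local-registry.example.com"   # registry name used on the page

# list_images FILE: unique image references taken from "image:" lines.
list_images() {
    sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' "$1" | tr -d "\"'" | sort -u
}

# unmirrored_images FILE REGISTRY: images that would still be pulled from
# somewhere other than REGISTRY.
unmirrored_images() {
    list_images "$1" | while IFS= read -r img; do
        case "$img" in
            "$2"/*) ;;                        # served by the local registry
            *) printf '%s\n' "$img" ;;
        esac
    done
}

# write_sample FILE: constructed manifest fragment, not the real install.yaml.
write_sample() {
    cat > "$1" <<'EOF'
      containers:
      - image: quay.io/argoproj/argocd:v2.13.0
        name: argocd-server
      - name: dex
        image: ghcr.io/example/dex:v0.0.0
      - image: "example-redis:0.0.0"
        name: redis
EOF
}

sample=$(mktemp)
write_sample "$sample"
# The rewrite from the page (written portably, without sed -i).
sed 's|quay.io/argoproj/argocd|local-registry.example.com/argoproj/argocd|g' \
    "$sample" > "$sample.rewritten"
echo "Still pulled from outside $LOCAL_REGISTRY:"
unmirrored_images "$sample.rewritten" "$LOCAL_REGISTRY"
rm -f "$sample" "$sample.rewritten"
```

Run `unmirrored_images argocd-install.yaml local-registry.example.com` against the downloaded manifest; every line it prints is an image that still has to be mirrored and rewritten before applying.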
Apply the Argo CD installation manifest (in an air-gapped environment, pass the modified argocd-install.yaml to -f instead of the URL):
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
Expose ArgoCD via nginx Ingress (Example):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # TLS is passed through to argocd-server, which terminates it
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: argocd.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              name: https
  # tls is a field of spec, so it must be indented under it
  tls:
  - hosts:
    - argocd.example.com
    secretName: argocd-secret
If you have AKO installed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: avi
    ako.vmware.com/enable-tls: "true"
    ako.vmware.com/ssl-passthrough: "true"
spec:
  rules:
  - host: argocd.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              number: 443
  tls:
  - hosts:
    - argocd.example.com
    secretName: argocd-secret
Or you could use a standard Layer 4 LoadBalancer:
kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'
To get the IP of your LoadBalancer (to create DNS Records):
export ARGOCD_SERVER=$(kubectl get svc argocd-server -n argocd -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
Get the Initial Admin Password:
export ARGO_PWD=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)
Now go ahead and log in to your ArgoCD UI for the first time.
ArgoCD Configuration - TLS Certificates
To use your own Certificates for the ArgoCD UI:
kubectl create -n argocd secret tls argocd-server-tls \
  --cert=/path/to/cert.pem \
  --key=/path/to/key.pem
Custom Root CA
Edit the argocd-cm ConfigMap:
kubectl edit configmap argocd-cm -n argocd
Add the Root CA certificate to the ConfigMap under the tls.certs key. The format should be:
data:
  tls.certs: |
    -----BEGIN CERTIFICATE-----
    <Your Root CA certificate content here>
    -----END CERTIFICATE-----
After updating the ConfigMap, you need to restart the Argo CD server pod for the changes to take effect:
kubectl rollout restart deployment argocd-server -n argocd
ArgoCD Configuration - SSO
ArgoCD can use OpenID Connect (OIDC) Providers for SSO-Logins. In this example we use GitLab.
Configure GitLab:
Register a new application in GitLab:
- Go to Settings > Applications > New Application
- Set the Redirect URI to: https://argocd-domain.com/auth/callback
- Enable the scopes: API and read_user
- Save and note down the Application ID and Secret
kubectl edit configmap argocd-cm -n argocd
data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
      - type: gitlab
        id: gitlab
        name: GitLab
        config:
          baseURL: https://gitlab.com
          # $-prefixed values are resolved from the keys of the same name
          # in the argocd-secret Secret, so the secret stays out of the ConfigMap
          clientID: $GITLAB_APPLICATION_ID
          clientSecret: $GITLAB_CLIENT_SECRET
          redirectURI: https://argocd.example.com/api/dex/callback
  users.anonymous.enabled: "false"
Restart the deployment:
kubectl rollout restart deployment argocd-server -n argocd
Now a new Login Button appears on the ArgoCD UI.
ArgoCD Configuration - Forward Proxy
If you run ArgoCD behind a Forward Proxy and want to use external Git-Repositories, adjust your deployment as follows:
kubectl edit configmap argocd-cm -n argocd
data:
  HTTP_PROXY: "http://your-proxy-server:port"
  HTTPS_PROXY: "http://your-proxy-server:port"
  # Replace 10.0.0.0/8 at the end of the list with your own internal CIDR
  NO_PROXY: |
    argocd-repo-server,
    argocd-application-controller,
    argocd-applicationset-controller,
    argocd-metrics,
    argocd-server,
    argocd-server-metrics,
    argocd-redis,
    argocd-redis-ha-haproxy,
    argocd-dex-server,
    localhost,
    127.0.0.1,
    kubernetes.default.svc,
    .svc.cluster.local,
    10.0.0.0/8
ArgoCD Complete Config:
Your whole ConfigMap (argocd-cm) should now look like:
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
      - type: gitlab
        id: gitlab
        name: GitLab
        config:
          baseURL: https://gitlab.com
          clientID: $GITLAB_APPLICATION_ID
          clientSecret: $GITLAB_CLIENT_SECRET
          redirectURI: https://argocd.example.com/api/dex/callback
  users.anonymous.enabled: "false"
  HTTP_PROXY: "http://your-proxy-server:port"
  HTTPS_PROXY: "http://your-proxy-server:port"
  NO_PROXY: |
    argocd-repo-server,
    argocd-application-controller,
    argocd-applicationset-controller,
    argocd-metrics,
    argocd-server,
    argocd-server-metrics,
    argocd-redis,
    argocd-redis-ha-haproxy,
    argocd-dex-server,
    localhost,
    127.0.0.1,
    kubernetes.default.svc,
    .svc.cluster.local,
    10.0.0.0/8
  tls.certs: |
    -----BEGIN CERTIFICATE-----
    <Your Root CA certificate content here>
    -----END CERTIFICATE-----