HowTo: ArgoCD Deployment & Configuration

Intro

ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes. It's designed to make application deployment and lifecycle management automated, auditable, and easy to understand.

Key features and concepts of ArgoCD include:

  • GitOps Methodology: Argo CD uses Git repositories as the source of truth for defining the desired application state.
  • Kubernetes-native: It's implemented as a Kubernetes controller that continuously monitors running applications and compares their current state against the desired state specified in Git.

This blog post explains the deployment of ArgoCD in a Tanzu Kubernetes Grid cluster. There is also the option to provision ArgoCD as a Supervisor Service.

Overview

ArgoCD typically uses a centralized deployment model with one instance managing multiple Kubernetes clusters. ArgoCD uses a push-based architecture where workloads are pushed from a centralized cluster to remote clusters. Best practice is to deploy ArgoCD on a dedicated infrastructure/management Kubernetes cluster.

ArgoCD Deployment on TKGS Guest Cluster

Create a namespace for ArgoCD

kubectl create namespace argocd

*** If you are in a restricted (air-gapped) environment where you cannot pull images from the internet ***

  • Set up a local container registry within your air-gapped environment (for example Harbor).
  • Mirror all required ArgoCD images to your local registry:

docker pull quay.io/argoproj/argocd:v2.13.0
docker pull quay.io/argoproj/argocd-repo-server:v2.13.0
docker pull quay.io/argoproj/argocd-applicationset-controller:v2.13.0

Tag the images for your local registry:

docker tag quay.io/argoproj/argocd:v2.13.0 local-registry.example.com/argoproj/argocd:v2.13.0
docker tag quay.io/argoproj/argocd-repo-server:v2.13.0 local-registry.example.com/argoproj/argocd-repo-server:v2.13.0
docker tag quay.io/argoproj/argocd-applicationset-controller:v2.13.0 local-registry.example.com/argoproj/argocd-applicationset-controller:v2.13.0

Push images to your local registry

docker push local-registry.example.com/argoproj/argocd:v2.13.0
docker push local-registry.example.com/argoproj/argocd-repo-server:v2.13.0
docker push local-registry.example.com/argoproj/argocd-applicationset-controller:v2.13.0

Download the ArgoCD installation manifests and modify them to use your local registry:

curl -o argocd-install.yaml https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.0/manifests/install.yaml

# Update image references in the YAML file
sed -i 's|quay.io/argoproj/argocd|local-registry.example.com/argoproj/argocd|g' argocd-install.yaml
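The sed above only rewrites the argocd image prefix, while install.yaml also references other images (dex and redis), and a hand-maintained pull list drifts from the manifest over time. The following script is an added example, not code from the original post: it derives the image list from the downloaded manifest itself, prints the pull/tag/push commands, rewrites every image reference to the local registry, and reports anything that still points outside it. LOCAL_REGISTRY is an assumed placeholder, and the sample manifest at the end is constructed (the dex and redis versions in it are placeholders, not real tags).

```shell
#!/bin/sh
# Added example, not from the original post: mirror every image a manifest needs.
# Assumes LOCAL_REGISTRY is the air-gapped mirror; default is a placeholder.

LOCAL_REGISTRY="${LOCAL_REGISTRY:-local-registry.example.com}"

# Every unique image reference in a manifest, taken from lines of the form "image: ref".
list_images() {
  awk '/^[ \t]*(- )?image:[ \t]*/ {
         sub(/^[ \t]*(- )?image:[ \t]*/, ""); gsub(/"/, ""); print
       }' "$1" | sort -u
}

# Map an image reference onto LOCAL_REGISTRY, keeping the repository path and tag.
# A leading component containing "." or ":" (or "localhost") is a registry host
# and is dropped; a bare official image such as redis:7 lives under library/.
mirror_name() {
  img="$1"
  case "$img" in
    */*)
      case "${img%%/*}" in
        *.*|*:*|localhost) path="${img#*/}" ;;
        *) path="$img" ;;
      esac ;;
    *) path="library/$img" ;;
  esac
  printf '%s/%s\n' "$LOCAL_REGISTRY" "$path"
}

# Emit the docker commands needed to mirror every image of a manifest.
mirror_commands() {
  list_images "$1" | while IFS= read -r img; do
    target="$(mirror_name "$img")"
    printf 'docker pull %s\ndocker tag %s %s\ndocker push %s\n' "$img" "$img" "$target" "$target"
  done
}

# Print the manifest with every image reference rewritten to LOCAL_REGISTRY.
# The pattern is anchored on "image:" so a short reference (redis:7) can never
# match inside a longer one (docker/library/redis:7).
rewrite_manifest() {
  script="$(mktemp)"
  list_images "$1" | while IFS= read -r img; do
    printf 's|\\(image: *\\)%s|\\1%s|\n' "$img" "$(mirror_name "$img")"
  done > "$script"
  sed -f "$script" "$1"
  rm -f "$script"
}

# Image references that still point somewhere other than LOCAL_REGISTRY.
unmirrored_images() {
  list_images "$1" | grep -v "^$LOCAL_REGISTRY/" || true
}

# Constructed sample: a cut-down manifest with the kinds of image references the
# real install.yaml contains (the dex and redis versions here are placeholders).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
      containers:
      - name: argocd-server
        image: quay.io/argoproj/argocd:v2.13.0
      - name: dex
        image: ghcr.io/dexidp/dex:vX.Y.Z
      - name: redis
        image: public.ecr.aws/docker/library/redis:X.Y.Z-alpine
EOF
MIRRORED="$SAMPLE.mirrored"
mirror_commands "$SAMPLE"
rewrite_manifest "$SAMPLE" > "$MIRRORED"
printf 'images still outside %s: %s\n' "$LOCAL_REGISTRY" "$(unmirrored_images "$MIRRORED" | wc -l)"
```

Run `rewrite_manifest argocd-install.yaml > argocd-install.mirrored.yaml` on the real download and apply the mirrored file; `unmirrored_images` on the result should print nothing before the manifest is applied in the air-gapped cluster.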

Apply the Argo CD installation manifest (in a restricted environment, apply the modified argocd-install.yaml from the previous step instead of the upstream URL):

kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

Expose ArgoCD via nginx Ingress (example). Note that with ssl-passthrough (which requires the controller to run with --enable-ssl-passthrough) the TLS session is terminated by argocd-server itself, so the certificate the browser sees is the one configured in the TLS certificates section, not the Ingress secret. If you let the Ingress terminate TLS instead, use a dedicated TLS secret: the name argocd-secret is already taken by Argo CD's own internal Secret in this namespace.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: argocd.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              name: https
  tls:
  - hosts:
    - argocd.example.com
    secretName: argocd-secret

If you have AKO (AVI Kubernetes Operator) installed:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: avi
    ako.vmware.com/enable-tls: "true"
    ako.vmware.com/ssl-passthrough: "true"
spec:
  rules:
  - host: argocd.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port: 
              number: 443
  tls:
  - hosts:
    - argocd.example.com
    secretName: argocd-secret

Or you could use a standard Layer 4 LoadBalancer:

kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'

To get the address of your LoadBalancer (to create the DNS record; depending on the load balancer provider the address is published as an IP or as a hostname, so both fields are queried):

export ARGOCD_SERVER=$(kubectl get svc argocd-server -n argocd -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}')

Get the initial admin password:

export ARGO_PWD=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)

Now log in to your ArgoCD UI for the first time as user admin with this password. Change the password after the first login and then delete the argocd-initial-admin-secret: it stores the generated password in clear and serves no purpose once the password has been changed.
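The first-login steps above as one script, an added example that is not code from the original post: it reads the LoadBalancer address (IP or hostname, whichever the provider publishes) and the generated password, then, only when called with --apply, logs in with the argocd CLI, changes the admin password and deletes the bootstrap secret. Passwords are entered at the CLI prompts rather than passed as arguments, so they never appear in the process list. It assumes kubectl and the argocd CLI are on PATH; ARGOCD_NAMESPACE is an assumed override variable.

```shell
#!/bin/sh
# Added example, not from the original post: bootstrap and then retire the
# generated admin password. Assumes kubectl and argocd CLI on PATH.

NS="${ARGOCD_NAMESPACE:-argocd}"

# Some providers publish an IP, others a host name; print whichever the LB has.
lb_address() {
  kubectl -n "$NS" get svc argocd-server \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'
}

# Secret data is base64 in the API object; decode it.
decode_secret_value() {
  printf '%s' "$1" | base64 -d
}

# The bootstrap password is the only value the initial secret holds.
initial_admin_password() {
  decode_secret_value "$(kubectl -n "$NS" get secret argocd-initial-admin-secret \
    -o jsonpath='{.data.password}')"
}

# Interactive: the CLI prompts for the passwords, so nothing secret lands in argv.
bootstrap_admin() {
  server="$(lb_address)"
  [ -n "$server" ] || { echo "argocd-server has no external address yet" >&2; return 1; }
  printf 'initial admin password: %s\n' "$(initial_admin_password)"
  argocd login "$server" --username admin     # prompts for the password printed above
  argocd account update-password               # prompts for the current and the new password
  # The one-time secret only exists to hand over the generated password; remove it.
  kubectl -n "$NS" delete secret argocd-initial-admin-secret
}

case "${1:-}" in
  --apply) bootstrap_admin ;;
  *) echo "run with --apply to rotate the admin password and remove the bootstrap secret" ;;
esac
```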

ArgoCD Configuration - TLS Certificates

To use your own Certificates for the ArgoCD UI:

kubectl create -n argocd secret tls argocd-server-tls \
  --cert=/path/to/cert.pem \
  --key=/path/to/key.pem

Custom Root CA

Edit the argocd-cm ConfigMap:

kubectl edit configmap argocd-cm -n argocd

Add the Root CA certificate to the ConfigMap under the tls.certs key. The format should be:

data:
  tls.certs: |
    -----BEGIN CERTIFICATE-----
    <Your Root CA certificate content here>
    -----END CERTIFICATE-----

After updating the ConfigMap, you need to restart the Argo CD server pod for the changes to take effect:

kubectl rollout restart deployment argocd-server -n argocd
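Two checks a practitioner wants around this section, as an added example that is not code from the original post: verifying a certificate/key pair before it becomes the argocd-server-tls secret (the public key in the certificate must belong to the private key, and a certificate about to expire should be rejected), and building the per-host CA entry that Argo CD reads from the argocd-tls-certs-cm ConfigMap when it connects to a Git server whose certificate was issued by a private CA (the data key is the server host name, the value the PEM). The file paths, the host gitlab.example.com and the 30-day threshold are assumptions, and the PEM at the end is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: validate server TLS material and
# register a private CA for Git connections. Paths and host names are placeholders.

NS="${ARGOCD_NAMESPACE:-argocd}"

# Number of PEM certificate blocks in a file; a server cert with its chain has more than one.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The public key embedded in the certificate must be the one the private key belongs to.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Refuse a certificate that expires within 30 days (openssl -checkend takes seconds).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $((30 * 86400)) > /dev/null
}

install_server_tls() {
  cert="$1"; key="$2"
  [ "$(pem_cert_count "$cert")" -ge 1 ] || { echo "no certificate found in $cert" >&2; return 1; }
  cert_matches_key "$cert" "$key" || { echo "certificate and key do not match" >&2; return 1; }
  cert_not_expiring "$cert" || { echo "certificate expires within 30 days" >&2; return 1; }
  # dry-run + apply is repeatable for renewals, where "create" fails on the existing secret.
  kubectl -n "$NS" create secret tls argocd-server-tls --cert="$cert" --key="$key" \
    --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$NS" rollout restart deployment argocd-server
}

# YAML merge patch adding one host entry (host name -> PEM) to argocd-tls-certs-cm.
tls_certs_cm_patch() {
  printf 'data:\n  %s: |\n' "$1"
  sed 's/^/    /' "$2"
}

add_git_server_ca() {
  [ "$(pem_cert_count "$2")" -ge 1 ] || { echo "no certificate found in $2" >&2; return 1; }
  patch="$(mktemp)"
  tls_certs_cm_patch "$1" "$2" > "$patch"
  kubectl -n "$NS" patch configmap argocd-tls-certs-cm --type merge --patch-file "$patch"
  rm -f "$patch"
}

# Constructed placeholder PEM so the patch builder can be exercised offline.
SAMPLE_CA="$(mktemp)"
cat > "$SAMPLE_CA" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
EOF
tls_certs_cm_patch gitlab.example.com "$SAMPLE_CA"
```

Usage: `install_server_tls /path/to/cert.pem /path/to/key.pem` for the UI certificate, and `add_git_server_ca gitlab.example.com /path/to/root-ca.pem` once per Git server that presents a private-CA certificate.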

ArgoCD Configuration - SSO

ArgoCD can use OpenID Connect (OIDC) providers for SSO logins. In this example we use GitLab.

Configure GitLab:

Register a new application in GitLab:

  • Go to Settings > Applications > New Application
  • Set the Redirect URI to the Dex callback of your ArgoCD instance, i.e. exactly the redirectURI from the connector configuration below (GitLab rejects the login if it differs): https://argocd.example.com/api/dex/callback
  • Enable the scopes: API and read_user
  • Save and note down the Application ID and Secret

Configure ArgoCD:

kubectl edit configmap argocd-cm -n argocd

data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
      - type: gitlab
        id: gitlab
        name: GitLab
        config:
          baseURL: https://gitlab.com
          clientID: $GITLAB_APPLICATION_ID
          clientSecret: $GITLAB_CLIENT_SECRET
          redirectURI: https://argocd.example.com/api/dex/callback
  users.anonymous.enabled: "false"

Restart the deployment:

kubectl rollout restart deployment argocd-server -n argocd

Now a new login button for GitLab appears on the ArgoCD UI.
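The $GITLAB_APPLICATION_ID and $GITLAB_CLIENT_SECRET values in the connector above are references, not literals: Argo CD replaces a "$NAME" value in dex.config with the key NAME of the argocd-secret Secret, so the client credentials never have to be written into the ConfigMap. The following script is an added example, not code from the original post: it stores the two values in argocd-secret and checks that every "$NAME" reference in dex.config has a matching secret key, which is the usual cause of a connector that silently fails. The environment variable names GITLAB_APPLICATION_ID and GITLAB_CLIENT_SECRET are assumptions, and the sample config and key list at the end are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: keep Dex client credentials in
# argocd-secret and verify that dex.config references resolve.

NS="${ARGOCD_NAMESPACE:-argocd}"

# All "$NAME" references in a dex.config text read from stdin, one per line, deduplicated.
dex_secret_refs() {
  grep -o '\$[A-Za-z0-9_.-]*' | sed 's/^\$//' | sort -u
}

# Names in the first list (newline separated) that are absent from the second.
missing_keys() {
  printf '%s\n' "$1" | while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$ref" || printf '%s\n' "$ref"
  done
}

# Keys currently stored in argocd-secret (needs kubectl).
argocd_secret_keys() {
  kubectl -n "$NS" get secret argocd-secret \
    -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
}

# Base64 on one line (GNU base64 wraps at 76 characters by default).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Write the GitLab credentials into argocd-secret under the names dex.config uses.
store_gitlab_credentials() {
  [ -n "${GITLAB_APPLICATION_ID:-}" ] && [ -n "${GITLAB_CLIENT_SECRET:-}" ] ||
    { echo "export GITLAB_APPLICATION_ID and GITLAB_CLIENT_SECRET first" >&2; return 1; }
  kubectl -n "$NS" patch secret argocd-secret --type merge -p "{\"data\":{
    \"GITLAB_APPLICATION_ID\":\"$(b64 "$GITLAB_APPLICATION_ID")\",
    \"GITLAB_CLIENT_SECRET\":\"$(b64 "$GITLAB_CLIENT_SECRET")\"}}"
}

# Fail if dex.config references a key that argocd-secret does not hold.
check_dex_config() {
  cfg="$(kubectl -n "$NS" get configmap argocd-cm -o jsonpath='{.data.dex\.config}')"
  missing="$(missing_keys "$(printf '%s' "$cfg" | dex_secret_refs)" "$(argocd_secret_keys)")"
  [ -z "$missing" ] || { printf 'unresolved references in dex.config:\n%s\n' "$missing" >&2; return 1; }
  echo "every dex.config secret reference has a key in argocd-secret"
}

# Constructed sample: the connector from this post and a secret that lacks one key.
SAMPLE_DEX_CONFIG='connectors:
  - type: gitlab
    id: gitlab
    name: GitLab
    config:
      baseURL: https://gitlab.com
      clientID: $GITLAB_APPLICATION_ID
      clientSecret: $GITLAB_CLIENT_SECRET
      redirectURI: https://argocd.example.com/api/dex/callback'
SAMPLE_KEYS='admin.password
server.secretkey
GITLAB_APPLICATION_ID'
missing_keys "$(printf '%s' "$SAMPLE_DEX_CONFIG" | dex_secret_refs)" "$SAMPLE_KEYS"
```

Usage: export the two values, run `store_gitlab_credentials`, then `check_dex_config` before restarting argocd-server; the sample run at the end prints GITLAB_CLIENT_SECRET, the one reference the constructed key list does not satisfy.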

ArgoCD Configuration - Forward Proxy

If you run ArgoCD behind a forward proxy and want to use external Git repositories, adjust your deployment as follows:

kubectl edit configmap argocd-cm -n argocd

data:
  HTTP_PROXY: "http://your-proxy-server:port"
  HTTPS_PROXY: "http://your-proxy-server:port"
  NO_PROXY: |
    argocd-repo-server,
    argocd-application-controller,
    argocd-applicationset-controller,
    argocd-metrics,
    argocd-server,
    argocd-server-metrics,
    argocd-redis,
    argocd-redis-ha-haproxy,
    argocd-dex-server,
    localhost,
    127.0.0.1,
    kubernetes.default.svc,
    .svc.cluster.local,
    10.0.0.0/8

Replace 10.0.0.0/8 with your own internal CIDR.
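Proxy variables only take effect if they reach the environment of the process that opens the outbound connection, which for Git repositories is argocd-repo-server, and proxy-aware clients expect NO_PROXY as a single comma-separated line with no whitespace. The following script is an added example, not code from the original post: it flattens the readable list above into that form, sets the variables on the argocd-repo-server Deployment with kubectl set env, and shows how to confirm what the running container actually sees. The proxy URL and the 10.0.0.0/8 CIDR are placeholders, as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: put proxy settings where the
# outbound connection is made. PROXY_URL and the CIDR are placeholders.

NS="${ARGOCD_NAMESPACE:-argocd}"
PROXY_URL="${PROXY_URL:-http://your-proxy-server:port}"

# In-cluster destinations that must bypass the proxy, in the list form used above.
NO_PROXY_LIST='argocd-repo-server,
argocd-application-controller,
argocd-applicationset-controller,
argocd-metrics,
argocd-server,
argocd-server-metrics,
argocd-redis,
argocd-redis-ha-haproxy,
argocd-dex-server,
localhost,
127.0.0.1,
kubernetes.default.svc,
.svc.cluster.local,
10.0.0.0/8'

# "a,\nb,\n c" -> "a,b,c": one entry per comma, no whitespace, no empty entries.
flatten_no_proxy() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | paste -s -d ',' -
}

# Set both spellings: Go's net/http accepts either case, but git (via libcurl)
# reads http_proxy only in lower case.
set_repo_server_proxy() {
  no_proxy="$(flatten_no_proxy "$NO_PROXY_LIST")"
  kubectl -n "$NS" set env deployment/argocd-repo-server \
    HTTP_PROXY="$PROXY_URL" HTTPS_PROXY="$PROXY_URL" NO_PROXY="$no_proxy" \
    http_proxy="$PROXY_URL" https_proxy="$PROXY_URL" no_proxy="$no_proxy"
  kubectl -n "$NS" rollout status deployment/argocd-repo-server
}

# What the running container sees is what counts; check it there, not in the ConfigMap.
show_repo_server_proxy() {
  kubectl -n "$NS" exec deployment/argocd-repo-server -- env | grep -i '_proxy='
}

flatten_no_proxy "$NO_PROXY_LIST"
```

If the GitLab SSO flow also has to pass through the proxy, run the same `kubectl set env` against deployment/argocd-dex-server, which is the component that talks to gitlab.com.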

ArgoCD Complete Config:

Your whole ConfigMap (argocd-cm) should now look like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
      - type: gitlab
        id: gitlab
        name: GitLab
        config:
          baseURL: https://gitlab.com
          clientID: $GITLAB_APPLICATION_ID
          clientSecret: $GITLAB_CLIENT_SECRET
          redirectURI: https://argocd.example.com/api/dex/callback
  users.anonymous.enabled: "false"
  HTTP_PROXY: "http://your-proxy-server:port"
  HTTPS_PROXY: "http://your-proxy-server:port"
  NO_PROXY: |
    argocd-repo-server,
    argocd-application-controller,
    argocd-applicationset-controller,
    argocd-metrics,
    argocd-server,
    argocd-server-metrics,
    argocd-redis,
    argocd-redis-ha-haproxy,
    argocd-dex-server,
    localhost,
    127.0.0.1,
    kubernetes.default.svc,
    .svc.cluster.local,
    10.0.0.0/8
  tls.certs: |
    -----BEGIN CERTIFICATE-----
    <Your Root CA certificate content here>
    -----END CERTIFICATE-----