ArgoCD
ArgoCD deploys your application to the cluster from a Git repository. The objects below (an AppProject, a repository credential Secret, and an Application) define what may be deployed, from where, to which namespaces, and by whom.
Prerequisites
Before configuring ArgoCD, ensure you have the following:
- Azure AD Group: Create a new Azure AD group. Members of this group will be granted admin permissions on the project in ArgoCD through the role mapping shown below, so keep its membership limited to the people who should be able to sync and delete the project's applications.
Configuring AppProject
Create an AppProject to manage your deployments. This object is ArgoCD's boundary for a tenant: it defines which clusters and namespaces Applications may deploy to (destinations), which Git repositories they may pull manifests from (sourceRepos), which roles exist and which Azure AD groups hold them, and which Kubernetes resource kinds the manifests may contain. Anything outside these boundaries is rejected at sync time, so review changes to this object as carefully as changes to cluster RBAC.
Here is a sample AppProject configuration for a client:
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: satoshi-port
  namespace: kube360-system
spec:
  description: Satoshi Port project
  # Allow deploying only to these namespaces of the in-cluster destination
  destinations:
    - namespace: satoshi-sandbox
      server: https://kubernetes.default.svc
    - namespace: satoshi-mainnet
      server: https://kubernetes.default.svc
  # Allow manifests from a specific Git repository only
  sourceRepos:
    - 'https://github.com/Satoshi-Port/devops.git'
  # Define roles and link them to Azure AD groups
  roles:
    - name: satoshi-staff
      description: Admin access to satoshi-port
      # Policy lines are "p, subject, resource, action, object, effect";
      # the first grants every application action inside this project only
      policies:
        - p, proj:satoshi-port:satoshi-staff, applications, *, satoshi-port/*, allow
        - p, proj:satoshi-port:satoshi-staff, projects, get, satoshi-port, allow
      # Assign your Azure AD group to this role. The value must match what the
      # groups claim from your OIDC provider carries; Azure AD emits group
      # object IDs by default unless it has been configured to emit names.
      groups:
        - Satoshi Staff
  # Restrict deployments to specific kinds of cluster resources.
  # An empty cluster-scoped whitelist means no cluster-scoped resource
  # (Namespace, ClusterRole, ClusterRoleBinding, CRDs, ...) can be created
  # from this project, which is the intended least-privilege default.
  clusterResourceWhitelist: []
  namespaceResourceWhitelist:
    - group: ''
      kind: 'Pod'
    - group: ''
      kind: 'Service'
    - group: ''
      kind: 'Secret'
    - group: 'apps'
      kind: 'Deployment'
    - group: 'apps'
      kind: 'ReplicaSet'
    - group: 'networking.k8s.io'
      kind: 'Ingress'
    - group: 'bitnami.com'
      kind: 'SealedSecret'
    - group: 'cert-manager.io'
      kind: 'Certificate'
    - group: 'traefik.io'
      kind: 'IngressRoute'
    - group: 'barmancloud.cnpg.io'
      kind: 'ObjectStore'
    - group: 'postgresql.cnpg.io'
      kind: 'Cluster'
    - group: 'postgresql.cnpg.io'
      kind: 'ScheduledBackup'
    - group: 'postgresql.cnpg.io'
      kind: 'Backup'
    - group: 'postgresql.cnpg.io'
      kind: 'Database'
    - group: 'monitoring.coreos.com'
      kind: 'PodMonitor'
Note: You can similarly create a read-only role if required, for example with the single policy `p, proj:satoshi-port:satoshi-viewer, applications, get, satoshi-port/*, allow` mapped to a second Azure AD group. Note also that the namespace whitelist includes Secret: anyone who can push to the source repository can therefore create Secrets in these namespaces, so protect the repository's main branch accordingly.
Secret for Repository Communication
ArgoCD needs credentials to read your repository. It picks them up from any Secret in its own namespace that carries the label `argocd.argoproj.io/secret-type: repository`; committing that Secret as a SealedSecret keeps the token encrypted in Git. Give the token read access to this one repository only: ArgoCD only clones, it never needs write access. Below is an example of how this looks when using SealedSecret:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: argo-satoshi-github
  namespace: kube360-system
spec:
  encryptedData:
    password: REDACTED
    type: REDACTED
    url: REDACTED
    username: REDACTED
  template:
    metadata:
      # This label is what makes ArgoCD treat the unsealed Secret as a repository credential
      labels:
        argocd.argoproj.io/secret-type: repository
      name: argo-satoshi-github
      namespace: kube360-system
Generating the Secret via CLI
Rather than hand-writing the manifest, generate the plain Secret with kubectl, add the repository label with jq, and encrypt it with kubeseal against the controller's public certificate. Two caveats: `--from-literal` places the token on the command line, where it ends up in shell history and process listings, so for a real token prefer `--from-file=password=<path>` with a file that only you can read; and the `--namespace` given to kubeseal must match the namespace the Secret will live in, because a SealedSecret is by default bound to its namespace and name and will not unseal anywhere else.
kubectl create secret generic argo-satoshi-github \
  --from-literal=type=git \
  --from-literal=password=REDACTED \
  --from-literal=url=https://github.com/Satoshi-Port/devops \
  --from-literal=username=psibi \
  --dry-run=client -o=json | \
  jq '.metadata.labels = {"argocd.argoproj.io/secret-type":"repository"}' | \
  kubeseal --cert=./kubeseal.crt --namespace=kube360-system -o=yaml
Creating an Application
Finally, create an Application resource bound to the AppProject. The `project` field is what makes the destination, repository and resource restrictions apply: an Application whose source or destination falls outside the project's lists will fail to sync.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: satoshi-sandbox
  # Applications must be created in the ArgoCD namespace, the same one
  # that holds the AppProject above
  namespace: kube360-system
spec:
  project: satoshi-port
  source:
    repoURL: https://github.com/Satoshi-Port/devops.git
    targetRevision: main
    path: k3s/staging
  destination:
    server: https://kubernetes.default.svc
    namespace: satoshi-sandbox
  # An empty syncPolicy block defaults to manual sync: drift from Git is
  # reported as OutOfSync but nothing is applied until someone triggers a sync.
  syncPolicy: {}
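ArgoCD only enforces the AppProject boundaries (destinations, sourceRepos, the two resource whitelists and the role policies) when it tries to sync, which means a misconfigured Application is discovered late. The following Python script is an added example, not part of this page or of ArgoCD's own code, that reimplements those checks in simplified form so they can run in CI against an Application and its rendered manifests before anything reaches the cluster. The PROJECT, GOOD_APP and manifest data are constructed copies of the manifests above; BAD_APP, the manifest tuples and the CLUSTER_SCOPED set are made up for illustration, and glob matching uses fnmatch rather than ArgoCD's own glob library.

```python
"""Lint ArgoCD Applications against an AppProject before they reach the cluster.

Added example, not ArgoCD code. Matching is simplified to fnmatch globs, and
cluster scope is a hand-maintained set instead of API-server discovery.
"""
from fnmatch import fnmatchcase

# Constructed copy of the satoshi-port AppProject from this page.
PROJECT = {
    "name": "satoshi-port",
    "destinations": [
        {"server": "https://kubernetes.default.svc", "namespace": "satoshi-sandbox"},
        {"server": "https://kubernetes.default.svc", "namespace": "satoshi-mainnet"},
    ],
    "sourceRepos": ["https://github.com/Satoshi-Port/devops.git"],
    "clusterResourceWhitelist": [],  # empty: nothing cluster-scoped may be created
    "namespaceResourceWhitelist": [
        ("", "Pod"), ("", "Service"), ("", "Secret"),
        ("apps", "Deployment"), ("apps", "ReplicaSet"),
        ("networking.k8s.io", "Ingress"), ("bitnami.com", "SealedSecret"),
        ("cert-manager.io", "Certificate"), ("traefik.io", "IngressRoute"),
        ("postgresql.cnpg.io", "Cluster"), ("monitoring.coreos.com", "PodMonitor"),
    ],
    "roles": {
        "satoshi-staff": [
            "p, proj:satoshi-port:satoshi-staff, applications, *, satoshi-port/*, allow",
            "p, proj:satoshi-port:satoshi-staff, projects, get, satoshi-port, allow",
        ],
    },
}

# Assumption: a hand-maintained set of cluster-scoped (group, kind) pairs.
CLUSTER_SCOPED = {
    ("", "Namespace"),
    ("rbac.authorization.k8s.io", "ClusterRole"),
    ("rbac.authorization.k8s.io", "ClusterRoleBinding"),
    ("apiextensions.k8s.io", "CustomResourceDefinition"),
}


def normalize_repo(url):
    """Strip a trailing slash and .git so 'repo' and 'repo.git' compare equal."""
    url = url.strip().rstrip("/")
    if url.endswith(".git"):
        url = url[:-4]
    return url.lower()


def destination_allowed(project, server, namespace):
    return any(fnmatchcase(server, d["server"]) and fnmatchcase(namespace, d["namespace"])
               for d in project["destinations"])


def repo_allowed(project, url):
    return any(fnmatchcase(normalize_repo(url), normalize_repo(pattern))
               for pattern in project["sourceRepos"])


def resource_allowed(project, group, kind):
    """Cluster-scoped kinds are checked against the cluster whitelist, all others
    against the namespace whitelist; an empty whitelist denies every kind."""
    key = "clusterResourceWhitelist" if (group, kind) in CLUSTER_SCOPED else "namespaceResourceWhitelist"
    return any(fnmatchcase(group, g) and fnmatchcase(kind, k) for g, k in project[key])


def role_allows(project, role, resource, action, obj):
    """Evaluate 'p, subject, resource, action, object, effect' lines the way
    ArgoCD's RBAC model does: a matching deny wins, otherwise any matching allow."""
    subject = "proj:%s:%s" % (project["name"], role)
    allowed = False
    for line in project["roles"][role]:
        _, sub, res, act, pattern, effect = [f.strip() for f in line.split(",")]
        if sub != subject:
            continue
        if fnmatchcase(resource, res) and fnmatchcase(action, act) and fnmatchcase(obj, pattern):
            if effect == "deny":
                return False
            allowed = True
    return allowed


def check_application(project, app, manifests):
    """Return every reason the project would refuse this Application.
    manifests is a list of (group, kind, name) tuples from the rendered source."""
    problems = []
    if app["project"] != project["name"]:
        problems.append("application belongs to project %r, not %r" % (app["project"], project["name"]))
    if not repo_allowed(project, app["repoURL"]):
        problems.append("repoURL not in sourceRepos: " + app["repoURL"])
    if not destination_allowed(project, app["server"], app["namespace"]):
        problems.append("destination not permitted: %s %s" % (app["server"], app["namespace"]))
    for group, kind, name in manifests:
        if not resource_allowed(project, group, kind):
            problems.append("resource kind not whitelisted: %s/%s %s" % (group or "core", kind, name))
    return problems


# Constructed inputs: the satoshi-sandbox Application from this page, and a
# made-up Application that tries to leave the project's boundaries.
GOOD_APP = {"project": "satoshi-port", "repoURL": "https://github.com/Satoshi-Port/devops.git",
            "server": "https://kubernetes.default.svc", "namespace": "satoshi-sandbox"}
BAD_APP = {"project": "satoshi-port", "repoURL": "https://github.com/someone-else/devops.git",
           "server": "https://kubernetes.default.svc", "namespace": "kube-system"}
GOOD_MANIFESTS = [("apps", "Deployment", "api"), ("", "Service", "api")]
BAD_MANIFESTS = GOOD_MANIFESTS + [("rbac.authorization.k8s.io", "ClusterRoleBinding", "api-admin")]

if __name__ == "__main__":
    for label, app, manifests in (("good", GOOD_APP, GOOD_MANIFESTS), ("bad", BAD_APP, BAD_MANIFESTS)):
        problems = check_application(PROJECT, app, manifests)
        print(label, "OK" if not problems else "\n  ".join(["REJECTED:"] + problems))
```

Run against the good Application the checker returns no problems; against BAD_APP it reports the foreign repository, the kube-system destination and the ClusterRoleBinding that the empty clusterResourceWhitelist forbids. The role check shows why the policy object pattern matters: `satoshi-port/*` grants sync on `satoshi-port/satoshi-sandbox` but nothing in any other project, and `projects, get` does not extend to updating the project itself.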