Argo CD

Contents

Introduction

Argo CD is an open source GitOps operator for Kubernetes. The project is a part of the Argo family, a set of cloud-native tools for running and managing jobs and applications on Kubernetes:

  • Argo CD: Declarative continuous delivery with a fully-loaded UI.
  • Argo Rollouts: Advanced Kubernetes deployment strategies such as Canary and Blue-Green made easy.
  • Argo Events: Event based dependency management for Kubernetes.

In 2020 Argo CD was accepted by the Cloud Native Computing Foundation (CNCF) as an incubation-level hosted project. In 2022 Argo family was CNCF graduated project (Graduated projects are considered stable and used successfully in production).

Continuous Deployment (CD)

Continuous deployment (CD) is a strategy or methodology for software releases where any new code update or change made through the rigorous automated test process is deployed directly into the live production environment, where it will be visible to customers (users).

GitOps

Git is the most widely used version-control system in the software industry today. GitOps is a set of procedures that uses the power of Git to provide both revision and change control within the Kubernetes platform.

Using GitOps with Kubernetes is a natural fit, with the deployment of declara- tive Kubernetes manifest files being controlled by common Git operations. GitOps brings the core benefits of Infrastructure as Code and immutable infrastructure to the deployment, monitoring, and life-cycle management of Kubernetes applications in an intuitive, accessible way.

ArgoCD Operation overview

Argo CD follows the GitOps pattern of using Git repositories as the source of truth for defining the desired application state. Kubernetes manifests can be specified in several ways:

  • kustomize applications
  • helm charts
  • jsonnet files
  • Plain directory of YAML/json manifests
  • Any custom config management tool configured as a config management plugin

Argo CD automates the deployment of the desired application states in the specified target environments. Application deployments can track updates to branches, tags, or pinned to a specific version of manifests at a Git commit.

Installation

You can install ArgoCD in two different fashions, one of them is fully of features, and the other one is a sort of headless installation without UI, SSO and other features.

Fully installation

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

This will create a new namespace, argocd, where Argo CD services and application resources will live. The installation manifests include ClusterRoleBinding resources that reference argocd namespace. If you are installing Argo CD into a different namespace then make sure to update the namespace reference.

This installation creates a set of:

  • customresourcedefinitions
  • serviceaccounts
  • role.rbac, clusterrole.rbac, rolebinding.rbac, clusterrolebinding.rbac
  • configmaps
  • secrets
  • deployment, statefulsets
  • networkpolicy

Only Core installation

The core installation is most suitable for cluster administrators who independently use Argo CD and don’t need multi-tenancy features. This installation includes fewer components and is easier to setup. The bundle does not include the API server or UI, and installs the lightweight (non-HA) version of each component.

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/core-install.yaml

Download Argo CD CLI

curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
mv argocd-linux-amd64 $HOME/.local/bin/argocd
chmod +x $HOME/.local/bin/argocd

argocd version

argocd: v2.5.4+86b2dde
  BuildDate: 2022-12-06T20:09:11Z
  GitCommit: 86b2dde8e4bf1187acd2b4294e94451cd104dad8
  GitTreeState: clean
  GoVersion: go1.18.8
  Compiler: gc
  Platform: linux/amd64
FATA[0000] Argo CD server address unspecified

Inspect ArgoCD components

kubectl get po -n argocd
NAME                                                READY   STATUS    RESTARTS   AGE
argocd-application-controller-0                     1/1     Running   0          3m38s
argocd-applicationset-controller-66b744f75b-jw9n4   1/1     Running   0          3m39s
argocd-dex-server-d5848bfff-d77d8                   1/1     Running   0          3m39s
argocd-notifications-controller-69996dd789-9sr4p    1/1     Running   0          3m38s
argocd-redis-684fb8c6dd-bmn62                       1/1     Running   0          3m38s
argocd-repo-server-5b9d7dfb9b-sxt4x                 1/1     Running   0          3m38s
argocd-server-6f4bf59f96-kdr7r                      1/1     Running   0          3m38s

Argo CD is largely stateless, all data is persisted as Kubernetes objects, which in turn is stored in Kubernetes’ etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.

  • argocd-repo-server

The argocd-repo-server is responsible for cloning Git repository, keeping it up to date and generating manifests using the appropriate tool.

  • argocd-application-controller

The argocd-application-controller uses argocd-repo-server to get generated manifests and Kubernetes API server to get actual cluster state.

  • argocd-server

The argocd-server is stateless and probably least likely to cause issues. You might consider increasing number of replicas to 3 or more to ensure there is no downtime during upgrades.

  • argocd-dex-server, argocd-redis

The argocd-dex-server uses an in-memory database, and two or more instances would have inconsistent data. argocd-redis is pre-configured with the understanding of only three total redis servers/sentinels.

ArgoCD UI Access

By default, the Argo CD API server is not exposed with an external IP. A simple way of accessing tho the UI server is using kubectl port-forwarding to the API server without exposing the service:

kubectl port-forward svc/argocd-server -n argocd 8080:443

The API server can then be accessed using https://localhost:8080

The initial password for the admin account is auto-generated and stored as clear text in the field password in a secret named argocd-initial-admin-secret in your Argo CD installation namespace. You can simply retrieve this password using kubectl:

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
k4tynBk3hzJ8i82Q

The API server can then be accessed using https://localhost:8080 (admin/k4tynBk3hzJ8i82Q)

Note: You should delete the argocd-initial-admin-secret from the Argo CD namespace once you changed the password. The secret serves no other purpose than to store the initially generated password in clear and can safely be deleted at any time. It will be re-created on demand by Argo CD if a new admin password must be re-generated.

Changing the user/password with the CLI

argocd login localhost:8080
    WARNING: server certificate had error: x509: certificate signed by unknown authority. Proceed insecurely (y/n)? y
    Username: admin
    Password: 
    'admin:login' logged in successfully
    Context 'localhost:8080' updated

argocd account update-password

Note: The CLI environment must be able to communicate with the Argo CD API server. If it isn’t directly accessible with the running “Kubectl port-forwarding”, you can tell the CLI to access it using port forwarding through one of these mechanisms: 1) add --port-forward-namespace argocd flag to every CLI command; or 2) set ARGOCD_OPTS environment variable: export ARGOCD_OPTS='--port-forward-namespace argocd'.