
ArgoCD as core deployment engine

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.

METIS relies extensively on Argo CD to maintain the platform state. To make full use of METIS, you need a solid understanding of Argo CD concepts and operations.

We encourage you to read the Argo CD documentation.

Installation

Install Argo CD

Add Argo Helm chart repository

helm repo add argo https://argoproj.github.io/argo-helm
helm repo update

Install the Helm chart with default values

helm install argocd argo/argo-cd --namespace argocd --create-namespace

Configure access to private repositories

METIS modules are stored in private repositories, so you need to provide the required credentials to Argo CD. For the initial setup, go directly to Credentials for METIS modules.

You can set them either after Argo CD is deployed (see the private repositories documentation) or declaratively through Kubernetes manifests.

For both cases, you can:

  • either provide a tuple {user,password/token} for each repository,
  • or use the credentials templates to avoid repeating these.

To summarize, see the table below:

| Scope | Argo WebUI | declarative: Kubernetes secret | declarative: Helm chart |
|---|---|---|---|
| one repository: credentials | connect button | secret-type repository | configs.repositories in values file |
| group of repositories: credentials templates | save as credentials template button | secret-type repo-creds | configs.credentialTemplates in values file |

The declarative setup through a Kubernetes secret lets you store your Argo CD values in git without any sensitive information in them.

Credentials for METIS modules

The recommended setup is a repository credentials Kubernetes secret like this one:

apiVersion: v1
kind: Secret
metadata:
  name: metis-repo-creds
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repo-creds
stringData:
  type: git
  url: https://gitlab.si.c-s.fr/space_platforms/metis/modules
  username: <GITLAB-DEPLOY-TOKEN-NAME>
  password: <GITLAB-TOKEN>
where the METIS team will provide you with a deploy token (<GITLAB-DEPLOY-TOKEN-NAME>/<GITLAB-TOKEN>) to access the modules code.

Copy this content to a file (metis-repo-creds.yaml for example), and apply it:

kubectl apply -f metis-repo-creds.yaml
Remark: this file contains a secret and should not be stored in a VCS such as git.
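One way to avoid having the token in a file at all is to render the same Secret from environment variables and pipe it straight into kubectl. The script below is an added example, not part of the METIS documentation or the Argo CD project: it produces the repo-creds Secret shown above (same label, same fields, base64-encoded `data` instead of `stringData`), refuses a non-https repository URL or a URL with embedded credentials, and writes the manifest to stdout so that `python render_repo_creds.py | kubectl apply -f -` never leaves the token on disk. The environment variable names METIS_DEPLOY_TOKEN_NAME and METIS_DEPLOY_TOKEN are assumptions of this example.

```python
"""Render the Argo CD repo-creds Secret from environment variables.

Added example (not METIS or Argo CD code). Usage, with the variable names
assumed by this example:

    METIS_DEPLOY_TOKEN_NAME=... METIS_DEPLOY_TOKEN=... \
        python render_repo_creds.py | kubectl apply -f -
"""
import base64
import json
import os
import sys
from urllib.parse import urlparse

# Repository URL from the documentation above.
METIS_MODULES_URL = "https://gitlab.si.c-s.fr/space_platforms/metis/modules"


def validate_repo_url(url: str) -> str:
    """Refuse URLs that would leak the token or match too broadly.

    A repo-creds template applies to every repository whose URL starts
    with this prefix, so it must be https (the token travels with every
    git request) and must not carry credentials of its own.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-https repository URL: {url}")
    if parsed.username or parsed.password:
        raise ValueError("credentials belong in the Secret, not in the URL")
    if not parsed.netloc or not parsed.path.strip("/"):
        raise ValueError("repository URL must name a host and a path prefix")
    return url.rstrip("/")


def build_repo_creds_secret(url: str, username: str, password: str,
                            name: str = "metis-repo-creds",
                            namespace: str = "argocd") -> dict:
    """Return the Secret manifest as a dict, ready for `kubectl apply -f -`.

    `data` is used rather than `stringData` so the rendered document only
    carries base64 values; the label tells Argo CD this is a credential
    template for all repositories under `url`.
    """
    if not username or not password:
        raise ValueError("username and password/token must both be set")
    url = validate_repo_url(url)

    def b64(value: str) -> str:
        return base64.b64encode(value.encode()).decode()

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "labels": {"argocd.argoproj.io/secret-type": "repo-creds"},
        },
        "type": "Opaque",
        "data": {
            "type": b64("git"),
            "url": b64(url),
            "username": b64(username),
            "password": b64(password),
        },
    }


def decode_secret_field(manifest: dict, key: str) -> str:
    """Read a field back from the rendered manifest (for checks and tests)."""
    return base64.b64decode(manifest["data"][key]).decode()


def main() -> int:
    # Variable names are assumptions of this example.
    token_name = os.environ.get("METIS_DEPLOY_TOKEN_NAME", "")
    token = os.environ.get("METIS_DEPLOY_TOKEN", "")
    try:
        manifest = build_repo_creds_secret(METIS_MODULES_URL, token_name, token)
    except ValueError as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 1
    # kubectl accepts JSON as well as YAML on stdin.
    json.dump(manifest, sys.stdout, indent=2)
    print()
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The rendered document is equivalent to the YAML above; only the delivery path changes, so the remark about not committing the file becomes moot because there is no file.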

Optional ArgoCD configuration

Default values of the ArgoCD Helm chart can be found on ArtifactHub.

Refer to the Argo CD operator manual for more configuration options.

If needed, you can configure Argo CD as described in the following paragraphs. To do so, put the additional configuration in a Helm values file (for example argocd-values.yaml) containing the relevant options.

Then upgrade the Argo CD deployment:

helm upgrade argocd argo/argo-cd --namespace argocd --values argocd-values.yaml

Expose Argo CD with Ingress

Update your Helm chart values with the following configuration.

Declare Web UI in Ingress

server:

  certificate:
    enabled: true
    domain: argocd.<domain_name>
    issuer:
      kind: ClusterIssuer
      name: letsencrypt-prod

  certificateSecret:
    enabled: true
    secretName: argocd.<domain_name>-tls

  ingress:
    enabled: true
    annotations:
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt-prod
    ingressClassName: nginx
    hosts:
      - argocd.<domain_name>
    https: true
    tls:
      - secretName: argocd.<domain_name>-tls
        hosts:
          - argocd.<domain_name>

  config:
    url: https://argocd.<domain_name>
Where:

  • <domain_name>: platform base URL
Declare WebHook in Ingress

By default, Argo CD polls git repositories every 3 minutes. If you want to remove the delay between a change pushed to your git repository and the Argo CD synchronization, you need to configure a webhook.

applicationSet:
  webhook:
    ingress:
      annotations:
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
        cert-manager.io/cluster-issuer: letsencrypt-prod
      enabled: true
      hosts:
      - argocd.<domain_name>
      ingressClassName: nginx
      tls:
      - hosts:
        - argocd.<domain_name>
        secretName: argocd.<domain_name>-tls

configs:
  secret:
    gitlabSecret: <GITLAB_WEBHOOK_SECRET>
Where:

  • <domain_name>: platform base URL
  • <GITLAB_WEBHOOK_SECRET>: a randomly generated secret shared between Argo CD and GitLab.

Read Argo CD documentation related to Ingress configuration to see all the available possibilities.
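The webhook secret above is what lets the receiving side tell GitLab's calls apart from anyone else's: GitLab sends the configured "Secret token" verbatim in the X-Gitlab-Token header of every webhook request, and the receiver accepts the event only if that header matches the value it holds (configs.secret.gitlabSecret here). The snippet below is an added example standing in for that check, not Argo CD's own webhook handler or METIS code: it generates a suitable <GITLAB_WEBHOOK_SECRET>, verifies the header with a constant-time comparison, rejects a blank configured secret (which would otherwise match an empty header), and runs over three constructed requests.

```python
"""Shared-secret check for an incoming GitLab webhook.

Added example, not Argo CD or METIS code. GitLab puts the webhook
"Secret token" in the X-Gitlab-Token header; the receiver must compare it
with the secret it was configured with before acting on the event.
"""
import hmac
import secrets
from typing import Dict, List, Mapping, Tuple


def generate_webhook_secret(nbytes: int = 32) -> str:
    """Produce a <GITLAB_WEBHOOK_SECRET> value: 32 random bytes, URL-safe.

    Paste the same string into the GitLab webhook's "Secret token" field
    and into configs.secret.gitlabSecret.
    """
    return secrets.token_urlsafe(nbytes)


def verify_gitlab_webhook(headers: Mapping[str, str], expected_secret: str) -> bool:
    """Return True only if X-Gitlab-Token equals the configured secret.

    Header names are matched case-insensitively (HTTP allows any case);
    an empty configured secret never matches, because a blank secret would
    let every request through; the comparison is constant-time so the
    secret cannot be recovered byte by byte from response timings.
    """
    if not expected_secret:
        return False
    presented = next(
        (v for k, v in headers.items() if k.lower() == "x-gitlab-token"), None
    )
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def classify_requests(requests: List[Tuple[str, Dict[str, str]]],
                      expected_secret: str) -> Dict[str, bool]:
    """Map each labelled request to whether it would be accepted."""
    return {label: verify_gitlab_webhook(h, expected_secret) for label, h in requests}


# Constructed sample: the secret this receiver was configured with and three
# incoming requests. A real deployment uses generate_webhook_secret() output.
CONFIGURED_SECRET = "constructed-shared-secret-for-example"

SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("gitlab-push", {"X-Gitlab-Event": "Push Hook",
                     "X-Gitlab-Token": "constructed-shared-secret-for-example"}),
    ("wrong-token", {"X-Gitlab-Event": "Push Hook",
                     "X-Gitlab-Token": "guessed-value"}),
    ("no-token", {"X-Gitlab-Event": "Push Hook"}),
]

if __name__ == "__main__":
    print("fresh secret:", generate_webhook_secret())
    for label, ok in classify_requests(SAMPLE_REQUESTS, CONFIGURED_SECRET).items():
        print(f"{label:12s} -> {'accepted' if ok else 'rejected'}")
```

Only the first sample request is accepted; the one with a wrong token and the one with no token are both rejected, which is the behaviour the shared secret buys you once the webhook Ingress is reachable from the Internet.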

Enable authentication with Keycloak

Please read the official documentation for detailed information!

To enable Argo CD authentication with OpenID Connect and Keycloak, update your Argo CD values to add the following parameters:

server:
  rbac:
    Config:
      policy.default: role:readonly
      policy.csv: |
        g, ArgoCDAdmins, role:admin
      scopes: '[groups]'

  # disable default admin login
  admin.enabled: "false"

configs:
  cm:
    oidc.config:
      name: Keycloak
      issuer: https://<KEYCLOAK_URL>/realms/<KEYCLOAK_REALM>
      clientID: <KEYCLOAK_OIDC_CLIENT_ID>
      clientSecret: $oidc.keycloak.clientSecret
      requestedScopes: ["openid", "profile", "email", "groups"]
      requestedIDTokenClaims: {"groups": {"essential": true}}
      logoutURL: http://<KEYCLOAK_URL>/realms/<KEYCLOAK_REALM>/protocol/openid-connect/logout

  secret:
    extra:
      oidc.keycloak.clientSecret: <KEYCLOAK_OIDC_CLIENT_SECRET>
Where:

  • <KEYCLOAK_URL>: base URL of Keycloak. E.g. https://auth.myplatform.com
  • <KEYCLOAK_REALM>: name of Keycloak realm.
  • <KEYCLOAK_OIDC_CLIENT_ID>: OIDC client ID
  • <KEYCLOAK_OIDC_CLIENT_SECRET>: OIDC client secret
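With the values above, the roles a user gets depend on the groups claim in the Keycloak ID token: members of ArgoCDAdmins become role:admin through the `g` line in policy.csv, and everyone else falls back to policy.default, i.e. role:readonly. The code below is an added, deliberately simplified model of that mapping, not Argo CD's RBAC engine (Argo CD uses Casbin and also evaluates `p` policy lines, which this parser skips). It shows the failure mode worth testing after setup: if the groups scope or claim is missing from the token, every user, administrators included, lands on role:readonly. The tokens are constructed claim sets, not real Keycloak output.

```python
"""Simplified model of groups-claim to Argo CD role resolution.

Added example, not Argo CD's RBAC implementation. Only `g, <group>, <role>`
lines of policy.csv are modelled, plus policy.default for users whose
groups match nothing.
"""
from typing import Dict, Iterable, List, Set

# Values taken from the Helm values above.
POLICY_CSV = """
g, ArgoCDAdmins, role:admin
"""
POLICY_DEFAULT = "role:readonly"


def parse_group_bindings(policy_csv: str) -> Dict[str, Set[str]]:
    """Return {group: {roles}} from the `g` lines of policy.csv.

    Blank lines and `#` comments are skipped; `p` lines are ignored by this
    simplified model; a malformed `g` line raises rather than being
    silently dropped, since a typo here changes who is an administrator.
    """
    bindings: Dict[str, Set[str]] = {}
    for raw in policy_csv.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] != "g":
            continue
        if len(fields) != 3 or not fields[1] or not fields[2]:
            raise ValueError(f"malformed g line: {raw!r}")
        bindings.setdefault(fields[1], set()).add(fields[2])
    return bindings


def roles_for_token(claims: dict, bindings: Dict[str, Set[str]],
                    default_role: str) -> List[str]:
    """Roles granted to the bearer of an ID token.

    `scopes: '[groups]'` tells Argo CD to read the `groups` claim; a token
    without it, or whose groups match no binding, gets only the default.
    """
    groups: Iterable[str] = claims.get("groups", [])
    granted: Set[str] = set()
    for group in groups:
        granted |= bindings.get(group, set())
    return sorted(granted) if granted else [default_role]


# Constructed tokens: a platform admin, a regular user, and a token issued
# without the groups claim (e.g. no groups mapper on the Keycloak client).
SAMPLE_TOKENS = {
    "alice": {"sub": "alice", "email": "alice@example.invalid",
              "groups": ["ArgoCDAdmins", "developers"]},
    "bob": {"sub": "bob", "email": "bob@example.invalid",
            "groups": ["developers"]},
    "no-groups-claim": {"sub": "carol", "email": "carol@example.invalid"},
}


def resolve_all(tokens: dict = SAMPLE_TOKENS, policy_csv: str = POLICY_CSV,
                default_role: str = POLICY_DEFAULT) -> Dict[str, List[str]]:
    """Resolve every sample token against the policy."""
    bindings = parse_group_bindings(policy_csv)
    return {name: roles_for_token(claims, bindings, default_role)
            for name, claims in tokens.items()}


if __name__ == "__main__":
    for name, roles in resolve_all().items():
        print(f"{name:16s} -> {', '.join(roles)}")
```

After enabling OIDC, log in with an account that should be an administrator and confirm it is not read-only; if it is, check that the Keycloak client actually emits the groups claim with the group name spelled exactly as in policy.csv.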