A GitOps continuous delivery tool for Kubernetes
Nothing but the Truth
Private Repos
Argo CD can interact with private Git repositories, allowing you to manage your applications even if their manifests are stored in a private repository. This interaction is achieved by providing Argo CD with the necessary credentials to access the private repository. To configure repository credentials, you need to create a Secret in the same namespace as the Argo CD API server (Listing 5). Secret should contain the necessary credentials to access the private repository.
Listing 5
Private GitHub Repo Secret
apiVersion: v1 kind: Secret metadata: name: my-repo-secret labels: argocd.argoproj.io/secret-type: repository type: Opaque stringData: url: https://github.com/my-org/my-repo.git username: my-username password: my-password
If your private repository uses SSH keys for authentication, you can provide the SSH private key in the Secret instead of a username and password (Listing 6). The url
field specifies the SSH URL of the private repository, and the sshPrivateKey
field provides the SSH private key. Once the Secret is created, Argo CD can use the provided credentials to access the private repository and manage your applications.
Listing 6
SSH Private Key in a Secret
apiVersion: v1 kind: Secret metadata: name: my-repo-secret labels: argocd.argoproj.io/secret-type: repository type: Opaque stringData: url: git@github.com:my-org/my-repo.git sshPrivateKey: | -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
Multicluster Management
Argo CD supports multicluster deployments, allowing you to manage applications across multiple Kubernetes clusters. Multicluster deployments are particularly useful for managing large-scale deployments and multitenant environments. For example, you can create Argo CD applications for different clusters (Listing 7).
Listing 7
Apps for Different Clusters
# Cluster 1 argocd app create my-app-cluster1 --repo https://github.com/my-org/my-repo.git --path /path/to/application/manifests --dest-namespace default --dest-server https://cluster1.kubernetes.default.svc --sync-policy automated # Cluster 2 argocd app create my-app-cluster2 --repo https://github.com/my-org/my-repo.git --path /path/to/application/manifests --dest-namespace default --dest-server https://cluster2.kubernetes.default.svc --sync-policy automated
In this example,
https://cluster1.kubernetes.default.svc
and
https://cluster2.kubernetes.default.svc
are the API servers for the two clusters.
User Management
User management is a crucial aspect of any system, and Argo CD is no exception. Argo CD provides robust user management capabilities, including integration with various authentication providers. It has a built-in user management system that allows you to create and manage users. By default, Argo CD comes with an admin user, for whom you can change the password:
argocd account update-password --current-password <current-password> --new-password <new-password>
Argo CD supports integration with various authentication providers with Dex, which can authenticate users against a variety of sources, including static users and the LDAP, SAML, and OAuth2 standards. For example, to integrate Argo CD with GitHub for authentication, you can configure Dex in the argocd-cm
ConfigMap (Listing 8).
Listing 8
Integrating Argo CD with GitHub
apiVersion: v1 kind: ConfigMap metadata: name: argocd-cm namespace: argocd data: dex.config: | connectors: - type: github id: github name: GitHub config: clientID: <github-client-id> clientSecret: <github-client-secret> redirectURI: <argo-cd-redirect-uri> orgs: - name: my-org
Replace <github-client-id>
and <github-client-secret>
with your GitHub OAuth app's client ID and client secret, respectively. Replace <argo-cd-redirect-uri>
with the redirect URI for your Argo CD instance. Once you've configured Dex, users can log in to Argo CD with their GitHub credentials.
Argo CD also supports role-based access control (RBAC), allowing you to define what actions users can perform in Argo CD. Listing 9 shows how to define roles and bind them to users or groups.
Listing 9
RBAC
apiVersion: v1 kind: ConfigMap metadata: name: argocd-rbac-cm namespace: argocd data: policy.csv: | p, role:developer, applications, get, my-app/*, allow p, role:developer, applications, sync, my-app/*, allow g, my-org:developers, role:developer
The role:developer
role can get and sync applications in the my-app
project. The my-org:developers
group from the identity provider is bound to the role:developer
role.
Buy this article as PDF
(incl. VAT)