A GitOps continuous delivery tool for Kubernetes

Nothing but the Truth

Private Repos

Argo CD can interact with private Git repositories, allowing you to manage your applications even if their manifests are stored in a private repository. This interaction is achieved by providing Argo CD with the necessary credentials to access the private repository. To configure repository credentials, you need to create a Secret in the same namespace as the Argo CD API server (Listing 5). Secret should contain the necessary credentials to access the private repository.

Listing 5

Private GitHub Repo Secret

apiVersion: v1
kind: Secret
metadata:
  name: my-repo-secret
  labels:
    argocd.argoproj.io/secret-type: repository
type: Opaque
stringData:
  url: https://github.com/my-org/my-repo.git
  username: my-username
  password: my-password

If your private repository uses SSH keys for authentication, you can provide the SSH private key in the Secret instead of a username and password (Listing 6). The url field specifies the SSH URL of the private repository, and the sshPrivateKey field provides the SSH private key. Once the Secret is created, Argo CD can use the provided credentials to access the private repository and manage your applications.

Listing 6

SSH Private Key in a Secret

apiVersion: v1
kind: Secret
metadata:
  name: my-repo-secret
  labels:
    argocd.argoproj.io/secret-type: repository
type: Opaque
stringData:
  url: git@github.com:my-org/my-repo.git
  sshPrivateKey: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Multicluster Management

Argo CD supports multicluster deployments, allowing you to manage applications across multiple Kubernetes clusters. Multicluster deployments are particularly useful for managing large-scale deployments and multitenant environments. For example, you can create Argo CD applications for different clusters (Listing 7).

Listing 7

Apps for Different Clusters

# Cluster 1
argocd app create my-app-cluster1 --repo https://github.com/my-org/my-repo.git --path /path/to/application/manifests --dest-namespace default --dest-server https://cluster1.kubernetes.default.svc --sync-policy automated
# Cluster 2
argocd app create my-app-cluster2 --repo https://github.com/my-org/my-repo.git --path /path/to/application/manifests --dest-namespace default --dest-server https://cluster2.kubernetes.default.svc --sync-policy automated

In this example,

https://cluster1.kubernetes.default.svc

and

https://cluster2.kubernetes.default.svc

are the API servers for the two clusters.

User Management

User management is a crucial aspect of any system, and Argo CD is no exception. Argo CD provides robust user management capabilities, including integration with various authentication providers. It has a built-in user management system that allows you to create and manage users. By default, Argo CD comes with an admin user, for whom you can change the password:

argocd account update-password --current-password <current-password> --new-password <new-password>

Argo CD supports integration with various authentication providers with Dex, which can authenticate users against a variety of sources, including static users and the LDAP, SAML, and OAuth2 standards. For example, to integrate Argo CD with GitHub for authentication, you can configure Dex in the argocd-cm ConfigMap (Listing 8).

Listing 8

Integrating Argo CD with GitHub

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  dex.config: |
    connectors:
    - type: github
      id: github
      name: GitHub
      config:
        clientID: <github-client-id>
        clientSecret: <github-client-secret>
        redirectURI: <argo-cd-redirect-uri>
        orgs:
        - name: my-org

Replace <github-client-id> and <github-client-secret> with your GitHub OAuth app's client ID and client secret, respectively. Replace <argo-cd-redirect-uri> with the redirect URI for your Argo CD instance. Once you've configured Dex, users can log in to Argo CD with their GitHub credentials.

Argo CD also supports role-based access control (RBAC), allowing you to define what actions users can perform in Argo CD. Listing 9 shows how to define roles and bind them to users or groups.

Listing 9

RBAC

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    p, role:developer, applications, get, my-app/*, allow
    p, role:developer, applications, sync, my-app/*, allow
    g, my-org:developers, role:developer

The role:developer role can get and sync applications in the my-app project. The my-org:developers group from the identity provider is bound to the role:developer role.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus