Integrate Argo CD

KubeRocketCI employs Argo CD as a Continuous Deployment tool for its purposes. This page provides guidance on the installation procedure for Argo CD.

Installation

To install Argo CD, follow the steps below:

1. Add a Helm Chart repository:

   helm repo add argocd https://argoproj.github.io/argo-helm
   helm repo update

2. Create the argocd-values.yaml file and paste the following data:

   View: argocd-values.yaml

   redis-ha:
     enabled: false
   redis:
     enabled: true
   
   server:
     replicas: 1
     env:
       - name: ARGOCD_API_SERVER_REPLICAS
         value: '1'
   
     ingress:
       enabled: true
       hosts:
         # after domain creation update
         - "argocd-dev.example.com"
   
       # Disabled for multitenancy env with single instance deployment
     applicationSet:
       allowAnyNamespace: true
       serviceAccount:
         # -- Annotations applied to created service account
         annotations: {}
       extraEnv:
       - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
         value: 'false'
   
     # we use Keycloak so no DEX is required
   dex:
     enabled: false
   
   configs:
     secret:
       # -- Create the argocd-secret
       createSecret: true
     cm:
       application.instanceLabelKey: argocd.argoproj.io/instance-kuberocketci
   
     params:
       server.insecure: true
       applicationsetcontroller.namespaces: krci
       application.namespaces: krci

3. Apply the argocd-values.yaml file using the helm install command:

   helm install argo-cd argocd/argo-cd --values argocd-values.yaml --version 8.5.6 --create-namespace --atomic -n argocd

info

It may take a while for the Argo CD to be installed. The installation time depends on cluster capabilities.

Integration

The next step is to integrate Argo CD with the platform. Proceed with the instructions below:

1. Navigate to the directory that stores the ed25519 key created during the GitHub integration.

2. Copy the SSH private key to the Argo CD namespace. Make sure to provide the appropriate value for the ACCOUNT_NAME variable:

   KRCI_NAMESPACE=krci
   VCS_HOST="github.com"
   ACCOUNT_NAME="<github_account>"
   URL="ssh://git@${VCS_HOST}:22/${ACCOUNT_NAME}"
   kubectl create secret generic ${KRCI_NAMESPACE} -n argocd \
   --from-file=sshPrivateKey=ed25519 \
   --from-literal=url="${URL}"
   kubectl label --overwrite secret ${KRCI_NAMESPACE} -n argocd "argocd.argoproj.io/secret-type=repo-creds"

3. Add GitHub host to the Argo CD config map with known hosts:

   VCS_HOST="github.com"
   KNOWN_HOSTS_FILE="/tmp/ssh_known_hosts"
   ARGOCD_KNOWN_HOSTS_NAME="argocd-ssh-known-hosts-cm"
   rm -f ${KNOWN_HOSTS_FILE}
   kubectl get cm ${ARGOCD_KNOWN_HOSTS_NAME} -n argocd -o jsonpath='{.data.ssh_known_hosts}' > ${KNOWN_HOSTS_FILE}
   ssh-keyscan ${VCS_HOST} >> ${KNOWN_HOSTS_FILE}
   kubectl create configmap ${ARGOCD_KNOWN_HOSTS_NAME} -n argocd --from-file ${KNOWN_HOSTS_FILE} -o yaml --dry-run=client | kubectl apply -f -

4. Create the argocd-project.yaml file, using, for example, the krci name:

   View: argocd-project.yaml

     apiVersion: argoproj.io/v1alpha1
     kind: AppProject
     metadata:
       name: krci
       namespace: argocd
       # Finalizer that ensures that project is not deleted until it is not referenced by any application
       finalizers:
         - resources-finalizer.argocd.argoproj.io
     spec:
       description: CD pipelines for my application
       roles:
         - name: developer
           description: Users for kuberocketci tenant
           policies:
             - p, proj:krci:developer, applications, create, krci/*, allow
             - p, proj:krci:developer, applications, delete, krci/*, allow
             - p, proj:krci:developer, applications, get, krci/*, allow
             - p, proj:krci:developer, applications, override, krci/*, allow
             - p, proj:krci:developer, applications, sync, krci/*, allow
             - p, proj:krci:developer, applications, update, krci/*, allow
             - p, proj:krci:developer, repositories, create, krci/*, allow
             - p, proj:krci:developer, repositories, delete, krci/*, allow
             - p, proj:krci:developer, repositories, update, krci/*, allow
             - p, proj:krci:developer, repositories, get, krci/*, allow
       destinations:
         # ensure we can deploy to ns with tenant prefix
         - namespace: 'krci-*'
         # allow to deploy to specific server (local in our case)
           server: https://kubernetes.default.svc
       # Deny all cluster-scoped resources from being created, except for Namespace
       clusterResourceWhitelist:
       - group: ''
         kind: Namespace
       # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
       namespaceResourceBlacklist:
       - group: ''
         kind: ResourceQuota
       - group: ''
         kind: LimitRange
       - group: ''
         kind: NetworkPolicy
       # we are ok to create any resources inside namespace
       namespaceResourceWhitelist:
       - group: '*'
         kind: '*'
       # enable access only for specific git server. The example below 'krci' - it is namespace where KubeRocketCI is deployed
       sourceRepos:
         - ssh://git@github.com:22/<github_account>/*
       # enable capability to deploy objects from namespaces
       sourceNamespaces:
         - krci

   info

   Please enter your GitHub account name at <github_account>.

5. Retrieve the Argo CD admin secret and securely save it, as it will be required for further steps:

   kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

Now that all the necessary preparations are completed, we can proceed with the Application Deployment.