Introduction
Argo CD stands as a notably lightweight and streamlined solution for managing Kubernetes deployments with ease and efficiency.
This tool is seamlessly integrated into Kubernetes as a Custom Resource Definition (CRD) accompanied by a set of controllers. One key controller persistently observes the Kubernetes manifest files, ensuring their alignment with the desired state as defined in a specific Git repository. When the live state of deployed resources does not match this desired state, Argo CD identifies them as “out of sync.” It then provides detailed reports and visualizations of these discrepancies, along with options for automatic or manual reconciliation to align the states. The true essence of Argo CD is found in its ability to accurately mirror your code repository, thereby simplifying the management of incidents and offering a transparent and straightforward view of your entire deployment process.
Install ArgoCD
For more in depth overview, you can see the official documentation around architectureand Official Getting started Guide
Requirements
- Installed kubectl command-line tool.
- Have a kubeconfig file (default location is
~/.kube/config). - CoreDNS in the Kubernetes cluster (your k3s cluster has this already)
Install using helm
Argo CD Installation into Kubernetes can be done using Helm or Manifest. I followed this guide to install it using Helm:
- Install Argo CD using helm
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install argo-cd argo/argo-cd \
--version 5.35.0 \
--namespace argocd \
--create-namespace
After running the helm install you will see an output similar to the following:
In order to access the server UI you have the following options:
1. kubectl port-forward service/argo-cd-argocd-server -n argocd 8080:443
and then open the browser on http://localhost:8080 and accept the certificate
2. enable ingress in the values file `server.ingress.enabled` and either
- Add the annotation for ssl passthrough: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
- Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
(You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://argo-cd.readthedocs.io/en/stable/getting_started/#4-login-using-the-cli)
Self-signed or Valid certs
By default, this installation comes with a self-signed certificate, and in the homelab context, you can safely ignore any insecure TLS errors. You can choose one of the following options for handling this:
- Follow the instructions to configure a certificate and ensure your client OS trusts it.
- Configure your client OS to trust the self-signed certificate (e.g. MacOS)
- Use the
--insecureflag for all Argo CD CLI operations.
Argo CD CLI
The Argo CD CLI provides almost the same features as the Web GUI. The CLI provides some flexibility on how to manage ArgoCS. and you can perform most operations via the UI using CLI.
Detailed installation instructions can be found via the CLI installation documentation.
- Install Argo CD CLI on your client machine.
For example on Linux:
curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
rm argocd-linux-amd64
Homebrew
brew install argocd
- Check installation with the check version command
argocd version
Access Argo CD API Server:
Like any Kubernetes Service are several ways to expose Argo Server.
Port Forwarding
Kubectl port-forwarding can also be used to connect to the API server without exposing the service:
kubectl port-forward service/argo-cd-argocd-server -n argocd 8080:443
LoadBalancer
Since I have LoadBalancer already available I can access my Management UI on that service
- Change the
argocd-serverservice type to `LoadBalancer
kubectl patch svc argo-cd-argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'
# Get IP
k get service/argo-cd-argocd-server -n argocd
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
argo-cd-argocd-server LoadBalancer 10.43.146.178 172.16.111.245 80:31903/TCP,443:31208/TCP 7m8s
armand@beelink:~$
Ingress
Follow the ingress documentation on how to configure Argo CD with ingress.
I will expose Argo CD using Ingress once I have installed Ingress Controller.
Log in to the UI for the first time
Initial password
The initial password for the ‘admin’ account is automatically generated and stored in plain text in the ‘password’ field of a secret called ‘argocd-initial-admin-secret’ in your Argo CD installation namespace.
- You can retrieve this password using
kubectlget secret or using theargocdCLI:
Using kubectl:
# Get admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
Using the argocd CLI:
argocd admin initial-password -n argocd
- It is recommended you update the password using
argocd account update-password.
First login to Argo using initial password
# Using the username `admin` and the password from above, login to Argo CD's IP or hostname:
argocd login <ARGOCD_SERVER>
# Example
argocd login 172.16.111.245
WARNING: server certificate had error: tls: failed to verify certificate: x509: cannot validate certificate for 172.16.111.245 because it doesn't contain any IP SANs. Proceed insecurely (y/n)? y
Username: admin
Password:
'admin:login' logged in successfully
Context '172.16.111.245' updated
Then, Change the password using the command:
argocd account update-password
# Example
argocd account update-password
*** Enter password of currently logged in user (admin):
*** Enter new password for user admin:
*** Confirm new password for user admin:
Password updated
Context '172.16.111.245' updated
Access Web UI
- You can now access the the Argo’s webUI using
adminand the updated password you provided on the IP Address of your exposed service (in my case the loadBalancer IP)
Register an external cluster to deploy applications to (Optional)
Internal Cluster where ArgoCD is deployed
When managing an internal cluster where ArgoCD is deployed, registering a cluster’s credentials with Argo CD is unnecessary. For deployments within the same cluster, Argo CD operates in, the Kubernetes API server address for applications should be set to https://kubernetes.default.svc. This simplifies the process as it leverages the cluster’s internal configuration.
External Cluster where ArgoCD is not deployed
To configure access and management of an external cluster you can see the instructions here
Practice Create An Application From A Git Repository
Follow the steps in the official Getting Started Guide to Create An Application From A Git Repository and another great article is Configuring private Git repo in Argo CD to deploy Kubernetes apps