Setup Argo CD
This setup guide will walk you through the process of setting up Argo CD in your environment.
Requirements
In order to deploy Argo CD, EKS must be fully deployed and functional. In particular, the user deploying the cluster must have a working VPN connection to the targeted account. See the EKS documentation for details.
All deployment steps below assume that the environment has been successfully set up with the following steps.
Authentication
- Sign into AWS via Leapp
- Connect to the VPN
- Open Geodesic
Setup Steps
1 Vendor Argo CD components
First vendor all related components for the Argo CD layer:
2 Create Argo CD GitHub Repositories
- Create the two required Argo CD GitHub repos:
3 Prepare Authentication
Argo CD can be integrated with GitHub using either GitHub Apps (recommended) or Personal Access Tokens (PATs). GitHub Apps provide more granular permissions, better security, and improved audit capabilities.
Argo CD requires several different types of GitHub authentication for various components and workflows. While these could be combined, we follow the principle of least privilege by creating separate authentication credentials for each specific purpose. The following authentication methods are required:
-
Terraform
argocd-repo
AccessFirst we will need to apply the Argo CD desired state repositories configuration with Terraform. By default, we use local access to apply the component. This requires an engineer to locally authenticate with GitHub and apply this component locally. Since this component is rarely updated, this can be a reasonable trade-off.
-
Argo CD Instance
Next, we need a GitHub App for Terraform and the
eks/argocd
component. This app is used to register the webhook in GitHub for the Argo CD Application created with this given component.After creating the GitHub App, add the app's private key to AWS SSM Parameter Store in each account with Argo CD, typically the
plat-dev
,plat-staging
, andplat-prod
accounts, and add the App ID to the stack catalog. Detailed instructions linked below. -
Argo CD Desired State Repository Access (2)
We will need two more GitHub Apps for accessing the ArgoCD desired state repositories from GitHub Actions. GitHub Actions running for an application repositories will build and update application manifests in the Argo CD desired state repositories and therefore will need write access to that respective non-prod or prod repository.
This GitHub App does not need to be added to the stack catalog or SSM since it will be used by GitHub Actions, not Terraform.
-
Argo CD GitHub Notification Access
The last GitHub App is used by the Argo CD notifications system to update the GitHub commit status on deployments. This is stored in SSM and pulled by the
eks/argocd
component. That component will pass the ID and private key to the Argo CD instance in the given EKS cluster. That Argo CD instance uses that app only when synchronous mode is enabled.After creating the GitHub App, add the app's private key to AWS SSM Parameter Store in each account with Argo CD, typically the
plat-dev
,plat-staging
, andplat-prod
accounts, and add the App ID to the stack catalog. Detailed instructions linked below.
Follow the instructions in Argo CD Integrations: How to set up Authorization for Argo CD with GitHub Apps to create and configure all GitHub Apps for Argo CD. Once completed, you should have 4 GitHub Apps:
Argo CD Instance
Argo CD Deploy Non-Prod
Argo CD Deploy Prod
Argo CD Notifications
4 Deploy the Argo CD Desired State Repositories
Deploy the Argo CD configuration for the two Argo CD desired state GitHub repositories with the following workflow:
Once this finishes, review the two repos in your GitHub Organization. These should both be fully configured at this point.
5 Create AWS Identity Center Applications
In order to authenticate with Argo CD, we recommend using an AWS IAM Identity Center SAML Application. These apps can use existing Identity Center groups that we've already setup as part of the Identity layer.
Please see Argo CD Integrations: How to create an AWS Identity Center Application and follow all steps.
6 Deploy the Argo CD Instances to each EKS Cluster
Once the GitHub repositories are in place and the SAML applications have been created and configuration uploaded to SSM, we're ready to deploy Argo CD to each cluster.
Deploy eks/argocd
to each cluster with the following workflow:
7 Validation
Once all deployment steps are completed, Argo CD should be accessible at the following URLs. Please note that you must be able to authenticate with AWS Identity Center to access any given app.
Next Steps
Assuming login goes well, here's a checklist of GitHub repos needed to connect Argo CD:
-
acme/infra-acme
repo (Should already exist!)-
acme/infra-acme/.github/environments
private workflows. This directory stores private environment configurations. Primarily, that is thecloudposse/github-action-yaml-config-query
action used to get role, namespace, and cluster mapping for each environment.
-
- (2) Argo CD deploy nonprod and prod (Should already be created by
argocd-repo
component in earlier step)-
argocd-deploy-non-prod
-
argocd-deploy-prod
-
-
acme/example-app
repo should be private repo generated from the app-on-eks-with-argocd template
Note that all of these workflow runs run from within your private app repo, so any sensitive log output will not be public.
1 Environment Configuration
Update the cloudposse/github-action-interface-environment
action to point to your infrastructure repository.
- Set
implementation_repository
toacme/infra-acme
- Verify
implementation_path
,implementation_file
, andimplementation_ref
match your local configuration.
2 Verify GitHub OIDC Access Roles
The IDP permissions in IAM will be sensitive to capitalization, and yet the docker image must -not- have uppercase letters!
Make sure that your repo is allowed to assume roles for all relevant clusters and ECR repos:
- Update the
github_actions_allowed_repos
variable inecr
,eks/cluster
, or any other relevant components with GitHub OIDC access. - If your GitHub Organization has mixed capitalization cases, make sure these entries are case-sensitive
3 GitHub Environment Secrets
Add each of the following secrets to the acme/example-app
repo:
github-private-actions-pat
:${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
registry
:${{ secrets.ECR_REGISTRY }}
secret-outputs-passphrase
:${{ secrets.GHA_SECRET_OUTPUT_PASSPHRASE }}
ecr-region
:${{ secrets.ECR_REGION }}
ecr-iam-role
:${{ secrets.ECR_IAM_ROLE }}
4 Specify Ingress Group
- Update the
deploy/releases/app.yaml
- Make sure the ingress is not set to
default
. It should likely bealb-controller-ingress-group
. you can read more about this from our docs on the alb controller component - Set the domain accordingly. Each environment will need the service domain + environment.stage.tenant (ie.
use2.staging.plat.acme-svc.com
) - If your organization has mixed case, you'll need to edit the
organization
parameter to be lowercased in the GitHub workflows:feature-branch.yml
,main-branch.yaml
, andrelease.yaml
FAQ
GitHub Apps vs Personal Access Tokens
We recommend using GitHub Apps for Argo CD integration with GitHub. GitHub Apps offer several advantages over Personal Access Tokens:
-
Granular Permissions: GitHub Apps can be granted access to specific repositories rather than requiring organization-wide access.
-
Better Security: GitHub Apps use JWT authentication and short-lived tokens, reducing the risk of token exposure.
-
Improved Audit Capabilities: Actions performed by GitHub Apps are clearly identified in audit logs.
-
Rate Limiting: GitHub Apps have their own rate limits, separate from user-based limits.
-
Webhook Support: GitHub Apps can receive webhooks for events in repositories they have access to.
-
Multiple Installations: The same GitHub App can be installed on different repositories with different permissions.
For more information on setting up Argo CD with GitHub Apps, see Argo CD Integrations: How to set up Authorization for Argo CD with GitHub Apps.