Setup Argo CD
This setup guide will walk you through the process of setting up ArgoCD in your environment.
Steps | Example |
---|---|
1. Vendor ArgoCD components | atmos workflow vendor -f argocd |
2. Create ArgoCD repos | ClickOps |
3. Create GitHub PATs | ArgoCD Integrations: How to set up Authorization for ArgoCD with GitHub PATs |
4. Deploy ArgoCD repo configuration | atmos workflow deploy/argocd-repos -f argocd |
5. Create IAM Identity Center Apps | ArgoCD Integrations: How to create an AWS Identity Center Application |
6. Deploy ArgoCD | atmos workflow deploy/argocd -f argocd |
7. Create example-app | ClickOps |
Requirements
In order to deploy ArgoCD, EKS must be fully deployed and functional. In particular, the user deploying the cluster must have a working VPN connection to the targeted account. See the EKS documentation for details.
All deployment steps below assume that the environment has been successfully set up with the following steps.
- Sign into AWS via Leapp
- Connect to the VPN
- Open Geodesic
Steps
2 Vendor Components
First vendor all related components for the ArgoCD layer:
- Commands
- Atmos Workflow
vendor
workflow in the examples/snippets/stacks/workflows/argocd.yaml
file:- No commands found
atmos workflow vendor -f argocd
3 Establish a Bot User
We deploy a number of GitHub Personal Access Tokens (PATs) as part of the EKS with ArgoCD application. By default each PAT is given the least-access required for the given job.
Each one of these PATs will be associated with a given user. We recommend creating or using an existing "bot" user. For example, at Cloud Posse we have the "cloudpossebot" GitHub user. This user has its own email address and GitHub account, is accessible from our internal 1Password vault for all privileged users, and has all access keys and tokens stored with it in 1Password.
This bot user will need permission to manage a few repositories in your Organization. If you wish to simplify deployment, you can grant this user permission to create repositories. See (Create Permission for the Bot User)[#Create Permission for the Bot User].
Use this bot user for all access tokens in the remainder of this guide.
4 Create ArgoCD GitHub Repositories
-
Create the two required ArgoCD GitHub repos:
-
Then grant the bot user
Admin
access to these two repositories.
5 Create all ArgoCD PATs
We will need several PATs for the following steps. Now that the ArgoCD repos are created, you can create all required PATs.
Please see ArgoCD Integrations: How to set up Authorization for ArgoCD with GitHub PATs and follow all steps.
6 Deploy ArgoCD GitHub Repositories Configuration
Deploy the ArgoCD configuration for the two GitHub repos with the following workflow:
- Commands
- Atmos Workflow
deploy/argocd-repos
workflow in the examples/snippets/stacks/workflows/argocd.yaml
file:- No commands found
atmos workflow deploy/argocd-repos -f argocd
Once this finishes, review the two repos in your GitHub Organization. These should both be fully configured at this point.
Now that the ArgoCD deployment repos are configured, we need to create GitHub PATs for ArgoCD.
7 Create AWS Identity Center Applications
In order to authenticate with ArgoCD, we recommend using an AWS IAM Identity Center SAML Application. These apps can use existing Identity Center groups that we've already setup as part of the Identity layer.
Please see ArgoCD Integrations: How to create an AWS Identity Center Application and follow all steps.
8 Deploy ArgoCD to each EKS Cluster
Once the GitHub repositories are in place and the SAML applications have been created and configuration uploaded to SSM, we're ready to deploy ArgoCD to each cluster.
Deploy eks/argocd
to each cluster with the following workflow:
- Commands
- Atmos Workflow
deploy/argocd
workflow in the examples/snippets/stacks/workflows/argocd.yaml
file:- No commands found
atmos workflow deploy/argocd -f argocd
9 Validation
Once all deployment steps are completed, ArgoCD should be accessible at the following URLs. Please note that you must be able to authenticate with AWS Identity Center to access any given app.
Next Steps
Assuming login goes well, here's a checklist of GitHub repos needed to connect ArgoCD:
-
acme/infra-acme
repo (Should already exist!)-
acme/infra-acme/.github/environments
private workflows. This directory stores private environment configurations. Primarily, that is thecloudposse/github-action-yaml-config-query
action used to get role, namespace, and cluster mapping for each environment.
-
- (2) ArgoCD deploy nonprod and prod (Should already be created by
argocd-repo
component in earlier step)-
argocd-deploy-non-prod
-
argocd-deploy-prod
-
-
acme/example-app
repo should be private repo generated from the app-on-eks-with-argocd template
Note that all of these workflow runs run from within your private app repo, so any sensitive log output will not be public.
1 Environment Configuration
Update the cloudposse/github-action-interface-environment
action to point to your infrastructure repository.
- Set
implementation_repository
toacme/infra-acme
- Verify
implementation_path
,implementation_file
, andimplementation_ref
match your local configuration.
2 Verify GitHub OIDC Access Roles
The IDP permissions in IAM will be sensitive to capitalization, and yet the docker image must -not- have uppercase letters!
Make sure that your repo is allowed to assume roles for all relevant clusters and ECR repos:
- Update the
github_actions_allowed_repos
variable inecr
,eks/cluster
, or any other relevant components with GitHub OIDC access. - If your GitHub Organization has mixed capitalization cases, make sure these entries are case-sensitive
3 GitHub Environment Secrets
Add each of the following secrets to the acme/example-app
repo:
github-private-actions-pat
:${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
registry
:${{ secrets.ECR_REGISTRY }}
secret-outputs-passphrase
:${{ secrets.GHA_SECRET_OUTPUT_PASSPHRASE }}
ecr-region
:${{ secrets.ECR_REGION }}
ecr-iam-role
:${{ secrets.ECR_IAM_ROLE }}
4 Specify Ingress Group
- Update the
deploy/releases/app.yaml
- Make sure the ingress is not set to
default
. It should likely bealb-controller-ingress-group
. you can read more about this from our docs on the alb controller component - Set the domain accordingly. Each environment will need the service domain + environment.stage.tenant (ie.
use2.staging.plat.acme-svc.com
) - If your organization has mixed case, you'll need to edit the
organization
parameter to be lowercased in the GitHub workflows:feature-branch.yml
,main-branch.yaml
, andrelease.yaml