ArgoCD Production Environment Installation

ArgoCD (Production) will be installed on the 🟥 Production Workload Kubernetes Cluster.

  • 📥 Ingress Service provided as Kubernetes Ingress Class (IngressClass)
  • 🛡️ TLS Certificate for ArgoCD (Production) provided as Kubernetes Secret
    • ArgoCD (Production) will be exposed over HTTPS with Kubernetes Ingress.

To set up Single Sign-On with Opstella (MUST be performed at the time of installation), you need:

  • 📦 Opstella Keycloak
    • Your dedicated Keycloak Realm, e.g. foobar-opstella; please change accordingly
  • 🔑 OpenID Connect Credentials: Client ID, Client Secret.

Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

  1. Connect to the 🟥 Production Workload Kubernetes Cluster, i.e. with a Kubeconfig file.

    # Load the Production cluster shell variables
    source $HOME/opstella-installation/shell-values/kubernetes/prod_cluster.vars.sh
    # Point kubectl at the Production cluster
    export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/prod_cluster.yaml"
  2. Create Kubernetes Secret for 🛡️ TLS Certificate for ArgoCD (Production) in Namespace devsecops-system.

    Create it from your .crt and .key files.

    kubectl create secret tls $K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME \
      --cert=/path/to/cert/file --key=/path/to/key/file \
      --namespace devsecops-system

    💡 This should return a "secret/wildcard-...-tls created" message.

Prepare ArgoCD (Production) Configurations

  1. Specify OIDC Authentication Information

    Using Opstella Keycloak Information

    • OIDC Issuer Endpoint from Opstella Keycloak Information

      export OIDC_ISSUER_ENDPOINT="https://${KEYCLOAK_DOMAIN}/realms/${KEYCLOAK_REALM}"
  2. Create Helm Values Configurations

    cat <<EOF > $HOME/opstella-installation/helm-values/argocd-prod-full-values.yaml
    ## Server
    server:
      ingress:
        # -- Enable an ingress resource for the Argo CD server
        enabled: true
        # -- Additional ingress annotations
        annotations:
          nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        # -- Defines which ingress controller will implement the resource
        ingressClassName: ${K8S_INGRESSCLASS_NAME}
        # -- List of ingress hosts
        ## Argo Ingress.
        ## Hostnames must be provided if Ingress is enabled.
        ## Secrets must be manually created in the namespace
        hostname: ${ARGOCD_DOMAIN}
        # -- List of ingress paths
        paths:
          - /
        # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
        pathType: Prefix
        extraTls:
          - secretName: ${K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME}
            hosts:
              - ${ARGOCD_DOMAIN}
    configs:
      cm:
        url: "https://${ARGOCD_DOMAIN}"
        oidc.config: |
          name: Opstella
          issuer: ${OIDC_ISSUER_ENDPOINT}
          clientID: ${ARGOCD_OIDC_CLIENT_ID}
          clientSecret: ${ARGOCD_OIDC_CLIENT_SECRET}
          requestedIDTokenClaims:
            groups:
              essential: true
          requestedScopes:
            - openid
            - profile
            - email
      rbac:
        scopes: "[groups]"
    EOF
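
The values file above expands ${ARGOCD_OIDC_CLIENT_SECRET} in clear text into the file on disk and into the argocd-cm ConfigMap. The following added example (not part of the original page or of Opstella's own tooling) keeps the value in a separate Kubernetes Secret that Argo CD resolves at runtime through its `$<secret-name>:<key>` reference syntax; the Secret name `argocd-oidc`, its key `clientSecret` and the three function names are assumptions.

```shell
# Added example, not from the original page. Assumed names: Secret
# "argocd-oidc", key "clientSecret", and the three function names.

# Store the client secret in its own Secret. Argo CD resolves references only
# to Secrets in its namespace labelled app.kubernetes.io/part-of=argocd.
create_oidc_secret() {
  kubectl create secret generic argocd-oidc \
    --namespace devsecops-system \
    --from-literal=clientSecret="${ARGOCD_OIDC_CLIENT_SECRET}"
  kubectl label secret argocd-oidc --namespace devsecops-system \
    app.kubernetes.io/part-of=argocd
}

# Write the configs.cm part of the values file to "$1". The "\$" keeps the
# unquoted heredoc from expanding the reference, so Argo CD receives the
# literal text $argocd-oidc:clientSecret and looks the value up at runtime.
render_oidc_values() {
  cat <<EOF > "$1"
configs:
  cm:
    url: "https://${ARGOCD_DOMAIN}"
    oidc.config: |
      name: Opstella
      issuer: ${OIDC_ISSUER_ENDPOINT}
      clientID: ${ARGOCD_OIDC_CLIENT_ID}
      clientSecret: \$argocd-oidc:clientSecret
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email
EOF
}

# Return 0 only if file "$1" holds the reference and not the secret value.
values_file_is_clean() {
  grep -qF 'clientSecret: $argocd-oidc:clientSecret' "$1" || return 1
  if [ -n "${ARGOCD_OIDC_CLIENT_SECRET:-}" ] &&
     grep -qF -- "${ARGOCD_OIDC_CLIENT_SECRET}" "$1"; then
    return 1
  fi
  return 0
}
```

Run `create_oidc_secret` before `helm install`, use the rendered fragment in place of the `configs.cm` section of the values file, and run `values_file_is_clean` on the final file before installing.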
  1. Add ArgoCD Helm Repository

    # Add Helm Repository
    helm repo add argo https://argoproj.github.io/argo-helm
    helm repo update
  2. Install a Helm Release with specific Helm Chart Version --version 7.4.2 (App Version: v2.12.0)

    helm install argocd-prod argo/argo-cd --version 7.4.2 \
      --namespace devsecops-system \
      -f $HOME/opstella-installation/helm-values/argocd-prod-full-values.yaml

TODO: Add This Section

  1. Get Pod Status - ArgoCD

    kubectl get pods -n devsecops-system

    ArgoCD should be Running

    NAME                                            READY   STATUS    RESTARTS   AGE
    ... (deducted)
    argocd-application-controller-0                 1/1     Running   0          Xd
    argocd-applicationset-controller-XXXXXX-YYYYY   1/1     Running   0          Xd
    argocd-dex-server-b6b8bb9f5-g7n8w               1/1     Running   0          Xd
    argocd-notifications-controller-XXXXXX-YYYYY    1/1     Running   0          Xd
    argocd-redis-XXXXXX-YYYYY                       1/1     Running   0          Xd
    argocd-repo-server-XXXXXX-YYYYY                 1/1     Running   0          Xd
    argocd-server-XXXXXX-YYYYY                      1/1     Running   0          Xd
  2. Visit https://${ARGOCD_DOMAIN}

    • It should be accessible.

    • The TLS Certificate should be valid and correspond to the TLS Certificate you installed.

  3. Login with Users
