ArgoCD

Installation and howto

Check the following repo https://github.com/edesibe/argocd for more info.

SSO with auth0

We need to install ingress-nginx and cert-manager.

Install cert-manager

helm install cert-manager --create-namespace --namespace cert-manager --version v1.12.1 jetstack/cert-manager -f cert-manager-values.yaml

cluster-issuer-letsencrypt-prod.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: "${YOUR_EMAIL}"
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsZones:
          - "${YOUR_DOMAIN}"
      http01:
        ingress:
          class: nginx

Install cluster-issuer

k apply -f cluster-issuer-letsencrypt-prod.yaml

cert-manager-values.yaml

installCRDs: true

Install ingress-nginx

helm install ingress-nginx --create-namespace --namespace ingress-nginx ingress-nginx/ingress-nginx -f ingress-nginx-values.yaml

ingress-nginx-values.yaml

controller:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
      service.beta.kubernetes.io/aws-load-balancer-type: nlb

Create argocd-ingress.yaml with the content below and apply it with k apply -f argocd-ingress.yaml. TLS is terminated at ingress-nginx with the cert-manager certificate; the backend is argocd-server on port 80, which only works once server.insecure is set as described further down.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    cert-manager.io/acme-challenge-type: http01
spec:
  ingressClassName: nginx
  rules:
  - host: ${YOUR_ARGOCD_URL}
    http:
      paths:
      - backend:
          service:
            name: argocd-server
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - secretName: argocd-server-tls
    hosts:
    - ${YOUR_ARGOCD_URL}

ArgoCD server update

Disable TLS on argocd-server by adding server.insecure: "true" to the argocd-cmd-params-cm configmap. argocd-server then serves plain HTTP; TLS is handled by the ingress, so the hop from the ingress controller to argocd-server stays unencrypted inside the cluster. argocd-server reads this parameter at startup, so restart the argocd-server deployment after changing it.

k -n argocd get cm argocd-cmd-params-cm -o yaml | yq '.data'
server.insecure: "true"

Auth0

Just follow the howto on https://napo.io/posts/argo-cd-with-auth0-sso-login/.

ArgoCD cm

Add the Auth0 configuration to the argocd-cm configmap as shown below. The issuer, clientID and clientSecret come from the Auth0 application created in the previous step. Note that a clientSecret written directly into argocd-cm is readable by anyone who can read the configmap; Argo CD can instead reference a key in argocd-secret with a $ prefix (for example clientSecret: $oidc.auth0.clientSecret), which keeps the secret out of the configmap.

k -n argocd get cm argocd-cm -o yaml | yq '.data'
application.instanceLabelKey: argocd.argoproj.io/instance
oidc.config: |
  name: Auth0
  issuer: https://${DOMAIN}.eu.auth0.com/     # fetch it from previous step
  clientID: ${YOUR_clientID}                  # fetch it from previous step
  clientSecret: ${YOUR_clientSecret}          # fetch it from previous step
  requestedIDTokenClaims:
    groups:
      essential: true
  requestedScopes:
  - openid
  - profile
  - email
  # not strictly necessary - but good practice:
  - 'https://${YOUR_ARGOCD_URL}/claims/groups'
url: ${YOUR_ARGOCD_URL}

Roles and permissions

We need to update the argocd-rbac-cm configmap and set the following. The g lines map the Auth0 groups claim (argo-admins, argo-devs) to Argo CD roles, the p lines grant role:dev read-only access, and policy.default: role:'' means a user whose groups match no g line gets no permissions at all (deny by default):

policy.csv: |
  g, argo-admins, role:admin
  g, argo-devs, role:dev
  p, role:dev, applications, get, */*, allow
  p, role:dev, repositories, get, */*, allow
  p, role:dev, projects, get, */*, allow
  p, role:dev, logs, get, */*, allow
policy.default: role:''
scopes: '[https://${YOUR_ARGOCD_URL}/claims/groups,email,roles]'
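
A small policy evaluator, added here as an example (it is not Argo CD's own code), that parses the policy.csv above and answers whether a user whose groups claim contains argo-devs or argo-admins may perform a given action. It approximates the casbin matching Argo CD uses: * globbing on resource, action and object, deny overrides allow, and no matching rule means deny; the built-in role:admin is modelled as allow-everything and role:readonly is not modelled.

```python
import fnmatch

# Constructed from the policy.csv above; placeholders are kept literal.
POLICY_CSV = """
g, argo-admins, role:admin
g, argo-devs, role:dev
p, role:dev, applications, get, */*, allow
p, role:dev, repositories, get, */*, allow
p, role:dev, projects, get, */*, allow
p, role:dev, logs, get, */*, allow
"""

# policy.default: role:'' means users matching no g line get no role at all.
POLICY_DEFAULT = ""

# role:admin is a built-in Argo CD role; modelled here as "allow everything".
BUILTIN_ROLES = {"role:admin": [("*", "*", "*", "allow")]}


def parse_policy(csv_text):
    """Return (groups, roles): group -> [role] and role -> [(res, act, obj, effect)]."""
    groups, roles = {}, {k: list(v) for k, v in BUILTIN_ROLES.items()}
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], []).append(fields[2])
        elif fields[0] == "p" and len(fields) == 6:
            _, role, res, act, obj, effect = fields
            roles.setdefault(role, []).append((res, act, obj, effect))
    return groups, roles


def can(user_groups, resource, action, obj, groups, roles, default=POLICY_DEFAULT):
    """Decide resource/action/obj for a user carrying the given OIDC groups claim.

    A matching deny rule always wins over allows, as in Argo CD's casbin model;
    with no matching rule at all the answer is False (deny by default)."""
    subjects = {r for g in user_groups for r in groups.get(g, [])}
    if default:
        subjects.add(default)
    allowed = False
    for subject in subjects:
        for res, act, pattern, effect in roles.get(subject, []):
            if (fnmatch.fnmatchcase(resource, res)
                    and fnmatch.fnmatchcase(action, act)
                    and fnmatch.fnmatchcase(obj, pattern)):
                if effect == "deny":
                    return False
                allowed = True
    return allowed
```

Running it against the policy above shows argo-devs can get but not sync applications, argo-admins can do both, and a user in an unknown group gets nothing unless policy.default is changed.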

Action Points