Skip to main content

Argo CD


Installation

wget https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 \
&& sudo mv argocd-linux-amd64 /usr/local/bin/argocd \
&& sudo chmod +x /usr/local/bin/argocd
helm repo add argo https://argoproj.github.io/argo-helm \
&& helm repo update argo
mkdir -p workflow/argo/cd/{base,helm}
helm search repo argo/argo-cd -l | head -n 10
helm show values argo/argo-cd \
    --version 4.8.3 \
    > workflow/argo/cd/helm/values.yaml
workflow/argo/cd/values.yaml
server:
  extraArgs:
    - --insecure # https://github.com/argoproj/argo-cd/issues/2953
kubectl create namespace workflow
helm upgrade argo-cd argo/argo-cd \
    --install \
    --version 4.8.3 \
    -n workflow \
    --values workflow/argo/cd/helm/values.yaml

Service

Port forward

kubectl port-forward -n workflow service/argo-cd-argocd-server 8005:80

http://localhost:8005

VirtualService

workflow/argo/cd/base/virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argo-cd
  namespace: workflow
spec:
  hosts:
    - <host>
  gateways:
    - <gateway>
  http:
    - match:
        - uri:
            prefix: "/"
      route:
        - destination:
            host: argo-cd-argocd-server.workflow.svc.cluster.local
            port:
              number: 80

argocd command

login

argocd context

ID

kubectl -n workflow get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo

admin의 초기 암호를 알 수 있습니다.

argocd login <server>
argocd account update-password [--account <user>]

암호 업데이트 후 argocd-initial-admin-secret은 삭제해 줍니다.

warning

적절한 RBAC가 적용된 유저를 생성한 경우 admin을 비활성화 하는 것이 좋습니다. workflow/argo/cd/helm/values.yaml.server.config(argocd-cm ConfigMap의 .data)에 admin.enabled: "false"를 추가하면 됩니다.

Kubectl

kubectl config set-context --current --namespace workflow
argocd login --core
warning

--core를 사용하면 암호 업데이트 시 실패하는데, 아직 원인을 찾지 못했습니다.

User

ConfigMap

workflow/argo/cd/helm/values.yaml
server:
  # ConfigMap.data, name: argocd-cm
  config:
    # add an additional local user with apiKey and login capabilities
    #   apiKey - allows generating API keys
    #   login - allows to login using UI
    accounts.<user>: apiKey, login
    # disables user. User is enabled by default
    admin.enabled: "false"
    accounts.<user>.enabled: "true"
argocd account list

Dex

Example connectors

redirectURI은 argocd-cm의 <.data.url>/api/dex/callback으로 자동 설정 되기 때문에 따로 설정하지 않아도 됩니다.

workflow/argo/cd/helm/values.yaml
server:
  # ConfigMap.data, name: argocd-cm
  config:
    url: <uri>

Github

  • (User or Organization)Settings - Developer settings - OAuth Apps - New Oauth App
  • Homepage URL:
  • Authorization callback URL: https://<host>/api/dex/callback

argocd-secret .datadex.github.clientSecret: <base64 encoded>를 추가 합니다.

workflow/argo/cd/helm/values.yaml
server:
  # ConfigMap.data, name: argocd-cm
  config:
    dex.config: |
      connectors:
        - type: github
          id: github
          name: GitHub
          config:
            clientID: <clientID>
            clientSecret: $dex.github.clientSecret
            # 소문자와 `-`만 사용된 필드로 변환된 값을 사용할 수 있음
            # ex) R&D -> r-d
            teamNameField: both
            orgs:
              - name: <orgName>
                # team: # 없으면 모든 팀을 포함
                #   - <teamName>
info

다른 Secret을 쓰고 싶으면 아래와 같이 추가하고, config에 $github-client-secret:dex.gtihub.clientSecret를 사용하면 됩니다.

apiVersion: v1
kind: Secret
metadata:
  name: github-client-secret
  namespace: workflow
  labels:
    app.kubernetes.io/part-of: argocd # 이 label이 있어야 설정이 적용됩니다.
type: Opaque
stringData:
  dex.github.clientSecret: <secret>

OIDC

workflow/argo/cd/helm/values.yaml
dex:
  enabled: false

server:
  # ConfigMap.data, name: argocd-cm
  config:
    url: <uri>

Keycloak


  • Client
    • argo client 추가
      • Settings
        • Enabled: on
        • Client Protocol: openid-connect
        • Access Type: confidential
        • Valid Redirect URIs
          • <url>/auth/callback
      • Credentials
        • Client Authenticator: Client ID and Secret
        • Secret: <argo-client-secret>
  • Client Scopes
    • groups client scope 추가
      • Settings
        • Protocol: openid-connect
        • Include in Token Scope: on
      • Mappers
        • groups mapper 추가
          • Mapper Type: Group Membership
          • Token Claim Name: groups
          • Full group path: off
  • Client
    • argo client
      • Client Scopes
        • Default Client scopes
          • groups 추가
  • Groups
    • argo-admin 추가
    • argo-dev 추가
  • Users
    • 유저 추가
      • Email: <email>
      • Groups: <group>

argocd-secret .dataoidc.keycloak.clientSecret: <base64 encoded>를 추가 합니다.

workflow/argo/cd/helm/values.yaml
server:
  # ConfigMap.data, name: argocd-cm
  config:
    oidc.config: |
      name: Keycloak
      issuer: <keycloak-url>/auth/realms/<realm>
      clientID: argo
      clientSecret: $oidc.keycloak.clientSecret # or `$<secret-name>:oidc.keycloak.clientSecret`
      requestedScopes: ["openid", "profile", "email", "groups"]

RBAC

workflow/argo/cd/helm/values.yaml
server:
  # ConfigMap.data, name: argocd-rbac-cm
  rbacConfig:
    # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
    policy.csv: |
      g, <role/user/group>, role:<role>

    # role:readonly, role:admin
    # https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv
    policy.default: "role:readonly"

    # "sub" 외에 추가로 인식할 수 있는 값을 추가합니다. 기본 값은 "[groups]"입니다.
    scopes: "[groups, preferred_username, email]"

    # glob or regex
    policy.matchMode: "glob"

Reference


Last updated on