Introduction:
In this blog, we will walk through the steps to install ArgoCD, a powerful GitOps continuous delivery tool, using Helm. We'll also configure access to ArgoCD via an Ingress controller, making it easy to manage Kubernetes deployments from a web interface.
GIT LINK: https://github.com/ravindrasinghh/Kubernetes-Playlist
Let's begin with the main ArgoCD components:
Application Controller: Manages the state of applications in ArgoCD by continuously monitoring Git repositories and syncing changes to Kubernetes clusters.
Repo Server: Handles interactions with Git repositories, fetching application manifests and generating Kubernetes manifests in ArgoCD.
ArgoCD Server: The web interface and API service for interacting with ArgoCD, where users can view, manage, and control their application deployments.
Redis: A fast, in-memory key-value store used by ArgoCD for caching and state management.
Dex Server: An OpenID Connect (OIDC) identity provider used in ArgoCD for integrating with external authentication services (e.g., LDAP, GitHub, etc.).
Step-by-Step Guide
1. A running Kubernetes cluster: this can be a self-managed cluster or a managed service such as Amazon EKS.
Refer to the video below to create the EKS cluster in AWS.
2. NGINX Ingress on AWS EKS and deploying sample applications.
Refer to the video below to set this up in AWS.
3. Clone the repository:
```shell
git clone https://github.com/ravindrasinghh/Kubernetes-Playlist.git
cd Kubernetes-Playlist/Lesson1/
```
4. Add the file below to install ArgoCD.
argocd.tf
```hcl
resource "helm_release" "argocd" {
  name             = "argocd"
  repository       = "https://argoproj.github.io/argo-helm"
  chart            = "argo-cd"
  namespace        = "argocd"
  create_namespace = true
  version          = "4.0.0"
  # Values file defined below; the name here must match the file you create.
  values = [file("./argocd.yaml")]
}
```
argocd.yaml
```yaml
global:
  # Hostname only: the chart uses this value for ingress hosts, not a full URL.
  domain: argo.codedevops.cloud
repoServer:
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
server:
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
  config:
    url: "https://argo.codedevops.cloud"
  extraArgs:
    # TLS is terminated at the load balancer, so argocd-server serves plain HTTP behind it.
    - --insecure
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
      nginx.ingress.kubernetes.io/cors-expose-headers: "*, X-CustomResponseHeader"
      # The nlb.* keys are not an ingress-nginx annotation prefix and are ignored by it;
      # with ingress-nginx, the NLB scheme, target type and ACM certificate are set through
      # service.beta.kubernetes.io/aws-load-balancer-* annotations on the controller's Service.
      nlb.ingress.kubernetes.io/scheme: internet-facing
      nlb.ingress.kubernetes.io/target-type: instance
      nlb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
      nlb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:ap-south-1:434605749312:certificate/50eeb484-0d88-4617-bdf6-1d339f2f3b48"
    hosts:
      - argo.codedevops.cloud
```
You can verify that ArgoCD was installed successfully by checking that its pods are running:
```shell
kubectl get pods -n argocd
```
Let's create a record in Route 53 to access ArgoCD via a custom domain.
- Go to the Route 53 service, select the hosted zone, and click Create Record.
- Choose Alias, then select the region and the Load Balancer ARN, and click Create.
Once the Ingress is configured, you can access the ArgoCD web interface at https://argo.codedevops.cloud.
To log in, get the initial password for the admin user:
```shell
kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 --decode
```
We can now log in with the username 'admin' and the password retrieved above. Change the admin password after this first login and delete the argocd-initial-admin-secret once you have done so.
Step-by-Step Guide to access via AWS Cognito
1. Navigate to the AWS Cognito console, click 'Create User Pool', select 'Username', and then click 'Next'. You can add additional parameters based on your requirements.
2. Set up a password policy to specify the required length and complexity for user passwords, or use the default settings.
I selected 'No MFA', but you can enable it if needed, and then click 'Next'.
3. For the 'Configure Sign-Up Experience' section, click 'Next' and proceed with the default settings.
4. Let's use Cognito's default email address temporarily for development to handle emails for sign-up, sign-in, MFA, and account recovery workflows.
5. Let's integrate with our app and provide the following information:
User Pool Name: ARGOCD
Use the Cognito Hosted UI: check the box
Use a Cognito Domain: https://argocodedevops
Set the App Client Name to argo-app-client and click 'Generate a Client Secret'. For the Allowed Callback URLs, enter https://argo.codedevops.cloud/auth/callback, and then click 'Next'.
Review the settings, and then click 'Create'.
Create the user and add it to a group:
- Click on the user pool that has been created.
- Navigate to the Users tab and click Create user.
You will also receive the user details in your email.
Navigate to Groups in the user pool and click Create group.
- Add the user to this group; you can also assign the group a specific IAM role. Let's keep it as the default.
- Click Create group.
- Click on the group name, add the newly created user to the group, and click Add.
Let's update the Helm values to enable login to ArgoCD via AWS Cognito, making sure the correct values are entered in the OIDC configuration:
- name: ADMIN (the label shown on the login button; can be anything)
- issuer: https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_i2BlvxmV2 (replace with your Cognito user pool's issuer URL)
- clientID: 2ulo6uvu1r4o2eesgq9tifiqjq (replace with your app client ID)
- clientSecret: 9530gfivef6aoi21e0cj93p41gt7e2gja4b7u0e1ui93pvpv5pu (replace with your app client secret)
- callback URL: ArgoCD derives it from url as https://argo.codedevops.cloud/auth/callback, which is the URL registered in Cognito in step 5 (the /api/dex/callback path is only used when logging in through Dex)
- requestedScopes: ["email", "openid", "phone"]
- requestedIDTokenClaims: {"groups": {"essential": true}}
You can retrieve these values from AWS Cognito: click 'App Integration', go to the 'App Client List' section, select argo-app-client, and copy the client details.
Update the Helm values with the AWS Cognito details to enable login via Cognito:
```yaml
global:
  # Hostname only: the chart uses this value for ingress hosts, not a full URL.
  domain: argo.codedevops.cloud
configs:
  params:
    # TLS is terminated at the load balancer, so argocd-server serves plain HTTP behind it.
    "server.insecure": true
  cm:
    create: true
  rbac:
    create: true
    # Empty default role: a user whose groups match no policy line gets no access at all.
    policy.default: ''
    # Cognito user pool group names on the left, ArgoCD roles on the right.
    policy.csv: |
      g, argocd-readonly, role:readonly
      g, argocd-admin, role:admin
    # Cognito places user pool groups in the "cognito:groups" ID token claim, not "groups".
    scopes: '[cognito:groups]'
repoServer:
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
server:
  config:
    url: "https://argo.codedevops.cloud"
    oidc.config: |
      name: admin
      issuer: https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_YEwPaQA4Q # replace with your user pool's issuer URL
      clientID: 3f8r6j111qidd2c2ft9rmh4vu # replace with your app client ID
      # Prefer a $oidc.cognito.clientSecret reference to a key in argocd-secret over a plaintext value.
      clientSecret: 1gpls5t1pm3gjg3rfltsja6b # replace with your app client secret
      # The callback is <url>/auth/callback, the URL registered in Cognito; no redirect field is needed here.
      requestedScopes: ["email", "openid", "phone"]
      requestedIDTokenClaims: {"cognito:groups": {"essential": true}}
  extraArgs:
    - --insecure
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
      nginx.ingress.kubernetes.io/cors-expose-headers: "*, X-CustomResponseHeader"
      nlb.ingress.kubernetes.io/scheme: internet-facing
      nlb.ingress.kubernetes.io/target-type: instance
      nlb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
      nlb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:ap-south-1:434605749312:certificate/50eeb484-0d88-4617-bdf6-1d339f2f3b48"
    hosts:
      - argo.codedevops.cloud
```
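As an added example (not code from this post or from the ArgoCD project), the script below shows offline how the configs.rbac settings above turn a Cognito ID token into ArgoCD roles: it parses policy.csv, reads the user's groups from whichever claim `scopes` names, and shows that a Cognito token (groups in `cognito:groups`) gets no role when `scopes` is `[groups]` but role:admin when it is `[cognito:groups]`. The token is constructed, unsigned sample data, and the role resolution is a simplified model of ArgoCD's behaviour.

```python
import base64
import json

# The RBAC settings from the Helm values on this page.
POLICY_CSV = """
g, argocd-readonly, role:readonly
g, argocd-admin, role:admin
"""
POLICY_DEFAULT = ""  # empty: a user matching no group gets no role at all

def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims without verifying the signature
    (that is ArgoCD's job; this only inspects what the token carries)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def parse_group_policy(policy_csv: str) -> dict:
    """Map each group in 'g, <group>, <role>' lines of policy.csv to its roles."""
    mapping = {}
    for line in policy_csv.strip().splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 3 and parts[0] == "g":
            mapping.setdefault(parts[1], []).append(parts[2])
    return mapping

def effective_roles(claims: dict, scopes: list, policy_csv: str, policy_default: str) -> list:
    """Groups are read from the claims named in `scopes` (configs.rbac.scopes) and
    matched against policy.csv; policy.default applies only when nothing matched."""
    mapping = parse_group_policy(policy_csv)
    groups = []
    for scope in scopes:
        value = claims.get(scope, [])
        groups.extend(value if isinstance(value, list) else [value])
    roles = [role for group in groups for role in mapping.get(group, [])]
    return roles or ([policy_default] if policy_default else [])

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for this demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed Cognito-style claims: user pool groups live in "cognito:groups".
SAMPLE_TOKEN = make_unsigned_token({"email": "alice@example.com", "cognito:groups": ["argocd-admin"]})

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    for scopes in (["groups"], ["cognito:groups"]):
        print(scopes, "->", effective_roles(claims, scopes, POLICY_CSV, POLICY_DEFAULT))
```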
Run terraform plan to preview the changes, and then terraform apply to apply them.
Let's try logging in again at https://argo.codedevops.cloud, this time signing in through AWS Cognito.
Enter the username and password.
Troubleshooting
If you encounter any issues, refer to the AWS documentation or raise an issue in this repository.
Source link: https://github.com/ravindrasinghh/Kubernetes-Playlist/tree/master
If you prefer a video tutorial, it walks you through installing and securing ArgoCD access with Amazon Cognito.
Top comments (2)
Awesome one, I will this for sure
Glad you liked it! Let me know how it goes when you try it out!