Hello everyone, I’m Zhang Jintao.

In my previous article, “GitOps Application Practices Series – Overview part 1,” I introduced GitOps concepts, how they work, and the pull- and push-based models. In this article, we focus on Argo CD, a tool used to implement GitOps.

Argo CD overview

On 7 April 2020, the CNCF Technical Oversight Committee (TOC) voted to accept the Argo project into the CNCF Incubator.

Argo was founded in 2017 by Applatix (a company whose main products and services are now deeply integrated with AWS and with some cloud-based services), which was acquired by Intuit in early 2018. BlackRock later contributed Argo Events to the Argo project. Both companies are actively involved in developing and nurturing the projects and their communities.

Argo and its subprojects provide a simple way to manage workflows, events, and applications. All Argo tools are implemented as Kubernetes CRDs (Custom Resource Definitions). They can use or integrate with other CNCF projects such as gRPC, Prometheus, NATS, Helm, and CloudEvents.

The Argo ecosystem currently consists of four sub-projects:

  • Argo Workflows — The first Argo project, a native Kubernetes workflow engine that supports DAG and step-based Workflows;

  • Argo Events — An event-based dependency manager on Kubernetes that triggers Argo workflows and other actions in Kubernetes.

  • Argo CD — An open source project from the Argo community and Intuit that supports declarative deployment of Kubernetes resources based on GitOps.

  • Argo Rollouts — Supports declarative progressive delivery strategies such as Canary, blue-green, and more.

Argo CD is designed as a declarative continuous delivery (CD) tool. Argo CD supports a variety of configuration management tools, including Ksonnet/Jsonnet, Kustomize and Helm. Argo CD extends the benefits of declarative, Git-based configuration management to speed up application deployment and lifecycle management without compromising security and compliance.

Application scenarios for Argo CD

  • The configuration of the application and its deployment environment is declarative and version-controlled;

  • Application deployment and lifecycle management is simple, automated, and auditable (enterprise friendly);

  • Application deployment is fast, reliable, and idempotent;

  • Any deviation from the version-controlled configuration needs to be detected and corrected;

  • Rollback is simple;

Key features of Argo CD

  • You can use a variety of configuration management tools (such as Ksonnet/Jsonnet, Helm, and Kustomize) to align your application with what is defined in Git;

  • Automatically deploy the application to the specified target environment;

  • Continuously monitor deployed applications;

  • Web- and CLI-based operations, and application visualization;

  • Deploy or roll back to any application state committed in the Git repository (another great benefit of using Git for version management);

  • PreSync, Sync, PostSync hooks to support complex application deployment strategies (for example: Blue/Green, Canary upgrades)

  • SSO integration (OIDC, LDAP, SAML 2.0, GitLab, Microsoft, LinkedIn), a feature that enterprises need;

  • Webhook integration (GitHub, BitBucket, GitLab).

  • Can be used independently or as part of existing pipelines, such as Argo Workflow, Jenkins, and GitLab CI.

Argo CD architecture

As a whole, Argo CD has three main components: API Server, Repository Server and Application Controller.

API Server

Argo CD’s API Server is a gRPC/REST server that exposes the APIs used by the Web UI, the CLI, and other clients.

Its main responsibilities are:

  • Application management and status reporting;

  • Invoke application actions (for example: synchronization, rollback, user-defined actions);

  • Repository and cluster credential management (stored as Kubernetes Secrets);

  • Authentication and authorization are delegated to an external authentication component;

  • RBAC (Role-based Access Control);

  • Git webhook listener/forwarder

Repository Server

The Repository Server is an internal service that maintains a local cache of the Git repository holding the application manifests, and generates and returns the Kubernetes manifests. It accepts the following inputs:

  • Repository address (URL)

  • Revision (commit, tag, branch)

  • Application path

  • Template-specific settings: Helm values.yaml, etc.

Application Controller

The Application Controller is a Kubernetes controller that continuously monitors running Applications and compares the current live state with the desired target state (as specified in the repo). It detects the OutOfSync application state and optionally takes corrective action. It is also responsible for invoking any user-defined hooks for lifecycle events (PreSync, Sync, PostSync).
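As an added example (not code from the original article), an Application manifest that turns the controller's OutOfSync detection into automatic correction, followed by a PreSync hook Job of the kind the controller invokes. The repository URL, path and image are placeholders.

```yaml
# Application: the controller compares the live cluster state with the manifests
# at spec.source; because syncPolicy.automated is set, drift is corrected, not
# just reported as OutOfSync.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/example-org/gitops-config.git   # placeholder repository
    targetRevision: main
    path: apps/guestbook                                        # placeholder path
  destination:
    server: https://kubernetes.default.svc   # the cluster Argo CD itself runs in
    namespace: guestbook
  syncPolicy:
    automated:
      prune: true      # delete live resources that were removed from Git
      selfHeal: true   # re-sync when the live state is changed outside of Git
    syncOptions:
    - CreateNamespace=true
---
# PreSync hook kept alongside the application manifests under apps/guestbook:
# it runs before the Sync phase, and the Job is deleted once it succeeds.
apiVersion: batch/v1
kind: Job
metadata:
  name: db-migrate
  annotations:
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  backoffLimit: 1
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: migrate
        image: registry.example.internal/guestbook-migrate:1.0   # placeholder image
        command: ["/bin/sh", "-c", "echo 'running schema migration'"]
```

If the hook fails, the sync operation stops before the Sync phase, so a failed migration never leaves the application half-deployed.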

Key features of Argo CD

Since the release of v1.0.0 on March 17, 2019, Argo CD has moved fully into the v2.x era; the latest version is v2.1.5.

Version 2.0 introduced the Pods view, rewrote log visualization, added notification banners and many background and customization improvements, and introduced Argo CD Core (a lightweight Argo CD distribution that packages only the core GitOps functionality and relies on the Kubernetes API/RBAC for UI and CLI access).

  • Pods View: Especially useful for applications with hundreds of Pods. Instead of visualizing all of the application’s Kubernetes resources, it just shows Kubernetes pods and closely related resources.

  • New log visualization: Support for paging, filtering, the ability to disable/enable log streams, and even dark mode for terminal enthusiasts. The Argo CD CLI also supports log streams.

  • UI notification banner: specify a notification message and an optional URL using the ui.bannerContent and ui.bannerURL properties in the argocd-cm ConfigMap.

  • Background improvements: resource deletion/pruning, syncing only changed resources, Prune Last, and health checks for Sealed Secrets, kubernetes-external-secrets and Strimzi CRDs.

Deploying Argo CD

Argo CD can be installed in four modes: multi-tenant, core, custom, and Helm.

Multi-tenant

Multi-tenant is the most commonly used deployment mode for Argo CD. Users access Argo CD through the API Server, using either the Web UI or the argocd CLI.

The argocd CLI must first run the argocd login command.

argocd login SERVER [flags]

# Login to Argo CD using a username and password
argocd login cd.argoproj.io

# Login to Argo CD using SSO
argocd login cd.argoproj.io --sso

# Configure direct access using the Kubernetes API server
argocd login cd.argoproj.io --core

Two deployment methods are provided by default in the project’s GitHub Manifests:

Non-high availability

This type of installation is often used for demonstrations and testing (not recommended for production).

  • install.yaml – Standard Argo CD installation with cluster-admin privileges. Argo CD can deploy applications in the same cluster it is running in, or to an external cluster using the credentials you provide.

  • namespace-install.yaml – Requires only namespace-level permissions (no cluster-admin permissions). However, with this installation Argo CD cannot deploy applications in the same cluster it is running in, and relies only on the external cluster credentials provided.

Note: the Argo CD CRDs are not included in namespace-install.yaml and must be installed separately. The CRD manifests are found in the manifests/crds directory; install them using the following command:

kubectl apply -k https://github.com/argoproj/argo-cd/manifests/crds\?ref\=stable

High availability

The highly available installation is strongly recommended for production environments.

The bundle contains the same components, but tuned for high availability and resiliency.

  • ha/install.yaml – Same as install.yaml mentioned above, but with multiple replicas of the relevant components configured;
  • ha/namespace-install.yaml – Same as namespace-install.yaml mentioned above, but with multiple replicas of the relevant components configured;

Core

A core installation is best suited to cluster administrators who use Argo CD on their own and do not need multi-tenant functionality.

This installation includes fewer components and is easier to set up. The bundle does not include the API Server or the UI, and installs only a lightweight (non-HA) version of each component.

Users need Kubernetes access to manage Argo CD. The argocd CLI must be configured with the following commands:

kubectl config set-context --current --namespace=argocd
argocd login --core 

The Web UI is also available and can be started with the following command:

argocd admin dashboard

The manifests correspond to core-install.yaml in the repository.

Custom Installation

Argo CD manifests are also available for custom installation. It is recommended to include the manifests as a remote resource and apply additional customizations using Kustomize patches.

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: argocd
resources:
- https://raw.githubusercontent.com/argoproj/argo-cd/v2.0.4/manifests/ha/install.yaml
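As an added example (not from the original article), the same remote resource with two Kustomize patches layered on top: a UI banner in argocd-cm and a read-only default policy in argocd-rbac-cm. The three files are shown in one block; the banner URL and the SSO group name are placeholders.

```yaml
# kustomization.yaml: pull the upstream HA manifests and overlay local patches
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: argocd
resources:
- https://raw.githubusercontent.com/argoproj/argo-cd/v2.0.4/manifests/ha/install.yaml
patchesStrategicMerge:
- argocd-cm-patch.yaml
- argocd-rbac-cm-patch.yaml
---
# argocd-cm-patch.yaml: banner shown in the Web UI (ui.bannerContent / ui.bannerURL)
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  ui.bannerContent: "Production Argo CD: changes are applied from Git only"
  ui.bannerURL: "https://wiki.example.internal/gitops"   # placeholder URL
---
# argocd-rbac-cm-patch.yaml: everyone is read-only by default; only one SSO group
# (placeholder name "platform-team") may trigger syncs in the default project
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:deployer, applications, sync, default/*, allow
    g, platform-team, role:deployer
```

Build with kubectl kustomize . (or kubectl apply -k .) from the directory holding the three files; the upstream install.yaml is never edited, so upgrading is a one-line change to the resources URL.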

Helm

Argo CD can also be installed using Helm. The Helm chart is currently maintained by the community at github.com/argoproj/ar… No example is given here.

Secret management of Argo CD

Argo CD does not explicitly restrict how Secrets are managed. Here are some of the ways Secrets are managed under GitOps, which can be applied to other scenarios as well:

  • HashiCorp Vault is recommended; it is a more general solution with a wide range of applications. (www.vaultproject.io/)

  • Bitnami Sealed Secrets encrypts a Secret into a SealedSecret that can be stored safely, even in a public repository; a SealedSecret can only be decrypted by the controller running in the target cluster, and no one else (not even the original author) can recover the original Secret from it. (github.com/bitnami-lab…

  • Banzai Cloud Bank-Vaults provides a variety of tools that make HashiCorp Vault easier to use and operate: a wrapper around the official Vault client with automatic token renewal, a Go-based dynamic database credential provider with built-in Kubernetes support, a CLI tool to automatically initialize, unseal and configure Vault, a Kubernetes operator for configuration, and a mutating webhook for injecting secrets. (github.com/banzaicloud…

  • helm-secrets integration with Argo CD is available from helm-secrets v3.9.0;

  • argocd-vault-plugin retrieves secrets from various secret management tools (HashiCorp Vault, IBM Cloud Secrets Manager, AWS Secrets Manager, etc.) and injects them into Kubernetes resources (github.com/IBM/argocd-…

  • Kustomize Secret generator plugins: Kubernetes ConfigMaps and Secrets are key:value (KV) mappings, and Kustomize has three different ways to generate Secrets from local files; see the link for details. (github.com/kubernetes-…

  • aws-secret-operator is a Kubernetes operator that automatically creates and updates Kubernetes Secrets from content stored in AWS Secrets Manager; its custom resource maps AWS secrets to Kubernetes Secrets. (github.com/mumoshu/aws…

  • secrets-store-csi-driver mounts secret material into a Pod through the CSI interface, and supports multiple secret stores such as Vault, GCP, AWS and Azure.

Resource health assessment

Argo CD provides built-in health assessments for several standard Kubernetes resources, which are then aggregated into the overall application health.

The following types of Kubernetes resources are checked:

  • Deployment, ReplicaSet, StatefulSet, DaemonSet

  • Service

  • Ingress

  • PersistentVolumeClaim

  • Argo CD Application

You can also add custom health checks. Argo CD supports the following configuration methods:

1) Define a custom health check in the ConfigMap argocd-cm

The custom health check is defined in the resource.customizations.health.<group_kind> field of argocd-cm.

2) Bundled into Argo CD. Custom health check scripts are located in the github.com/argoproj/ar… directory.
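As an added example of method 1 (not from the original article), a custom health check in argocd-cm: the Lua script under resource.customizations.health.<group_kind> receives the live object as obj and returns a table with status and message. The cert-manager Certificate kind is chosen here only as an illustration; the article does not configure it.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  # <group_kind> is "<api group>_<Kind>"; the script is plain Lua.
  resource.customizations.health.cert-manager.io_Certificate: |
    hs = {}
    if obj.status ~= nil and obj.status.conditions ~= nil then
      for i, condition in ipairs(obj.status.conditions) do
        -- Ready=False: the controller has given up or is failing, report Degraded
        if condition.type == "Ready" and condition.status == "False" then
          hs.status = "Degraded"
          hs.message = condition.message
          return hs
        end
        -- Ready=True: the certificate has been issued
        if condition.type == "Ready" and condition.status == "True" then
          hs.status = "Healthy"
          hs.message = condition.message
          return hs
        end
      end
    end
    -- no status yet (object just created): neither healthy nor failed
    hs.status = "Progressing"
    hs.message = "Waiting for certificate"
    return hs
```

Without such a check, a CRD with no built-in assessment is always reported as Healthy, so a failing certificate issuance would never degrade the application's overall health.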

This covers the core content of Argo CD. In the next article, we will put Argo CD into practice. Your continued attention and feedback are welcome!


Please feel free to subscribe to my official account [MoeLove]