Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Declarative cluster configuration

Red Hat OpenShift GitOps 1.16

Configuring an OpenShift cluster with cluster configurations by using OpenShift GitOps and creating and synchronizing applications in the default and code mode by using the GitOps CLI

Red Hat OpenShift Documentation Team

Abstract

This document provides instructions for configuring Argo CD to recursively sync the content of a Git directory with an application that contains custom configurations for your cluster. It also discusses about how to create and synchronize applications in the default and code mode by using the GitOps CLI.

With Red Hat OpenShift GitOps, you can configure Argo CD to recursively sync the content of a Git directory with an application that contains custom configurations for your cluster.

1.1. Prerequisites
Copy link

  • You have logged in to the OpenShift Container Platform cluster as an administrator.
  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
Warning

Do not elevate the permissions of Argo CD instances to be cluster-scoped unless you have a distinct use case that requires it. Only users with cluster-admin privileges should manage the instances you elevate. Anyone with access to the namespace of a cluster-scoped instance can elevate their privileges on the cluster to become a cluster administrator themselves.

To manage cluster-scoped resources, update the existing Subscription object for the Red Hat OpenShift GitOps Operator and add the namespace of the Argo CD instance to the ARGOCD_CLUSTER_CONFIG_NAMESPACES environment variable in the spec section.

Procedure

  1. In the Administrator perspective of the web console, navigate to OperatorsInstalled OperatorsRed Hat OpenShift GitOpsSubscription.
  2. Click the Actions list and then click Edit Subscription.

  3. On the openshift-gitops-operator Subscription details page, under the YAML tab, edit the Subscription YAML file by adding the namespace of the Argo CD instance to the ARGOCD_CLUSTER_CONFIG_NAMESPACES environment variable in the spec section: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-gitops-operator
  namespace: openshift-gitops-operator
# ...
spec:
  config:
    env:
    - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
      value: openshift-gitops, <list of namespaces of cluster-scoped Argo CD instances>
# ...
    Copy to Clipboard Toggle word wrap
  4. Click Save and Reload.

  5. To verify that the Argo CD instance is configured with a cluster role to manage cluster-scoped resources, perform the following steps:

    1. Navigate to User ManagementRoles and from the Filter list select Cluster-wide Roles.

    2. Search for the argocd-application-controller by using the Search by name field.

      The Roles page displays the created cluster role.

      Tip

      Alternatively, in the OpenShift CLI, run the following command: 

      oc auth can-i create oauth -n openshift-gitops --as system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller
      Copy to Clipboard Toggle word wrap

      The output yes verifies that the Argo instance is configured with a cluster role to manage cluster-scoped resources. Else, check your configurations and take necessary steps as required.

1.3. Default permissions of an Argo CD instance
Copy link

By default Argo CD instance has the following permissions:

  • Argo CD instance has the admin privileges to manage resources only in the namespace where it is deployed. For instance, an Argo CD instance deployed in the foo namespace has the admin privileges to manage resources only for that namespace.

  • Argo CD has the following cluster-scoped permissions because Argo CD requires cluster-wide read privileges on resources to function appropriately: 

    - verbs:
    - get
    - list
    - watch
   apiGroups:
    - '*'
   resources:
    - '*'
 - verbs:
    - get
    - list
   nonResourceURLs:
    - '*'
    Copy to Clipboard Toggle word wrap
Note

  • You can edit the cluster roles used by the argocd-server and argocd-application-controller components where Argo CD is running such that the write privileges are limited to only the namespaces and resources that you wish Argo CD to manage. 

    $ oc edit clusterrole argocd-server
$ oc edit clusterrole argocd-application-controller
    Copy to Clipboard Toggle word wrap

The default Argo CD instance and the accompanying controllers, installed by the Red Hat OpenShift GitOps Operator, can now run on the infrastructure nodes of the cluster by setting a simple configuration toggle.

Procedure

  1. Label the existing nodes: 

    $ oc label node <node-name> node-role.kubernetes.io/infra=""
    Copy to Clipboard Toggle word wrap

  2. Optional: If required, you can also apply taints and isolate the workloads on infrastructure nodes and prevent other workloads from scheduling on these nodes: 

    $ oc adm taint nodes -l node-role.kubernetes.io/infra \
infra=reserved:NoSchedule infra=reserved:NoExecute
    Copy to Clipboard Toggle word wrap

  3. Add the runOnInfra toggle in the GitOpsService custom resource: 

    apiVersion: pipelines.openshift.io/v1alpha1
kind: GitopsService
metadata:
  name: cluster
spec:
  runOnInfra: true
    Copy to Clipboard Toggle word wrap

  4. Optional: If taints have been added to the nodes, then add tolerations to the GitOpsService custom resource.

    Example

    apiVersion: pipelines.openshift.io/v1alpha1
kind: GitopsService
metadata:
  name: cluster
  spec:
    runOnInfra: true
    tolerations:
    - effect: NoSchedule
      key: infra
      value: reserved
    - effect: NoExecute
      key: infra
      value: reserved
    Copy to Clipboard Toggle word wrap

  5. Verify that the workloads in the openshift-gitops namespace are now scheduled on the infrastructure nodes by viewing PodsPod details for any pod in the console UI.
Note

Any nodeSelectors and tolerations manually added to the default Argo CD custom resource are overwritten by the toggle and tolerations in the GitOpsService custom resource.

Argo CD provides a dashboard which allows you to create applications.

This sample workflow walks you through the process of configuring Argo CD to recursively sync the content of the cluster directory to the cluster-configs application. The directory defines the OpenShift Container Platform web console cluster configurations that add a link to the Red Hat Developer Blog - Kubernetes under the red hat applications menu icon menu in the web console, and defines a namespace spring-petclinic on the cluster.

Prerequisites

  • You have logged in to the OpenShift Container Platform cluster as an administrator.
  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have logged in to Argo CD instance.

Procedure

  1. In the Argo CD dashboard, click NEW APP to add a new Argo CD application.

  2. For this workflow, create a cluster-configs application with the following configurations:

    Application Name
    cluster-configs
    Project
    default
    Sync Policy
    Manual
    Repository URL
    https://github.com/redhat-developer/openshift-gitops-getting-started
    Revision
    HEAD
    Path
    cluster
    Destination
    https://kubernetes.default.svc
    Namespace
    spring-petclinic
    Directory Recurse
    checked
  3. Click CREATE to create your application.
  4. Open the Administrator perspective of the web console and expand AdministrationNamespaces.
  5. Search for and select the namespace, then enter argocd.argoproj.io/managed-by=openshift-gitops in the Label field so that the Argo CD instance in the openshift-gitops namespace can manage your namespace.

1.6. Creating an application by using the oc tool
Copy link

You can create Argo CD applications in your terminal by using the oc tool.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have logged in to an Argo CD instance.

Procedure

  1. Download the sample application: 

    $ git clone git@github.com:redhat-developer/openshift-gitops-getting-started.git
    Copy to Clipboard Toggle word wrap

  2. Create the application: 

    $ oc create -f openshift-gitops-getting-started/argo/app.yaml
    Copy to Clipboard Toggle word wrap

  3. Run the oc get command to review the created application: 

    $ oc get application -n openshift-gitops
    Copy to Clipboard Toggle word wrap

  4. Add a label to the namespace your application is deployed in so that the Argo CD instance in the openshift-gitops namespace can manage it: 

    $ oc label namespace spring-petclinic argocd.argoproj.io/managed-by=openshift-gitops
    Copy to Clipboard Toggle word wrap

You can create applications in the default mode by using the GitOps argocd CLI.

This sample workflow walks you through the process of configuring Argo CD to recursively sync the content of the cluster directory to the cluster-configs application. The directory defines the OpenShift Container Platform cluster configurations and the spring-petclinic namespace on the cluster.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have installed the OpenShift CLI (oc).
  • You have installed the Red Hat OpenShift GitOps argocd CLI.
  • You have logged in to Argo CD instance.

Procedure

  1. Get the admin account password for the Argo CD server: 

    $ ADMIN_PASSWD=$(oc get secret openshift-gitops-cluster -n openshift-gitops -o jsonpath='{.data.admin\.password}' | base64 -d)
    Copy to Clipboard Toggle word wrap

  2. Get the Argo CD server URL: 

    $ SERVER_URL=$(oc get routes openshift-gitops-server -n openshift-gitops -o jsonpath='{.status.ingress[0].host}')
    Copy to Clipboard Toggle word wrap

  3. Log in to the Argo CD server by using the admin account password and enclosing it in single quotes:

    Important

    Enclosing the password in single quotes ensures that special characters, such as $, are not misinterpreted by the shell. Always use single quotes to enclose the literal value of the password. 

    $ argocd login --username admin --password ${ADMIN_PASSWD} ${SERVER_URL}
    Copy to Clipboard Toggle word wrap

    Example

    $ argocd login --username admin --password '<password>' openshift-gitops.openshift-gitops.apps-crc.testing
    Copy to Clipboard Toggle word wrap

  4. Verify that you are able to run argocd commands in the default mode by listing all applications: 

    $ argocd app list
    Copy to Clipboard Toggle word wrap

    If the configuration is correct, then existing applications will be listed with the following header:

    Sample output

    NAME CLUSTER NAMESPACE  PROJECT  STATUS  HEALTH   SYNCPOLICY  CONDITIONS  REPO PATH TARGET
    Copy to Clipboard Toggle word wrap

  5. Create an application in the default mode: 

    $ argocd app create app-cluster-configs \
    --repo https://github.com/redhat-developer/openshift-gitops-getting-started.git \
    --path cluster \
    --revision main \
    --dest-server  https://kubernetes.default.svc \
    --dest-namespace spring-petclinic \
    --directory-recurse \
    --sync-policy none \
    --sync-option Prune=true \
    --sync-option CreateNamespace=true
    Copy to Clipboard Toggle word wrap

  6. Label the spring-petclinic destination namespace to be managed by the openshif-gitops Argo CD instance: 

    $ oc label ns spring-petclinic "argocd.argoproj.io/managed-by=openshift-gitops"
    Copy to Clipboard Toggle word wrap

  7. List the available applications to confirm that the application is created successfully: 

    $ argocd app list
    Copy to Clipboard Toggle word wrap

    Even though the cluster-configs Argo CD application has the Healthy status, it is not automatically synced due to its none sync policy, causing it to remain in the OutOfSync status.

You can create applications in core mode by using the GitOps argocd CLI.

This sample workflow walks you through the process of configuring Argo CD to recursively sync the content of the cluster directory to the cluster-configs application. The directory defines the OpenShift Container Platform cluster configurations and the spring-petclinic namespace on the cluster.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have installed the OpenShift CLI (oc).
  • You have installed the Red Hat OpenShift GitOps argocd CLI.

Procedure

  1. Log in to the OpenShift Container Platform cluster by using the oc CLI tool: 

    $ oc login -u <username> -p <password> <server_url>
    Copy to Clipboard Toggle word wrap

    Example

    $ oc login -u kubeadmin -p '<password>' https://api.crc.testing:6443
    Copy to Clipboard Toggle word wrap

  2. Check whether the context is set correctly in the kubeconfig file: 

    $ oc config current-context
    Copy to Clipboard Toggle word wrap

  3. Set the default namespace of the current context to openshift-gitops: 

    $ oc config set-context --current --namespace openshift-gitops
    Copy to Clipboard Toggle word wrap

  4. Set the following environment variable to override the Argo CD component names: 

    $ export ARGOCD_REPO_SERVER_NAME=openshift-gitops-repo-server
    Copy to Clipboard Toggle word wrap

  5. Verify that you are able to run argocd commands in core mode by listing all applications: 

    $ argocd app list --core
    Copy to Clipboard Toggle word wrap

    If the configuration is correct, then existing applications will be listed with the following header:

    Sample output

    NAME CLUSTER NAMESPACE  PROJECT  STATUS  HEALTH   SYNCPOLICY  CONDITIONS  REPO PATH TARGET
    Copy to Clipboard Toggle word wrap

  6. Create an application in core mode: 

    $ argocd app create app-cluster-configs --core \
    --repo https://github.com/redhat-developer/openshift-gitops-getting-started.git \
    --path cluster \
    --revision main \
    --dest-server  https://kubernetes.default.svc \
    --dest-namespace spring-petclinic \
    --directory-recurse \
    --sync-policy none \
    --sync-option Prune=true \
    --sync-option CreateNamespace=true
    Copy to Clipboard Toggle word wrap

  7. Label the spring-petclinic destination namespace to be managed by the openshif-gitops Argo CD instance: 

    $ oc label ns spring-petclinic "argocd.argoproj.io/managed-by=openshift-gitops"
    Copy to Clipboard Toggle word wrap

  8. List the available applications to confirm that the application is created successfully: 

    $ argocd app list --core
    Copy to Clipboard Toggle word wrap

    Even though the cluster-configs Argo CD application has the Healthy status, it is not automatically synced due to its none sync policy, causing it to remain in the OutOfSync status.

You can synchronize your application with your Git repository by modifying the synchronization policy for Argo CD. The policy modification automatically applies the changes in your cluster configurations from your Git repository to the cluster.

Procedure

  1. In the Argo CD dashboard, notice that the cluster-configs Argo CD application has the statuses Missing and OutOfSync. Because the application was configured with a manual sync policy, Argo CD does not sync it automatically.
  2. Click SYNC on the cluster-configs tile, review the changes, and then click SYNCHRONIZE. Argo CD will detect any changes in the Git repository automatically. If the configurations are changed, Argo CD will change the status of the cluster-configs to OutOfSync. You can modify the synchronization policy for Argo CD to automatically apply changes from your Git repository to the cluster.
  3. Notice that the cluster-configs Argo CD application now has the statuses Healthy and Synced. Click the cluster-configs tile to check the details of the synchronized resources and their status on the cluster.
  4. Navigate to the OpenShift Container Platform web console and click red hat applications menu icon to verify that a link to the Red Hat Developer Blog - Kubernetes is now present there.

  5. Navigate to the Project page and search for the spring-petclinic namespace to verify that it has been added to the cluster.

    Your cluster configurations have been successfully synchronized to the cluster.

You can synchronize applications in the default mode by using the GitOps argocd CLI.

This sample workflow walks you through the process of configuring Argo CD to recursively sync the content of the cluster directory to the cluster-configs application. The directory defines the OpenShift Container Platform cluster configurations and the spring-petclinic namespace on the cluster.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have logged in to Argo CD instance.
  • You have installed the OpenShift CLI (oc).
  • You have installed the Red Hat OpenShift GitOps argocd CLI.

Procedure

  1. Get the admin account password for the Argo CD server: 

    $ ADMIN_PASSWD=$(oc get secret openshift-gitops-cluster -n openshift-gitops -o jsonpath='{.data.admin\.password}' | base64 -d)
    Copy to Clipboard Toggle word wrap

  2. Get the Argo CD server URL: 

    $ SERVER_URL=$(oc get routes openshift-gitops-server -n openshift-gitops -o jsonpath='{.status.ingress[0].host}')
    Copy to Clipboard Toggle word wrap

  3. Log in to the Argo CD server by using the admin account password and enclosing it in single quotes:

    Important

    Enclosing the password in single quotes ensures that special characters, such as $, are not misinterpreted by the shell. Always use single quotes to enclose the literal value of the password. 

    $ argocd login --username admin --password ${ADMIN_PASSWD} ${SERVER_URL}
    Copy to Clipboard Toggle word wrap

    Example

    $ argocd login --username admin --password '<password>' openshift-gitops.openshift-gitops.apps-crc.testing
    Copy to Clipboard Toggle word wrap

  4. Because the application is configured with the none sync policy, you must manually trigger the sync operation: 

    $ argocd app sync openshift-gitops/app-cluster-configs
    Copy to Clipboard Toggle word wrap

  5. List the application to confirm that the application has the Healthy and Synced statuses: 

    $ argocd app list
    Copy to Clipboard Toggle word wrap

You can synchronize applications in core mode by using the GitOps argocd CLI.

This sample workflow walks you through the process of configuring Argo CD to recursively sync the content of the cluster directory to the cluster-configs application. The directory defines the OpenShift Container Platform cluster configurations and the spring-petclinic namespace on the cluster.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have installed the OpenShift CLI (oc).
  • You have installed the Red Hat OpenShift GitOps argocd CLI.

Procedure

  1. Log in to the OpenShift Container Platform cluster by using the oc CLI tool: 

    $ oc login -u <username> -p <password> <server_url>
    Copy to Clipboard Toggle word wrap

    Example

    $ oc login -u kubeadmin -p '<password>' https://api.crc.testing:6443
    Copy to Clipboard Toggle word wrap

  2. Check whether the context is set correctly in the kubeconfig file: 

    $ oc config current-context
    Copy to Clipboard Toggle word wrap

  3. Set the default namespace of the current context to openshift-gitops: 

    $ oc config set-context --current --namespace openshift-gitops
    Copy to Clipboard Toggle word wrap

  4. Set the following environment variable to override the Argo CD component names: 

    $ export ARGOCD_REPO_SERVER_NAME=openshift-gitops-repo-server
    Copy to Clipboard Toggle word wrap

  5. Because the application is configured with the none sync policy, you must manually trigger the sync operation: 

    $ argocd app sync --core openshift-gitops/app-cluster-configs
    Copy to Clipboard Toggle word wrap

  6. List the application to confirm that the application has the Healthy and Synced statuses: 

    $ argocd app list --core
    Copy to Clipboard Toggle word wrap

By default, the Argo CD instance has permissions to manage specific cluster-scoped resources such as cluster Operators, optional OLM Operators and user management.

Note
  • Argo CD does not have cluster-admin permissions.
  • You can extend the permissions bound to any Argo CD instances managed by the GitOps Operator. However, you must not modify the permission resources, such as roles or cluster roles created by the GitOps Operator, because the Operator might reconcile them back to their initial state. Instead, create dedicated role and cluster role objects and bind them to the appropriate service account that the application controller uses.

Permissions for the Argo CD instance:

Expand
ResourcesDescriptions

Resource Groups

Configure the user or administrator

operators.coreos.com

Optional Operators managed by OLM

user.openshift.io , rbac.authorization.k8s.io

Groups, Users and their permissions

config.openshift.io

Control plane Operators managed by CVO used to configure cluster-wide build configuration, registry configuration and scheduler policies

storage.k8s.io

Storage

console.openshift.io

Console customization

1.13. Adding permissions for cluster configuration
Copy link

You can grant permissions for an Argo CD instance to manage cluster configuration. Create a cluster role with additional permissions and then create a new cluster role binding to associate the cluster role with a service account.

Prerequisites

  • You have access to an OpenShift Container Platform cluster with cluster-admin privileges and are logged in to the web console.
  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.

Procedure

  1. In the web console, select User ManagementRolesCreate Role. Use the following ClusterRole YAML template to add rules to specify the additional permissions. 

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secrets-cluster-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["*"]
    Copy to Clipboard Toggle word wrap
  2. Click Create to add the cluster role.
  3. To create the cluster role binding, select User ManagementRole BindingsCreate Binding.
  4. Select All Projects from the Project list.
  5. Click Create binding.
  6. Select Binding type as Cluster-wide role binding (ClusterRoleBinding).
  7. Enter a unique value for the RoleBinding name.
  8. Select the newly created cluster role or an existing cluster role from the drop-down list.

  9. Select the Subject as ServiceAccount and the provide the Subject namespace and name.

    1. Subject namespace: openshift-gitops

    2. Subject name: openshift-gitops-argocd-application-controller

      Note

      The value of Subject name depends on the GitOps control plane components for which you create the cluster roles and cluster role bindings.

  10. Click Create. The YAML file for the ClusterRoleBinding object is as follows: 

    kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-role-binding
subjects:
  - kind: ServiceAccount
    name: openshift-gitops-argocd-application-controller
    namespace: openshift-gitops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secrets-cluster-role
    Copy to Clipboard Toggle word wrap

Red Hat OpenShift GitOps with cluster configurations manages specific cluster-scoped resources and takes care of installing cluster Operators or any namespace-scoped OLM Operators.

Consider a case where as a cluster administrator, you have to install an OLM Operator such as Tekton. You use the OpenShift Container Platform web console to manually install a Tekton Operator or the OpenShift CLI to manually install a Tekton subscription and Tekton Operator group on your cluster.

Red Hat OpenShift GitOps places your Kubernetes resources in your Git repository. As a cluster administrator, use Red Hat OpenShift GitOps to manage and automate the installation of other OLM Operators without any manual procedures. For example, after you place the Tekton subscription in your Git repository by using Red Hat OpenShift GitOps, the Red Hat OpenShift GitOps automatically takes this Tekton subscription from your Git repository and installs the Tekton Operator on your cluster.

1.14.1. Installing cluster-scoped Operators
Copy link

Operator Lifecycle Manager (OLM) uses a default global-operators Operator group in the openshift-operators namespace for cluster-scoped Operators. Hence you do not have to manage the OperatorGroup resource in your Gitops repository. However, for namespace-scoped Operators, you must manage the OperatorGroup resource in that namespace.

To install cluster-scoped Operators, create and place the Subscription resource of the required Operator in your Git repository.

Example: Grafana Operator subscription

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: grafana
spec:
  channel: v4
  installPlanApproval: Automatic
  name: grafana-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
Copy to Clipboard Toggle word wrap

1.14.2. Installing namepace-scoped Operators
Copy link

To install namespace-scoped Operators, create and place the Subscription and OperatorGroup resources of the required Operator in your Git repository.

Example: Ansible Automation Platform Resource Operator

# ...
apiVersion: v1
kind: Namespace
metadata:
  labels:
    openshift.io/cluster-monitoring: "true"
  name: ansible-automation-platform
# ...
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ansible-automation-platform-operator
  namespace: ansible-automation-platform
spec:
  targetNamespaces:
    - ansible-automation-platform
# ...
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ansible-automation-platform
  namespace: ansible-automation-platform
spec:
  channel: patch-me
  installPlanApproval: Automatic
  name: ansible-automation-platform-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
# ...
Copy to Clipboard Toggle word wrap

Important

When deploying multiple Operators using Red Hat OpenShift GitOps, you must create only a single Operator group in the corresponding namespace. If more than one Operator group exists in a single namespace, any CSV created in that namespace transition to a failure state with the TooManyOperatorGroups reason. After the number of Operator groups in their corresponding namespaces reaches one, all the previous failure state CSVs transition to pending state. You must manually approve the pending install plan to complete the Operator installation.

The respectRBAC feature in Argo CD controls how Argo CD watches resources on a cluster. By default, Argo CD attempts to watch all Kubernetes resources (CRDs) on a cluster at the cluster scope. With the respectRBAC feature, you can restrict the ArgoCD controller from discovering or syncing specific resources using only controller RBAC, without manually configuring resource exclusions.

To enable this feature, set the .spec.controller.respectRBAC key in the Argo CD resource. After you set this key, the controller automatically stops watching resources it cannot list or access. For example, this prevents a situation where the Argo CD cluster role restricts Argo CD from watching OpenShift Routes, which would otherwise result in an error during synchronization, stating that it cannot watch the resource.

You can enable the respectRBAC feature by creating an Argo CD instance through the command-line interface (CLI) or the web console.

Prerequisites

Ensure that you created and updated a namespace in the Subscription resource, so Subscription can host a cluster-scoped Argo CD instance. For more information, see "Using an Argo CD instance to manage cluster-scoped resources".

1.15.1. Configuring respectRBAC using the CLI
Copy link

You can configure the respectRBAC feature by using the CLI.

Procedure

  1. Create a YAML object file, for example, argo-cd-resource.yaml, to configure the respectRBAC feature:

    Example ArgoCD YAML to create respectRBAC

    apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example-argocd
    1 
    
spec:
  controller:
    respectRBAC: strict
    2
    Copy to Clipboard Toggle word wrap

    1
    Specify the name of the Argo CD instance.
    2
    You can specify the value of the .spec.controller.respectRBAC key in the ArgoCD resource as normal or strict. Consider setting a value as normal to balance accuracy and speed as resource listing is a lightweight operation. Set the value as strict if Argo CD reports errors indicating that it cannot access resources when you set the value as normal. Setting strict increases the number of API calls to the server and it is more accurate compared to normal as Argo CD performs additional validations of RBAC resources to determine permissions.

  2. Apply the changes to the YAML file by running the following command. 

    $ oc apply -f argocd-resource.yaml -n argo-cd-instance
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the YAML file that includes the ArgoCD resource and the namespace that hosts ArgoCD.

  3. Verify that the status of the .status.phase field is Available by running the following command: 

    $ oc get argocd <argocd_instance_name> -n <argocd_namespace> -o jsonpath='{.status.phase}'
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <argocd_instance_name> with the name of your Argo CD instance for example, example-argocd.

  4. Verify that the resource.respectRBAC parameter in the ConfigMap resource is updated successfully:

    1. To retrieve the contents of the argocd-cm config map, run the following command: 

      $ oc get cm argocd-cm -n <argocd_namespace> -o yaml
      Copy to Clipboard Toggle word wrap
    2. Verify that the argocd-cm ConfigMap contains the resource.respectRBAC parameter and ensure its value is set to either strict or normal.

You can configure respectRBAC in the web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. In the Administrator perspective of the web console, click OperatorsInstalled Operators.
  3. Create or select the project where you want to install the user-defined Argo CD instance from the Project list.
  4. Select Red Hat OpenShift GitOps from the installed Operators list and click the Argo CD tab.

  5. Configure the respectRBAC parameter in the Argo CD tab. 

    spec:
  controller:
    respectRBAC: strict
    Copy to Clipboard Toggle word wrap

  6. Click Create.

    After successful installation, verify that the Argo CD instance is listed under the Argo CD tab and the Status is Available.

  7. After the Argo CD instance is created, verify that the resource.respectRBAC parameter in the ConfigMap resource is updated successfully by completing the following steps.

    1. In the Administrator perspective, go to WorkloadConfigMaps.
    2. In the Project option, select the Argo CD namespace.
    3. Select the argocd-cm config map.
    4. Select the YAML tab to view the resource.respectRBAC parameter.

For the default cluster-scoped instance, the Red Hat OpenShift GitOps Operator grants additional permissions for managing certain cluster-scoped resources. Consequently, as a cluster administrator, when you deploy an Argo CD as a cluster-scoped instance, the Operator creates additional cluster roles and cluster role bindings for the GitOps control plane components. These cluster roles and cluster role bindings provide the additional permissions that Argo CD requires to operate at the cluster level.

If you do not want the cluster-scoped instance to have all of the Operator-given permissions and choose to add or remove permissions to cluster-wide resources, you must first disable the creation of the default cluster roles for the cluster-scoped instance. Then, you can customize permissions for the following cluster-scoped instances:

  • Default ArgoCD instance (default cluster-scoped instance)
  • User-defined cluster-scoped Argo CD instance

This guide provides instructions with examples to help you create a user-defined cluster-scoped Argo CD instance, deploy an Argo CD application in your defined namespace that contains custom configurations for your cluster, disable the creation of the default cluster roles for the cluster-scoped instance, and customize permissions for user-defined cluster-scoped instances by creating new cluster roles and cluster role bindings for the GitOps control plane components.

Note

As a developer, if you are creating an Argo CD application and deploying cluster-wide resources, ensure that your cluster administrator grants the necessary permissions to them.

Otherwise, after the Argo CD reconciliation, you will see an authentication error message in the application’s Status field similar to the following example:

Example authentication error message

persistentvolumes is forbidden: User "system:serviceaccount:gitops-demo:argocd-argocd-application-controller" cannot create resource "persistentvolumes" in API group "" at the cluster scope.
Copy to Clipboard Toggle word wrap

2.1. Prerequisites
Copy link

  • You have installed Red Hat OpenShift GitOps 1.13.0 or a later version on your OpenShift Container Platform cluster.
  • You have installed the OpenShift CLI (oc).
  • You have installed the Red Hat OpenShift GitOps argocd CLI.
  • You have installed a cluster-scoped Argo CD instance in your defined namespace. For example, spring-petclinic namespace.

  • You have validated that the user-defined cluster-scoped instance is configured with the cluster roles and cluster role bindings for the following components:

    • Argo CD Application Controller
    • Argo CD server
    • Argo CD ApplicationSet Controller (provided the ApplicationSet Controller is created)

  • You have deployed a cluster-configs Argo CD application with the customclusterrole path in the spring-petclinic namespace and created the test-gitops-ns namespace and test-gitops-pv persistent volume resources.

    Note

    The cluster-configs Argo CD application must be managed by a user-defined cluster-scoped instance with the following parameters set:

    • The selfHeal field value set to true
    • The syncPolicy field value set to automated
    • The Label field set to the app.kubernetes.io/part-of=argocd value
    • The Label field set to the argocd.argoproj.io/managed-by=<user_defined_namespace> value so that the Argo CD instance in your defined namespace can manage your namespace
    • The Label field set to the app.kubernetes.io/name=<user_defined_argocd_instance> value

To add or remove permissions to cluster-wide resources, as needed, you must disable the creation of the default cluster roles for the cluster-scoped instance by editing the YAML file of the Argo CD custom resource (CR).

Procedure

  1. In the Argo CD CR, set the value of the .spec.defaultClusterScopedRoleDisabled field to true:

    Example Argo CD CR

    apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
    1 
    
  namespace: spring-petclinic
    2 
    
# ...
spec:
  defaultClusterScopedRoleDisabled: true
    3 
    
# ...
    Copy to Clipboard Toggle word wrap

    1
    The name of the cluster-scoped instance.
    2
    The namespace where you want to run the cluster-scoped instance.
    3
    The flag value that disables the creation of the default cluster roles for the cluster-scoped instance. If you want the Operator to recreate the default cluster roles and cluster role bindings for the cluster-scoped instance, set the field value to false.

    Sample output

    argocd.argoproj.io/example configured
    Copy to Clipboard Toggle word wrap

  2. Verify that the Red Hat OpenShift GitOps Operator has deleted the default cluster roles and cluster role bindings for the GitOps control plane components by running the following commands: 

    $ oc get ClusterRoles/<argocd_name>-<argocd_namespace>-<control_plane_component>
    Copy to Clipboard Toggle word wrap 
    $ oc get ClusterRoleBindings/<argocd_name>-<argocd_namespace>-<control_plane_component>
    Copy to Clipboard Toggle word wrap

    Sample output

    No resources found
    Copy to Clipboard Toggle word wrap

    The default cluster roles and cluster role bindings for the cluster-scoped instance are not created. As a cluster administrator, you can now create and customize permissions for cluster-scoped instances by creating new cluster roles and cluster role bindings for the GitOps control plane components.

As a cluster administrator, to customize permissions for cluster-scoped instances, you must create new cluster roles and cluster role bindings for the GitOps control plane components.

For example purposes, the following instructions focus only on user-defined cluster-scoped instances.

Procedure

  1. Open the Administrator perspective of the web console and go to User ManagementRolesCreate Role.

  2. Use the following ClusterRole YAML template to add rules to specify the additional permissions.

    Example cluster role YAML template

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-spring-petclinic-argocd-application-controller
    1 
    
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - '*'
    resources:
      - '*'
  - verbs:
      - '*'
    apiGroups:
      - ''
    resources:
    2 
    
      - namespaces
      - persistentvolumes
    Copy to Clipboard Toggle word wrap

    1
    The name of the cluster role according to the <argocd_name>-<argocd_namespace>-<control_plane_component> naming convention.
    2
    The resources to which you want to grant permissions at the cluster level.
  3. Click Create to add the cluster role.

  4. Find the service account used by the control plane component you are customizing permissions for, by performing the following steps:

    1. Go to WorkloadsPods.
    2. From the Project list, select the project where the user-defined cluster-scoped instance is installed.
    3. Click the pod of the control plane component and go to the YAML tab.
    4. Find the spec.ServiceAccount field and note the service account.
  5. Go to User ManagementRoleBindingsCreate binding.
  6. Click Create binding.
  7. Select Binding type as Cluster-wide role binding (ClusterRoleBinding).
  8. Enter a unique value for RoleBinding name by following the <argocd_name>-<argocd_namespace>-<control_plane_component> naming convention.
  9. Select the newly created cluster role from the drop-down list for Role name.

  10. Select the Subject as ServiceAccount and the provide the Subject namespace and name.

    1. Subject namespace: spring-petclinic

    2. Subject name: example-argocd-application-controller

      Note

      For Subject name, ensure that the value you configure is the same as the value of the spec.ServiceAccount field of the control plane component you are customizing permissions for.

  11. Click Create.

    You have created the required permissions for the control plane component’s service account and namespace. The YAML file for the ClusterRoleBinding object looks similar to the following example:

    Example YAML file for a cluster role binding

    kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-spring-petclinic-argocd-application-controller
subjects:
  - kind: ServiceAccount
    name: example-argocd-application-controller
    namespace: spring-petclinic
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-spring-petclinic-argocd-application-controller
    Copy to Clipboard Toggle word wrap

The default cluster role for the Argo CD Application Controller has a specific set of hard-coded permissions. The Red Hat OpenShift GitOps Operator manages this cluster role, so you cannot modify it. As a cluster administrator, you can customize the permissions by using any one of the following methods:

3.1. Aggregated cluster roles
Copy link

By using aggregated cluster roles, you do not have to define permissions by creating new cluster roles from scratch. Instead, you can combine several cluster roles into a single one.

With Red Hat OpenShift GitOps 1.14 and later, as a cluster administrator, you can use aggregated cluster roles and enable users to easily add user-defined permissions for Argo CD Application Controller.

Important
  • The aggregated cluster roles functionality is optional and disabled by default. You can create aggregated cluster roles only for the Argo CD Application Controller component of a cluster-scoped Argo CD instance.
  • Deleting the aggregatedClusterRoles field from the Argo CD custom resource (CR) does not delete the user-defined cluster role. You must manually delete the user-defined cluster role using the CLI or UI.

3.2. Prerequisites
Copy link

  • You understand aggregated cluster roles.
  • You have installed Red Hat OpenShift GitOps on your OpenShift Container Platform cluster.
  • You have installed the OpenShift CLI (oc).
  • You have installed the Red Hat OpenShift GitOps argocd CLI.
  • You have installed a cluster-scoped Argo CD instance in your defined namespace.

  • You have validated that the user-defined cluster-scoped instance is configured with the cluster roles and cluster role bindings for the following components:

    • Argo CD Application Controller
    • Argo CD server
    • Argo CD ApplicationSet Controller, if ApplicationSet Controller is created
  • You have disabled the creation of the default cluster roles for the cluster-scoped instance.

3.3. Creating aggregated cluster roles
Copy link

The process of creating aggregated cluster roles consists of the following procedures:

  1. Enabling the creation of aggregated cluster roles
  2. Creating user-defined cluster roles and configuring user-defined permissions for Application Controller

You can enable the creation of aggregated cluster roles by setting the value of the .spec.aggregatedClusterRoles field to true in the Argo CD custom resource (CR). When you enable the creation of aggregated cluster roles, the Red Hat OpenShift GitOps Operator takes the following actions:

  • Creates an <argocd_name>-<argocd_namespace>-argocd-application-controller aggregated cluster role with a predefined aggregationRule field by default.
  • Creates a corresponding cluster role binding and manages it.
  • Creates and manages view and admin cluster roles for Application Controller to add user-defined permissions into the aggregated cluster role.

To configure user-defined permissions into the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role and aggregated cluster role, you must create one or more user-defined cluster roles with the argocd/aggregate-to-admin: 'true' label and then configure the user-defined permissions for Application Controller.

Note
  • The aggregated cluster role inherits permissions from the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin and <argocd_name>-<argocd_namespace>-argocd-application-controller-view cluster roles.
  • The <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role inherits permissions from the user-defined cluster role.

To enable the creation of aggregated cluster roles for the Argo CD Application Controller component of a cluster-scoped Argo CD instance, you must configure the corresponding field by editing the YAML file of the Argo CD custom resource (CR).

Procedure

  1. In the Argo CD CR, set the value of the .spec.aggregatedClusterRoles field to true:

    Example Argo CD CR

    apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
    1 
    
  namespace: spring-petclinic
    2 
    
# ...
spec:
  aggregatedClusterRoles: true
    3 
    
# ...
    Copy to Clipboard Toggle word wrap

    1
    The name of the cluster-scoped instance.
    2
    The namespace where you want to run the cluster-scoped instance.
    3
    The value set to true enables the creation of aggregated cluster roles. If you do not want to enable the creation of aggregated cluster roles, either do not include this line or set the value to false.

    Example output

    argocd.argoproj.io/example configured
    Copy to Clipboard Toggle word wrap

  2. Verify that the Status field of the cluster-scoped Argo CD instance shows as Phase: Available by running the following command: 

    $ oc describe argocd.argoproj.io/example -n spring-petclinic
    Copy to Clipboard Toggle word wrap

    Example output

    Name:         example
Namespace:    spring-petclinic
Labels:       <none>
Annotations:  <none>
API Version:  argoproj.io/v1beta1
Kind:         ArgoCD
Metadata:
  Creation Timestamp:  2024-08-14T08:20:53Z
  Finalizers:
    argoproj.io/finalizer
  Generation:        3
  Resource Version:  60437
  UID:               57940e54-d60b-4c1a-bc4a-85c81c63ab69
Spec:
  Aggregated Cluster Roles:  true
...
Status:
  Application Controller:      Running
  Application Set Controller:  Unknown
  Phase:                       Available
    1 
    
  Redis:                       Running
  Repo:                        Running
  Server:                      Running
  Sso:                         Unknown
Events:                        <none>
    Copy to Clipboard Toggle word wrap

    1
    The Available status indicates that the cluster-scoped Argo CD instance is healthy and available.
    Note

    The Red Hat OpenShift GitOps Operator creates the following default cluster roles and manages them:

    • <argocd_name>-<argocd_namespace>-argocd-application-controller aggregated cluster role
    • <argocd_name>-<argocd_namespace>-argocd-application-controller-view
    • <argocd_name>-<argocd_namespace>-argocd-application-controller-admin

  3. Verify that the Operator has created the default cluster roles and cluster role bindings for the Argo CD Application Controller and Argo CD server components by running the following commands: 

    $ oc get ClusterRoles -l app.kubernetes.io/part-of=argocd
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                                           CREATED AT
example-spring-petclinic-argocd-application-controller         2024-08-14T08:20:58Z
example-spring-petclinic-argocd-application-controller-admin   2024-08-14T09:08:38Z
example-spring-petclinic-argocd-application-controller-view    2024-08-14T09:08:38Z
example-spring-petclinic-argocd-server                         2024-08-14T08:20:59Z
    Copy to Clipboard Toggle word wrap 

    $ oc get ClusterRoleBindings -l app.kubernetes.io/part-of=argocd
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                                     ROLE                                                                 AGE
example-spring-petclinic-argocd-application-controller   ClusterRole/example-spring-petclinic-argocd-application-controller   54m
example-spring-petclinic-argocd-server                   ClusterRole/example-spring-petclinic-argocd-server                   54m
    Copy to Clipboard Toggle word wrap

    The cluster role bindings for the view and admin cluster roles are not created. This is because the view and admin cluster roles only add permissions to the aggregated cluster role and do not directly configure permissions to the Argo CD Application Controller.

    Tip

    Alternatively, you can use the OpenShift Container Platform web console to verify from the Administrator perspective. You can go to User ManagementRoles and User ManagementRoleBindings, respectively. You can search for the cluster roles and cluster role bindings that have the app.kubernetes.io/part-of:argocd label.

  4. Verify that the aggregated cluster role is created by checking the permissions of outputs of the roles created by running the following command: 

    $ oc get ClusterRole/<cluster_role_name> -o yaml
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <cluster_role_name> with the name of the role created.

    Example output of the aggregated cluster role

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-08-14T08:20:58Z"
  labels:
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
  name: example-spring-petclinic-argocd-application-controller
    1 
    
  resourceVersion: "78640"
  uid: aeeb2ef5-b531-4fe3-a61a-b5ad8dd8ca6e
aggregationRule:
    2 
    
  clusterRoleSelectors:
  - matchLabels:
      app.kubernetes.io/managed-by: spring-petclinic
      argocd/aggregate-to-controller: "true"
rules: []
    3
    Copy to Clipboard Toggle word wrap

    1
    The name of the aggregated cluster role.
    2
    The predefined list of labels indicates that the aggregated cluster role can inherit permissions from the other user-defined cluster roles.
    3
    No predefined permissions are set. However, when the Operator immediately creates a <argocd_name>-<argocd_namespace>-argocd-application-controller-view cluster role, the corresponding predefined view permissions are added into the aggregated cluster role.

    Example output of the view cluster role

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
  creationTimestamp: "2024-08-14T09:59:14Z"
  labels:
    1 
    
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
    argocd/aggregate-to-controller: "true"
  name: example-spring-petclinic-argocd-application-controller-view
    2 
    
  resourceVersion: "78639"
  uid: 068b8867-7a0c-4af3-a17a-0560a00eba41
rules:
    3 
    
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - '*'
  verbs:
  - get
  - list
    Copy to Clipboard Toggle word wrap

    1
    The labels match the predefined list of an existing aggregated cluster role.
    2
    The name of the view cluster role.
    3
    The predefined view permissions. These permissions are added into the existing aggregated cluster role.

    Example output of the admin cluster role

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-08-14T09:59:15Z"
  labels:
    1 
    
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
    argocd/aggregate-to-controller: "true"
  name: example-spring-petclinic-argocd-application-controller-admin
    2 
    
  resourceVersion: "78642"
  uid: e2d35b6f-0832-4993-8b24-915a725454f9
aggregationRule:
    3 
    
  clusterRoleSelectors:
  - matchLabels:
      app.kubernetes.io/managed-by: spring-petclinic
      argocd/aggregate-to-admin: "true"
rules: null
    4
    Copy to Clipboard Toggle word wrap

    1
    The labels match the predefined list of an existing aggregated cluster role.
    2
    The name of the admin cluster role.
    3
    The predefined list of labels indicates that the existing <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role can inherit permissions from the other user-defined cluster roles.
    4
    Specifies that no permissions are defined yet in one or more user-defined cluster roles.
    Tip

    Alternatively, you can use the OpenShift Container Platform web console to verify from the Administrator perspective. You can go to User ManagementRoles, use the Filter option, select Cluster-wide Roles, and search for the aggregated cluster role, view, and admin cluster roles. You must open the cluster role to check the details and configurations.

    As a cluster administrator, you can now create one or more user-defined cluster roles and configure user-defined permissions for Argo CD Application Controller.

As a cluster administrator, to add user-defined permissions to your aggregated cluster role, you must create one or more user-defined cluster roles and then configure the user-defined permissions for the Argo CD Application Controller component of a cluster-scoped Argo CD instance.

Prerequisites

  • You have enabled the creation of aggregated cluster roles for the Argo CD Application Controller component of a cluster-scoped Argo CD instance.

  • You have the following default cluster roles that are created and managed by the Red Hat OpenShift GitOps Operator:

    • <argocd_name>-<argocd_namespace>-argocd-application-controller aggregated cluster role with a predefined aggregationRule field
    • <argocd_name>-<argocd_namespace>-argocd-application-controller-view with predefined view permissions
    • <argocd_name>-<argocd_namespace>-argocd-application-controller-admin with no predefined permissions

Procedure

  1. Create a new cluster role with the required labels and permissions by using the following command: 

    $ oc apply -n <namespace> -f <cluster_role_name>.yaml
    Copy to Clipboard Toggle word wrap

    where:

    <namespace>
    Specifies the name of your defined namespace.
    <cluster_role_name>

    Specifies the name of your defined cluster role YAML file.

    Example user-defined cluster role YAML

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: user-application-controller
    1 
    
  labels:
    2 
    
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
    argocd/aggregate-to-admin: 'true'
rules:
    3 
    
  - verbs:
      - '*'
    apiGroups:
      - ''
    resources:
      - namespaces
      - persistentvolumeclaims
      - persistentvolumes
      - configmaps
  - verbs:
      - '*'
    apiGroups:
      - compliance.openshift.io
    resources:
      - scansettingbindings
    Copy to Clipboard Toggle word wrap

    1
    The name of the user-defined cluster role.
    2
    The labels match the predefined list of an existing <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role.
    3
    The user-defined permissions that are to be added into the aggregated cluster role through the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role.
    Tip

    Alternatively, you can use the web console to create a user-defined cluster role from the Administrator perspective. You can go to User ManagementRolesCreate Role, use the preceding YAML template to add permissions, and click Create.

    Example output

    clusterrole.rbac.authorization.k8s.io/user-application-controller created
    Copy to Clipboard Toggle word wrap

    A user-defined cluster role is created.

  2. Verify that the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role inherits permissions from the user-defined cluster role by running the following command: 

    $ oc get ClusterRole/<argocd_name>-<argocd_namespace>-argocd-application-controller-admin -o yaml
    Copy to Clipboard Toggle word wrap

    where:

    <argocd_name>
    Specifies the name of your user-defined cluster-scoped Argo CD instance.
    <argocd_namespace>

    Specifies the namespace where Argo CD is installed.

    Example output

    aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      app.kubernetes.io/managed-by: spring-petclinic
      argocd/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
  creationTimestamp: "2024-08-14T09:59:15Z"
  labels:
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
    argocd/aggregate-to-controller: "true"
  name: example-spring-petclinic-argocd-application-controller-admin
  resourceVersion: "79202"
  uid: e2d35b6f-0832-4993-8b24-915a725454f9
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  - persistentvolumeclaims
  - persistentvolumes
  - configmaps
  verbs:
  - '*'
- apiGroups:
  - compliance.openshift.io
  resources:
  - scansettingbindings
  verbs:
  - '*'
    Copy to Clipboard Toggle word wrap

    Tip

    Alternatively, you can use the OpenShift Container Platform web console to verify from the Administrator perspective. You can go to User ManagementRoles, use the Filter option, select Cluster-wide Roles, and search for the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin cluster role. You must open the cluster role to check the details and configurations.

  3. Verify that the <argocd_name>-<argocd_namespace>-argocd-application-controller aggregated cluster role inherits permissions from the <argocd_name>-<argocd_namespace>-argocd-application-controller-admin and <argocd_name>-<argocd_namespace>-argocd-application-controller-view cluster roles by running the following command: 

    $ oc get ClusterRole/<argocd_name>-<argocd_namespace>-argocd-application-controller -o yaml
    Copy to Clipboard Toggle word wrap

    where:

    <argocd_name>
    Specifies the name of your user-defined cluster-scoped Argo CD instance.
    <argocd_namespace>

    Specifies the namespace where Argo CD is installed.

    Example output of the aggregated cluster role

    aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      app.kubernetes.io/managed-by: spring-petclinic
      argocd/aggregate-to-controller: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: example
    argocds.argoproj.io/namespace: spring-petclinic
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"argoproj.io/v1beta1","kind":"ArgoCD","metadata":{"annotations":{},"name":"example","namespace":"spring-petclinic"},"spec":{"aggregatedClusterRoles":true}}
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-08-14T08:20:58Z"
  labels:
    app.kubernetes.io/managed-by: spring-petclinic
    app.kubernetes.io/name: example
    app.kubernetes.io/part-of: argocd
  name: example-spring-petclinic-argocd-application-controller
  resourceVersion: "79203"
  uid: aeeb2ef5-b531-4fe3-a61a-b5ad8dd8ca6e
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  - persistentvolumeclaims
  - persistentvolumes
  - configmaps
  verbs:
  - '*'
- apiGroups:
  - compliance.openshift.io
  resources:
  - scansettingbindings
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - '*'
  verbs:
  - get
  - list
    Copy to Clipboard Toggle word wrap

    Tip

    Alternatively, you can use the OpenShift Container Platform web console to verify from the Administrator perspective. You can go to User ManagementRoles, use the Filter option, select Cluster-wide Roles, and search for the aggregated cluster role. You must open the cluster role to check the details and configurations.

You can shard clusters across multiple Argo CD Application Controller replicas if the controller is managing too many clusters and uses too much memory.

4.1. Enabling the round-robin sharding algorithm
Copy link

Important

The round-robin sharding algorithm is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

By default, the Argo CD Application Controller uses the non-uniform legacy hash-based sharding algorithm to assign clusters to shards. This can result in uneven cluster distribution. You can enable the round-robin sharding algorithm to achieve more equal cluster distribution across all shards.

Using the round-robin sharding algorithm in Red Hat OpenShift GitOps provides the following benefits:

  • Ensure more balanced workload distribution
  • Prevent shards from being overloaded or underutilized
  • Optimize the efficiency of computing resources
  • Reduce the risk of bottlenecks
  • Improve overall performance and reliability of the Argo CD system

The introduction of alternative sharding algorithms allows for further customization based on specific use cases. You can select the algorithm that best aligns with your deployment needs, which results in greater flexibility and adaptability in diverse operational scenarios.

Tip

To leverage the benefits of alternative sharding algorithms in GitOps, it is crucial to enable sharding during deployment.

You can enable the round-robin sharding algorithm by using the OpenShift Container Platform web console.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have access to the OpenShift Container Platform web console.
  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. In the Administrator perspective of the web console, go to OperatorsInstalled Operators.
  2. Click Red Hat OpenShift GitOps from the installed operators and go to the Argo CD tab.
  3. Click the Argo CD instance where you want to enable the round-robin sharding algorithm, for example, openshift-gitops.

  4. Click the YAML tab and edit the YAML file as shown in the following example:

    Example Argo CD instance with round-robin sharding algorithm enabled

    apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  controller:
    sharding:
      enabled: true
    1 
    
      replicas: 3
    2 
    
    env:
    3 
    
      - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
        value: round-robin
    logLevel: debug
    4
    Copy to Clipboard Toggle word wrap

    1
    Set the sharding.enabled parameter to true to enable sharding.
    2
    Set the number of replicas to the wanted value, for example, 3.
    3
    Set the sharding algorithm to round-robin.
    4
    Set the log level to debug so that you can verify to which shard each cluster is attached.

  5. Click Save.

    A success notification alert, openshift-gitops has been updated to version <version>, appears.

    Note

    If you edit the default openshift-gitops instance, the Managed resource dialog box is displayed. Click Save again to confirm the changes.

  6. Verify that the sharding is enabled with round-robin as the sharding algorithm by performing the following steps:

    1. Go to WorkloadsStatefulSets.
    2. Select the namespace where you installed the Argo CD instance from the Project drop-down list.
    3. Click <instance_name>-application-controller, for example, openshift-gitops-application-controller, and go to the Pods tab.
    4. Observe the number of created application controller pods. It should correspond with the number of set replicas.

    5. Click on the controller pod you want to examine and go to the Logs tab to view the pod logs.

      Example controller pod logs snippet

      time="2023-12-13T09:05:34Z" level=info msg="ArgoCD Application Controller is starting" built="2023-12-01T19:21:49Z" commit=a3vd5c3df52943a6fff6c0rg181fth3248976299 namespace=openshift-gitops version=v2.9.2+c5ea5c4
time="2023-12-13T09:05:34Z" level=info msg="Processing clusters from shard 1"
time="2023-12-13T09:05:34Z" level=info msg="Using filter function:  round-robin"
      1 
      
time="2023-12-13T09:05:34Z" level=info msg="Using filter function:  round-robin"
time="2023-12-13T09:05:34Z" level=info msg="appResyncPeriod=3m0s, appHardResyncPeriod=0s"
      Copy to Clipboard Toggle word wrap

      1
      Look for the "Using filter function: round-robin" message.

    6. In the log Search field, search for processed by shard to verify that the cluster distribution across shards is even, as shown in the following example.

      Important

      Ensure that you set the log level to debug to observe these logs.

      Example controller pod logs snippet

      time="2023-12-13T09:05:34Z" level=debug msg="ClustersList has 3 items"
time="2023-12-13T09:05:34Z" level=debug msg="Adding cluster with id= and name=in-cluster to cluster's map"
time="2023-12-13T09:05:34Z" level=debug msg="Adding cluster with id=068d8b26-6rhi-4w23-jrf6-wjjfyw833n23 and name=in-cluster2 to cluster's map"
time="2023-12-13T09:05:34Z" level=debug msg="Adding cluster with id=836d8b53-96k4-f68r-8wq0-sh72j22kl90w and name=in-cluster3 to cluster's map"
time="2023-12-13T09:05:34Z" level=debug msg="Cluster with id= will be processed by shard 0"
      1 
      
time="2023-12-13T09:05:34Z" level=debug msg="Cluster with id=068d8b26-6rhi-4w23-jrf6-wjjfyw833n23 will be processed by shard 1"
      2 
      
time="2023-12-13T09:05:34Z" level=debug msg="Cluster with id=836d8b53-96k4-f68r-8wq0-sh72j22kl90w will be processed by shard 2"
      3
      Copy to Clipboard Toggle word wrap

      1 2 3
      In this example, 3 clusters are attached consecutively to shard 0, shard 1, and shard 2.
      Note

      If the number of clusters "C" is a multiple of the number of shard replicas "R", then each shard must have the same number of assigned clusters "N", which is equal to "C" divided by "R". The previous example shows 3 clusters and 3 replicas; therefore, each shard has 1 cluster assigned.

You can enable the round-robin sharding algorithm by using the command-line interface.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Enable sharding and set the number of replicas to the wanted value by running the following command: 

    $ oc patch argocd <argocd_instance> -n <namespace> --patch='{"spec":{"controller":{"sharding":{"enabled":true,"replicas":<value>}}}}' --type=merge
    Copy to Clipboard Toggle word wrap

    Example output

    argocd.argoproj.io/<argocd_instance> patched
    Copy to Clipboard Toggle word wrap

  2. Configure the sharding algorithm to round-robin by running the following command: 

    $ oc patch argocd <argocd_instance> -n <namespace> --patch='{"spec":{"controller":{"env":[{"name":"ARGOCD_CONTROLLER_SHARDING_ALGORITHM","value":"round-robin"}]}}}' --type=merge
    Copy to Clipboard Toggle word wrap

    Example output

    argocd.argoproj.io/<argocd_instance> patched
    Copy to Clipboard Toggle word wrap

  3. Verify that the number of Argo CD Application Controller pods corresponds with the number of set replicas by running the following command: 

    $ oc get pods -l app.kubernetes.io/name=<argocd_instance>-application-controller -n <namespace>
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                        READY   STATUS    RESTARTS   AGE
<argocd_instance>-application-controller-0   1/1     Running   0          11s
<argocd_instance>-application-controller-1   1/1     Running   0          32s
<argocd_instance>-application-controller-2   1/1     Running   0          22s
    Copy to Clipboard Toggle word wrap

  4. Verify that the sharding is enabled with round-robin as the sharding algorithm by running the following command: 

    $ oc logs <argocd_application_controller_pod> -n <namespace>
    Copy to Clipboard Toggle word wrap

    Example output snippet

    time="2023-12-13T09:05:34Z" level=info msg="ArgoCD Application Controller is starting" built="2023-12-01T19:21:49Z" commit=a3vd5c3df52943a6fff6c0rg181fth3248976299 namespace=<namespace> version=v2.9.2+c5ea5c4
time="2023-12-13T09:05:34Z" level=info msg="Processing clusters from shard 1"
time="2023-12-13T09:05:34Z" level=info msg="Using filter function:  round-robin"
    1 
    
time="2023-12-13T09:05:34Z" level=info msg="Using filter function:  round-robin"
time="2023-12-13T09:05:34Z" level=info msg="appResyncPeriod=3m0s, appHardResyncPeriod=0s"
    Copy to Clipboard Toggle word wrap

    1
    Look for the "Using filter function: round-robin" message.

  5. Verify that the cluster distribution across shards is even by performing the following steps:

    1. Set the log level to debug by running the following command: 

      $ oc patch argocd <argocd_instance> -n <namespace> --patch='{"spec":{"controller":{"logLevel":"debug"}}}' --type=merge
      Copy to Clipboard Toggle word wrap

      Example output

      argocd.argoproj.io/<argocd_instance> patched
      Copy to Clipboard Toggle word wrap

    2. View the logs and search for processed by shard to observe to which shard each cluster is attached by running the following command: 

      $ oc logs <argocd_application_controller_pod> -n <namespace> | grep "processed by shard"
      Copy to Clipboard Toggle word wrap

      Example output snippet

      time="2023-12-13T09:05:34Z" level=debug msg="Cluster with id= will be processed by shard 0"
      1 
      
time="2023-12-13T09:05:34Z" level=debug msg="Cluster with id=068d8b26-6rhi-4w23-jrf6-wjjfyw833n23 will be processed by shard 1"
      2 
      
time="2023-12-13T09:05:34Z" level=debug msg="Cluster with id=836d8b53-96k4-f68r-8wq0-sh72j22kl90w will be processed by shard 2"
      3
      Copy to Clipboard Toggle word wrap

      1 2 3
      In this example, 3 clusters are attached consecutively to shard 0, shard 1, and shard 2.
      Note

      If the number of clusters "C" is a multiple of the number of shard replicas "R", then each shard must have the same number of assigned clusters "N", which is equal to "C" divided by "R". The previous example shows 3 clusters and 3 replicas; therefore, each shard has 1 cluster assigned.

Important

Dynamic scaling of shards is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

By default, the Argo CD Application Controller assigns clusters to shards indefinitely. If you are using the round-robin sharding algorithm, this static assignment can result in uneven distribution of shards, particularly when replicas are added or removed. You can enable dynamic scaling of shards to automatically adjust the number of shards based on the number of clusters managed by the Argo CD Application Controller at a given time. This ensures that shards are well-balanced and optimizes the use of compute resources.

Note

After you enable dynamic scaling, you cannot manually modify the shard count. The system automatically adjusts the number of shards based on the number of clusters managed by the Argo CD Application Controller at a given time.

You can enable dynamic scaling of shards by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.
  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.

Procedure

  1. In the Administator perspective of the OpenShift Container Platform web console, go to OperatorsInstalled Operators.
  2. From the the list of Installed Operators, select the Red Hat OpenShift GitOps Operator, and then click the ArgoCD tab.
  3. Select the Argo CD instance name for which you want to enable dynamic scaling of shards, for example, openshift-gitops.

  4. Click the YAML tab, and then edit and configure the spec.controller.sharding properties as follows:

    Example Argo CD YAML file with dynamic scaling enabled

    apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  controller:
    sharding:
      dynamicScalingEnabled: true
    1 
    
      minShards: 1
    2 
    
      maxShards: 3
    3 
    
      clustersPerShard: 1
    4
    Copy to Clipboard Toggle word wrap

    1
    Set dynamicScalingEnabled to true to enable dynamic scaling.
    2
    Set minShards to the minimum number of shards that you want to have. The value must be set to 1 or greater.
    3
    Set maxShards to the maximum number of shards that you want to have. The value must be greater than the value of minShards.
    4
    Set clustersPerShard to the number of clusters that you want to have per shard. The value must be set to 1 or greater.

  5. Click Save.

    A success notification alert, openshift-gitops has been updated to version <version>, appears.

    Note

    If you edit the default openshift-gitops instance, the Managed resource dialog box is displayed. Click Save again to confirm the changes.

Verification

Verify that sharding is enabled by checking the number of pods in the namespace:

  1. Go to WorkloadsStatefulSets.
  2. Select the namespace where the Argo CD instance is deployed from the Project drop-down list, for example, openshift-gitops.
  3. Click the name of the StatefulSet object that has the name of the Argo CD instance, for example openshift-gitops-apllication-controller.
  4. Click the Pods tab, and then verify that the number of pods is equal to or greater than the value of minShards that you have set in the Argo CD YAML file.

You can enable dynamic scaling of shards by using the OpenShift CLI (oc).

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Log in to the cluster by using the oc tool as a user with cluster-admin privileges.

  2. Enable dynamic scaling by running the following command: 

    $ oc patch argocd <argocd_instance> -n <namespace> --type=merge --patch='{"spec":{"controller":{"sharding":{"dynamicScalingEnabled":true,"minShards":<value>,"maxShards":<value>,"clustersPerShard":<value>}}}}'
    Copy to Clipboard Toggle word wrap

    Example command

    $ oc patch argocd openshift-gitops -n openshift-gitops --type=merge --patch='{"spec":{"controller":{"sharding":{"dynamicScalingEnabled":true,"minShards":1,"maxShards":3,"clustersPerShard":1}}}}'
    1
    Copy to Clipboard Toggle word wrap

    1
    The example command enables dynamic scaling for the openshift-gitops Argo CD instance in the openshift-gitops namespace, and sets the minimum number of shards to 1, the maximum number of shards to 3, and the number of clusters per shard to 1. The values of minShard and clustersPerShard must be set to 1 or greater. The value of maxShard must be equal to or greater than the value of minShard.

    Example output

    argocd.argoproj.io/openshift-gitops patched
    Copy to Clipboard Toggle word wrap

Verification

  1. Check the spec.controller.sharding properties of the Argo CD instance: 

    $ oc get argocd <argocd_instance> -n <namespace> -o jsonpath='{.spec.controller.sharding}'
    Copy to Clipboard Toggle word wrap

    Example command

    $ oc get argocd openshift-gitops -n openshift-gitops -o jsonpath='{.spec.controller.sharding}'
    Copy to Clipboard Toggle word wrap

    Example output when dynamic scaling of shards is enabled

    {"dynamicScalingEnabled":true,"minShards":1,"maxShards":3,"clustersPerShard":1}
    Copy to Clipboard Toggle word wrap

  2. Optional: Verify that dynamic scaling is enabled by checking the configured spec.controller.sharding properties in the configuration YAML file of the Argo CD instance in the OpenShift Container Platform web console.

  3. Check the number of Argo CD Application Controller pods: 

    $ oc get pods -n <namespace> -l app.kubernetes.io/name=<argocd_instance>-application-controller
    Copy to Clipboard Toggle word wrap

    Example command

    $ oc get pods -n openshift-gitops -l app.kubernetes.io/name=openshift-gitops-application-controller
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                           READY   STATUS    RESTARTS   AGE
openshift-gitops-application-controller-0      1/1     Running   0          2m
    1
    Copy to Clipboard Toggle word wrap

    1
    The number of Argo CD Application Controller pods must be greater than or equal to the value of minShard.

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat