Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Argo CD applications

Red Hat OpenShift GitOps 1.20

Creating and deploying applications on the OpenShift cluster by using the Argo CD dashboard, oc tool, or GitOps CLI

Red Hat OpenShift Documentation Team

Abstract

This document provides instructions for creating and deploying your applications to the OpenShift cluster by using the Argo CD dashboard, oc tool, or GitOps CLI. It also discusses how to verify the self-healing behavior in Argo CD and how to enable and manage the application resources in non-control plane namespaces.

With Argo CD, you can deploy your applications to the OpenShift Container Platform cluster either by using the Argo CD dashboard or by using the oc tool.

Argo CD provides a dashboard which allows you to create applications.

Prerequisites

  • You have logged in to the OpenShift Container Platform cluster as an administrator.
  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have logged in to Argo CD instance.

Procedure

  1. In the Argo CD dashboard, click NEW APP to add a new Argo CD application.

  2. For this workflow, create a spring-petclinic application with the following configurations:

    Application Name
    spring-petclinic
    Project
    default
    Sync Policy
    Automatic
    Repository URL
    https://github.com/redhat-developer/openshift-gitops-getting-started
    Revision
    HEAD
    Path
    app
    Destination
    https://kubernetes.default.svc
    Namespace
    spring-petclinic
  3. Click CREATE to create your application.
  4. Open the Administrator perspective of the web console and expand AdministrationNamespaces.
  5. Search for and select the namespace, then enter argocd.argoproj.io/managed-by=openshift-gitops in the Label field so that the Argo CD instance in the openshift-gitops namespace can manage your namespace.

1.2. Creating an application by using the oc tool
Copy link

You can create Argo CD applications in your terminal by using the oc tool.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have logged in to an Argo CD instance.

Procedure

  1. Download the sample application: 

    $ git clone git@github.com:redhat-developer/openshift-gitops-getting-started.git

  2. Create the application: 

    $ oc create -f openshift-gitops-getting-started/argo/app.yaml

  3. Run the oc get command to review the created application: 

    $ oc get application -n openshift-gitops

  4. Add a label to the namespace your application is deployed in so that the Argo CD instance in the openshift-gitops namespace can manage it: 

    $ oc label namespace spring-petclinic argocd.argoproj.io/managed-by=openshift-gitops

1.3. Verifying Argo CD self-healing behavior
Copy link

Argo CD constantly monitors the state of deployed applications, detects differences between the specified manifests in Git and live changes in the cluster, and then automatically corrects them. This behavior is referred to as self-healing.

You can test and observe the self-healing behavior in Argo CD.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have logged in to an Argo CD instance.
  • The sample app-spring-petclinic application is deployed and configured.

Procedure

  1. In the Argo CD dashboard, verify that your application has the Synced status.
  2. Click the app-spring-petclinic tile in the Argo CD dashboard to view the application resources that are deployed to the cluster.
  3. In the OpenShift Container Platform web console, navigate to the Developer perspective.

  4. Modify the Spring PetClinic deployment and commit the changes to the app/ directory of the Git repository. Argo CD will automatically deploy the changes to the cluster.

    1. Fork the OpenShift GitOps getting started repository.
    2. In the deployment.yaml file, change the failureThreshold value to 5.

    3. In the deployment cluster, run the following command to verify the changed value of the failureThreshold field: 

      $ oc edit deployment spring-petclinic -n spring-petclinic

  5. Test the self-healing behavior by modifying the deployment on the cluster and scaling it up to two pods while watching the application in the OpenShift Container Platform web console.

    1. Run the following command to modify the deployment: 

      $ oc scale deployment spring-petclinic --replicas 2  -n spring-petclinic
    2. In the OpenShift Container Platform web console, notice that the deployment scales up to two pods and immediately scales down again to one pod. Argo CD detected a difference from the Git repository and auto-healed the application on the OpenShift Container Platform cluster.
  6. In the Argo CD dashboard, click the app-spring-petclinic tile → APP DETAILSEVENTS. The EVENTS tab displays the following events: Argo CD detecting out of sync deployment resources on the cluster and then resyncing the Git repository to correct it.

With Argo CD, you can create your applications on an OpenShift Container Platform cluster by using the GitOps argocd CLI.

You can create applications in the default mode by using the GitOps argocd CLI.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have installed the OpenShift CLI (oc).
  • You have installed the Red Hat OpenShift GitOps argocd CLI.
  • You have logged in to Argo CD instance.

Procedure

  1. Get the admin account password for the Argo CD server: 

    $ ADMIN_PASSWD=$(oc get secret openshift-gitops-cluster -n openshift-gitops -o jsonpath='{.data.admin\.password}' | base64 -d)

  2. Get the Argo CD server URL: 

    $ SERVER_URL=$(oc get routes openshift-gitops-server -n openshift-gitops -o jsonpath='{.status.ingress[0].host}')

  3. Log in to the Argo CD server by using the admin account password and enclosing it in single quotes:

    Important

    Enclosing the password in single quotes ensures that special characters, such as $, are not misinterpreted by the shell. Always use single quotes to enclose the literal value of the password. 

    $ argocd login --username admin --password ${ADMIN_PASSWD} ${SERVER_URL}

    Example: 

    $ argocd login --username admin --password '<password>' openshift-gitops.openshift-gitops.apps-crc.testing

  4. Verify that you are able to run argocd commands in the default mode by listing all applications: 

    $ argocd app list

    If the configuration is correct, then existing applications will be listed with the following header:

    Sample output: 

    NAME CLUSTER NAMESPACE  PROJECT  STATUS  HEALTH   SYNCPOLICY  CONDITIONS  REPO PATH TARGET

  5. Create an application in the default mode: 

    $ argocd app create app-spring-petclinic \
    --repo https://github.com/redhat-developer/openshift-gitops-getting-started.git \
    --path app \
    --revision main \
    --dest-server  https://kubernetes.default.svc \
    --dest-namespace spring-petclinic \
    --directory-recurse \
    --sync-policy automated \
    --self-heal \
    --sync-option Prune=true \
    --sync-option CreateNamespace=true

  6. Label the spring-petclinic destination namespace to be managed by the openshif-gitops Argo CD instance: 

    $ oc label ns spring-petclinic "argocd.argoproj.io/managed-by=openshift-gitops"

  7. List the available applications to confirm that the application is created successfully and repeat the command until the application has the Healthy and Synced statuses: 

    $ argocd app list

You can create applications in core mode by using the GitOps argocd CLI.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
  • You have installed the OpenShift CLI (oc).
  • You have installed the Red Hat OpenShift GitOps argocd CLI.

Procedure

  1. Log in to the OpenShift Container Platform cluster by using the oc CLI tool: 

    $ oc login -u <username> -p <password> <server_url>

    Example: 

    $ oc login -u kubeadmin -p '<password>' https://api.crc.testing:6443

  2. Check whether the context is set correctly in the kubeconfig file: 

    $ oc config current-context

  3. Set the default namespace of the current context to openshift-gitops: 

    $ oc config set-context --current --namespace openshift-gitops

  4. Set the following environment variable to override the Argo CD component names: 

    $ export ARGOCD_REPO_SERVER_NAME=openshift-gitops-repo-server

  5. Verify that you are able to run argocd commands in core mode by listing all applications: 

    $ argocd app list --core

    If the configuration is correct, then existing applications will be listed with the following header:

    Sample output: 

    NAME CLUSTER NAMESPACE  PROJECT  STATUS  HEALTH   SYNCPOLICY  CONDITIONS  REPO PATH TARGET

  6. Create an application in core mode: 

    $ argocd app create app-spring-petclinic --core \
    --repo https://github.com/redhat-developer/openshift-gitops-getting-started.git \
    --path app \
    --revision main \
    --dest-server  https://kubernetes.default.svc \
    --dest-namespace spring-petclinic \
    --directory-recurse \
    --sync-policy automated \
    --self-heal \
    --sync-option Prune=true \
    --sync-option CreateNamespace=true

  7. Label the spring-petclinic destination namespace to be managed by the openshif-gitops Argo CD instance: 

    $ oc label ns spring-petclinic "argocd.argoproj.io/managed-by=openshift-gitops"

  8. List the available applications to confirm that the application is created successfully and repeat the command until the application has the Healthy and Synced statuses: 

    $ argocd app list --core

As a cluster administrator, you can create and manage the Application resources in non-control plane namespaces declaratively other than the openshift-gitops control plane namespace. This functionality is called the Applications in any namespace feature in the Argo CD open source project.

Note

As a developer, if you are creating Argo CD applications in non-control plane namespaces other than the openshift-gitops control plane namespace, ensure that your cluster administrator grants the necessary permissions to them.

Otherwise, after the Argo CD reconciliation, you will see an error message similar to the following example:

Example error message: 

error while validating and normalizing app: error getting application's project: application 'app' in namespace 'dev' is not allowed to use project 'default'

To use this functionality, you must explicitly enable and configure the target namespaces in the following objects:

  • The ArgoCD custom resource (CR) of your user-defined cluster-scoped Argo CD instance
  • The AppProject custom resource (CR)
  • The Application CR

The process of creating and managing the Application resources in non-control plane namespaces consists of the following procedures:

  1. Configuring the ArgoCD CR of your user-defined cluster-scoped Argo CD instance with the target namespaces.
  2. Creating and configuring a user-defined AppProject instance in the openshift-gitops control plane namespace and specify the target namespaces in the .spec.sourceNamespaces field of the user-defined AppProject instance.
  3. Configuring the metadata.namespace and .spec.project fields of the Application CR to reference the target namespaces and user-defined AppProject instance.

This functionality is useful in multitenancy environments when you want to manage deployments of Argo CD applications for your isolated teams.

Important

To prevent privilege escalations for your application teams, you must meet the following requirements:

  • Do not configure non-control plane namespaces in the .spec.sourceNamespaces field of any privileged AppProject instance, for example, the default instance of your AppProject CR installed in either the openshift-gitops control plane namespace or your defined namespace.
  • Do not grant access to the openshift-gitops control plane namespace within the AppProject CRD.
  • Always create and configure user-defined AppProject instances in the openshift-gitops control plane namespace, and then configure non-control plane namespaces in the .spec.sourceNamespaces field within the corresponding user-defined AppProject instance.

3.1. Prerequisites
Copy link

  • You have installed Red Hat OpenShift GitOps 1.13.0 or a later version on your OpenShift Container Platform cluster.
  • You have a user-defined cluster-scoped Argo CD instance in your defined namespace, for example, spring-petclinic namespace.

As a cluster administrator, you can define a certain set of non-control plane namespaces in which users can create, update, and reconcile Application resources. You must first explicitly configure the target namespaces in the ArgoCD custom resource (CR) of your user-defined cluster-scoped Argo CD instance per your requirements.

Prerequisites

  • You are logged in to the OpenShift Container Platform cluster as an administrator.
  • You have installed Red Hat OpenShift GitOps 1.13.0 or a later version on your OpenShift Container Platform cluster.
  • You have a user-defined cluster-scoped Argo CD instance in your defined namespace, for example, spring-petclinic namespace.

Procedure

  1. In the Administrator perspective of the web console, click OperatorsInstalled Operators.
  2. From the Project list, select the project where the user-defined cluster-scoped Argo CD instance is installed.
  3. Select Red Hat OpenShift GitOps from the installed Operators list and go to the Argo CD tab.
  4. Click your user-defined cluster-scoped Argo CD instance.

  5. Configure the ArgoCD CR of your user-defined cluster-scoped Argo CD instance with the target namespaces:

    1. Click the YAML tab and edit the YAML file of the ArgoCD CR.

    2. In the ArgoCD CR, set the value of the sourceNamespaces parameter to include the non-control plane namespaces:

      Example ArgoCD CR: 

      apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
  namespace: spring-petclinic
spec:
  sourceNamespaces:
    - dev
    - app-team-*

      where:

      metadata.name
      Specifies the name of the user-defined cluster-scoped Argo CD instance.
      metadata.namespace
      Specifies the namespace where the user-defined cluster-scoped Argo CD instance is created.
      spec.sourceNamespaces
      Specifies the namespaces where users can create and manage Application resources handled by the Argo CD instance. You can use wildcard patterns (*), to allow the Argo CD instance to manage Application resources in matching namespaces like app-team-1 or app-team-2.

    3. Click Save and Reload.

      Note

      When a target namespace is specified under the sourceNamespaces field, the Operator adds the argocd.argoproj.io/managed-by-cluster-argocd label to the specified namespace.

      Example dev target namespace: 

      apiVersion: v1
kind: Namespace
metadata:
  name: dev
  labels:
    argocd.argoproj.io/managed-by-cluster-argocd: spring-petclinic
    kubernetes.io/metadata.name: dev

      where:

      metadata.name
      Specifies the namespace of the user-defined cluster-scoped Argo CD instance.
      spec.sourceRepos or spec.destinations (Application)
      the target namespace for the Argo CD server to create and manage Application resources.

  6. Verify that Operator adds the argocd.argoproj.io/managed-by-cluster-argocd label to the specified namespace:

    1. Go to AdministrationNamespaces and click Create Namespace.

    2. In the Create Namespace dialog box, provide the Name and click Create.

      For example, to create dev target namespace, enter dev in the Name field. You can repeat the previous steps to create the app-team-1 and app-team-2 target namespaces.

      The Namespaces page displays the created target namespaces.

    3. Click the target namespace and go to the YAML tab to verify the argocd.argoproj.io/managed-by-cluster-argocd label added by the Operator.

Verification

  1. Verify that your user-defined cluster-scoped Argo CD instance is configured with a cluster role to manage cluster-scoped resources:

    1. Go to User ManagementRoles and from the Filter list, select Cluster-wide Roles.

    2. Search for the created cluster roles by using the Search by name field. For example, example-spring-petclinic-argocd-application-controller and example-spring-petclinic-argocd-server.

      The Roles page displays the created cluster roles.

    3. Verify that the following role-based access control (RBAC) resources are created by the GitOps Operator:

      Expand
      NameKindPurpose

      <argocd_name>-<argocd_namespace>-argocd-application-controller

      ClusterRole and ClusterRoleBinding

      For the Argo CD Application Controller to watch and list Application resources at cluster-level

      <argocd_name>-<argocd_namespace>-argocd-server

      ClusterRole and ClusterRoleBinding

      For the Argo CD Server to watch and list Application resources at cluster-level

      <argocd_name>-<target_namespace>

      Role and RoleBinding

      For the Argo CD server to manage Application resources in target namespace through the UI, API, or CLI

As a cluster administrator, you can define a certain set of non-control plane namespaces in which users can create, update, and reconcile Application resources. After you configure your user-defined cluster-scoped Argo CD instance with target namespaces, you must create and configure a user-defined AppProject instance in the openshift-gitops control plane namespace. In addition, you must explicitly configure the target namespaces in the .spec.sourceNamespaces field of the user-defined AppProject instance.

Note

Applications in the GitOps control plane namespace (openshift-gitops) are allowed to set their .spec.project field to reference any AppProject instance, regardless of the restrictions placed by the .spec.sourceNamespaces field in the AppProject custom resource (CR).

Prerequisites

  • You are logged in to the OpenShift Container Platform cluster as an administrator.
  • You have installed Red Hat OpenShift GitOps 1.13.0 or a later version on your OpenShift Container Platform cluster.

Procedure

  1. Create and configure a user-defined AppProject instance in the openshift-gitops control plane namespace to specify the target namespaces in the .spec.sourceNamespaces field:

    1. From the Project list, select the openshift-gitops project.
    2. In the Administrator perspective of the web console, click OperatorsInstalled OperatorsRed Hat OpenShift GitOps and go to the AppProject tab.

    3. Click Create AppProject and enter the following configuration in the YAML view:

      Example user-defined AppProject instance: 

kind: AppProject
apiVersion: argoproj.io/v1alpha1
metadata:
  name: project-one
  namespace: openshift-gitops
spec:
  sourceNamespaces:
  - dev
  - app-team-*
  destinations:
    - name: '*'
      namespace: '*'
      server: '*'
   sourceRepos:
    - '*'

+

where:

kind (AppProject)
Specifies the name of the user-defined AppProject instance.
kind (AppProject)
Specifies the control plane namespace where you want to run the user-defined AppProject instance.
spec (Application)
Specifies the list of non-control plane namespaces for creating and managing Application resources.
spec (Application)
Specifies the name of the target namespace for the Argo CD server to create and manage Application resources.
spec.sourceRepos or spec.destinations (wildcard [*])
Specifies a wildcard ([*]), that contains the name of the target namespaces matching the pattern app-team-*, such as app-team-1 and app-team-2, for the Argo CD server to create and manage Application resources.
kind (AppProject)
Specifies the references to the clusters and namespaces into which applications within the user-defined AppProject instance can deploy.
kind (AppProject)
Specifies the references to the repositories from which applications within the user-defined AppProject instance can pull manifests.

  1. Click Create.

    The AppProjects page displays the created user-defined AppProject instance.

As a cluster administrator, you can define a certain set of non-control plane namespaces in which users can create, update, and reconcile Application resources. After you configure the target namespaces in the .spec.sourceNamespaces field of the user-defined AppProject instance, you must explicitly create and configure the Application custom resource (CR) with the parameters for the metadata.namespace and .spec.project fields to reference the target namespace and user-defined AppProject instance.

Prerequisites

  • You are logged in to the OpenShift Container Platform cluster as an administrator.
  • You have installed Red Hat OpenShift GitOps 1.13.0 or a later version on your OpenShift Container Platform cluster.

Procedure

  1. Create and configure the Application CR with the parameters for the metadata.namespace and .spec.project fields to reference the target namespace and user-defined AppProject instance:

    1. From the Project list, select the target namespace.
    2. In the Administrator perspective of the web console, click OperatorsInstalled OperatorsRed Hat OpenShift GitOps and go to the Application tab.

    3. Click Create Application and enter the following configuration in the YAML view:

      Example user-defined AppProject instance: 

      kind: Application
apiVersion: argoproj.io/v1alpha1
metadata:
  name: cluster-configs
  namespace: dev
spec:
  project: project-one
  # ...

      +

      where:

      metadata.name
      Specifies the name of the application.
      spec.project (Application)
      the name of the target namespace for the Argo CD server to create and manage Application resources.
      spec.project (AppProject)
      the name of the user-defined AppProject instance.
  1. Click Create.

+ The Applications page displays the created application.

+ The cluster-configs Argo CD application now has the statuses Healthy and Synced.

Legal Notice
Copy link

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top