此内容没有您所选择的语言版本。

Chapter 1. Setting up an Argo CD instance


By default, Red Hat OpenShift GitOps installs an instance of Argo CD in the openshift-gitops namespace with additional permissions for managing certain cluster-scoped resources. This default Argo CD instance is also called as the default cluster-scoped instance.

To prevent the default Argo CD instance from starting in the openshift-gitops namespace, you can use the openshift-gitops-operator subscription and configure the DISABLE_DEFAULT_ARGOCD_INSTANCE environment variable in it by setting the string value to "true".

Note

For GitOps version 1.13 and later:

  • Route TLS termination is set as default to the reencrypt mode for both the default and user-defined Argo CD instances. TLS connections to the Argo CD instances now receive the default ingress certificate that is set in OpenShift Container Platform, instead of the self-signed Argo CD certificate. You can modify the route TLS termination policy by configuring the .spec.server.route.tls field of the Argo CD CR.
  • Restricted pod security admission (PSA) labels are applied to the openshift-gitops namespace to ensure compliance with OpenShift Container Platform standards. If you are running additional workloads in this namespace, such as monitoring or logging, ensure that they comply with the restricted PSA requirements. If compliance is not feasible, consider using a user-defined, cluster-scoped Argo CD instance, where PSA labels are not applied or controlled by the GitOps Operator.

To manage cluster configurations or deploy applications, you can install and deploy a new user-defined Argo CD instance. By default, any new user-defined instance has permissions to manage resources only in the namespace where it is deployed.

Warning
  • A Kubernetes user with access to the Argo CD namespace is an Argo CD administrator and can bypass any role-based access control (RBAC) restrictions configured in Argo CD. Never grant non-administrator users any read or write access to the Argo CD namespace.
  • If non-administrator users create applications, do not allow them to be bound to the default AppProject custom resource (CR) because it has no restrictions. Otherwise, the Kubernetes permissions of the Argo CD instances and the default AppProject CR allow deployment of everything everywhere. To prevent this situation, lock down the default AppProject CR so that no one can use it accidentally, even if someone misconfigures the Argo CD RBAC.

You can create a user-defined Argo CD instance in any namespace, other than the openshift-gitops namespace.

Important

If you want to create a user-defined Argo CD instance within the openshift-gitops namespace, set the DISABLE_DEFAULT_ARGOCD_INSTANCE flag value in the openshift-gitops-operator subscription to "true" and do not name the instance as openshift-gitops.

1.1. Installing a user-defined Argo CD instance

To manage cluster configurations or deploy applications, you can install and deploy a new user-defined Argo CD instance.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. In the Administrator perspective of the web console, click Operators Installed Operators.
  3. Create or select the project where you want to install the user-defined Argo CD instance from the Project list.
  4. Select Red Hat OpenShift GitOps from the installed Operators list and click the Argo CD tab.
  5. Click Create ArgoCD to configure the parameters:

    1. Enter the Name of the instance. By default, the Name is set to example.
    2. Create an external OS Route to access Argo CD server. Click Server Route and check Enabled.

      Tip

      You can alternatively configure YAML to create an external OS Route as shown in the following example:

      Example Argo CD with external OS route created

      apiVersion: argoproj.io/v1beta1
      kind: ArgoCD
      metadata:
        name: example
        namespace: openshift-gitops
      spec:
        server:
          route:
            enabled: true

    3. Optional: Modify the route TLS termination policy by configuring the .spec.server.route.tls field of the Argo CD CR.

      Note

      When configuring custom TLS certificates for Argo CD Server route, avoid using the .spec.server.route.tls.key and .spec.server.route.tls.certificate fields. Use the .spec.server.route.tls.externalCertificate field instead. For more information about configuring a route for custom TLS certificate, see examples in Custom TLS certificates for Routes.

  6. Click Create.
  7. Go to Networking Routes <instance_name>-server in the project where the user-defined Argo CD instance is installed.
  8. On the Details tab, click the Argo CD web UI link under Route details Location. The Argo CD web UI opens in a separate browser window.
  9. Optional: To log in with your OpenShift Container Platform credentials, ensure you are a user of the cluster-admins group and then select the LOG IN VIA OPENSHIFT option in the Argo CD user interface.

    Note

    To be a user of the cluster-admins group, use the oc adm groups new cluster-admins <user> command, where <user> is the default cluster role that you can bind to users and groups cluster-wide or locally.

  10. Obtain the password for the user-defined Argo CD instance:

    1. Use the navigation panel to go to the Workloads Secrets page.
    2. Use the Project list and select the namespace where the user-defined Argo CD instance is created.
    3. Select the <argo_CD_instance_name>-cluster instance to display the password.
    4. On the Details tab, copy the password under Data admin.password.
  11. Use admin as the Username and the copied password as the Password to log in to the Argo CD UI in the new window.

1.2. Configuring common cluster roles by specifying user-defined cluster roles for namespace-scoped instances

As a cluster administrator, when you give an Argo CD access to a namespace by using the argocd.argoproj.io/managed-by label, the Argo CD assumes namespace-admin privileges. The Red Hat OpenShift GitOps Operator then automatically creates role bindings for all managed namespaces of the following GitOps control plane components:

  • Argo CD Application Controller
  • Argo CD server
  • Argo CD ApplicationSet Controller

When you provide namespaces to non-administrator users, for example, development teams, they can use the namespace-admin privileges to modify objects such as network policies. Installing an Argo CD instance in these namespaces gives the development teams admin privileges and indirectly elevates their assigned privileges. These roles are highly privileged and can delete all resources. As a preventive action, you can define a specific set of reduced permissions to meet your security requirements by configuring common cluster roles for all managed namespaces in the role bindings that the Operator creates for the Argo CD Application Controller and Argo CD server components.

To configure common cluster roles for all managed namespaces, you can specify user-defined cluster roles for the CONTROLLER_CLUSTER_ROLE and SERVER_CLUSTER_ROLE environment variables in the Operator’s Subscription object YAML file. As a result, instead of creating the default admin role, the Operator uses the existing user-defined cluster roles and creates role bindings for all managed namespaces.

Prerequisites

  • You have logged in to the OpenShift Container Platform cluster as an administrator.
  • You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.

Procedure

  1. In the Administrator perspective, navigate to Administration CustomResourceDefinitions.
  2. Find the Subscription CRD and click to open it.
  3. Select the Instances tab and click the openshift-gitops-operator subscription.
  4. Select the YAML tab and make your customization:

    • Specify the user-defined cluster roles for the CONTROLLER_CLUSTER_ROLE and SERVER_CLUSTER_ROLE environment variables:

      Example Subscription

      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: openshift-gitops-operator
        namespace: openshift-gitops-operator
      spec:
        config:
          env:
          - name: CONTROLLER_CLUSTER_ROLE
            value: gitops-controller-role 1
          - name: SERVER_CLUSTER_ROLE
            value: gitops-server-role 2

      1
      The name of the environment variable for the Argo CD Application Controller component.
      2
      The name of the environment variable for the Argo CD server component.
Tip

Alternatively, you can inject the preceding environment variables directly into the Operator’s Deployment object YAML file.

1.3. Enabling replicas for Argo CD server and repo server

Argo CD-server and Argo CD-repo-server workloads are stateless. To better distribute your workloads among pods, you can increase the number of Argo CD-server and Argo CD-repo-server replicas. However, if a horizontal autoscaler is enabled on the Argo CD-server, it overrides the number of replicas you set.

Procedure

  • Set the replicas parameters for the repo and server spec to the number of replicas you want to run:

    Example Argo CD custom resource

    apiVersion: argoproj.io/v1beta1
    kind: ArgoCD
    metadata:
      name: example-argocd
      labels:
        example: repo
    spec:
      repo:
        replicas: <number_of_replicas>
      server:
        replicas: <number_of_replicas>
        route:
          enabled: true
          path: /
          tls:
            insecureEdgeTerminationPolicy: Redirect
            termination: passthrough
          wildcardPolicy: None

1.4. Deploying resources to a different namespace

To allow Argo CD to manage resources in other namespaces apart from where it is installed, configure the target namespace with a argocd.argoproj.io/managed-by label.

Procedure

  • Configure the namespace:

    $ oc label namespace <namespace> \
    argocd.argoproj.io/managed-by=<namespace> 1
    1
    The namespace where Argo CD is installed.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.