This repository contains resources that deploy an instance of ArgoCD on a flynnt kubernetes cluster. It is build for private Cloud and on-premise environments.
The deployment is GDPR/DSGVO-compliant. This means, no data stored in your ArgoCD instance will leave your server. As long as you use trusted infrastructure providers (for example your own datacenter) your data is safe.
It is meant to be used for reference and as a blueprint for your own deployment.
- ArgoCD manages itself. After the initial deployment its GitOps all the way.
- ArgoCD configuration uses SSO. You can choose your own provider.
- Secret Management within ArgoCD is done with ksops and age. For more information see below.
Note
Even though this sample is built to be deployed on a flynnt managed kubernetes cluster, you can easily customize this to use a different managed k8s provider. In general, almost every technology choice made here is opinionated and exchangable with different products.
Further Resources:
We use several open-source tools and stitch them together for a nice, standalone deployment experience.
- Sops and Ksops with Age for secret management
- nginx-ingress and cert-manager for Ingress and public let's encrypt certificates
- A way to point your preferred DNS record to your nodes for ingress.
- A way to store the initial age secret and share it securely with your team. As an example, a keepass database or a password manager.
- An empty kubernetes cluster and access via kubectl to it. This example uses a Flynnt Cluster. Save the
kubeconfig.yamlin the root of this repo. - If you want to make ArgoCD self-managed, it needs access to this repository. There is an example repository secret in
argocd/base/github-repo-secret.yaml.
First, we need to generate a secret that we will use to deploy sensitive information into our cluster. Also, we will tell ArgoCD about this secret so ArgoCD itself can use it to decrypt secrets in deployments.
./age-keygenThis generates a public and private keypair. Put them to keepass or a similar secure store.
Next, we will fill out some secrets and encrypt them, so we can commit them to the repository and also use them for ArgoCD.
The first secret we need to change is in argocd/base/age-key-secret.sample.yaml. This is the key that ArgoCD will use to decrypt ArgoCD deployments/secrets.
Put the generated private key from above into the file and encrypt it like so:
./sops --age <age-public-key> --encrypt --encrypted-regex '^(data|stringData)$' argocd/base/age-key-secret.sample.yaml > argocd/base/age-key-secret.enc.yamlYour DNS record should already point to your k8s nodes. Put your DNS Name in argocd/base/ingress.yaml and argocd/overlays/argocd-cm.yaml.
For OIDC, there is a sample configuration in the ArgoCD Configmap in argocd/overlays/argocd-cm.yaml. The sample uses Google as the Authentication Provider.
Customize for your own provider. Further documentation can be found in the official ArgoCD documentation, found here
In any case, you will need some kind of OIDC secret that ArgoCD uses. Create and encrypt the secret
./sops --age <age-public-key> --encrypt --encrypted-regex '^(data|stringData)$' argocd/base/oidc-secret.sample.yaml > argocd/base/oidc-secret.enc.yamlIf you don't want or need this, you can exclude the oidc-secret.enc.yaml from Kustomize in argocd/secret-generator.yaml.
Most likely your repositories are not public and thus not accessible without authentication. In argocd/base/github-repo-secret.sample.yaml you find a sample on how to make ArgoCD use authentication when accessing repositories in a Github Organization.
As above, encrypt the secret like this
./sops --age <age-public-key> --encrypt --encrypted-regex '^(data|stringData)$' argocd/base/github-repo-secret.sample.yaml > argocd/base/github-repo-secret.enc.yamlIf you don't want or need this, you can exclude the github-repo-secret.enc.yaml from Kustomize in argocd/secret-generator.yaml.
Note, that the self-management functionality won't work if ArgoCD has no access to this repository.
Check your connection to the k8s cluster and see if all nodes are fine. We expect the kubeconfig.yaml to be in the root of this repo. Download it from the flynnt dashboard if you haven't already.
export KUBECONFIG=kubeconfig.yaml
export SOPS_AGE_KEY=<put-private-secret-key-here>
kubectl create namespace argocd
./kustomize build --enable-alpha-plugins --enable-exec ./argocd | kubectl apply -f -We will now switch to a self-managed ArgoCD setup. This means, that you can change the configuration of ArgoCD and the other components by just commiting your changes to this repository and ArgoCD will automatically pick up the changes. GitOps style.
Also, we will deploy Ingress and Cert-Manager resources through ArgoCD. Check applications.yaml to see what you are deploying through ArgoCD.
export KUBECONFIG=kubeconfig.yaml
kubectl apply -f applications.yamlWe use Mozilla sops and KSOPS with age.
./age-keygenPut public and private key to keepass or a similar secure store.
./sops --age <age-public-key> --encrypt --encrypted-regex '^(data|stringData)$' argocd/base/age-key-secret.yaml > argocd/base/age-key-secret.enc.yamlexport SOPS_AGE_KEY=<put-secret-key-here>
./sops --decrypt argocd/base/argocd-cm.enc.yaml > argocd/base/argocd-cm.yamlexport SOPS_AGE_KEY=<put-secret-key-here>
./sops -i argocd/argocd-cm.enc.yaml