Published in Dzero Labs
Installing Ambassador, ArgoCD, and Tekton on Kubernetes

Subway tunnel. Photo credit: Dzero Labs


In this post I will:
  1. Explain the reasoning behind the tool selection
  2. Provide a high-level overview of the reference architecture used for my setup
  3. Provide detailed instructions and supporting code for installing Ambassador with TLS (using Cert-Manager), ArgoCD, and Tekton on Kubernetes
This post assumes that:
  • You already have a Kubernetes cluster set up
  • kubectl is installed on your system

Tools Selection



Why ArgoCD? It:
  • Facilitates canary deployments, blue/green deployments, and rollbacks
  • Lets you deploy to multiple Kubernetes clusters
  • Lets you see all of your deployments in one place
  • Lets you know about application health (i.e. did your app deploy successfully to the cluster?)
  • Gives you a cool network diagram of your application deployments (see below)
ArgoCD sample app deployment (screenshot)


Why Tekton?
  • Tekton is Kubernetes-native. You simply define your Tekton pipelines as Kubernetes resources.
  • If you’re already working in Kubernetes, rather than use yet ANOTHER tool, just stay in the Kubernetes family. As they say, when in Rome…
  • (I cringe a little to say this, but here goes) If you ever decide to move your Kubernetes home to another cloud provider, or, universe forbid, go the multi-cloud route, Tekton is pretty easy to port over, and you won’t need to fuss around with too many cloud-provider settings.
  • With Tekton Triggers, Git pushes and pull requests can kick off your pipeline via a webhook, which fits neatly into a GitOps workflow. AWESOME!
  • Tekton pipelines are reproducible: they are just YAML, so if you accidentally nuke your pipeline, you can recreate it easily.
  • Tekton gives you Kubernetes-on-Kubernetes love by orchestrating tasks inside your Kubernetes cluster. Each TaskRun executes as a Kubernetes Pod, so once the task is done, the pod is no longer running. Again…ephemeral!

Reference Architecture

Reference architecture diagram
  • Trigger the Tekton dev build & deploy pipeline via Webhook to Tekton. The Webhook is triggered by a merge to the integration branch (e.g. develop branch).
  • Build & publish a container image to our Docker registry via Kaniko Tekton task.
  • Deploy a containerized application to our Kubernetes dev cluster via argocd app sync Tekton task.
  • Trigger a QA and/or UAT deploy manually
  • Trigger the prod deploy via Webhook to ArgoCD. The Webhook is triggered by a merge to the master branch on the golden repo.
  • Deploy a containerized application to our Kubernetes non-dev cluster via argocd app sync.
  • And why not? After all, Tekton pipelines are nothing more than Kubernetes manifests, at the end of the day


Ambassador Setup

I use Ambassador as the ingress for two things:
  • To expose the ArgoCD dashboard and API server
  • To expose Tekton Triggers EventListener services, so that I can trigger a Tekton pipeline via a webhook
# Install the Ambassador Edge Stack CRDs, wait for them, then install the Edge Stack itself.
# The two manifest URLs did not survive on this page; take them from the Ambassador docs.
kubectl apply -f <aes-crds-manifest-url> && \
kubectl wait --for condition=established --timeout=90s crd -lproduct=aes && \
kubectl apply -f <aes-manifest-url> && \
kubectl -n ambassador wait --for condition=available --timeout=90s deploy -lproduct=aes

# Public IP (or hostname) of the Ambassador load balancer
AMBASSADOR_IP=$(kubectl get -n ambassador service ambassador -o "go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}")
Ambassador homepage on your cluster
# Install cert-manager: CRDs first, then the Helm chart.
# The CRD manifest URL and the jetstack Helm repository URL did not survive on this page.
kubectl apply -f <cert-manager-crds-manifest-url>
helm repo add jetstack <jetstack-helm-repo-url> && helm repo update
kubectl create ns cert-manager
helm install cert-manager --namespace cert-manager jetstack/cert-manager
# On AKS, give the Ambassador public IP a DNS name.
# (az aks install-cli installs kubectl through the Azure CLI if you do not already have it.)
az aks install-cli

# Public IP address of your ingress controller
IP=$(kubectl get -n ambassador service ambassador -o "go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}")
echo $IP

# DNS label to associate with the public IP address (this assignment is missing on the page; set your own)
DNSNAME=<my_dns_name_replace_me>

# Get the resource-id of the public IP -> some delay here!!
PUBLICIPID=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$IP')].[id]" --output tsv)

# Update the public IP address with the DNS name
az network public-ip update --ids $PUBLICIPID --dns-name $DNSNAME

# Display the FQDN
FQDN=$(az network public-ip show --ids $PUBLICIPID --query "[dnsSettings.fqdn]" --output tsv)
echo $FQDN
  1. <> (the email placeholder) should be replaced with your email address
  2. <my_fqdn_replace_me> should be replaced with the FQDN value from Step 3
kubectl apply -f ambassador-tls-cert-issuer.yml
kubectl get pods -n cert-manager
Output of kubectl get pods -n cert-manager
kubectl logs cert-manager-<XYZ123> -n cert-manager
kubectl describe certificates ambassador-certs -n ambassador
Result of kubectl describe certificates ambassador-certs -n ambassador
kubectl get secrets -n ambassador
ambassador-certs created
kubectl apply -f ambassador-tls-ambassador-service.yml
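Neither ambassador-tls-cert-issuer.yml nor ambassador-tls-ambassador-service.yml is reproduced on this page. The manifest below is an added example of what those two steps need to contain; it was written for this edit and is not the post's own file. It wires together a Let's Encrypt ClusterIssuer with an HTTP-01 solver, the Certificate that populates the ambassador-certs secret the checks above look for, a Service plus Mapping that route the ACME challenge path to cert-manager's solver pods, and an Ambassador Host that terminates TLS with that secret. It assumes cert-manager 1.x (cert-manager.io/v1) and Ambassador Edge Stack 1.x (getambassador.io/v2); the resource names (letsencrypt-prod, acme-challenge-service, ambassador-host) are my choices.

```yaml
# Added example (not the post's files): cert-manager + Ambassador TLS wiring.
# Assumes cert-manager.io/v1 (cert-manager 1.x) and getambassador.io/v2 (AES 1.x).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: <my_email_replace_me>
    # While debugging, point this at https://acme-staging-v02.api.letsencrypt.org/directory
    # instead; the production endpoint has tight issuance rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key; cert-manager creates it
    solvers:
    - http01:
        ingress:
          class: nginx   # any class nothing else claims: the Mapping below routes the challenge
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ambassador-certs
  namespace: ambassador
spec:
  secretName: ambassador-certs   # the secret "kubectl get secrets -n ambassador" should list
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - <my_fqdn_replace_me>
---
# cert-manager's HTTP-01 solver pods listen on 8089 and carry this label. Expose them through
# Ambassador so Let's Encrypt can fetch http://<fqdn>/.well-known/acme-challenge/<token>.
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-service
  namespace: ambassador
spec:
  ports:
  - port: 80
    targetPort: 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping
  namespace: ambassador
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""                  # keep the full path; the solver matches on the token
  service: acme-challenge-service
---
apiVersion: getambassador.io/v2
kind: Host
metadata:
  name: ambassador-host
  namespace: ambassador
spec:
  hostname: <my_fqdn_replace_me>
  acmeProvider:
    authority: none            # cert-manager owns the cert, not AES's built-in ACME client
  tlsSecret:
    name: ambassador-certs
  requestPolicy:
    insecure:
      action: Redirect         # Let's Encrypt follows the HTTP->HTTPS redirect during the challenge
```

Until the Certificate's Ready condition is True (kubectl describe certificates ambassador-certs -n ambassador, as above), Ambassador serves its fallback self-signed certificate; if the challenge never completes, the solver pod's logs and the ClusterIssuer's Ready condition are the two places to look.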

ArgoCD v1.7.6 Installation

kubectl create namespace argocd
kubectl apply -n argocd -f <argocd-v1.7.6-install-manifest-url>   # URL missing from this page
argocd-ambassador.yml (applied next) does three things:
  • Create an Ambassador Host definition
  • Modify the ArgoCD server deployment (specifically lines 45–47)
  • Define an Ambassador Mapping so that you can hit the service externally
kubectl apply -f argocd-ambassador.yml
  • https://$FQDN/argo-cd (Admin dashboard)
  • https://$FQDN/argo-cd/swagger-ui (API reference)
  • https://$FQDN/argo-cd/api/webhook (Webhook URL)
ArgoCD Admin Dashboard
brew install argocd
# The initial admin password in ArgoCD 1.x is the name of the argocd-server pod. The label
# selector after -l was lost on this page (ArgoCD's docs select on app.kubernetes.io/name=argocd-server).
kubectl get pods -n argocd -l <label-selector> -o name | cut -d'/' -f 2
Sample bcrypt password generator output
# Replace the admin password with a bcrypt hash you generated (the hash below is the post's sample).
# admin.passwordMtime must move too: ArgoCD rejects sessions issued before that timestamp.
kubectl -n argocd patch secret argocd-secret \
  -p '{"stringData": {
    "admin.password": "$2a$10$rCcULJ2BXfPutS25bBcu2OTgC2BU.3oTO67bckf6YqCpUZZxpXGAu",
    "admin.passwordMtime": "'$(date +%FT%T%Z)'"
  }}'
argocd login $FQDN --grpc-web-root-path /argo-cd
argocd account update-password
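The post's argocd-ambassador.yml is not reproduced here. The manifest below is an added example, written for this edit and not the post's file, of the pieces that make ArgoCD reachable at https://$FQDN/argo-cd: the argocd-server command flags that the "lines 45–47" edit has to end up with (my reading, not a quote of the post), the Ambassador Mapping for the /argo-cd prefix, and the webhook secret that ArgoCD needs now that /argo-cd/api/webhook is exposed to the internet. It assumes ArgoCD 1.7's install manifest (argocd-server runs with --staticassets /shared/app) and getambassador.io/v2; the Mapping name and the placeholder secret value are mine.

```yaml
# Added example (not the post's argocd-ambassador.yml): argocd-server behind Ambassador under /argo-cd.
# Assumes ArgoCD 1.7 and getambassador.io/v2.
#
# 1) Fragment of the argocd-server Deployment, to be merged into the upstream install manifest
#    (it is not a complete Deployment). --insecure makes argocd-server speak plain HTTP because
#    Ambassador terminates TLS; --rootpath makes it serve under the same prefix the Mapping uses.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-server
  namespace: argocd
spec:
  template:
    spec:
      containers:
      - name: argocd-server
        command:
        - argocd-server
        - --staticassets
        - /shared/app
        - --insecure
        - --rootpath
        - /argo-cd
---
# 2) Route /argo-cd to the argocd-server Service. rewrite: "" keeps the prefix, which the server
#    expects because of --rootpath; port 80 is the Service's plain-HTTP port.
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: argocd-server-mapping
  namespace: argocd
spec:
  prefix: /argo-cd
  rewrite: ""
  service: argocd-server.argocd:80
---
# 3) https://<fqdn>/argo-cd/api/webhook is now publicly reachable. ArgoCD only verifies the
#    GitHub payload signature when this key is present, so set it to the secret configured on
#    the GitHub webhook. Merge the key into the existing argocd-secret (kubectl patch, the same
#    way admin.password is patched above); do not replace the Secret.
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
stringData:
  webhook.github.secret: <my_github_webhook_secret_replace_me>
```

With --insecure, traffic between Ambassador and argocd-server is cleartext inside the cluster; that is the usual trade-off for terminating TLS at the ingress, and a NetworkPolicy limiting who can reach the argocd-server pods is the cheap mitigation. Because argocd login $FQDN --grpc-web-root-path /argo-cd goes through the same Mapping, the CLI works as soon as the dashboard does.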

Tekton v0.16.0 and Tekton Triggers v0.8.1 Installation

# Install Tekton Pipelines v0.16.0 and Tekton Triggers v0.8.1 (both release manifest URLs are missing from this page)
kubectl apply -f <tekton-pipelines-v0.16.0-release-url>
kubectl apply -f <tekton-triggers-v0.8.1-release-url>
# Back Tekton's artifact storage with a PVC; size and storage class come from this ConfigMap.
# storageClassName=manual needs a pre-provisioned PersistentVolume to bind to.
kubectl create configmap config-artifact-pvc \
  --from-literal=size=10Gi \
  --from-literal=storageClassName=manual \
  -o yaml -n tekton-pipelines \
  --dry-run=client | kubectl replace -f -
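The post exposes a Tekton EventListener through Ambassador (see Ambassador Setup) so that a merge to the develop branch triggers the dev build and deploy pipeline, but it shows no trigger manifest. The manifest below is an added example of that complete chain, written for this edit rather than taken from the post: a webhook secret, a TriggerBinding, a TriggerTemplate, an EventListener whose GitHub interceptor verifies the HMAC signature before anything else runs and whose CEL interceptor only passes pushes to develop, and the Ambassador Mapping that publishes it. It assumes Tekton Triggers v0.8 syntax (triggers.tekton.dev/v1alpha1, template.ref, $(tt.params.*)), a service account tekton-triggers-sa bound to the EventListener RBAC from the Tekton Triggers docs, and a Pipeline named dev-build-deploy taking gitrevision and gitrepositoryurl params; every one of those names is mine.

```yaml
# Added example (not from the post): signed GitHub push -> PipelineRun, published via Ambassador.
# Assumes Tekton Triggers v0.8 (triggers.tekton.dev/v1alpha1) and getambassador.io/v2.
apiVersion: v1
kind: Secret
metadata:
  name: github-webhook-secret
  namespace: tekton-pipelines
type: Opaque
stringData:
  secretToken: <my_webhook_secret_replace_me>   # the same value entered as "Secret" on the GitHub webhook
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: github-push-binding
  namespace: tekton-pipelines
spec:
  params:                                    # fields of the GitHub push payload
  - name: gitrevision
    value: $(body.head_commit.id)
  - name: gitrepositoryurl
    value: $(body.repository.clone_url)
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: dev-build-deploy-template
  namespace: tekton-pipelines
spec:
  params:
  - name: gitrevision
  - name: gitrepositoryurl
  resourcetemplates:
  - apiVersion: tekton.dev/v1beta1
    kind: PipelineRun
    metadata:
      generateName: dev-build-deploy-
    spec:
      pipelineRef:
        name: dev-build-deploy                # hypothetical Pipeline (Kaniko build + argocd app sync)
      params:
      - name: gitrevision
        value: $(tt.params.gitrevision)
      - name: gitrepositoryurl
        value: $(tt.params.gitrepositoryurl)
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: github-listener
  namespace: tekton-pipelines
spec:
  serviceAccountName: tekton-triggers-sa      # needs permission to create PipelineRuns
  triggers:
  - name: github-push-develop
    interceptors:
    # Runs first: rejects any request whose X-Hub-Signature is not an HMAC over the body
    # with secretToken, and any event type other than push.
    - github:
        secretRef:
          secretName: github-webhook-secret
          secretKey: secretToken
        eventTypes:
        - push
    # Only merges to the integration branch start the dev pipeline.
    - cel:
        filter: "body.ref == 'refs/heads/develop'"
    bindings:
    - ref: github-push-binding
    template:
      ref: dev-build-deploy-template
---
# Tekton creates a Service named el-<EventListener name> on port 8080; publish it under /hooks/github/.
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: tekton-github-listener
  namespace: tekton-pipelines
spec:
  prefix: /hooks/github/
  rewrite: /
  service: el-github-listener.tekton-pipelines:8080
```

Point the GitHub webhook at https://$FQDN/hooks/github/ with content type application/json and the same secret. Because the signature check sits in the first interceptor, an unsigned or mis-signed POST to the public Mapping never reaches the CEL filter, the bindings, or the PipelineRun creation, which is what keeps a publicly routed EventListener from becoming an unauthenticated job runner; the EventListener pod's logs show each rejection.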

Aaaaaand…we’re done! For now…



Adri Villela

I push the boundaries of software delivery by learning from smart people who challenge the status quo | Former corporate 🤖 | On-Call Me Maybe Podcast co-host