ArgoCD with AWS ECR, ESO and Bitbucket Pipeline
Introduction:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It can be used as a standalone tool or as part of a CI/CD workflow to deliver the needed resources to Kubernetes clusters.
Features:
- Ability to manage and deploy to multiple clusters.
- Rollback/Roll-anywhere to any application configuration committed in Git repository
- Automated configuration drift detection and visualization, hence enforcing git as single-source-of-truth
- Supports canary and blue/green deployments via PreSync, Sync and PostSync hooks; this integrates well with Istio's traffic-routing features.
- Restricting changes to the clusters so that they go only through Git makes every change auditable and can remove the need to grant end users direct RBAC access to the K8s clusters.
- Declarative files and the Argo CD CLI cover features missing from the Argo CD UI.
- Being container- and Kubernetes-native, Argo CD integrates well with K8s, service meshes, container monitoring tools (Prometheus, Grafana), Argo Rollouts, security tools and config management tools like Helm, Jsonnet and Kustomize.
Installing Argo CD in an EKS cluster.
- Create the namespace and apply the install manifest
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
- Download the Argo CD CLI
sudo curl --silent --location -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.4.7/argocd-linux-amd64
sudo chmod +x /usr/local/bin/argocd
- Get the admin password needed to access the Argo CD API server. The default user is admin; the initial password is generated at install time and stored in the argocd-initial-admin-secret Secret.
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
- Login using the CLI
echo "yes" | argocd login <server-url> --username <user> --password <passwd> --grpc-web
Change the admin password after the first login (argocd account update-password) and then delete argocd-initial-admin-secret: the Argo CD documentation recommends this because the Secret only exists to bootstrap access and stores the password in clear text.
Proposed CI/CD Working Architecture:
Pipeline Steps:
1. CI: Bitbucket Pipeline
- Build the application Docker image
- Push the Docker image to the image ECR repository
- Update the image tag in the values manifest file (values.yaml)
- Update the Helm chart version in the Chart manifest file (Chart.yaml)
- Run helm package
- Run helm push to upload the packaged chart to the Helm (OCI) ECR repository
2. CD: Argo CD
- Syncs with the Helm ECR repository
- Deploys the latest image tag and chart version to the respective EKS cluster
- Sends a Slack notification
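The CI half of the procedure above as one Bitbucket pipeline file. This is an added example, not the original post's pipeline. It assumes a tooling image that ships aws-cli v2, helm 3.8 or newer (OCI support), yq v4 and the docker CLI, a chart under ./chart, and these secured repository variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION, AWS_ACCOUNT_ID, ECR_IMAGE_REPO and ECR_HELM_NAMESPACE (ECR does not auto-create repositories, so both the image repo and "<ECR_HELM_NAMESPACE>/<chart name>" must already exist). Image tags are the short commit SHA rather than "latest", so what Argo CD deploys is traceable to a commit, and ECR passwords are always passed on stdin, never as a command-line argument.

```yaml
# bitbucket-pipelines.yml (added example; names and variables are assumptions, see lead-in)
image: your-org/ci-tools:latest   # assumed image with aws-cli v2, helm >= 3.8, yq v4, docker CLI

definitions:
  services:
    docker:
      memory: 2048

pipelines:
  branches:
    main:
      - step:
          name: Build image, package chart, push both to ECR
          services:
            - docker
          script:
            # Immutable, traceable tag: short commit SHA instead of "latest".
            - export IMAGE_TAG="$(echo "$BITBUCKET_COMMIT" | cut -c1-7)"
            - export REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com"
            - export CHART_DIR="./chart"
            - export CHART_NAME="$(yq '.name' "$CHART_DIR/Chart.yaml")"
            # Chart version must increase on every build so Argo CD sees a new revision.
            - export CHART_VERSION="1.0.${BITBUCKET_BUILD_NUMBER}"

            # 1. Build the application image.
            - docker build -t "$REGISTRY/$ECR_IMAGE_REPO:$IMAGE_TAG" .

            # 2. Push it to the image ECR repo (password via stdin).
            - aws ecr get-login-password --region "$AWS_DEFAULT_REGION" | docker login --username AWS --password-stdin "$REGISTRY"
            - docker push "$REGISTRY/$ECR_IMAGE_REPO:$IMAGE_TAG"

            # 3. Point values.yaml at the image that was just pushed.
            - yq -i '.image.repository = strenv(REGISTRY) + "/" + strenv(ECR_IMAGE_REPO) | .image.tag = strenv(IMAGE_TAG)' "$CHART_DIR/values.yaml"

            # 4. Bump the chart version (and record the image tag as appVersion).
            - yq -i '.version = strenv(CHART_VERSION) | .appVersion = strenv(IMAGE_TAG)' "$CHART_DIR/Chart.yaml"

            # 5. Lint, then package; a broken chart never reaches ECR.
            - helm lint "$CHART_DIR"
            - helm package "$CHART_DIR" --destination ./dist

            # 6. Push the chart to the Helm (OCI) repo in the same registry.
            - aws ecr get-login-password --region "$AWS_DEFAULT_REGION" | helm registry login --username AWS --password-stdin "$REGISTRY"
            - helm push "./dist/${CHART_NAME}-${CHART_VERSION}.tgz" "oci://$REGISTRY/$ECR_HELM_NAMESPACE"
          artifacts:
            - dist/**
```

The chart ends up at <REGISTRY>/<ECR_HELM_NAMESPACE>/<chart name>:<CHART_VERSION>, which is the source the Argo CD Application points at. Keep the pipeline's IAM user limited to ecr:GetAuthorizationToken plus push rights on those two repositories; it never needs cluster access, because deployment is Argo CD's job.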
ArgoCD Structure
Repositories → Projects → Application → Clusters
1. Repositories: Manage repository connection parameters
argocd repo add REPOURL
Ex (ECR is an OCI registry, so it is added as a Helm repo with OCI enabled; the password is an ECR authorization token, which expires after 12 hours):
argocd repo add <account.id>.dkr.ecr.ap-southeast-1.amazonaws.com --type helm --name ecr-helm --enable-oci --username AWS --password "$(aws ecr get-login-password --region ap-southeast-1)"
2. Projects: Provide a logical grouping of applications, and restrict which source repositories and which destination clusters/namespaces the applications in the project may use
argocd proj create <proj name> -d <destination server>,<namespace> -s <repo url>
Ex: argocd proj create myproject -d https://kubernetes.default.svc,mynamespace -s https://github.com/argoproj/argocd-example-apps.git
3. Application: A group of Kubernetes resources as defined by a manifest. It is an instance of the Application Custom Resource Definition (CRD).
argocd app list
4. Clusters: Manage cluster credentials
argocd cluster list -o json
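The same Repositories → Projects → Application → Clusters chain in declarative form, so it can be committed to Git instead of being created by hand with the CLI. This is an added example, not code from the original post. Assumed values: AWS account 123456789012, region ap-southeast-1, ECR namespace "helm", chart "myapp", project "myproject" and namespace "mynamespace"; the semver constraint in targetRevision assumes an Argo CD version that resolves Helm chart version ranges. The AppProject is where the security boundary lives: it pins the only allowed source registry and destination, and leaves the cluster-scoped resource whitelist empty so a chart cannot create ClusterRoles, CRDs or Namespaces.

```yaml
# Added example; account id, names and namespaces are assumptions (see lead-in).
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: myproject
  namespace: argocd
spec:
  description: Workloads delivered from the ECR Helm repo
  # Only this registry may be used as a source ...
  sourceRepos:
    - 123456789012.dkr.ecr.ap-southeast-1.amazonaws.com/helm
  # ... and only this cluster/namespace as a destination.
  destinations:
    - server: https://kubernetes.default.svc
      namespace: mynamespace
  # Empty whitelist: no cluster-scoped resources at all for this project.
  clusterResourceWhitelist: []
  # Keep charts from tampering with namespace guardrails.
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io   # deleting the app also removes its resources
spec:
  project: myproject
  source:
    # OCI Helm repo: no scheme in repoURL, chart name given separately.
    repoURL: 123456789012.dkr.ecr.ap-southeast-1.amazonaws.com/helm
    chart: myapp
    # Semver constraint: picks the newest 1.0.x chart pushed by CI.
    targetRevision: "1.0.*"
  destination:
    server: https://kubernetes.default.svc
    namespace: mynamespace
  syncPolicy:
    automated:
      prune: true      # remove resources that disappear from the chart
      selfHeal: true   # revert manual edits in the cluster (drift detection in action)
    syncOptions:
      - CreateNamespace=true
```

Apply both with kubectl -n argocd apply -f, then argocd app get myapp should show the chart revision that CI last pushed. If the chart tries to create something outside the project's whitelist, the sync fails with a "resource not permitted in project" error rather than silently widening the blast radius.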
RBAC Configuration
The RBAC feature restricts access to Argo CD resources. Policies live in the argocd-rbac-cm ConfigMap (policy.csv), and policy.default names the role applied to users who match no rule.
RBAC Permission Structure
The permission definition differs slightly between application-scoped resources and every other resource type in Argo CD.
- All resources except application-specific permissions:
p, <role/user/group>, <resource>, <action>, <object>, <effect>
- Applications, applicationsets, logs, and exec (which belong to an AppProject):
p, <role/user/group>, <resource>, <action>, <appproject>/<object>, <effect>
Here <effect> is allow or deny (a matching deny wins over any allow), and <object> may be a glob pattern such as * or myproject/*.
Resources and Actions
Resources: clusters, projects, applications, applicationsets, repositories, certificates, accounts, gpgkeys, logs, exec, extensions
Actions: get, create, update, delete, sync, override, action/<group/kind/action-name>
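An argocd-rbac-cm ConfigMap that uses the permission structure above for the project from this page. This is an added example, not the original post's configuration; the SSO group names acme:developers and acme:release-managers are assumptions, and the project name myproject follows the earlier CLI example. Developers get read and sync on applications in their project and nothing else; release managers get the full application lifecycle. Note the two object formats: application-scoped resources (applications, logs, exec) take myproject/*, while projects and repositories take a plain object name.

```yaml
# Added example; group names are assumptions (see lead-in).
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Authenticated users matching no rule fall back to the built-in read-only role.
  policy.default: role:readonly
  # Roles are bound to the "groups" claim of the OIDC ID token.
  scopes: '[groups]'
  policy.csv: |
    # Developers: view and sync apps in myproject, read their logs.
    p, role:developer, applications, get, myproject/*, allow
    p, role:developer, applications, sync, myproject/*, allow
    p, role:developer, logs, get, myproject/*, allow
    p, role:developer, projects, get, myproject, allow
    p, role:developer, repositories, get, *, allow
    # Explicit deny: no shell into pods via the UI, even if a broader allow is added later.
    p, role:developer, exec, create, myproject/*, deny

    # Release managers: full application lifecycle in myproject, including
    # parameter overrides and resource actions such as a Deployment restart.
    p, role:release-manager, applications, get, myproject/*, allow
    p, role:release-manager, applications, create, myproject/*, allow
    p, role:release-manager, applications, update, myproject/*, allow
    p, role:release-manager, applications, delete, myproject/*, allow
    p, role:release-manager, applications, sync, myproject/*, allow
    p, role:release-manager, applications, override, myproject/*, allow
    p, role:release-manager, applications, action/apps/Deployment/restart, myproject/*, allow
    p, role:release-manager, logs, get, myproject/*, allow
    p, role:release-manager, projects, get, myproject, allow
    p, role:release-manager, repositories, get, *, allow

    # Map SSO groups to roles.
    g, acme:developers, role:developer
    g, acme:release-managers, role:release-manager
```

Neither role is given create/update/delete on repositories, clusters or accounts; those stay with the admin account, which should itself be disabled in argocd-cm once SSO works. To check a rule before rolling it out, run argocd admin settings rbac can role:developer sync applications myproject/myapp against the policy file.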
External Secrets Operator (ESO)
ESO is a Kubernetes operator that integrates external secret management systems.
The operator reads information from external APIs and automatically injects the values into a Kubernetes Secret. Here Argo CD relies on ESO to rotate the ECR credentials it uses to pull Helm charts: an ECR authorization token is valid for only 12 hours, so a repository credential added once by hand would stop working.
Components:
- ECRAuthorizationToken: generator CRD that calls ECR to obtain a fresh authorization token.
- ExternalSecret: CRD that reads the token from the ECRAuthorizationToken generator on each refresh and writes it into the Argo CD repository Secret.
- ServiceAccount: Kubernetes ServiceAccount annotated with an AWS IAM role (IRSA) that has the necessary ECR access (at least ecr:GetAuthorizationToken, plus read access to the chart repository); the ECRAuthorizationToken authenticates as this ServiceAccount.
With this integration, Argo CD always holds a valid ECR credential, pulls the latest Helm chart from ECR and deploys it to the EKS cluster.
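The three components above as manifests in the argocd namespace. This is an added example, not the original post's configuration. Assumed values: AWS account 123456789012, region ap-southeast-1, ECR namespace "helm", and an IAM role argocd-ecr-pull whose trust policy allows the cluster's OIDC provider (IRSA) for this ServiceAccount. Field names follow the ESO generator API as documented for generators.external-secrets.io/v1alpha1; check them against the ESO version you run. The Secret that ESO produces carries the argocd.argoproj.io/secret-type: repository label, so it is the same object the CLI's argocd repo add would have created, except that its password is rewritten every 4 hours.

```yaml
# Added example; account id, role and names are assumptions (see lead-in).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-ecr-token
  namespace: argocd
  annotations:
    # IRSA. The role needs ecr:GetAuthorizationToken on "*" and only
    # ecr:BatchGetImage / ecr:GetDownloadUrlForLayer on the chart repositories.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/argocd-ecr-pull
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-token
  namespace: argocd
spec:
  region: ap-southeast-1
  auth:
    jwt:
      serviceAccountRef:
        name: argocd-ecr-token   # the IRSA ServiceAccount above
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ecr-helm-repo
  namespace: argocd
spec:
  # ECR tokens expire after 12 hours; refresh well inside that window.
  refreshInterval: 4h
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: ECRAuthorizationToken
          name: ecr-token
  target:
    name: ecr-helm-repo
    creationPolicy: Owner
    template:
      metadata:
        # This label is what makes Argo CD pick the Secret up as a repository.
        labels:
          argocd.argoproj.io/secret-type: repository
      data:
        type: helm
        name: ecr-helm
        enableOCI: "true"
        url: 123456789012.dkr.ecr.ap-southeast-1.amazonaws.com/helm
        # The generator emits username and password (username is always "AWS").
        username: "{{ .username }}"
        password: "{{ .password }}"
```

kubectl -n argocd get externalsecret ecr-helm-repo should report SecretSynced; if it shows SecretSyncedError, the usual cause is the IAM trust policy not matching the argocd/argocd-ecr-token ServiceAccount. Because the ServiceAccount only holds pull permissions, a compromise of the Argo CD namespace cannot be used to push a modified chart or image back into ECR.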