ArgoCD with AWS ECR, ESO and Bitbucket Pipeline

Lavanya R
Google Cloud - Community
3 min read · Apr 22, 2024

Introduction:

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It can be used as a standalone tool or as part of a CI/CD workflow to deliver the required resources to Kubernetes clusters.

Features:

  • Ability to manage and deploy to multiple clusters.
  • Rollback or roll forward to any application configuration committed in the Git repository.
  • Automated configuration drift detection and visualization, which enforces Git as the single source of truth.
  • Supports canary and blue/green deployments via PreSync, Sync and PostSync hooks; this integrates well with Istio's traffic-management features.
  • Restricting cluster access so that deployments happen only through Git makes every change auditable, and can remove the need to grant end users RBAC in the Kubernetes clusters themselves.
  • Declarative files and the Argo CD CLI cover the features the Argo CD UI does not expose.
  • As a container-native tool, Argo CD integrates well with Kubernetes, service meshes, container monitoring tools (Prometheus, Grafana), Argo Rollouts, security tools and config management tools such as Helm, Jsonnet and Kustomize.

Installing Argo CD in EKS cluster.

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

  • Download Argo CD CLI

sudo curl --silent --location -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.4.7/argocd-linux-amd64
sudo chmod +x /usr/local/bin/argocd

  • Access the Argo CD API server and retrieve the initial admin password. The default user is admin; the password is generated at install time and stored in the argocd-initial-admin-secret Secret.

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

  • Login using the CLI

echo "yes" | argocd login <server-url> --username <user> --password <passwd> --grpc-web

The piped "yes" answers the prompt to proceed with the server's self-signed certificate; in production, front the API server with a trusted certificate instead. After the first login, change the admin password (argocd account update-password) and delete argocd-initial-admin-secret, since Argo CD does not rotate it.

Proposed CI/CD Working Architecture:

Pipeline Steps:

  1. CI: Bitbucket Pipeline
  • Build the application Docker image
  • Push the Docker image to the application's ECR repository
  • Update the image tag in the chart's values file
  • Update the chart version in the Chart manifest file
  • Run helm package
  • Run helm push to upload the packaged chart to the Helm ECR repository

  2. CD: Argo CD
  • Syncs with the Helm ECR repository
  • Deploys the latest image tag and chart version to the respective EKS cluster
  • Sends a Slack notification
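The six CI steps above as a bitbucket-pipelines.yml, added here as an example and not taken from the article or from any project. It assumes: a build image your-org/ci-tools that provides docker, aws, helm and sed (hypothetical name); repository variables AWS_ACCOUNT_ID and AWS_REGION; an IAM role bitbucket-ecr-push (hypothetical name) that trusts Bitbucket's OIDC provider, so the step gets short-lived credentials instead of static access keys; a chart under chart/myapp-chart whose values.yaml has a single image tag: key; and pre-created ECR repositories myapp (image) and myapp-chart (chart), because ECR does not create repositories on push by default.

```yaml
# bitbucket-pipelines.yml (added example; names marked below are assumptions)
image: your-org/ci-tools:latest        # hypothetical image providing docker, aws, helm and sed

pipelines:
  branches:
    main:
      - step:
          name: Build image, push image and chart to ECR
          oidc: true                   # Bitbucket issues an OIDC token to this step
          services:
            - docker
          script:
            # Exchange the step's OIDC token for short-lived AWS credentials instead of
            # keeping long-lived access keys in repository variables
            - export AWS_ROLE_ARN="arn:aws:iam::${AWS_ACCOUNT_ID}:role/bitbucket-ecr-push"   # hypothetical role
            - export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/web-identity-token
            - echo "${BITBUCKET_STEP_OIDC_TOKEN}" > "${AWS_WEB_IDENTITY_TOKEN_FILE}"
            - export ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
            # Traceable identifiers: image tag from the commit, chart version from the build number
            - export IMAGE_TAG="$(echo "${BITBUCKET_COMMIT}" | cut -c1-12)"
            - export CHART_VERSION="1.0.${BITBUCKET_BUILD_NUMBER}"
            # Steps 1-2: build and push the application image
            - aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${ECR_REGISTRY}"
            - docker build -t "${ECR_REGISTRY}/myapp:${IMAGE_TAG}" .
            - docker push "${ECR_REGISTRY}/myapp:${IMAGE_TAG}"
            # Steps 3-4: set the image tag in values.yaml and the version in Chart.yaml
            # (assumes values.yaml contains exactly one "tag:" key)
            - 'sed -i -E "s/^([[:space:]]*tag:).*/\1 \"${IMAGE_TAG}\"/" chart/myapp-chart/values.yaml'
            - 'sed -i -E "s/^version:.*/version: ${CHART_VERSION}/" chart/myapp-chart/Chart.yaml'
            # Steps 5-6: package the chart and push it as an OCI artifact; helm push stores it
            # in the ECR repository named after the chart ("myapp-chart")
            - helm package chart/myapp-chart
            - aws ecr get-login-password --region "${AWS_REGION}" | helm registry login --username AWS --password-stdin "${ECR_REGISTRY}"
            - helm push "myapp-chart-${CHART_VERSION}.tgz" "oci://${ECR_REGISTRY}"
```

The two sed lines are single-quoted at the YAML level because a plain scalar containing "version: " would otherwise be parsed as a mapping. Nothing in this step touches the cluster: the only hand-off to CD is the new chart version in ECR, which Argo CD picks up on its next refresh.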

ArgoCD Structure

Repositories → Projects → Applications → Clusters

  1. Repositories: Manage repository connection parameters

argocd repo add REPOURL

Example: argocd repo add <account.id>.dkr.ecr.ap-southeast-1.amazonaws.com

For an ECR registry the repository must be registered as a Helm repository with OCI enabled, and the credentials are an ECR authorization token (user AWS) that expires after 12 hours, which is why the ESO setup later in this article keeps it fresh.

2. Projects: Provide a logical grouping of applications, and restrict which source repositories and destination clusters/namespaces the applications in the project may use

argocd proj create <proj name> -d <destination cluster> -s <repo url>

Example: argocd proj create myproject -d https://kubernetes.default.svc,mynamespace -s https://github.com/argoproj/argocd-example-apps.git

3. Application: A group of Kubernetes resources defined by a manifest, pointing one source (a repository path or a chart) at one destination (cluster and namespace). Argo CD stores it as a Custom Resource (the Application CRD).

argocd app list

4. Clusters: Manage cluster credentials

argocd cluster list -o json
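An Application manifest for the CD side described above (sync with the Helm ECR repository, deploy the latest chart, notify Slack), added here as an example and not taken from the article. It reuses the page's project myproject and namespace mynamespace; the account ID 123456789012, the chart name myapp-chart and the Slack channel deployments are placeholders, the repository credentials are assumed to be registered already (for example by ESO), and the notification annotation assumes Argo CD Notifications is installed with a Slack service named slack and the on-deployed trigger from its default catalog.

```yaml
# Argo CD Application pulling an OCI Helm chart from ECR (added example)
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp
  namespace: argocd
  annotations:
    # Argo CD Notifications: post to the Slack channel "deployments" (assumed channel)
    # when a sync has deployed the application
    notifications.argoproj.io/subscribe.on-deployed.slack: deployments
spec:
  project: myproject
  source:
    # OCI Helm repository: registry host as repoURL, ECR repository name as chart
    repoURL: 123456789012.dkr.ecr.ap-southeast-1.amazonaws.com   # placeholder account ID
    chart: myapp-chart
    # semver range: Argo CD resolves the newest 1.0.x chart on each refresh, so every
    # chart version pushed by CI is deployed without editing this manifest
    targetRevision: 1.0.*
  destination:
    server: https://kubernetes.default.svc
    namespace: mynamespace
  syncPolicy:
    automated:
      prune: true      # remove resources that disappear from the chart
      selfHeal: true   # revert manual changes made directly in the cluster (drift)
    syncOptions:
      - CreateNamespace=true
```

With selfHeal enabled, a kubectl edit in the cluster is reverted on the next reconciliation, which is what turns "Git as single source of truth" from a policy into an enforced property. If a release must be pinned, replace the range with an exact chart version.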

RBAC Configuration

The RBAC feature enables restriction of access to Argo CD resources.

RBAC Permission Structure

The permission definition differs slightly between application-scoped resources and every other resource type in Argo CD. Each policy line ends with an effect, allow or deny, and an explicit deny wins over any matching allow.

  • All resources except application-specific permissions:
    p, <role/user/group>, <resource>, <action>, <object>, <effect>
  • Applications, applicationsets, logs and exec (which belong to an AppProject):
    p, <role/user/group>, <resource>, <action>, <appproject>/<object>, <effect>

Resources and Actions

Resources: clusters, projects, applications, applicationsets, repositories, certificates, accounts, gpgkeys, logs, exec, extensions

Actions: get, create, update, delete, sync, override, action/<group/kind/action-name>
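The two permission shapes in a complete argocd-rbac-cm, added here as an example and not taken from the article. It grants one team read, sync and deployment-restart rights only inside its own AppProject, explicitly denies delete, parameter override and exec for that team, and gives a platform role the non-application resources. The project name team-a and the SSO group names team-a-devs and platform-admins are assumptions.

```yaml
# argocd-rbac-cm (added example): one project-scoped team role and one platform role
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Anyone not matched by the policies below gets the built-in read-only role
  policy.default: role:readonly
  # OIDC claim that carries group membership, consumed by the "g" lines
  scopes: '[groups]'
  policy.csv: |
    # Non-application resources: p, <subject>, <resource>, <action>, <object>, <effect>
    p, role:platform, clusters, get, *, allow
    p, role:platform, repositories, *, *, allow
    p, role:platform, projects, get, *, allow

    # Application-scoped resources: p, <subject>, <resource>, <action>, <appproject>/<object>, <effect>
    # team-a may read, sync and restart Deployments only within the "team-a" project
    p, role:team-a, applications, get, team-a/*, allow
    p, role:team-a, applications, sync, team-a/*, allow
    p, role:team-a, applications, action/apps/Deployment/restart, team-a/*, allow
    p, role:team-a, logs, get, team-a/*, allow
    # Explicit denies: changes still have to go through Git, and no shell into pods
    p, role:team-a, applications, delete, team-a/*, deny
    p, role:team-a, applications, override, team-a/*, deny
    p, role:team-a, exec, create, team-a/*, deny

    # Map SSO groups (assumed names) to roles
    g, team-a-devs, role:team-a
    g, platform-admins, role:platform
```

Because the application lines are prefixed with team-a/, a member of team-a-devs who tries to sync an application in another project is refused even though the action itself is allowed; the project prefix, not the action, is what keeps teams apart.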

External Secret Operator (ESO)

The External Secrets Operator is a Kubernetes operator that integrates external secret management systems with Kubernetes.

The operator reads data from external APIs and injects the values into a Kubernetes Secret, refreshing it on a schedule. In this setup ESO keeps the ECR credentials Argo CD needs to pull Helm charts current: an ECR authorization token is only valid for 12 hours, so a statically configured repository password would stop working within a day.

Components:

  1. ECRAuthorizationToken: an ESO generator CRD that calls ECR to obtain a fresh authorization token (username AWS plus a temporary password).
  2. ExternalSecret: CRD that writes the token produced by the ECRAuthorizationToken generator into a Kubernetes Secret and regenerates it every refresh interval.
  3. ServiceAccount: a Kubernetes service account mapped to an AWS IAM role (IRSA) with the ECR permissions the generator needs; the ECRAuthorizationToken authenticates to AWS with this service account's token.

With this integration in place, Argo CD can authenticate to ECR, pull the latest Helm chart and deploy it to the EKS cluster without anyone handling ECR credentials by hand.
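The three components wired together, added here as an example and not taken from the article or from the ESO project. The generated token is rendered straight into an Argo CD repository Secret (label argocd.argoproj.io/secret-type: repository) so no separate argocd repo add step is needed. Assumptions: account ID 123456789012 is a placeholder, the IAM role argocd-ecr-pull (hypothetical name) trusts the cluster's OIDC provider for the service account argocd/ecr-token-sa and allows ecr:GetAuthorizationToken plus the pull actions (ecr:BatchGetImage, ecr:GetDownloadUrlForLayer, ecr:BatchCheckLayerAvailability) on the chart repository, and ESO is installed with its generator CRDs.

```yaml
# ESO-managed ECR credentials for Argo CD (added example; all names are placeholders)

# 3. ServiceAccount bound to an IAM role via IRSA; the generator authenticates as it
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-token-sa
  namespace: argocd
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/argocd-ecr-pull   # hypothetical role
---
# 1. Generator that requests a fresh ECR authorization token
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-token
  namespace: argocd
spec:
  region: ap-southeast-1
  auth:
    jwt:
      serviceAccountRef:
        name: ecr-token-sa
---
# 2. ExternalSecret that renders the token into an Argo CD repository Secret
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ecr-helm-repo
  namespace: argocd
spec:
  refreshInterval: 6h          # ECR tokens expire after 12h; renew well before that
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: ECRAuthorizationToken
          name: ecr-token
  target:
    name: ecr-helm-repo
    creationPolicy: Owner
    template:
      engineVersion: v2
      metadata:
        labels:
          argocd.argoproj.io/secret-type: repository   # Argo CD discovers repos by this label
      data:
        name: ecr-helm
        type: helm
        enableOCI: "true"
        url: 123456789012.dkr.ecr.ap-southeast-1.amazonaws.com   # must match the Application repoURL
        username: "{{ .username }}"    # "AWS", as returned by the generator
        password: "{{ .password }}"    # temporary token, rewritten on every refresh
```

The IAM role should carry only the read-side ECR actions: the same credentials are readable by anything that can read Secrets in the argocd namespace, so a role that could also push images would let a compromised Argo CD component poison the supply chain it is meant to deploy from.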
