Install and expose ArgoCD
Our clusters ship without ArgoCD installed. Running your own is useful if you want to have full control over GitOps delivery into your cluster.
The guide is based on the upstream Argo CD Helm chart (argo/argo-cd).
Prerequisites
Helm needs to be provided with the correct repository:
-
Setup helm repo
helm repo add argo https://argoproj.github.io/argo-helm -
Make sure to update repo cache
helm repo update -
Make sure
kubectlis configured for the cluster you want to install into. -
To reach the ArgoCD UI over HTTPS you need an Ingress controller and cert-manager. You can either use our managed add-ons or install your own:
Install
-
Create the namespace
kubectl create namespace argocd -
Run Helm install, pinning an explicit chart version:
helm install argocd argo/argo-cd \ --namespace argocd \ --create-namespace \ --version 10.1.4A full list of available Helm values is on ArgoCD’s ArtifactHub page.
Note: If you already know you want the UI reachable via Ingress, you can supply a
values.yamlup front instead of runninghelm upgradeafterwards, see the Expose the ArgoCD UI section below.
Verify the installation
-
Check that all pods are running:
kubectl get pods -n argocd -
Retrieve the initial admin password:
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d -
Log in with the ArgoCD CLI over a port-forward:
kubectl port-forward svc/argocd-server -n argocd 8080:443 argocd login localhost:8080 --username admin
Expose the ArgoCD UI
-
Interim / quick access
While you’re deciding how to expose ArgoCD, you can always reach the UI with a port-forward:
kubectl port-forward svc/argocd-server -n argocd 8080:443The UI is then available at https://localhost:8080.
-
Via Ingress (recommended)
Enable the built-in Ingress in
values.yamland let cert-manager issue the certificate:configs: params: server.insecure: true server: ingress: enabled: true ingressClassName: nginx hostname: argocd.example.tld annotations: cert-manager.io/issuer: letsencrypt-prod tls: trueNote: The ArgoCD server multiplexes gRPC and HTTP/HTTPS on the same port and terminates TLS itself by default. To terminate TLS at the Ingress instead, set
server.insecure: trueas above so the server serves plain HTTP behind the Ingress. If you’d rather keep TLS on the backend, use ssl-passthrough instead — see the upstream ArgoCD Ingress documentation for both approaches.Apply the values with:
helm upgrade --install argocd argo/argo-cd --namespace argocd --version 10.1.4 --values values.yaml -
Restrict access while the domain is undecided
If you don’t have a hostname picked yet, you can still put ArgoCD behind an Ingress and restrict it to your own IP with an annotation:
server: ingress: annotations: nginx.ingress.kubernetes.io/whitelist-source-range: "<your-ip>/32"A wildcard-DNS helper such as sslip.io can act as a temporary hostname against the Ingress’ floating IP until a real domain is chosen. See Load balancers for how the floating IP is assigned.
Connect a private Git repository
Add a repository with credentials via the CLI:
argocd repo add <repo-url> --username <user> --password <token>
For Azure DevOps, use a Personal Access Token scoped to Code: Read, or an SSH deploy key instead of username/password.
Alternatively, declare the repository as a Secret labelled for ArgoCD:
apiVersion: v1
kind: Secret
metadata:
name: private-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
url: <repo-url>
username: <user>
password: <token>
Note: Avoid committing credentials in plaintext to git. See Managing secrets below for options to keep this manifest encrypted at rest in your repository.
Pull images from a private registry
Create an imagePullSecret in the namespace your application is deployed to:
kubectl create secret docker-registry regcred \
--namespace <app-namespace> \
--docker-server=<registry-server> \
--docker-username=<user> \
--docker-password=<password>
This works for any registry (Docker Hub, ACR, GCR, Quay, …). Reference the secret from your
workload’s ServiceAccount imagePullSecrets, or set it via your Helm chart’s values.
Managing secrets
Since ArgoCD deploys straight from git, secrets should not be committed in plaintext. Two common options, both customer-installed:
- Sealed Secrets — encrypt secrets client-side
with
kubesealso only the controller in your cluster can decrypt them, safe to commit to git. - External Secrets — sync secrets from an external secret store
(e.g. Vault, cloud provider secret managers) into Kubernetes
Secretresources.
Deploy your first application
Create a file called application.yaml:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-app
namespace: argocd
spec:
project: default
source:
repoURL: <repo-url>
targetRevision: HEAD
path: <path-to-manifests>
destination:
server: https://kubernetes.default.svc
namespace: <app-namespace>
syncPolicy:
automated:
prune: true
selfHeal: true
If you’re deploying a Helm chart instead of plain manifests, use a Helm source:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-app
namespace: argocd
spec:
project: default
source:
repoURL: <repo-url>
targetRevision: HEAD
path: <path-to-chart>
helm:
valueFiles:
- values.yaml
destination:
server: https://kubernetes.default.svc
namespace: <app-namespace>
syncPolicy:
automated:
prune: true
selfHeal: true
Then create the resource in the cluster by running:
kubectl apply -f application.yaml
Upgrade
helm upgrade --install argocd argo/argo-cd --namespace argocd --version <new-version>
Uninstall
-
Remove the release
helm uninstall argocd -n argocd -
Remove the namespace if necessary
kubectl delete namespace argocd