apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: example
namespace: openshift-gitops
spec:
server:
route:
enabled: true
By default, Red Hat OpenShift GitOps installs an instance of Argo CD in the openshift-gitops
namespace with additional permissions for managing certain cluster-scoped resources. This default Argo CD instance is also called as the default cluster-scoped instance.
For GitOps version 1.13 and later, the route TLS termination is set as default to the You can modify the route TLS termination policy by configuring the |
To manage cluster configurations or deploy applications, you can install and deploy a new user-defined Argo CD instance. By default, any new user-defined instance has permissions to manage resources only in the namespace where it is deployed.
To manage cluster configurations or deploy applications, you can install and deploy a new user-defined Argo CD instance.
You have access to the cluster with cluster-admin
privileges.
You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
Log in to the OpenShift Container Platform web console.
In the Administrator perspective of the web console, click Operators → Installed Operators.
Create or select the project where you want to install the user-defined Argo CD instance from the Project list.
Select Red Hat OpenShift GitOps from the installed Operators list and click the Argo CD tab.
Click Create ArgoCD to configure the parameters:
Enter the Name of the instance. By default, the Name is set to example
.
Create an external OS route to access Argo CD server. Click Server → route and check Enabled.
You can alternatively configure YAML to create an external OS route as shown in the following example: Example Argo CD with external OS route created
|
Optional: Modify the route TLS termination policy by configuring the .spec.server.route.tls
field of the Argo CD CR.
Click Create.
Go to Networking → routes → <instance_name>-server in the project where the user-defined Argo CD instance is installed.
On the Details tab, click the Argo CD web UI link under route details → Location. The Argo CD web UI opens in a separate browser window.
Optional: To log in with your OpenShift Container Platform credentials, ensure you are a user of the cluster-admins
group and then select the LOG IN VIA OPENSHIFT
option in the Argo CD user interface.
To be a user of the |
Obtain the password for the user-defined Argo CD instance:
Use the navigation panel to go to the Workloads → Secrets page.
Use the Project list and select the namespace where the user-defined Argo CD instance is created.
Select the <argo_CD_instance_name>-cluster instance to display the password.
On the Details tab, copy the password under Data → admin.password.
Use admin
as the Username and the copied password as the Password to log in to the Argo CD UI in the new window.
As a cluster administrator, when you give an Argo CD access to a namespace by using the argocd.argoproj.io/managed-by
label, the Argo CD assumes namespace-admin
privileges. The Red Hat OpenShift GitOps Operator then automatically creates role bindings for all managed namespaces of the following GitOps control plane components:
Argo CD Application Controller
Argo CD server
Argo CD ApplicationSet Controller
When you provide namespaces to non-administrator users, for example, development teams, they can use the namespace-admin
privileges to modify objects such as network policies. Installing an Argo CD instance in these namespaces gives the development teams admin
privileges and indirectly elevates their assigned privileges. These roles are highly privileged and can delete all resources. As a preventive action, you can define a specific set of reduced permissions to meet your security requirements by configuring common cluster roles for all managed namespaces in the role bindings that the Operator creates for the Argo CD Application Controller and Argo CD server components.
To configure common cluster roles for all managed namespaces, you can specify user-defined cluster roles for the CONTROLLER_CLUSTER_ROLE
and SERVER_CLUSTER_ROLE
environment variables in the Operator’s Subscription
object YAML file. As a result, instead of creating the default admin
role, the Operator uses the existing user-defined cluster roles and creates role bindings for all managed namespaces.
You have logged in to the OpenShift Container Platform cluster as an administrator.
You have installed the Red Hat OpenShift GitOps Operator on your OpenShift Container Platform cluster.
In the Administrator perspective, navigate to Administration → CustomResourceDefinitions.
Find the Subscription CRD and click to open it.
Select the Instances tab and click the openshift-gitops-operator subscription.
Select the YAML tab and make your customization:
Specify the user-defined cluster roles for the CONTROLLER_CLUSTER_ROLE
and SERVER_CLUSTER_ROLE
environment variables:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: openshift-gitops-operator
namespace: openshift-gitops-operator
spec:
config:
env:
- name: CONTROLLER_CLUSTER_ROLE
value: gitops-controller-role (1)
- name: SERVER_CLUSTER_ROLE
value: gitops-server-role (2)
1 | The name of the environment variable for the Argo CD Application Controller component. |
2 | The name of the environment variable for the Argo CD server component. |
Alternatively, you can inject the preceding environment variables directly into the Operator’s |
Argo CD-server and Argo CD-repo-server workloads are stateless. To better distribute your workloads among pods, you can increase the number of Argo CD-server and Argo CD-repo-server replicas. However, if a horizontal autoscaler is enabled on the Argo CD-server, it overrides the number of replicas you set.
Set the replicas
parameters for the repo
and server
spec to the number of replicas you want to run:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: example-argocd
labels:
example: repo
spec:
repo:
replicas: <number_of_replicas>
server:
replicas: <number_of_replicas>
route:
enabled: true
path: /
tls:
insecureEdgeTerminationPolicy: Redirect
termination: passthrough
wildcardPolicy: None
To allow Argo CD to manage resources in other namespaces apart from where it is installed, configure the target namespace with a argocd.argoproj.io/managed-by
label.
Configure the target namespace by running the following command:
$ oc label namespace <target_namespace> \
argocd.argoproj.io/managed-by=<argocd_namespace>
where:
<target_namespace>
Specifies the name of the namespace you want Argo CD to manage.
<argocd_namespace>
Specifies the name of the namespace where Argo CD is installed.
In a multi-tenant cluster, users might have to deal with multiple instances of Argo CD. For example, after installing an Argo CD instance in your namespace, you might find a different Argo CD instance attached to the Argo CD console link, instead of your own Argo CD instance, in the Console Application Launcher.
You can customize the Argo CD console link by setting the DISABLE_DEFAULT_ARGOCD_CONSOLELINK
environment variable:
When you set DISABLE_DEFAULT_ARGOCD_CONSOLELINK
to true
, the Argo CD console link is permanently deleted.
When you set DISABLE_DEFAULT_ARGOCD_CONSOLELINK
to false
or use the default value, the Argo CD console link is temporarily deleted and visible again when the Argo CD route is reconciled.
You have logged in to the OpenShift Container Platform cluster as an administrator.
You have installed the Red Hat OpenShift GitOps Operator.
In the Administrator perspective, navigate to Administration → CustomResourceDefinitions.
Find the Subscription CRD and click to open it.
Select the Instances tab and click the openshift-gitops-operator subscription.
Select the YAML tab and make your customization:
To enable or disable the Argo CD console link, edit the value of DISABLE_DEFAULT_ARGOCD_CONSOLELINK
as needed:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: openshift-gitops-operator
spec:
config:
env:
- name: DISABLE_DEFAULT_ARGOCD_CONSOLELINK
value: 'true'