Installing Argo CD
Argo CD
Getting started
- If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
  By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.
  Warning
  The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Install kubectl and configure it to work with the new cluster.
Installation using Yandex Cloud Marketplace
- Navigate to the folder dashboard and select Managed Service for Kubernetes.
- Click the name of the cluster you need and select the Marketplace tab.
- Under Application available for installation, select Argo CD and click Go to install.
- Configure the application:
  - Namespace: Create a new namespace, e.g., argo-cd-space. If you leave the default namespace, Argo CD may work incorrectly.
  - Application name: Specify the application name.
- Click Install.
- Wait for the application to change its status to Deployed.
Installation using a Helm chart
- Install Helm v3.8.0 or higher.
- To install a Helm chart with Argo CD, run the following command:
    helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/argo/chart/argo-cd \
      --version 7.3.11-2 \
      --untar && \
    helm install \
      --namespace <namespace> \
      --create-namespace \
      argo-cd ./argo-cd/
  Note
  If you are using a Helm version below 3.8.0, prepend the export HELM_EXPERIMENTAL_OCI=1 && \ string to the command to enable Open Container Initiative (OCI) support in the Helm client.
  If you set namespace to the default namespace, Argo CD may work incorrectly. We recommend specifying a value different from all existing namespaces (e.g., argo-cd-space).
Access to the application
You can open Argo CD via localhost, using a dedicated IP address through Yandex Network Load Balancer, or by URL through an L7 Yandex Application Load Balancer. The first method is easier to configure and does not require additional costs for load balancers. However, the application is only available through localhost while port redirection is active, whereas load balancers provide continuous access to Argo CD.
Before you set up access to Argo CD, get the administrator (admin) password:
kubectl --namespace <namespace> get secret argocd-initial-admin-secret \
--output jsonpath="{.data.password}" | base64 -d
You will need the password for authorization in Argo CD.
Opening the application via localhost
- Configure Argo CD port redirection to your local computer:
    kubectl port-forward service/<app_name>-argocd-server \
      --namespace <namespace> 8080:443
  In the command, specify the application name you set during installation.
- Follow the https://localhost:8080 link and log in with administrator credentials.
Opening the application through a dedicated IP address via Network Load Balancer
- Save the following specification for creating a LoadBalancer type service to a file named load-balancer.yaml. This will create a Network Load Balancer for you:
    apiVersion: v1
    kind: Service
    metadata:
      name: argocd-load-balancer
      namespace: <namespace>
    spec:
      type: LoadBalancer
      ports:
      - port: 443
        name: load-balancer-port-ssl
        targetPort: 8080
      # Selector Kubernetes label used in the Deployment object named <application_name>-argocd-server.
      selector:
        app.kubernetes.io/name: argocd-server
  In the specification, specify the namespace you installed Argo CD in.
  Since the specification gives no IP address, the load balancer will get a dynamic public IP address. You can add a field named spec.loadBalancerIP and specify a pre-reserved static IP address in it.
  For details on the specification, see this service reference.
- Apply the specification and create a network load balancer:
    kubectl apply -f load-balancer.yaml --namespace <namespace>
- Get the IP address of the network load balancer you created:
  Management console
  - In the management console, select the folder the Managed Service for Kubernetes cluster is deployed in.
  - Select Network Load Balancer.
    The Load balancers section shows a network load balancer with the k8s prefix in its name and the unique Kubernetes cluster ID in its description.
  - Copy the IP address field value for the load balancer of interest.
- Follow the https://<load_balancer_IP_address> link and log in with administrator credentials.
Opening the application by URL through Application Load Balancer
- If you already have a certificate for the domain zone, add its details to Yandex Certificate Manager. If not, issue a new Let's Encrypt® certificate and add it to Certificate Manager.
- Get the certificate ID:
    yc certificate-manager certificate list
  Result:
    +----------------------+-----------+----------------+---------------------+----------+--------+
    |          ID          |   NAME    |    DOMAINS     |      NOT AFTER      |   TYPE   | STATUS |
    +----------------------+-----------+----------------+---------------------+----------+--------+
    | fpq8diorouhp******** | cert-test | test.ru        | 2022-01-06 17:19:37 | IMPORTED | ISSUED |
    +----------------------+-----------+----------------+---------------------+----------+--------+
- Configure the security groups required for an L7 Application Load Balancer.
- Install the Application Load Balancer ingress controller.
- While you need a NodePort service to work with an L7 Application Load Balancer, Argo CD runs a server with a ClusterIP service. Change the service type:
  - Open the file with the Service object description:
      kubectl -n <namespace> edit svc <app_name>-argocd-server
  - Replace the type value with NodePort:
      spec:
        ...
        type: NodePort
        ...
- The L7 Application Load Balancer removes TLS encryption from inbound traffic. To avoid infinite redirection, disable HTTP to HTTPS redirection for Argo CD:
  - Open the argocd-cmd-params-cm configuration file:
      kubectl -n <namespace> edit configmap argocd-cmd-params-cm
  - Replace the server.insecure value with true:
      data:
        ...
        server.insecure: "true"
        ...
- Create a file named ingress.yaml and specify the settings for your L7 Application Load Balancer in it:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: argocd-ingress
      namespace: argo-cd-space
      annotations:
        ingress.alb.yc.io/subnets: <load_balancer_subnet_ID>
        ingress.alb.yc.io/security-groups: <load_balancer_security_group_ID>
        ingress.alb.yc.io/external-ipv4-address: auto
        ingress.alb.yc.io/group-name: my-ingress-group
    spec:
      tls:
        - hosts:
            - <domain_name>
          secretName: yc-certmgr-cert-id-<TLS_certificate_ID>
      rules:
        - host: <domain_name>
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: argo-cd-argocd-server
                    port:
                      number: 80
  To learn more about these settings, see Configuring an L7 Yandex Application Load Balancer using an ingress controller.
- In the ingress.yaml file directory, run this command:
    kubectl apply -f ingress.yaml
  This will create an Ingress resource. ALB Ingress Controller will use its configuration to automatically deploy your L7 Application Load Balancer.
- Make sure you created the L7 load balancer. To do this, run the following command:
    kubectl get ingress argocd-ingress
  View the command output. If you created the L7 load balancer, its IP address should appear in the ADDRESS field:
    NAME             CLASS    HOSTS           ADDRESS         PORTS     AGE
    argocd-ingress   <none>   <domain_name>   51.250.**.***   80, 443   15h
- Add an A record to your domain's zone. In the Data field, specify the public IP address of your L7 Application Load Balancer.
- Open the https://<domain_name> link in your browser and log in with administrator credentials.
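An added check, not part of the original page or of Argo CD: once server.insecure is "true" the Argo CD server no longer serves TLS itself, so a Service that reaches it directly, such as argocd-load-balancer from the Network Load Balancer section, now carries logins in plaintext. The script reads the output of kubectl -n <namespace> get service,configmap -o json saved to a file; the audit function and the sample objects are assumptions constructed for illustration.

```python
import json
import sys

# Label the page's load-balancer.yaml uses to select the Argo CD server pods.
SERVER_LABEL = ("app.kubernetes.io/name", "argocd-server")

def server_insecure(items):
    """True if argocd-cmd-params-cm sets server.insecure to "true"."""
    for obj in items:
        if obj.get("kind") == "ConfigMap" and obj["metadata"]["name"] == "argocd-cmd-params-cm":
            return str((obj.get("data") or {}).get("server.insecure", "")).lower() == "true"
    return False

def audit(kube_list):
    """Return (service, type, ports) for each Service exposing the TLS-less server."""
    items = kube_list.get("items", [])
    if not server_insecure(items):
        return []  # the server still terminates TLS itself
    findings = []
    for obj in items:
        spec = obj.get("spec") or {}
        selector = spec.get("selector") or {}
        if obj.get("kind") != "Service" or selector.get(SERVER_LABEL[0]) != SERVER_LABEL[1]:
            continue
        svc_type = spec.get("type", "ClusterIP")
        if svc_type in ("LoadBalancer", "NodePort"):  # exposed beyond the cluster-internal network
            ports = [p["port"] for p in spec.get("ports", [])]
            findings.append((obj["metadata"]["name"], svc_type, ports))
    return findings

# Constructed sample (assumption): objects left behind after applying both
# load-balancer.yaml and the server.insecure change, with the app named argo-cd.
SAMPLE = {"items": [
    {"kind": "ConfigMap", "metadata": {"name": "argocd-cmd-params-cm"},
     "data": {"server.insecure": "true"}},
    {"kind": "Service", "metadata": {"name": "argocd-load-balancer"},
     "spec": {"type": "LoadBalancer", "selector": {"app.kubernetes.io/name": "argocd-server"},
              "ports": [{"port": 443, "targetPort": 8080}]}},
    {"kind": "Service", "metadata": {"name": "argo-cd-argocd-server"},
     "spec": {"type": "NodePort", "selector": {"app.kubernetes.io/name": "argocd-server"},
              "ports": [{"port": 80, "targetPort": 8080}, {"port": 443, "targetPort": 8080}]}},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, svc_type, ports in audit(data):
        print(f"{name}: {svc_type} ports {ports} reach argocd-server without TLS")
```

A LoadBalancer entry in the output means the Network Load Balancer Service is still in place; the NodePort entry is the hop the L7 balancer uses, which the security groups should restrict to the balancer.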