Argocd setup on GCP using GCS bucket as storage backend

Snigdha Sambit Aryakumar
4 min read · Feb 4, 2024
https://cloud.google.com/blog/products/containers-kubernetes/building-a-fleet-with-argocd-and-gke

What is Argo CD?

In the dynamic realm of Kubernetes infrastructure, efficient continuous delivery tools are essential. Argo CD, a declarative, GitOps continuous delivery tool designed for Kubernetes environments, addresses the complexities of application deployment, configuration management, and operational efficiency.

Challenges in Kubernetes Deployments

Kubernetes deployments pose challenges in maintaining synchronization between desired and actual states. Manual configuration changes, traditional deployment methods, and the dynamic nature of Kubernetes environments can lead to inconsistencies and increased operational overhead.

Argo CD: A GitOps Solution

Argo CD addresses these challenges by embracing a GitOps approach, where the desired state of applications is defined in a Git repository. This not only streamlines deployment but also provides transparency and collaboration among development and operations teams.

Key Problems Argo CD Solves:

  1. Declarative Application Management: Argo CD allows users to declare the desired state of applications using Git repositories, ensuring alignment with the intended configuration.
  2. Automated Synchronization: Continuously monitoring Git repositories, Argo CD automatically detects and synchronizes changes, minimizing manual intervention and reducing configuration drift.
  3. Rollback and Rollforward: Argo CD provides a straightforward mechanism for rolling back or forward to specific application versions, ensuring a resilient deployment process.
  4. Visibility and Auditability: Argo CD’s web-based interface offers real-time visibility into deployed applications, enabling detailed history and audit logs for tracking changes and troubleshooting issues.
  5. Multi-Cluster Management: Argo CD extends its reach beyond a single Kubernetes cluster, supporting the management of applications across multiple clusters.

Getting Started with Argo CD

Install Argo CD with Helm

helm repo add argo https://argoproj.github.io/argo-helm
kubectl create namespace argocd
helm -n argocd install argo-cd argo/argo-cd

Add Plugins to Support GCS Repo (gs://)

  1. Create a service account with GCS permissions.

gcloud iam service-accounts create [SERVICE_ACCOUNT_NAME] --description="[DESCRIPTION]" --display-name="[DISPLAY_NAME]"

Replace [SERVICE_ACCOUNT_NAME], [DESCRIPTION], and [DISPLAY_NAME] with your desired values.

Example:

gcloud iam service-accounts create argocd-gcs-sa --description="Service account for Argo CD GCS access" --display-name="ArgoCD GCS SA"

  2. Grant the service account the permissions it needs, such as roles/storage.objectViewer for read access to GCS. Use the following command (note that it binds the role at project level; binding it on the Helm bucket alone is the tighter option):

gcloud projects add-iam-policy-binding [PROJECT_ID] --member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" --role="roles/storage.objectViewer"

Replace [PROJECT_ID] with your project ID and [SERVICE_ACCOUNT_EMAIL] with the email address of the service account created in the previous step.

Example:

gcloud projects add-iam-policy-binding your-project-id --member="serviceAccount:argocd-gcs-sa@your-project-id.iam.gserviceaccount.com" --role="roles/storage.objectViewer"

  3. Create a key file for the service account:

gcloud iam service-accounts keys create [KEY_FILE_PATH] --iam-account=[SERVICE_ACCOUNT_EMAIL]

Replace [KEY_FILE_PATH] with the desired path and filename for the key file, and [SERVICE_ACCOUNT_EMAIL] with the email address of the service account.

Example:

gcloud iam service-accounts keys create ~/Downloads/argocd-gcs-sa-key.json --iam-account=argocd-gcs-sa@your-project-id.iam.gserviceaccount.com

This command creates a JSON key file containing the service account's private key. Anyone holding the file can read the bucket, so keep it out of the Git repository and load it into the cluster only as a Secret.

There are two ways to add the GCS plugin:

1. Use an init container

# values.yaml
# Key-based variant: the service account key is mounted from the helm-credentials secret
repoServer:
  volumes:
    - name: gcloud
      secret:
        secretName: helm-credentials
  volumeMounts:
    - mountPath: /gcloud
      name: gcloud
  env:
    - name: HELM_PLUGINS
      value: /helm-working-dir/plugins/
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /gcloud/key.json
  initContainers:
    - name: install-helm-plugins
      image: alpine/helm:3.8.0
      volumeMounts:
        # helm-working-dir is the emptyDir volume the chart already defines for the repo server
        - mountPath: /helm-working-dir
          name: helm-working-dir
        - mountPath: /gcloud
          name: gcloud
      env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /gcloud/key.json
        - name: HELM_PLUGINS
          value: /helm-working-dir/plugins
      command: ["/bin/sh", "-c"]
      args:
        - apk --no-cache add curl;
          helm plugin install https://github.com/hayorov/helm-gcs.git;
          helm repo add example gs://example-helm;

2. Use an init container with Workload Identity (no key file is mounted)

# values.yaml
# Workload Identity variant: the repo-server Kubernetes service account is mapped to a GCP service account
repoServer:
  serviceAccount:
    annotations:
      # the GCP service account must also grant roles/iam.workloadIdentityUser to this Kubernetes service account
      iam.gke.io/gcp-service-account: argocd-repo-server@your-project-id.iam.gserviceaccount.com
  env:
    - name: HELM_PLUGINS
      value: /helm-working-dir/plugins/
  initContainers:
    - name: install-helm-plugins
      image: alpine/helm:3.8.0
      volumeMounts:
        - mountPath: /helm-working-dir
          name: helm-working-dir
      env:
        - name: HELM_PLUGINS
          value: /helm-working-dir/plugins
      command: ["/bin/sh", "-c"]
      args:
        - apk --no-cache add curl;
          helm plugin install https://github.com/hayorov/helm-gcs.git;
          helm repo add example gs://example-helm;

Create a secret from the service account key file generated earlier. This is only needed for the first, key-based variant; the Workload Identity variant mounts no key.

# secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: helm-credentials
  namespace: argocd
type: Opaque
data:
  # base64 of the key file contents, e.g. base64 -w0 argocd-gcs-sa-key.json
  key.json: base64_encoded_service_account_key

Upgrade Argo CD and apply the secret object

# Update config
helm -n argocd upgrade argo-cd argo/argo-cd -f values.yaml
kubectl -n argocd apply -f secrets.yaml

Setup Google SSO

Argo CD supports various methods for Google Single Sign-On (SSO). In this guide, we’ll utilize OpenID Connect using Dex with RBAC to integrate Google SSO and restrict access based on roles.

Configure the argocd-iap-oauth-client Secret

Create the argocd-iap-oauth-client secret containing the clientID and clientSecret of the new OAuth Client ID, then reference it from the Dex configuration.

# argocd-iap-oauth-client-secret.yaml
apiVersion: v1
data:
  # these go under data, not stringData, so the values must already be base64-encoded
  client_id: {{ .Values.oauthSecret.data.clientId }}
  client_secret: {{ .Values.oauthSecret.data.clientSecret }}
kind: Secret
metadata:
  labels:
    app: {{ .Chart.Name }}
    release: {{ .Release.Name }}
    # Argo CD only resolves $secret:key references from secrets carrying this label
    app.kubernetes.io/part-of: argocd
  name: {{ .Values.oauthSecret.name }}
  namespace: {{ .Release.Namespace }}
type: Opaque

Integrate with Dex Configuration

Use the configured secret in the Dex configuration:

# values.yaml
oauthSecret:
  name: argocd-iap-oauth-client

argo-cd:
  configs:
    params:
      server.disable.auth: false
      server.insecure: false
    rbac:
      create: true
      # empty default: users not listed below get no access
      policy.default: ""
      policy.csv: |
        g, user@example.com, role:admin
        g, anotheruser@example.com, role:admin
      scopes: "[email]"
    cm:
      dex.config: |
        connectors:
          - type: oidc
            id: google
            name: Google
            config:
              issuer: https://accounts.google.com
              # $<secret-name>:<key> is resolved by Argo CD from the secret created above
              clientID: $argocd-iap-oauth-client:client_id
              clientSecret: $argocd-iap-oauth-client:client_secret
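As an added preflight check (not part of the original post or of Argo CD itself), the following script validates the wiring between the secret manifest and the values above: that the secret carries the app.kubernetes.io/part-of: argocd label Argo CD requires for $secret:key references, that every reference in dex.config resolves to a key of that secret, and that the RBAC policy sets no default role and maps users only to defined roles. The manifests are embedded as constructed Python dicts and strings rather than parsed from the YAML files.

```python
import csv
import re
from io import StringIO

# Constructed samples mirroring the manifests in this post (not the rendered chart output).
SECRET = {
    "metadata": {"name": "argocd-iap-oauth-client",
                 "labels": {"app.kubernetes.io/part-of": "argocd"}},
    "data": {"client_id": "c2FtcGxl", "client_secret": "c2FtcGxl"},
}
DEX_CONFIG = """connectors:
  - type: oidc
    config:
      clientID: $argocd-iap-oauth-client:client_id
      clientSecret: $argocd-iap-oauth-client:client_secret
"""
POLICY_CSV = "g, user@example.com, role:admin\ng, anotheruser@example.com, role:admin\n"

# Argo CD resolves $<secret-name>:<key> in dex.config from labelled secrets in its namespace.
SECRET_REF = re.compile(r"\$([A-Za-z0-9][A-Za-z0-9.-]*):([A-Za-z0-9._-]+)")
BUILTIN_ROLES = {"role:admin", "role:readonly"}

def check_secret_refs(secret, dex_config):
    """Problems that would stop Argo CD from resolving the Dex client credentials."""
    problems = []
    labels = secret.get("metadata", {}).get("labels", {})
    if labels.get("app.kubernetes.io/part-of") != "argocd":
        problems.append("secret lacks label app.kubernetes.io/part-of=argocd")
    name = secret["metadata"]["name"]
    for ref_name, key in SECRET_REF.findall(dex_config):
        if ref_name != name:
            problems.append(f"dex.config references unknown secret {ref_name}")
        elif key not in secret.get("data", {}):
            problems.append(f"key {key} missing from secret {name}")
    return problems

def check_rbac(policy_csv, policy_default, scopes):
    """Problems in the RBAC policy: open default, undefined roles, subjects not matching scopes."""
    problems = []
    if policy_default:
        problems.append(f"policy.default={policy_default!r} grants every signed-in user access")
    rows = [r for r in csv.reader(StringIO(policy_csv), skipinitialspace=True) if r]
    defined = {r[1] for r in rows if r[0] == "p"} | BUILTIN_ROLES  # roles declared by p lines
    for r in rows:
        if r[0] == "g" and len(r) == 3:
            if r[2] not in defined:
                problems.append(f"{r[1]} mapped to undefined role {r[2]}")
            if "email" in scopes and "@" not in r[1]:
                problems.append(f"subject {r[1]} is not an email but scopes is {scopes}")
    return problems
```

Run both checks against the rendered secret and the values file before the helm upgrade; an empty list from each means the SSO login will find its credentials and unlisted users get no access.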

Apply the secret and update the Argo CD configuration:

kubectl apply -f argocd-iap-oauth-client-secret.yaml
helm -n argocd upgrade argo-cd argo/argo-cd -f values.yaml

Now, your Argo CD instance is configured to use Google SSO with RBAC for user access management.

Manage Argo CD in Production

  1. Install Argo CD manually using Helm following the above steps.
  2. Apply Argo CD application set to manage itself.
  3. Add a cluster:

argocd cluster add your-cluster-name --label env=your-environment

Replace placeholder values such as user@example.com, anotheruser@example.com, your-cluster-name, your-environment, and others with your actual configuration.


Technical Lead @ Travix International | Helps building and delivering software faster