
Setting up and Configuring ArgoCD with Rancher

Introduction

It has been a while since I’ve really delved deeper into Kubernetes, and something I’ve wanted to test for a while now is ArgoCD. I’m trying to find one or more use cases for it - I’m sure I’ll find something.

I wanted to put this together as a culmination of research and trial-and-error while trying to get ArgoCD to function and also connect to my Kubernetes cluster so I could actually interact with it and set up applications and deployments.

What’s ArgoCD?

ArgoCD is a GitOps tool that helps you manage and deploy Kubernetes applications, using Git to define an application state and automate that deployment. ArgoCD believes that all things should be declarative, ensuring what you’re intending to deploy is deployed.

Installing ArgoCD

The installation of ArgoCD is pretty straightforward when deploying it within a Kubernetes cluster - which makes sense.

First, download the latest installation manifest from the official GitHub repository:

$ wget https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml -O install.yaml

Next, create a dedicated namespace for your ArgoCD stuff to live in:

$ sudo kubectl create namespace argocd

Finally, install ArgoCD:

$ sudo kubectl apply -n argocd -f install.yaml

Once the installation is complete, you will need to obtain the temporary, initial admin password - keep this handy, you’ll change it later:

$ sudo kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

Then, based on the README from this GitHub repository, specifically Step 2, set ArgoCD to “insecure” mode - sue me; but you can still access over HTTP or HTTPS later.

$ sudo kubectl apply -n argocd -f argocd-cmd-params-cm.yaml

Then, restart the argocd-server deployment:

$ sudo kubectl -n argocd rollout restart deployment argocd-server

Next, we’ll get an ingress setup so we can access the ArgoCD WebUI and start poking around.

Creating an Ingress to Access ArgoCD WebUI

I’m not an expert in this area, I could probably use MetalLB, but this is what I did to get an ingress controller set up so I could access the ArgoCD WebUI. If you’re a professional at this, you’ll probably have a better approach here.

Within Rancher, perform the following steps:

  • Go to “Service Discovery” and select “Ingresses”
  • Click “Create”
  • Ensure the namespace for the Ingress is set to argocd
  • Provide a name, such as argocd-ingress
  • Set the “Request Host” to an internal name, such as argocd.domain.local
  • Set the Path Prefix to /
  • Set the “Target Service” as argocd-server and the “Port” to 80
  • Within the “Default Backend” tab, set the “Target Service” to argocd-server and the “Port” to 80
  • Click “Create”

From here, I would set a local hosts file entry on my machine to point argocd.domain.local to the IP address of the Cluster Node that the argocd-server deployment is running on.

This method is completely unconventional and I’m sorry for not providing a more permanent solution for creating this Ingress.

Connecting a Rancher Cluster to ArgoCD

By default, after installing ArgoCD, it doesn’t know how to reach your intended Kubernetes cluster - especially if you’re in my situation where ArgoCD is installed within a Kubernetes cluster that you’re also trying to deploy other applications to via ArgoCD.

To fix this, we’ll need to provide ArgoCD with some information (credentials, cluster APIs, etc.) so it can reach the intended Kubernetes cluster and actually deploy and manage resources within it.

Create a Service Account in Rancher for Target Cluster

First, you will need to create a “service account” within Rancher. This will allow ArgoCD to act on its behalf: authenticating to the cluster, deploying resources, and so on.

Within Rancher, perform the following steps to create a dedicated service account:

  • Click “Users & Authentication” from the left-side menu
  • Click “Create” in the top-right corner
  • Provide a Username; such as service-argocd
  • Provide a secure password for the account
  • Click “Create” in the bottom-left corner

Next, provide the service account permissions to your cluster. Select the target cluster within Rancher and then, within the “Cluster” drop-down section, select “Cluster and Project Members”:

  • Click “Add”
  • Search for the service account you just created and select it
  • Select “Owner” within the “Cluster Permissions” section
  • Click “Create” in the bottom-left corner

Finally, you will need to generate an API key (bearer token) for the service account you just created. To do this, you will need to log into Rancher as the service account.

  • Log into Rancher as the service account
  • Click the account avatar in the top-right
  • Click “Account & API Keys”
  • Click “Create API Key”
  • Provide a description such as “API Key for ArgoCD”
  • Click the “Scope” drop-down and select the target cluster
  • Click “Create”

Note the “Bearer Token” field - copy that bearer token and keep it handy as you’ll need it in a later section.

Obtain your Cluster ID and Certificate Authority (CA) Data

In order for ArgoCD to interact with the cluster via its API, you’ll need to identify your target cluster’s Cluster ID and obtain the Certificate Authority (CA) Base64 PEM data.

Within Rancher, go to your target cluster. From the top-level menu, click “Download KubeConfig” and then open the file.

Within this file, you’ll find everything you need for the next section:

  • server contains the full URL to your cluster’s API, including the Cluster ID
  • certificate-authority-data contains the CA Base64 PEM data
  • name contains, as an added bonus in case you forgot, the name of your target cluster

Create Secret for ArgoCD to Connect to Cluster

Below is an example secret manifest to provide to the ArgoCD namespace so it can properly connect to your target cluster.

apiVersion: v1
kind: Secret
metadata:
  namespace: argocd
  name: my-awesome-cluster
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: <CLUSTER_NAME_FROM_KUBECONFIG>
  server: <SERVER_URL_FROM_KUBECONFIG>
  config: |
    {
      "bearerToken": "<BEARER_TOKEN_FROM_SERVICE_ACCOUNT>",
      "tlsClientConfig": {
        "insecure": false,
        "caData": "<CA_DATA_FROM_KUBECONFIG>"
      }
    }

The bearerToken is the one you generated as the API key for the ArgoCD service account you created earlier.

Once you’re ready, apply:

$ sudo kubectl apply -n argocd -f cluster-secret.yaml
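
As an added example (not code from this post or from the ArgoCD or Rancher projects), the Python below fills in the secret manifest above from the downloaded KubeConfig and refuses values that would weaken the connection: a non-HTTPS server, CA data that does not decode to a PEM certificate, or a leftover placeholder token. It assumes the KubeConfig has been converted to JSON (for example with kubectl config view --raw -o json) and that the target cluster is the first clusters entry; build_cluster_secret and the sample values are hypothetical.

```python
import base64
import json
from urllib.parse import urlparse


def build_cluster_secret(kubeconfig, bearer_token, secret_name="my-awesome-cluster"):
    """Return an ArgoCD cluster Secret (as a dict) built from a parsed kubeconfig."""
    entry = kubeconfig["clusters"][0]  # assumption: target cluster is listed first
    cluster = entry["cluster"]
    server = cluster["server"]
    ca_data = cluster.get("certificate-authority-data", "")

    if urlparse(server).scheme != "https":
        raise ValueError(f"server must be an https URL, got {server!r}")
    try:
        pem = base64.b64decode(ca_data, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("certificate-authority-data is not valid Base64") from exc
    if not pem.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("certificate-authority-data does not decode to a PEM certificate")
    if not bearer_token or "<" in bearer_token:
        raise ValueError("bearer token is empty or still a placeholder")

    # Same shape as the manifest on this page; certificate verification stays on.
    config = {"bearerToken": bearer_token,
              "tlsClientConfig": {"insecure": False, "caData": ca_data}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"namespace": "argocd", "name": secret_name,
                     "labels": {"argocd.argoproj.io/secret-type": "cluster"}},
        "type": "Opaque",
        "stringData": {"name": entry["name"], "server": server,
                       "config": json.dumps(config)},
    }


# Constructed sample input, shaped like `kubectl config view --raw -o json` output.
SAMPLE_CA = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n").decode()
SAMPLE_KUBECONFIG = {"clusters": [{"name": "my-cluster", "cluster": {
    "server": "https://rancher.domain.local/k8s/clusters/c-example",
    "certificate-authority-data": SAMPLE_CA}}]}

if __name__ == "__main__":
    secret = build_cluster_secret(SAMPLE_KUBECONFIG, "token-constructed:secret")
    print(json.dumps(secret, indent=2))
```

JSON is valid YAML, so the printed manifest can be saved as cluster-secret.yaml and applied with the command above.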

Optional: Use ‘argocd’ CLI to Validate Cluster is Connected

You can use the argocd CLI tool to connect to your ArgoCD instance and verify that the intended cluster is connected to ArgoCD successfully.

$ argocd login <URL_TO_ARGOCD>:<PORT> --username <USER> --password <PASS>

$ argocd cluster list

The output from the argocd cluster list command should now show you the cluster you’ve just added!

Alternatively, and probably much easier, within the ArgoCD WebUI, you can go to the “Settings” section and then “Clusters” to view your clusters there and confirm the “Connection Status” is successful.

Retrospective

I’m not sure what I’ll use ArgoCD for just yet, but it will allow me to continue to cosplay as a DevOps Engineer. This blog is already built using Docker images via a GitLab Runner VM I have set up, but each time I update the Docker image, I need to nudge the current pod to pull the new image. Maybe ArgoCD can take care of that for me?

Also, the word “ArgoCD” appeared 31 times in this post, I think.

References

Here are links to a few tutorials and references that helped me put this all together.

  • https://github.com/jwsy/argocd-rd?tab=readme-ov-file
  • https://github.com/argoproj/argo-cd
This post is licensed under CC BY 4.0 by the author.