ArgoCD¶

ArgoCD is the GitOps continuous delivery tool used to manage applications and infrastructure deployments in the RCIIS project.

Overview¶

ArgoCD monitors Git repositories and automatically synchronizes the desired state with Kubernetes clusters, providing declarative GitOps workflows.

Configuration¶

Deployment Location¶

Configuration: apps/infra/argocd/
Environment: Staging
Chart: Official Argo Helm chart

Repository Structure¶

apps/infra/argocd/
└── staging/
    └── values.yaml

ArgoCD Applications¶

Root Application Pattern¶

App of Apps: apps/rciis/root_app.yaml

The root application manages all other applications using the "App of Apps" pattern:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: rciis-root
  namespace: argocd
spec:
  project: rciis
  source:
    repoURL: git@github.com:MagnaBC/rciis-devops.git
    targetRevision: master
    path: apps/rciis
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

ApplicationSet Strategy¶

Configuration: apps/rciis/appset.yaml

ApplicationSets manage multiple applications across environments:

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: rciis-services
  namespace: argocd
spec:
  generators:
  - matrix:
      generators:
      - git:
          repoURL: git@github.com:MagnaBC/rciis-devops.git
          revision: master
          directories:
          - path: apps/rciis/*
      - list:
          elements:
          - env: testing
            wave: wave1
          - env: staging
            wave: wave2
  template:
    metadata:
      name: '{{path.basename}}-{{env}}'
      annotations:
        argocd.argoproj.io/sync-wave: '{{wave}}'
    spec:
      project: rciis
      sources:
      - repoURL: git@github.com:MagnaBC/rciis-devops.git
        targetRevision: master
        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
        - CreateNamespace=true

Projects and RBAC¶

RCIIS Project¶

Configuration: apps/rciis/project.yaml

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: rciis
  namespace: argocd
spec:
  description: RCIIS Application Project
  sourceRepos:
  - 'git@github.com:MagnaBC/rciis-devops.git'
  - 'https://charts.jetstack.io'
  - 'https://kubernetes.github.io/ingress-nginx'
  - 'oci://harbor.devops.africa/rciis'
  destinations:
  - namespace: '*'
    server: https://kubernetes.default.svc
  clusterResourceWhitelist:
  - group: '*'
    kind: '*'
  namespaceResourceWhitelist:
  - group: '*'
    kind: '*'

Secret Management¶

Repository Credentials¶

Git Repository Access: apps/infra/secrets/staging/rciis-devops-repo.yaml

apiVersion: v1
kind: Secret
metadata:
  name: rciis-devops-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
type: Opaque
stringData:
  type: git
  url: git@github.com:MagnaBC/rciis-devops.git
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    [SOPS ENCRYPTED]
    -----END OPENSSH PRIVATE KEY-----

OCI Registry Access¶

Harbor Registry: apps/infra/secrets/staging/rciis-oci-registry.yaml

apiVersion: v1
kind: Secret
metadata:
  name: rciis-oci-registry
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
type: Opaque
stringData:
  type: helm
  name: harbor-registry
  url: oci://harbor.devops.africa
  username: robot$argocd+pull
  password: [SOPS ENCRYPTED]
  enableOCI: "true"

Multi-Source Applications¶

Pattern Implementation¶

Many applications use multiple sources for values and charts:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: nucleus-staging
spec:
  sources:
  # Values from GitOps repo
  - repoURL: git@github.com:MagnaBC/rciis-devops.git
    targetRevision: master
    path: apps/rciis/nucleus/staging
    ref: values
  # Chart from Harbor registry
  - repoURL: oci://harbor.devops.africa/rciis
    targetRevision: 0.1.306
    chart: rciis
    helm:
      valueFiles:
      - $values/values.yaml

Sync Strategies¶

Rolling Deployment¶

Wave-based Synchronization: 1. Wave 1: Infrastructure and databases 2. Wave 2: Core services and APIs 3. Wave 3: Frontend and integration services

Environment Ordering¶

Testing Environment: First deployment target
Staging Environment: Second deployment target
Production Environment: Final deployment target (disabled)

Sync Policies¶

Automated Sync:

syncPolicy:
  automated:
    prune: true        # Remove resources not in Git
    selfHeal: true     # Automatically fix drift
  syncOptions:
  - CreateNamespace=true  # Auto-create namespaces
  - PrunePropagationPolicy=foreground
  - PruneLast=true

Manual Sync:

syncPolicy: {}  # Manual sync only

Health Checks¶

Custom Health Checks¶

ArgoCD includes custom health checks for various resources:

# Custom health check for StatefulSets
resource.customizations.health.apps_StatefulSet: |
  hs = {}
  if obj.status ~= nil then
    if obj.status.readyReplicas == obj.spec.replicas then
      hs.status = "Healthy"
      hs.message = "All replicas ready"
    else
      hs.status = "Progressing"
      hs.message = "Waiting for replicas"
    end
  end
  return hs

Monitoring and Observability¶

ArgoCD UI¶

Access: Available through ingress controller

Features: - Application status and health - Deployment history and rollback - Resource tree visualization - Sync status and logs

Notifications¶

Slack Integration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-notifications-cm
data:
  service.slack: |
    token: $slack-token
  template.app-deployed: |
    message: |
      Application {{.app.metadata.name}} deployed to {{.app.spec.destination.namespace}}
  trigger.on-deployed: |
    - when: app.status.operationState.phase in ['Succeeded']
      send: [app-deployed]

Application Events¶

Event Monitoring:

# Watch application events
kubectl get events -n argocd --watch

# Check application status
argocd app list

# Get application details
argocd app get <app-name>

Troubleshooting¶

Common Issues¶

Sync Failures: 1. Check repository access 2. Validate Kubernetes permissions 3. Review resource conflicts 4. Check webhook configurations

Out of Sync Status: 1. Compare desired vs actual state 2. Check for manual changes 3. Review prune policies 4. Validate resource health

Diagnostic Commands¶

# Check ArgoCD server status
kubectl get pods -n argocd

# View application logs
kubectl logs -n argocd deployment/argocd-server

# Check repository connection
argocd repo list

# Validate application
argocd app validate <app-name>

# Force sync
argocd app sync <app-name> --force

Security Considerations¶

RBAC Configuration¶

Role-Based Access Control: - Project-level permissions - Namespace restrictions - Resource-level controls - Git repository access

Secret Encryption¶

SOPS Integration: - Repository credentials encrypted - Registry passwords encrypted - Webhook tokens encrypted - Notification tokens encrypted

Network Security¶

TLS Configuration: - HTTPS-only access - Certificate validation - Secure webhook endpoints - Encrypted Git connections

Best Practices¶

Application Design¶

Single Responsibility: One application per service
Environment Separation: Separate apps per environment
Proper Naming: Consistent naming conventions
Resource Limits: Define resource constraints

GitOps Workflow¶

Pull Requests: All changes via PR
Code Review: Mandatory review process
Testing: Automated validation
Rollback Strategy: Quick rollback capability

Monitoring¶

Health Monitoring: Regular health checks
Performance Metrics: Track sync performance
Alert Configuration: Proactive notifications
Audit Logging: Track all changes