ArgoCD Advanced Use Cases

Detailed guide for advanced ArgoCD scenarios including private repositories, custom health checks, and more

ArgoCD Advanced Use Cases

This guide covers advanced ArgoCD scenarios and configurations for enterprise deployments.

Video Tutorial

Learn more about advanced ArgoCD use cases in this comprehensive video tutorial:


Private Repository Setup

1. SSH Key Authentication

# Repository credential for Argo CD. The secret-type label is what marks this
# Secret as a repository definition.
# Keep real key material out of Git: create the Secret out-of-band or through a
# secret-management workflow, and prefer a read-only deploy key that is scoped
# to this one repository.
# Argo CD verifies the Git server's SSH host key against its known-hosts list
# (argocd-ssh-known-hosts-cm); add an entry for a self-hosted server rather
# than turning verification off.
apiVersion: v1
kind: Secret
metadata:
  name: private-repo-ssh
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: 'git@github.com:org/repo.git'
  # Placeholder only - never paste a real private key into a tracked file.
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    your_private_key_here
    -----END OPENSSH PRIVATE KEY-----

2. HTTPS Authentication

# Repository credential for an HTTPS remote, using a username plus a personal
# access token in the password field.
# Issue the token with the narrowest scope that still allows cloning (read-only
# on this repository where the provider supports it), give it an expiry, and
# keep the real value out of Git.
apiVersion: v1
kind: Secret
metadata:
  name: private-repo-https
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: 'https://github.com/org/repo.git'
  username: git-user
  # Placeholder only - supply the token at deploy time, not in a tracked file.
  password: personal-access-token

3. Repository Certificate

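# TLS client certificate and key for an HTTPS repository.
# The client key is confidential, so it is declared in a repository Secret (the
# same mechanism as the SSH and HTTPS examples) rather than in the argocd-cm
# ConfigMap. ConfigMap data is readable by anything with ConfigMap access in
# the namespace and is not covered by the controls a cluster applies to
# Secrets, such as tighter RBAC or encryption at rest.
# Keep the real certificate and key out of Git; create the Secret out-of-band
# or through a secret-management workflow.
apiVersion: v1
kind: Secret
metadata:
  name: private-repo-tls
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: https://private.git.server.com/org/repo
  # PEM-encoded client certificate presented to the Git server.
  tlsClientCertData: |
    -----BEGIN CERTIFICATE-----
    your_cert_data
    -----END CERTIFICATE-----
  # PEM-encoded private key for that certificate (placeholder only).
  tlsClientCertKey: |
    -----BEGIN PRIVATE KEY-----
    your_key_data
    -----END PRIVATE KEY-----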

Custom Health Checks

1. Resource Health Check

# Custom health check for Strimzi Kafka resources. The script is Lua; it reads
# the live resource as `obj` and returns a table with `status` and `message`.
# Merge this key into the existing argocd-cm instead of applying the snippet as
# a separate object: other examples on this page define the same ConfigMap with
# different keys.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  # Returns Healthy (carrying the condition's message) as soon as a condition
  # of type "Ready" has status "True"; every other state falls through to
  # Progressing with a fixed message.
  # NOTE(review): nothing here returns Degraded, so a Kafka cluster that has
  # failed keeps showing as Progressing - confirm that is the intended signal.
  resource.customizations.health.kafka.strimzi.io_Kafka: |
    hs = {}
    if obj.status ~= nil then
      if obj.status.conditions ~= nil then
        for i, condition in ipairs(obj.status.conditions) do
          if condition.type == "Ready" and condition.status == "True" then
            hs.status = "Healthy"
            hs.message = condition.message
            return hs
          end
        end
      end
    end
    hs.status = "Progressing"
    hs.message = "Waiting for kafka cluster"
    return hs

2. Custom Sync Status

# Per-kind customizations declared under the single `resource.customizations`
# key: one entry suppresses a diff, the other defines a Lua health check.
# NOTE(review): the Kafka example on this page uses the split-key form
# (`resource.customizations.health.<group>_<kind>`); confirm which form the
# Argo CD release in use expects before mixing the two.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  resource.customizations: |
    admissionregistration.k8s.io/MutatingWebhookConfiguration:
      ignoreDifferences: |
        jsonPointers:
        - /webhooks/0/clientConfig/caBundle
    certmanager.k8s.io/Certificate:
      health.lua: |
        hs = {}
        if obj.status ~= nil then
          if obj.status.conditions ~= nil then
            for i, condition in ipairs(obj.status.conditions) do
              if condition.type == "Ready" and condition.status == "True" then
                hs.status = "Healthy"
                return hs
              end
            end
          end
        end
        hs.status = "Progressing"
        return hs
# The ignoreDifferences pointer covers the caBundle of the first webhook entry
# only (index 0). While it is ignored, a change to that CA bundle no longer
# shows up as drift in Argo CD, so changes to the webhook's trust anchor need
# to be watched by some other means.
# NOTE(review): the health check is keyed on the `certmanager.k8s.io` API
# group; current cert-manager releases serve `cert-manager.io` - confirm which
# group the cluster's Certificate CRD uses, since the key must match it.

Advanced Application Configurations

1. Multi-Environment Setup

# ApplicationSet that stamps out one Application per list element (dev,
# staging, prod), substituting the element's fields into the template.
# Review points before using this for production:
#   - every environment tracks `HEAD`, so prod deploys whatever the default
#     branch points to at sync time; pin prod to a tag or commit if changes
#     must be promoted deliberately;
#   - `project: default` is the most permissive project unless it has been
#     locked down; a dedicated AppProject per environment can restrict the
#     allowed source repositories and destinations;
#   - each `url` must match a cluster already registered with Argo CD.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: multi-env-app
  namespace: argocd
spec:
  generators:
    - list:
        elements:
          - cluster: dev
            url: 'https://kubernetes.default.svc'
            values:
              env: dev
              replicas: 1
          - cluster: staging
            url: 'https://staging-cluster:6443'
            values:
              env: staging
              replicas: 2
          - cluster: prod
            url: 'https://prod-cluster:6443'
            values:
              env: prod
              replicas: 3
  template:
    metadata:
      name: "{{values.env}}-app"
    spec:
      project: default
      destination:
        server: "{{url}}"
        namespace: "{{values.env}}"
      source:
        repoURL: 'https://github.com/org/app.git'
        targetRevision: HEAD
        path: 'kubernetes/{{values.env}}'
        helm:
          # Inline Helm values; the placeholders are filled in per element.
          values: |
            environment: {{values.env}}
            replicaCount: {{values.replicas}}

2. Canary Deployments

# Application that renders the `kubernetes` path through a plugin, followed by
# the Rollout it is expected to deliver.
# NOTE(review): `argocd-rollouts` is referenced as a config management plugin
# by name, but nothing on this page registers a plugin with that name -
# confirm it exists on the repo-server before relying on this example.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: canary-app
  namespace: argocd
spec:
  project: default
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: default
  source:
    repoURL: 'https://github.com/org/app.git'
    targetRevision: HEAD
    path: kubernetes
    plugin:
      name: argocd-rollouts
---
# Canary strategy: traffic weight rises in 20-point steps with a one-hour
# pause after each step.
# This Rollout is trimmed to the strategy; it shows no pod selector or pod
# template, so it is not applicable as written.
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: canary-rollout
spec:
  replicas: 5
  strategy:
    canary:
      steps:
        - setWeight: 20
        - pause:
            duration: 1h
        - setWeight: 40
        - pause:
            duration: 1h
        - setWeight: 60
        - pause:
            duration: 1h
        - setWeight: 80
        - pause:
            duration: 1h

Custom Plugin Integration

1. Plugin Configuration

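# Registers a config management plugin named `kustomized-helm`: `init` runs
# once to fetch chart dependencies, `generate` produces the manifests.
# Both commands run through /bin/sh inside Argo CD against the checked-out
# repository, so the repository's contents decide what they process:
#   - `helm dependency build` downloads whatever charts the repo's chart
#     metadata names;
#   - anyone who can write to a repository used with this plugin influences
#     the input to these commands.
# Limit which projects and repositories may use the plugin accordingly.
# NOTE(review): declaring plugins under `configManagementPlugins` in argocd-cm
# is the older mechanism; newer Argo CD releases run plugins as repo-server
# sidecars instead - check what the release in use supports.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  configManagementPlugins: |
    - name: kustomized-helm
      init:
        command: ["/bin/sh", "-c"]
        args: ["helm dependency build"]
      generate:
        command: ["/bin/sh", "-c"]
        args: ["helm template . > all.yaml && kustomize build"]
# `kustomize build` reads the kustomization in the working directory, not
# stdin, so piping `helm template` into it would discard the rendered chart.
# The chart output is written to all.yaml instead; the repo's
# kustomization.yaml has to list all.yaml as a resource for it to be included.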

2. Plugin Usage

# Application that selects the `kustomized-helm` plugin by name.
# Trimmed example: no namespace or destination is shown.
# The plugin's shell commands run over this repository's checkout, so write
# access to the repository is also the ability to shape what those commands
# process; review who can push to it and who can create Applications that
# reference the plugin.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: plugin-app
spec:
  project: default
  source:
    path: kubernetes
    repoURL: 'https://github.com/org/app.git'
    targetRevision: HEAD
    plugin:
      name: kustomized-helm

Advanced Sync Options

1. Selective Sync

# Automated sync policy with a set of sync options (trimmed to `syncPolicy`).
# With `automated` plus `prune`, a commit to the tracked revision both creates
# and deletes cluster resources without a manual step, so branch protection
# and review on the source repository are part of the cluster's access control.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: selective-sync
spec:
  syncPolicy:
    automated:
      # Revert changes made directly in the cluster.
      selfHeal: true
      # Delete resources that are no longer present in Git.
      prune: true
    syncOptions:
      # Skips resource validation on apply. Leave validation on unless a
      # specific resource type needs this, since malformed manifests are then
      # no longer rejected before they are applied.
      - Validate=false
      # Creates the destination namespace when it does not exist.
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
      - PruneLast=true
      - RespectIgnoreDifferences=true

2. Sync Waves

# Application that reads manifests recursively from `kubernetes`.
# `recurse: true` picks up every manifest under the path, including files
# added later in subdirectories, so review changes to the whole tree.
# NOTE(review): the `wave` external variable is only a value handed to
# Jsonnet; the ordering itself comes from the sync-wave annotation on each
# resource, as on the ConfigMap below.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: wave-sync
spec:
  source:
    repoURL: 'https://github.com/org/app.git'
    targetRevision: HEAD
    path: kubernetes
    directory:
      recurse: true
      jsonnet:
        extVars:
          - name: wave
            value: "1"
---
# Resource assigned to sync wave 1. The value stays quoted because annotation
# values must be strings.
apiVersion: v1
kind: ConfigMap
metadata:
  name: wave-config
  annotations:
    argocd.argoproj.io/sync-wave: "1"

Resource Hooks

1. Pre-Sync Hook

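# Job run by Argo CD before each sync (PreSync hook). It is deleted once it
# succeeds; a failed run is left in place for inspection.
# Hook Jobs execute inside the cluster on every sync, so the pod is given only
# what it needs: no service-account token and an unprivileged, read-only
# container.
apiVersion: batch/v1
kind: Job
metadata:
  name: pre-sync-job
  annotations:
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  template:
    spec:
      # The hook only prints a message and never calls the Kubernetes API.
      automountServiceAccountToken: false
      containers:
      - name: pre-sync
        # `latest` is a mutable tag: the image that runs can change between
        # syncs. Pin a reviewed version (ideally by digest) for real hooks.
        image: alpine:latest
        command: ["sh", "-c", "echo 'Preparing for sync'"]
        securityContext:
          # Run as an unprivileged user instead of the image's default root.
          runAsNonRoot: true
          runAsUser: 65534
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
      restartPolicy: Never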

2. Post-Sync Hook

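# Job run by Argo CD after a sync (PostSync hook). It is deleted once it
# succeeds; a failed run is left in place for inspection.
# Hook Jobs execute inside the cluster on every sync, so the pod is given only
# what it needs: no service-account token and an unprivileged, read-only
# container.
apiVersion: batch/v1
kind: Job
metadata:
  name: post-sync-job
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  template:
    spec:
      # The hook only prints a message and never calls the Kubernetes API.
      automountServiceAccountToken: false
      containers:
      - name: post-sync
        # `latest` is a mutable tag: the image that runs can change between
        # syncs. Pin a reviewed version (ideally by digest) for real hooks.
        image: alpine:latest
        command: ["sh", "-c", "echo 'Sync completed'"]
        securityContext:
          # Run as an unprivileged user instead of the image's default root.
          runAsNonRoot: true
          runAsUser: 65534
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
      restartPolicy: Never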

Advanced Security Configurations

1. OIDC Configuration

# OIDC single sign-on settings for Argo CD, shown with Okta as the provider.
# Merge `oidc.config` into the existing argocd-cm instead of applying this
# snippet as a separate object: other examples on this page define the same
# ConfigMap with different keys, and this key controls who can log in.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  # `clientSecret` is a `$`-prefixed reference, not the secret itself: Argo CD
  # resolves it from the key `oidc.okta.clientSecret` in the argocd-secret
  # Secret, which keeps the value out of this ConfigMap. Keep it that way.
  # The `groups` scope and the essential `groups` ID-token claim request the
  # user's group membership from the provider.
  # NOTE(review): `issuer` and `clientID` are placeholders - the issuer must
  # be the exact URL of the identity provider tenant in use.
  oidc.config: |
    name: Okta
    issuer: https://dev-123456.okta.com
    clientID: your-client-id
    clientSecret: $oidc.okta.clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]
    requestedIDTokenClaims:
      groups:
        essential: true

2. Fine-grained RBAC

# Argo CD RBAC policy. `p` lines grant a role an action on a resource
# (p, subject, resource, action, object, effect); `g` lines bind a group to a
# role.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # role:org-admin - every action on every application in every project
  #   (`*` on `*/*`), read access to clusters, repositories and projects, and
  #   permission to register new repositories.
  # role:developer - may view and sync applications matching `*/*`, which is
  #   every application in every project, production included. Narrow the
  #   object to `<project>/*` where developers should only reach their own
  #   projects.
  # The group names in the `g` lines must match the group values the identity
  # provider sends exactly.
  # NOTE(review): the `org:team` form looks like a Git-provider team name;
  # confirm it is what the configured provider actually emits.
  # NOTE(review): no `policy.default` is set in this snippet - confirm what
  # access users without a group mapping receive.
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, projects, get, *, allow
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    g, org:team-admin, role:org-admin
    g, org:team-dev, role:developer

Conclusion

These advanced use cases demonstrate ArgoCD’s flexibility in handling complex enterprise scenarios. Regular testing and documentation of custom configurations are essential.

Additional Resources