ArgoCD Setup Guide for Google Cloud Platform

Complete guide for setting up ArgoCD on Google Kubernetes Engine (GKE)

This guide provides detailed instructions for setting up ArgoCD on Google Kubernetes Engine (GKE), including GCP-specific configurations and integrations.

Prerequisites

  • Google Cloud SDK installed and configured
  • kubectl configured for GKE
  • gcloud CLI authenticated
  • Required GCP IAM permissions

GKE Cluster Setup

1. Create GKE Cluster

gcloud container clusters create argocd-cluster \
  --region us-central1 \
  --node-locations us-central1-a,us-central1-b \
  --num-nodes 3 \
  --machine-type e2-standard-4 \
  --enable-autoscaling \
  --min-nodes 3 \
  --max-nodes 10 \
  --enable-autorepair \
  --enable-autoupgrade \
  --enable-ip-alias \
  --workload-pool=PROJECT_ID.svc.id.goog

2. Configure Workload Identity

# Kubernetes service account used by the application controller; the annotation
# binds it to the Google service account created below (Workload Identity).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-application-controller
  namespace: argocd
  annotations:
    iam.gke.io/gcp-service-account: argocd-sa@PROJECT_ID.iam.gserviceaccount.com
---
# Config Connector resource that creates the Google service account argocd-sa
# (apply it in the namespace Config Connector maps to PROJECT_ID)
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: argocd-sa
spec:
  displayName: ArgoCD Service Account

ArgoCD Installation

1. Install ArgoCD

kubectl create namespace argocd
# "stable" tracks the latest release; pin a release tag in the URL for reproducible installs
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

2. Configure Cloud Load Balancer

# GKE Ingress is selected with the kubernetes.io/ingress.class annotation (GKE Ingress
# does not use spec.ingressClassName). Before applying this manifest:
#   - reserve the global address: gcloud compute addresses create argocd-static-ip --global
#   - create a ManagedCertificate (networking.gke.io/v1) named argocd-certificate in the
#     argocd namespace for argocd.example.com
#   - a backend port of 443 makes the load balancer speak HTTPS to argocd-server, so the
#     argocd-server Service needs the annotation
#     cloud.google.com/app-protocols: '{"https":"HTTPS"}' (its port named "https")
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: "argocd-static-ip"
    networking.gke.io/managed-certificates: "argocd-certificate"
spec:
  rules:
  - host: argocd.example.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: argocd-server
            port:
              number: 443

GCP IAM Integration

1. Service Account Setup

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: argocd-workload-identity
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: argocd-sa
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:PROJECT_ID.svc.id.goog[argocd/argocd-application-controller]

2. Required IAM Roles

# Both grants below are project-wide (no resourceRef): container.admin and
# storage.admin give the Argo CD GSA full control of every GKE cluster and bucket in
# the project. Scope them with a resourceRef wherever possible, as the bucket-level
# binding in the GCS section does.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argocd-gke-admin
spec:
  member: serviceAccount:argocd-sa@PROJECT_ID.iam.gserviceaccount.com
  role: roles/container.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argocd-storage-admin
spec:
  member: serviceAccount:argocd-sa@PROJECT_ID.iam.gserviceaccount.com
  role: roles/storage.admin
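A pre-apply check for the three manifests that must agree for Workload Identity to work (the KSA annotation, the IAMPolicy member and the workload pool), plus a scan for project-wide admin grants like the two above. This is an added example, not part of this guide or of Argo CD; it takes manifests as already-parsed dicts (for example the output of `yaml.safe_load_all`), and the sample data is transcribed from this page's manifests with a constructed bucket-scoped binding for contrast.

```python
import re

# Workload Identity member syntax: serviceAccount:POOL[NAMESPACE/KSA]
WI_MEMBER = re.compile(r"^serviceAccount:([^\[]+)\[([^/\]]+)/([^\]]+)\]$")


def wi_findings(ksa, policy, pool):
    """Return mismatches between a KSA, its IAMPolicy and the workload pool."""
    out = []
    ns, name = ksa["metadata"]["namespace"], ksa["metadata"]["name"]
    gsa = ksa["metadata"].get("annotations", {}).get("iam.gke.io/gcp-service-account")
    if not gsa:
        out.append(f"{ns}/{name}: missing iam.gke.io/gcp-service-account annotation")
    elif not gsa.startswith(policy["spec"]["resourceRef"]["name"] + "@"):
        out.append(f"{ns}/{name}: annotation names {gsa} but IAMPolicy targets another GSA")
    # members granted roles/iam.workloadIdentityUser on the GSA
    bound = [m for b in policy["spec"]["bindings"]
             if b["role"] == "roles/iam.workloadIdentityUser" for m in b["members"]]
    out += [f"malformed Workload Identity member: {m}" for m in bound if not WI_MEMBER.match(m)]
    if f"serviceAccount:{pool}[{ns}/{name}]" not in bound:
        out.append(f"{ns}/{name}: no workloadIdentityUser binding in pool {pool}")
    return out


def broad_role_findings(members):
    """Flag IAMPolicyMember objects granting an admin role with no resourceRef,
    i.e. project-wide, like the container.admin and storage.admin grants above."""
    return [f"{m['metadata']['name']}: {m['spec']['role']} granted project-wide"
            for m in members
            if m["spec"]["role"].lower().endswith("admin") and "resourceRef" not in m["spec"]]


# Constructed sample input, transcribed from the manifests in this guide.
POOL = "PROJECT_ID.svc.id.goog"
GSA = "argocd-sa@PROJECT_ID.iam.gserviceaccount.com"
KSA = {"metadata": {"name": "argocd-application-controller", "namespace": "argocd",
                    "annotations": {"iam.gke.io/gcp-service-account": GSA}}}
POLICY = {"spec": {"resourceRef": {"name": "argocd-sa"},
                   "bindings": [{"role": "roles/iam.workloadIdentityUser",
                                 "members": [f"serviceAccount:{POOL}[argocd/argocd-application-controller]"]}]}}
MEMBERS = [
    {"metadata": {"name": "argocd-gke-admin"},
     "spec": {"member": f"serviceAccount:{GSA}", "role": "roles/container.admin"}},
    {"metadata": {"name": "argocd-storage-object-admin"},  # bucket-scoped: not flagged
     "spec": {"member": f"serviceAccount:{GSA}", "role": "roles/storage.objectAdmin",
              "resourceRef": {"kind": "StorageBucket", "name": "argocd-backup"}}},
]

if __name__ == "__main__":
    for finding in wi_findings(KSA, POLICY, POOL) + broad_role_findings(MEMBERS):
        print("FINDING:", finding)
```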

Secret Management

1. Google Secret Manager Integration

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-secret-store
  namespace: argocd
spec:
  provider:
    gcpsm:
      projectID: PROJECT_ID
      auth:
        workloadIdentity:
          # cluster whose KSA token is exchanged for GCP credentials (both required)
          clusterLocation: us-central1
          clusterName: argocd-cluster
          # KSA annotated with iam.gke.io/gcp-service-account above; the GSA it maps to
          # needs roles/secretmanager.secretAccessor on the secrets read below. A
          # dedicated KSA/GSA pair with only that role is the least-privilege option.
          serviceAccountRef:
            name: argocd-application-controller

2. External Secrets Configuration

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: argocd-secrets
  namespace: argocd
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-secret-store
    kind: SecretStore
  target:
    name: argocd-secret
    # argocd-secret already exists after install (it also holds TLS material);
    # Merge writes only the keys below instead of taking ownership of the Secret
    creationPolicy: Merge
  data:
  # the Secret Manager value must be the bcrypt hash Argo CD expects in admin.password
  - secretKey: admin.password
    remoteRef:
      key: argocd-admin-password
  # server.secretkey signs user sessions; rotating it invalidates every existing login
  - secretKey: server.secretkey
    remoteRef:
      key: argocd-server-secret

GCS Integration

1. Backup Configuration

# Caveat: backup.* are not keys Argo CD reads from argocd-cm. The supported way to
# back up Argo CD state is `argocd admin export -n argocd`, run from a CronJob on the
# schedule below that copies the output to the bucket (see the GCS IAM binding).
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  backup.destination: gs://argocd-backup/
  backup.schedule: "0 * * * *"

2. GCS IAM Configuration

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argocd-storage-object-admin
spec:
  member: serviceAccount:argocd-sa@PROJECT_ID.iam.gserviceaccount.com
  role: roles/storage.objectAdmin
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: argocd-backup

Cloud Operations Integration

1. Cloud Monitoring Setup

# Google Cloud Managed Service for Prometheus scrapes pods through PodMonitoring
# (kind ServiceMonitor belongs to the Prometheus Operator API monitoring.coreos.com/v1).
# Requires managed collection on the cluster (--enable-managed-prometheus).
apiVersion: monitoring.googleapis.com/v1
kind: PodMonitoring
metadata:
  name: argocd-metrics
  namespace: argocd
spec:
  selector:
    matchLabels:
      # pod label of the application controller, which exposes container port "metrics" (8082)
      app.kubernetes.io/name: argocd-application-controller
  endpoints:
  - port: metrics
    interval: 30s

2. Cloud Logging Configuration

# Log format and level are read from argocd-cmd-params-cm, per component
# (server.*, controller.*, reposerver.*); JSON logs are parsed as structured by Cloud Logging.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  namespace: argocd
data:
  server.log.format: json
  server.log.level: info
---
# UI setting in argocd-cm; merge with the argocd-cm defined in the GCS section,
# since applying a second argocd-cm replaces the first
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  google.analytics.trackingID: UA-XXXXXXXXX-Y

Auto Scaling Configuration

1. Horizontal Pod Autoscaling

# A CPU utilization target only works if the argocd-server container declares
# resources.requests.cpu; the upstream install.yaml sets no requests, so patch the
# Deployment first or the HPA reports the metric as <unknown>.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: argocd-server
  namespace: argocd
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: argocd-server
  minReplicas: 2
  maxReplicas: 5
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 80

2. Node Pool Autoscaling

apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerNodePool
metadata:
  name: argocd-node-pool
spec:
  location: us-central1
  # Config Connector references the cluster through clusterRef
  clusterRef:
    name: argocd-cluster
  initialNodeCount: 3
  autoscaling:
    minNodeCount: 3
    maxNodeCount: 10
  nodeConfig:
    machineType: e2-standard-4
    # Node service account. With Workload Identity, pods get their GCP identity from
    # the KSA annotation, so the node SA should be a minimal one (logging/monitoring
    # writer, image pull) rather than the Argo CD GSA that holds container.admin.
    serviceAccountRef:
      name: argocd-sa

Best Practices Checklist

  1. Enable Workload Identity
  2. Configure Cloud Load Balancer
  3. Set up GCS backup
  4. Enable Cloud Operations monitoring
  5. Configure autoscaling
  6. Implement secret management
  7. Enable encryption
  8. Regular backups
  9. Monitor costs
  10. Security compliance

Cost Optimization

1. Node Pool Configuration

# Spot nodes can be reclaimed at any time; keep the non-spot pool above for the
# controller and redis, and schedule only tolerant workloads here.
apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerNodePool
metadata:
  name: argocd-spot-pool
spec:
  location: us-central1
  clusterRef:
    name: argocd-cluster
  initialNodeCount: 3
  nodeConfig:
    spot: true
    machineType: e2-standard-4
  autoscaling:
    minNodeCount: 3
    maxNodeCount: 10

2. Resource Quotas

# Caveat: once a quota constrains requests.* and limits.*, every pod created in the
# namespace must declare requests and limits or admission rejects it. The upstream
# Argo CD manifests set neither, so add them (or a LimitRange with defaults) first.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: argocd-quota
  namespace: argocd
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi

Security Hardening

1. Binary Authorization

# Declaring the cluster here puts it under Config Connector management (it acquires
# the cluster created by gcloud in step 1 by name). Enforcement is only as strong as
# the project's Binary Authorization policy: the default policy allows every image.
apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerCluster
metadata:
  name: argocd-cluster
spec:
  location: us-central1
  enableBinaryAuthorization: true
  workloadIdentityConfig:
    workloadPool: PROJECT_ID.svc.id.goog

2. Network Policy

# Requires network policy enforcement on the cluster (--enable-network-policy or
# Dataplane V2); the gcloud create command above enables neither.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-network-policy
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  # Listing Egress here without egress rules would deny all outbound traffic from
  # argocd-server (API server, repo-server, redis, dex, DNS); add an egress
  # allowlist covering those before adding Egress back.
  policyTypes:
  - Ingress
  ingress:
  - from:
    # This guide exposes argocd-server through GKE Ingress (class gce), so client
    # traffic and health checks arrive from Google's proxy ranges, not from an
    # ingress-nginx namespace.
    - ipBlock:
        cidr: 130.211.0.0/22
    - ipBlock:
        cidr: 35.191.0.0/16
    ports:
    - protocol: TCP
      # NetworkPolicy ports are pod ports: argocd-server listens on 8080
      # (the Service maps 80 and 443 to it)
      port: 8080

Conclusion

This guide provides a comprehensive setup for running ArgoCD on GKE. Regular monitoring and updates are essential for optimal performance.