Deploying applications on Kubernetes can be a complex and challenging process, especially when it comes to managing multiple environments and ensuring that the deployment process is streamlined and error-free. This is where the Argo CD tool comes in: it simplifies the entire continuous delivery process by automating deployment tasks. It also eliminates the need for complex scripts or manual intervention.
One of the key advantages of Argo CD is its declarative approach to deployment management. Rather than relying on manual scripts or commands, Argo CD uses a declarative configuration to specify the desired state of your application and infrastructure. This simplifies the management of complex deployments, and ensures that your applications are always in sync with the desired version.
However, as with any tool, there are some best practices that you should follow to ensure that you get the most out of Argo CD. Here are some tips to help you streamline your CD process and avoid common pitfalls.
1. Use a separate Git repository for Kubernetes Manifests
One of the best practices that you simply cannot afford to ignore is keeping your configuration separate from your application source code. The best way to do this is by using a separate Git repository to hold your Kubernetes manifests.
Why is using a separate Git repository for Kubernetes Manifests in Argo CD so important?
It keeps the application code and configuration apart. There are times when you’ll want to modify your manifests without triggering a full CI build, and having a separate repository makes this easier.
Having a separate repository for your configuration also means a cleaner audit log. You’ll have a much clearer history of changes made to your configuration, without the noise that comes from regular development activity.
With separate repositories, you can give developers commit access to the source code repository only, and not to the application configuration repository (handy when the developers building the application are not the same people who push it into production environments).
Pushing configuration changes to the same Git repository as the source code can cause an infinite loop of Git commit triggers and build jobs. Having a separate repository for manifest changes prevents this and keeps your CI pipeline running smoothly.
2. Update released application versions with Argo CD Image Updater
Argo CD Image Updater is a powerful tool that simplifies the process of updating container images in Kubernetes deployments managed by Argo CD. With this tool, you can automate the image update process without having to modify your Kubernetes manifests manually, making it faster, more reliable, and less error-prone. It provides advanced features such as automated detection of new container image versions, support for different container registries, and customizable update policies, allowing you to manage your images with ease and efficiency. Using Argo CD Image Updater can help you reduce downtime, improve security, and ensure your deployments are always up-to-date with the latest versions of your container images.
3. Implement the Apps of Apps pattern
The Argo CD Apps of Apps pattern is a powerful technique for managing large and complex Kubernetes clusters. It lets you organize and deploy multiple Argo CD applications with a single Argo CD application acting as a top-level orchestrator.
With this pattern, you can define your application configuration as a template, then generate multiple instances of the same application with different configuration values. This makes managing many related applications with similar configurations easy.
There is more: using the Apps of Apps pattern with Argo CD helps to simplify the management of application dependencies and versioning. You can easily update all applications within the Apps of Apps structure, or roll back to a previous version if necessary.
Overall, the Argo CD Apps of Apps pattern is a powerful tool for managing large and complex Kubernetes environments, making it easier to deploy and manage multiple applications and their dependencies.
4. Implement ApplicationSet for efficient application management
Argo ApplicationSet is a tool for managing multiple Argo CD applications in an automated and scalable way. It lets you define a set of templates that are parameterized with a set of values, and then generates and deploys multiple Argo CD applications based on those templates and values. It is useful when you manage a large number of applications that share the same configuration but must be deployed with different parameters, such as separate environments or regions. With Argo ApplicationSet, you can simplify the management and deployment of many applications while maintaining consistency across them.
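A list-generator ApplicationSet that produces one Application per environment, as an added example rather than configuration from the original article. The repository URL, application name, paths, and environment list are placeholders.

```yaml
# Added example (constructed): repo URL, names, paths and environments are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: guestbook
  namespace: argocd              # same namespace as the Argo CD instance
spec:
  generators:
    - list:
        elements:                # one generated Application per element
          - env: dev
            namespace: guestbook-dev
          - env: staging
            namespace: guestbook-staging
          - env: prod
            namespace: guestbook-prod
  template:
    metadata:
      name: 'guestbook-{{env}}'
    spec:
      project: default
      source:
        repoURL: https://git.example.com/platform/k8s-manifests.git
        targetRevision: main
        path: 'guestbook/overlays/{{env}}'   # per-environment directory in the manifests repo
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{namespace}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
```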
5. Implement Argo CD Vault plugin
The Argo CD Vault plugin is a useful tool that helps securely manage secrets and configuration data in your Argo CD environment. It integrates Argo CD with HashiCorp Vault, a popular open-source tool for managing secrets and sensitive data.
With the Argo CD Vault plugin, you can easily store and retrieve secrets from Vault without exposing them to the Argo CD web interface or configuration files. This enhances the security of your secrets management and minimizes the risk of accidental exposure.
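What ends up in Git when the plugin is used, as an added example that is not from the original article. It assumes the placeholder syntax of the argocd-vault-plugin project; the Vault paths, key names, and resource names are constructed.

```yaml
# Added example (constructed): Vault paths, keys and names are placeholders.
# This is the manifest as committed to Git; it contains no secret values.
apiVersion: v1
kind: Secret
metadata:
  name: orders-db-credentials
  namespace: orders
  annotations:
    # Vault path used to resolve the bare <key> placeholders below
    avp.kubernetes.io/path: "secret/data/orders/db"
type: Opaque
stringData:
  username: <username>           # replaced with key "username" at the annotated path
  password: <password>
  # Inline form: path and key in one placeholder, independent of the annotation
  api-token: <path:secret/data/orders/api#token>
```

The placeholders are substituted when Argo CD renders the manifest, so the rendered output does contain the secret values.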
6. Pay attention to the namespace of your custom resources
Another practice worth keeping in mind when managing your applications with Argo CD is to make sure that all of your custom resources match the namespace of the Argo CD instance. It may sound simple, but it’s actually a critical step that can make all the difference in optimizing Argo CD’s functionality and preventing issues down the road.
For a start, if you have multiple repositories with different Application and AppProject manifests, it’s crucial that they all share the same metadata.namespace. This ensures that everything stays in sync and that Argo CD can do its job as efficiently as possible. With the standard deployment approach, Argo CD creates ClusterRoles and ClusterRoleBindings that reference the argocd namespace by default. To avoid any problems, it’s a good idea to use the argocd namespace and make sure that all Argo CD resources match the namespace of the instance.
7. Mitigate the risks of Argo CD’s secret injection plugins
Are you using Argo CD’s secret injection plugins? If so, it’s important to note that the manifests and secrets generated by these components are cached in Argo CD’s Redis instance and are also accessible via the repo server API. In other words, anyone with access to the Redis instance or the repo server API could potentially gain access to your secrets, making your applications vulnerable to attack.
There are a few ways to mitigate these risks and keep your secrets safe:
First, consider setting up network policies to prevent direct access to Argo CD components. This will ensure that only authorized users can access these resources.
Run Argo CD on its own cluster, with no other applications running on it. This way, you can isolate your CD process and minimize the risk of unauthorized access or interference.
Make sure to enable password authentication on your Redis instance (note that it is currently only supported for non-HA Argo CD installations).
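The network-policy mitigation above, sketched for the Redis cache and the repo server as an added example that is not from the original article. It assumes the argocd namespace and the app.kubernetes.io/name labels and default ports (6379 and 8081) of a standard Argo CD install; adjust the selectors if your installation labels its components differently.

```yaml
# Added example (constructed). Assumes the argocd namespace and the
# app.kubernetes.io/name labels and default ports of a standard install.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-ingress
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis
  policyTypes: [Ingress]
  ingress:
    - from:                      # only the components that read or write the cache
        - podSelector: {matchLabels: {app.kubernetes.io/name: argocd-server}}
        - podSelector: {matchLabels: {app.kubernetes.io/name: argocd-repo-server}}
        - podSelector: {matchLabels: {app.kubernetes.io/name: argocd-application-controller}}
      ports:
        - {protocol: TCP, port: 6379}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-repo-server-ingress
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  policyTypes: [Ingress]
  ingress:
    - from:                      # callers of the repo server API; nothing else may connect
        - podSelector: {matchLabels: {app.kubernetes.io/name: argocd-server}}
        - podSelector: {matchLabels: {app.kubernetes.io/name: argocd-application-controller}}
        - podSelector: {matchLabels: {app.kubernetes.io/name: argocd-applicationset-controller}}
        - podSelector: {matchLabels: {app.kubernetes.io/name: argocd-notifications-controller}}
      ports:
        - {protocol: TCP, port: 8081}
    # Metrics scraping of the repo server would need its own rule; none is granted here.
```

NetworkPolicy objects only take effect when the cluster's network plugin enforces them, so confirm enforcement by testing a connection from a pod that is not on the allow list.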
By taking these steps, you can rest assured that your secrets are safe and secure, and that your applications are protected against any potential threats.