Deploying argocd apps to other clusters

This is easier with the CLI, where argocd cluster add does everything in the background using the kubeconfig context.

What actually happens there is that it creates a service account, assigns it a cluster role, and creates a secret associated with the service account. All of that happens in the cluster you want to deploy to. The cluster which has argocd installed then needs a secret labelled argocd.argoproj.io/secret-type: cluster, holding the token from the cluster you want to deploy to.

The following needs to be added to the cluster you want to deploy to. Note that the ClusterRole below allows every verb on every resource, so the token issued for this service account has full access to that cluster.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-manager
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-manager-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-manager-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-manager-role
subjects:
- kind: ServiceAccount
  name: argocd-manager
  namespace: kube-system
---
apiVersion: v1
kind: Secret
metadata:
  name: argocd-manager-token
  namespace: kube-system 
  annotations:
    kubernetes.io/service-account.name: argocd-manager
type: kubernetes.io/service-account-token

Note these four values: the token, the CA, the kubeserver and the name of the cluster.

You can get the token and ca data from the above created secret.

# This prints the CA data (leave it base64-encoded)
kubectl get -n kube-system secret/argocd-manager-token -o jsonpath='{.data.ca\.crt}'

# This prints the token (note: the token has to be base64-decoded)
kubectl get -n kube-system secret/argocd-manager-token -o jsonpath='{.data.token}' | base64 --decode

kubeserver, name of the cluster – You can get these from the kubeconfig file, or I guess you can get them from the secrets in the kube-system namespace as well.

The following needs to be added to the cluster which has argocd installed.

apiVersion: v1
kind: Secret
metadata:
  name: <any-name>
  namespace: argo-cd
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: <cluster-name>
  server: <kubeserver>
  config: |
    {
      "bearerToken": "<token-from-the-above-step>",
      "tlsClientConfig": {
        "insecure": false,
        "caData": "<ca-from-the-above-step>"
      }
    }


For example, if your cluster name is abc and the kubeserver is https://abc.aws.com, your secret would look something like this.

apiVersion: v1
kind: Secret
metadata:
  name: abcclustersecret
  namespace: argo-cd
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: abc
  server: https://abc.aws.com
  config: |
    {
      "bearerToken": "<token-from-the-above-step>",
      "tlsClientConfig": {
        "insecure": false,
        "caData": "<ca-from-the-above-step>"
      }
    }

This is what happens when you run argocd cluster add from the CLI.

This is how you configure the argocd cluster to deploy to other clusters.
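
The manual steps above as one shell function that checks each value before rendering the secret. This is an added example, not part of the original post or of Argo CD; the function name and the <name>-cluster-secret naming are assumptions, the argo-cd namespace is the one used above, and the CA goes into the caData field of tlsClientConfig.

```shell
# Added example (not from the original post): render the Argo CD cluster Secret.
# render_cluster_secret NAME SERVER TOKEN CA_B64
#   TOKEN   service-account token after base64 --decode (a JWT)
#   CA_B64  .data.ca\.crt exactly as kubectl printed it (still base64)
render_cluster_secret() {
  local name="$1" server="$2" token="$3" ca_b64="$4"

  # A bearer token is sent to this URL, so refuse anything but TLS.
  case "$server" in
    https://*) ;;
    *) echo "server must be an https:// URL" >&2; return 1 ;;
  esac

  # A decoded token is a JWT: three dot-separated base64url parts.
  # A token that is still base64-encoded contains no dots and fails here.
  if ! printf '%s' "$token" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'; then
    echo "token is not a JWT; was it base64-decoded?" >&2; return 1
  fi

  # caData must stay base64 and decode to a PEM certificate.
  if ! printf '%s' "$ca_b64" | base64 --decode 2>/dev/null |
       grep -q -e '-----BEGIN CERTIFICATE-----'; then
    echo "CA must be the base64 value from the secret" >&2; return 1
  fi

  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}-cluster-secret
  namespace: argo-cd
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: ${name}
  server: ${server}
  config: |
    {
      "bearerToken": "${token}",
      "tlsClientConfig": {
        "insecure": false,
        "caData": "${ca_b64}"
      }
    }
EOF
}
```

Pass it the outputs of the two kubectl commands above and pipe the result to kubectl apply -f - against the cluster that runs argocd.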

Now when you deploy an argo-cd app, you can set the kubeserver as the destination server in the application config, and the app will be deployed to that cluster.

Feel free to reach out, if you have any doubts.
