
EKS with ArgoCD

Argo CD is an open-source declarative, GitOps continuous delivery tool for Kubernetes applications. It enables developers to manage and deploy applications on Kubernetes clusters using Git repositories as the source of truth for configuration and definitions. Argo CD follows the GitOps methodology, which means that the entire application configuration, including manifests, parameters, and even application state, is stored in a Git repository.

SAML Security Considerations

SAML is an industry standard, but security concerns have been raised by Dex, Mastodon, and others because of the inherent difficulty of validating XML documents and the inconsistent handling of SAML by libraries in various languages. Our ArgoCD implementation uses SAML authentication with Dex and ArgoCD by default.

For more information, please see:

Overview

Argo CD simplifies the deployment and management of applications on Kubernetes by leveraging GitOps principles, providing a clear separation between the desired state of applications and the operational state of the cluster. This approach enhances collaboration, repeatability, and traceability in the deployment process.

Deployment

The application repository creates a deployment when a workflow is triggered and calls the relevant shared workflow.

```yaml
# .github/workflows/feature-branch.yaml
name: Feature Branch
on:
  pull_request:
    branches: [ 'main' ]
    types: [opened, synchronize, reopened, closed, labeled, unlabeled]

permissions:
  pull-requests: write
  deployments: write
  id-token: write
  contents: read

jobs:
  do:
    uses: cloudposse/github-actions-workflows-docker-ecr-eks-helm-argocd/.github/workflows/feature-branch.yml@main
    with:
      organization: "${{ github.event.repository.owner.login }}"
      repository: "${{ github.event.repository.name }}"
      open: ${{ github.event.pull_request.state == 'open' }}
      labels: ${{ toJSON(github.event.pull_request.labels.*.name) }}
      ref: ${{ github.event.pull_request.head.ref }}
    secrets:
      github-private-actions-pat: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
      registry: "${{ secrets.ECR_REGISTRY }}"
      secret-outputs-passphrase: "${{ secrets.GHA_SECRET_OUTPUT_PASSPHRASE }}"
      ecr-region: "${{ secrets.ECR_REGION }}"
      ecr-iam-role: "${{ secrets.ECR_IAM_ROLE }}"
```

That workflow calls a reusable workflow, cloudposse/github-actions-workflows-docker-ecr-eks-helm-argocd, which is designed specifically to deploy a dockerized application from ECR to EKS using ArgoCD.

Hotfix Workflows

Hotfix workflows are designed to push changes directly to a released version in production. Ideally every change moves through the standard release lifecycle, but in practice there are times when we need the ability to push a hotfix directly to production.

In order to enable hotfix workflows, create two additional workflows and modify the existing release workflow. See each of the following workflows:


Before running any hotfix workflows, a release branch must first be created with every release. Modify the existing release workflow to include the hotfix job below.

```yaml
# .github/workflows/release.yaml
name: Release
on:
  release:
    types: [published]

permissions:
  id-token: write
  contents: write

jobs:
  perform:
    ...

  hotfix:
    name: release / branch
    uses: cloudposse/github-actions-workflows-docker-ecr-eks-helm-argocd/.github/workflows/hotfix-mixin.yml@main
    with:
      version: ${{ github.event.release.tag_name }}
```

These workflows also call the same reusable workflow repository, cloudposse/github-actions-workflows-docker-ecr-eks-helm-argocd, as well as several of the same reusable workflows called from that repository, for example cloudposse/github-actions-workflows and cloudposse/actions-private.

Verify environment configs carefully

Be sure the environment configuration mapping includes hotfix. This mapping typically lives in your private configuration repository, for example cloudposse/actions-private, and is called by the cloudposse/github-action-interface-environment action.

For example, add the following:

```yaml
runs:
  using: "composite"
  steps:
    - name: Environment info
      uses: cloudposse/github-action-yaml-config-query@0.1.0
      id: result
      with:
        query: .${{ inputs.environment }}
        config: |
          ...
          hotfix:
            cluster: https://github.com/GH_ORG/argocd-deploy-prod/blob/main/plat/use2-prod/apps
            cluster-role: arn:aws:iam::PRODUCTION_ACCOUNT_ID:role/acme-plat-use2-prod-eks-cluster-gha
            namespace: ${{ inputs.namespace }}
            ssm-path: platform/acme-plat-use2-prod-eks-cluster
```
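The hotfix mapping is the one that hands a CI job the production cluster role, so it is worth checking before it is merged rather than discovering a typo when the hotfix workflow runs. The script below is an added example, not part of this page or of any Cloud Posse action: it parses the block-style mapping shown above with a small hypothetical helper (`parse_mapping`, a YAML subset parser, not the yaml-config-query action's own parser), answers the same `.<environment>` query, and then checks that the selected environment carries every required key and that `cluster-role` is a well-formed IAM role ARN in the account you expect. The sample config is constructed; the account ids and the non-prod repository name are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of the config block above. Account ids and the
# non-prod repository are placeholders; `${{ ... }}` expressions are
# kept as literal strings, as they would be before GitHub expands them.
SAMPLE_CONFIG = """\
dev:
  cluster: https://github.com/GH_ORG/argocd-deploy-non-prod/blob/main/plat/use2-dev/apps
  cluster-role: arn:aws:iam::111111111111:role/acme-plat-use2-dev-eks-cluster-gha
  namespace: ${{ inputs.namespace }}
  ssm-path: platform/acme-plat-use2-dev-eks-cluster
hotfix:
  cluster: https://github.com/GH_ORG/argocd-deploy-prod/blob/main/plat/use2-prod/apps
  cluster-role: arn:aws:iam::222222222222:role/acme-plat-use2-prod-eks-cluster-gha
  namespace: ${{ inputs.namespace }}
  ssm-path: platform/acme-plat-use2-prod-eks-cluster
"""

REQUIRED_KEYS = ("cluster", "cluster-role", "namespace", "ssm-path")
# IAM role ARN: 12-digit account id, then role/<name>.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def parse_mapping(text: str) -> Dict:
    """Hypothetical helper: parse nested block mappings with scalar leaves
    (the subset used by the environment config) into nested dicts."""
    root: Dict = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"not a key/value line: {raw!r}")
        # Close any mappings that are indented at or deeper than this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            child: Dict = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def query_environment(config: Dict, environment: str) -> Dict:
    """Equivalent of the `.${{ inputs.environment }}` query, but fails
    loudly when the environment is missing instead of yielding nothing."""
    if environment not in config:
        raise KeyError(f"no environment mapping for {environment!r}")
    env = config[environment]
    if not isinstance(env, dict):
        raise ValueError(f"environment {environment!r} is not a mapping")
    return env


def check_environment(env: Dict, expected_account: Optional[str] = None) -> List[str]:
    """Return a list of problems (empty means the mapping looks sane)."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in env]
    arn = env.get("cluster-role", "")
    match = ROLE_ARN.match(arn)
    if not match:
        problems.append(f"cluster-role is not an IAM role ARN: {arn!r}")
    elif expected_account and match.group(1) != expected_account:
        problems.append(
            f"cluster-role is in account {match.group(1)}, expected {expected_account}"
        )
    return problems


if __name__ == "__main__":
    config = parse_mapping(SAMPLE_CONFIG)
    hotfix = query_environment(config, "hotfix")
    for problem in check_environment(hotfix, expected_account="222222222222"):
        print("hotfix:", problem)
```

Run it as a pre-merge check against the real config with the production account id passed as `expected_account`; the point of the account check is that a hotfix mapping that silently points at a non-production role, or a non-production mapping that points at the production role, is caught as a list of problems rather than as a surprise at deploy time.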

Implementation

  • eks/argocd: This component is responsible for provisioning ArgoCD.
  • eks/platform: This component maps other components' outputs into SSM Parameter Store to declare the platform context used by CI/CD workflows.
  • argocd-repo: This component is responsible for creating and managing an ArgoCD desired-state repository.
  • sso-saml-provider: This component reads SSO credentials from SSM Parameter Store and provides them as outputs.

References