GitOps ArgoCD
ArgoCD Image Updater - using polling
Image Updater polls ACR for new image versions and updates the Kubernetes manifest in GitHub (it uses SSH keys: the private key is stored in a Kubernetes secret, the public key is added in the GitHub repo settings with write access).
ArgoCD keeps watching Git, syncs any changes and applies them (the SSH key is added via the UI, and the public key is registered in the GitHub repo as a deploy key with write access).
Prerequisites:
HELM
AKS Cluster
kubectl create namespace argocd
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install argocd argo/argo-cd -n argocd
# or, with a custom values file:
helm install argocd argo/argo-cd -n argocd -f argocd-values.yaml
# retrieve the initial admin password:
kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 --decode
ArgoCD EKS/AKS integration
ArgoCD connects to EKS/AKS using Kubernetes RBAC plus kubeconfig credentials, but the way ArgoCD obtains these credentials differs between AKS and EKS.
Below is how it works in practice.
✅ 1. How ArgoCD Gets Access to a Cluster (General Concept)
ArgoCD must talk directly to the Kubernetes API server using:
A kubeconfig
With a user/service-account
That has permissions (RBAC) like:
get, list, watch, patch, create, delete on deployments, services, secrets, etc.
ArgoCD uses this command (internally):
argocd cluster add <context>
This:
Reads your local kubeconfig.
Extracts the cluster certificates.
Creates a ServiceAccount → argocd-manager in that cluster.
Binds RBAC → cluster-admin (or a restricted role).
Stores this credential in ArgoCD secrets.
📌 2. How ArgoCD Connects to AKS
When you run:
argocd cluster add aks-dev
ArgoCD:
Uses your Azure CLI credentials (az login → gives kubectl auth)
Applies this ServiceAccount inside AKS:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-manager
  namespace: kube-system
Creates ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-manager
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: argocd-manager
  namespace: kube-system
Stores the service-account token inside ArgoCD:
kubectl get secret argocd-manager-token -n kube-system -o yaml
ArgoCD stores this token under:
argocd-secret
No need for Azure AD, managed identity, or AAD Pod Identity.
ArgoCD → Kubernetes API authentication = ServiceAccount token
📌 3. How ArgoCD Connects to EKS
Same process, but authentication works through aws eks update-kubeconfig.
Steps:
Your system runs:
aws eks update-kubeconfig --name prod-eks
You authenticate using AWS IAM (via aws-cli).
ArgoCD then runs:
argocd cluster add prod-eks
This also:
Creates the argocd-manager ServiceAccount
Creates the ClusterRoleBinding
Stores the token in the ArgoCD secret
Important:
EKS uses:
IAM → kubectl access
RBAC → ArgoCD access
Once the service-account token is created, ArgoCD no longer needs IAM.
📌 4. Simplified Diagram (AKS & EKS)
ArgoCD
↓ uses stored token
Kubernetes API
↓
ServiceAccount (argocd-manager)
↓
ClusterRoleBinding (cluster-admin)
🎯 Summary: How ArgoCD Gets Permission
| Step                            | AKS                       | EKS                                   |
|---------------------------------|---------------------------|---------------------------------------|
| Authenticate your local kubectl | Azure AD via az login     | AWS IAM via aws eks update-kubeconfig |
| ArgoCD creates service-account  | ✔ Yes                     | ✔ Yes                                 |
| ArgoCD creates RBAC             | ✔ Yes                     | ✔ Yes                                 |
| Token stored in Argo            | ✔ Stored in argocd-secret | ✔ Stored in argocd-secret             |
| Needs Azure AD?                 | ❌ No                     | ❌ No                                 |
| Needs AWS IAM?                  | ❌ No                     | ❌ No                                 |
After onboarding, ArgoCD uses only the service-account token, not your cloud identity.
⭐ OPTIONAL: Avoid Cluster-Admin (Production RBAC)
If you want safer permissions:
Create minimal RBAC:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: argocd-role
rules:
- apiGroups: ["", "apps", "extensions"]
  resources: ["pods","deployments","services","secrets","configmaps"]
  verbs: ["get","list","watch","create","update","patch","delete"]
Bind it:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: argocd-role-binding
subjects:
- kind: ServiceAccount
  name: argocd-manager
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: argocd-role
  apiGroup: rbac.authorization.k8s.io
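As an added check (not part of the original notes or of ArgoCD itself), here is a small Python audit that reads the JSON printed by `kubectl get clusterrole,clusterrolebinding -o json`, finds every ClusterRoleBinding for the argocd-manager ServiceAccount, and flags whether it is still bound to a wildcard role like cluster-admin or whether the minimal role still reaches secrets cluster-wide; the SAMPLE input is constructed to mirror the manifests above.

```python
"""Audit what the argocd-manager ServiceAccount is allowed to do, from the JSON
that `kubectl get clusterrole,clusterrolebinding -o json` prints."""
import json

# Constructed sample: the cluster-admin binding that `argocd cluster add`
# creates, plus the minimal argocd-role / argocd-role-binding pair.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "argocd-role"},
     "rules": [{"apiGroups": ["", "apps", "extensions"],
                "resources": ["pods", "deployments", "services", "secrets", "configmaps"],
                "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "argocd-manager"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-manager",
                   "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "argocd-role-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "argocd-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-manager",
                   "namespace": "kube-system"}]},
]})


def audit(items_json, sa_name="argocd-manager", sa_ns="kube-system"):
    """Return (binding, role, finding) tuples for every ClusterRoleBinding
    that grants the given ServiceAccount wildcard or secrets access."""
    items = json.loads(items_json)["items"]
    roles = {i["metadata"]["name"]: i.get("rules", [])
             for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for b in items:
        if b["kind"] != "ClusterRoleBinding":
            continue
        # Only bindings whose subjects include our ServiceAccount matter.
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_ns for s in b.get("subjects", [])):
            continue
        role = b["roleRef"]["name"]
        for rule in roles.get(role, []):
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                findings.append((b["metadata"]["name"], role, "wildcard rule"))
            elif "secrets" in rule.get("resources", []):
                findings.append((b["metadata"]["name"], role, "cluster-wide secrets access"))
    return findings

if __name__ == "__main__":
    for binding, role, finding in audit(SAMPLE):
        print(f"{binding} -> {role}: {finding}")
```

Run it against real output by replacing SAMPLE with the file kubectl wrote; an empty result means the argocd-manager account holds neither a wildcard role nor cluster-wide secrets access.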