Zum Inhalt

ArgoCD Cheat Sheet

generieren

Überblick

ArgoCD ist ein deklaratives, GitOps kontinuierliches Lieferwerkzeug für Kubernetes. Es folgt dem GitOps-Muster der Verwendung von Git-Repositorien als Quelle der Wahrheit zur Definition des gewünschten Anwendungszustands und synchronisiert automatisch Anwendungen mit ihren Zielumgebungen.

ZEIT Anmerkung: Erfordert den Zugang zum Kubernetes Cluster. Unterstützt Kubernetes 1.19+ Versionen.

Installation

Schnelle Installation starten

```bash

Create namespace

kubectl create namespace argocd

Install ArgoCD

kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

Wait for pods to be ready

kubectl wait --for=condition=available --timeout=300s deployment/argocd-server -n argocd ```_

Helm Installation

```bash

Add ArgoCD Helm repository

helm repo add argo https://argoproj.github.io/argo-helm helm repo update

Install with Helm

helm install argocd argo/argo-cd \ --namespace argocd \ --create-namespace \ --set server.service.type=LoadBalancer ```_

Hohe Verfügbarkeit Installation

```yaml

argocd-ha.yaml

apiVersion: v1 kind: ConfigMap metadata: name: argocd-cmd-params-cm namespace: argocd data: server.insecure: "true" application.instanceLabelKey: "argocd.argoproj.io/instance"

apiVersion: apps/v1 kind: Deployment metadata: name: argocd-server spec: replicas: 3 template: spec: containers: - name: argocd-server env: - name: ARGOCD_SERVER_INSECURE value: "true" ```_

CLI Installation

ArgoCD CLI

```bash

Linux

curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd rm argocd-linux-amd64

macOS

brew install argocd

Windows (PowerShell)

$version = (Invoke-RestMethod https://api.github.com/repos/argoproj/argo-cd/releases/latest).tag_name Invoke-WebRequest -Uri "https://github.com/argoproj/argo-cd/releases/download/$version/argocd-windows-amd64.exe" -OutFile "argocd.exe" ```_

CLI Authentication

```bash

Port forward to access ArgoCD server

kubectl port-forward svc/argocd-server -n argocd 8080:443

Get initial admin password

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

Login via CLI

argocd login localhost:8080 --username admin --password --insecure

Change admin password

argocd account update-password ```_

Grundlegende Befehle

Anwendungsmanagement

```bash

List applications

argocd app list

Get application details

argocd app get myapp

Create application

argocd app create myapp \ --repo https://github.com/myorg/myrepo \ --path manifests \ --dest-server https://kubernetes.default.svc \ --dest-namespace default

Sync application

argocd app sync myapp

Delete application

argocd app delete myapp ```_

Repository Management

```bash

Add Git repository

argocd repo add https://github.com/myorg/myrepo \ --username myuser \ --password mytoken

List repositories

argocd repo list

Remove repository

argocd repo rm https://github.com/myorg/myrepo ```_

Cluster Management

```bash

Add cluster

argocd cluster add my-cluster-context

List clusters

argocd cluster list

Remove cluster

argocd cluster rm https://kubernetes.default.svc ```_

Anwendungskonfiguration

Grundlagen der Anwendung

```yaml

application.yaml

apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: myapp namespace: argocd spec: project: default source: repoURL: https://github.com/myorg/myrepo targetRevision: HEAD path: manifests destination: server: https://kubernetes.default.svc namespace: myapp syncPolicy: automated: prune: true selfHeal: true syncOptions: - CreateNamespace=true ```_

Anwendungsbereich

yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: nginx-helm namespace: argocd spec: project: default source: repoURL: https://charts.bitnami.com/bitnami chart: nginx targetRevision: 13.2.23 helm: parameters: - name: service.type value: LoadBalancer - name: ingress.enabled value: "true" values: | replicaCount: 3 resources: limits: cpu: 100m memory: 128Mi destination: server: https://kubernetes.default.svc namespace: nginx syncPolicy: automated: {}_

Kustomize Anwendung

yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: kustomize-app namespace: argocd spec: project: default source: repoURL: https://github.com/myorg/myrepo targetRevision: HEAD path: overlays/production kustomize: images: - myapp:v1.2.3 patchesStrategicMerge: - deployment-patch.yaml destination: server: https://kubernetes.default.svc namespace: production_

Sync Policies

Automatisierte Sync

yaml syncPolicy: automated: prune: true # Delete resources not in Git selfHeal: true # Revert manual changes allowEmpty: false # Don't sync if no resources syncOptions: - CreateNamespace=true - PrunePropagationPolicy=foreground - PruneLast=true retry: limit: 5 backoff: duration: 5s factor: 2 maxDuration: 3m_

Manuelle Sync mit Optionen

```bash

Sync with prune

argocd app sync myapp --prune

Dry run sync

argocd app sync myapp --dry-run

Force sync (ignore differences)

argocd app sync myapp --force

Sync specific resources

argocd app sync myapp --resource apps:Deployment:myapp ```_

Sync Waves

```yaml

Use annotations to control sync order

apiVersion: apps/v1 kind: Deployment metadata: name: database annotations: argocd.argoproj.io/sync-wave: "1"

apiVersion: apps/v1 kind: Deployment metadata: name: backend annotations: argocd.argoproj.io/sync-wave: "2"

apiVersion: apps/v1 kind: Deployment metadata: name: frontend annotations: argocd.argoproj.io/sync-wave: "3" ```_

Projekte und RBAC

Projektkonfiguration

yaml apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: myproject namespace: argocd spec: description: My application project sourceRepos: - 'https://github.com/myorg/*' destinations: - namespace: 'myproject-*' server: https://kubernetes.default.svc clusterResourceWhitelist: - group: '' kind: Namespace - group: 'rbac.authorization.k8s.io' kind: ClusterRole namespaceResourceWhitelist: - group: 'apps' kind: Deployment - group: '' kind: Service roles: - name: admin description: Admin access policies: - p, proj:myproject:admin, applications, *, myproject/*, allow groups: - myorg:team-leads_

RBAC Konfiguration

```yaml apiVersion: v1 kind: ConfigMap metadata: name: argocd-rbac-cm namespace: argocd data: policy.default: role:readonly policy.csv: | p, role:admin, applications, , /, allow p, role:admin, clusters, , , allow p, role:admin, repositories, , *, allow

p, role:developer, applications, get, */*, allow
p, role:developer, applications, sync, */*, allow

g, myorg:admins, role:admin
g, myorg:developers, role:developer

```_

Multi-Cluster Management

Hinzufügen externer Cluster

```bash

Add cluster with service account

kubectl create serviceaccount argocd-manager -n kube-system kubectl create clusterrolebinding argocd-manager-binding \ --clusterrole=cluster-admin \ --serviceaccount=kube-system:argocd-manager

Get service account token

TOKENNAME=$(kubectl -n kube-system get serviceaccount/argocd-manager -o jsonpath='{.secrets[0].name}') TOKEN=$(kubectl -n kube-system get secret $TOKENNAME -o jsonpath='{.data.token}' | base64 --decode)

Add cluster to ArgoCD

argocd cluster add my-cluster \ --server https://my-cluster-api-server \ --service-account argocd-manager \ --system-namespace kube-system ```_

Geheime

yaml apiVersion: v1 kind: Secret metadata: name: my-cluster-secret namespace: argocd labels: argocd.argoproj.io/secret-type: cluster type: Opaque stringData: name: my-cluster server: https://my-cluster-api-server config: | { "bearerToken": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9...", "tlsClientConfig": { "insecure": false, "caData": "LS0tLS1CRUdJTi..." } }_

Anwendungssets

Grundlegende Anwendung Set

yaml apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: name: cluster-addons namespace: argocd spec: generators: - clusters: {} template: metadata: name: '{{name}}-addons' spec: project: default source: repoURL: https://github.com/myorg/cluster-addons targetRevision: HEAD path: '{{name}}' destination: server: '{{server}}' namespace: kube-system syncPolicy: automated: {}_

Git Generator

yaml apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: name: microservices namespace: argocd spec: generators: - git: repoURL: https://github.com/myorg/microservices revision: HEAD directories: - path: services/* template: metadata: name: '{{path.basename}}' spec: project: default source: repoURL: https://github.com/myorg/microservices targetRevision: HEAD path: '{{path}}' destination: server: https://kubernetes.default.svc namespace: '{{path.basename}}' syncPolicy: automated: {}_

Liste Generator

yaml apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: name: environments namespace: argocd spec: generators: - list: elements: - cluster: dev url: https://dev-cluster namespace: myapp-dev - cluster: staging url: https://staging-cluster namespace: myapp-staging - cluster: prod url: https://prod-cluster namespace: myapp-prod template: metadata: name: 'myapp-{{cluster}}' spec: project: default source: repoURL: https://github.com/myorg/myapp targetRevision: HEAD path: manifests/{{cluster}} destination: server: '{{url}}' namespace: '{{namespace}}'_

Überwachung und Beobachtungsfähigkeit

Metrics Konfiguration

yaml apiVersion: v1 kind: ConfigMap metadata: name: argocd-server-config namespace: argocd data: application.instanceLabelKey: argocd.argoproj.io/instance server.metrics.enabled: "true" controller.metrics.enabled: "true" reposerver.metrics.enabled: "true"_

Prometheus Integration

yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: argocd-metrics namespace: argocd spec: selector: matchLabels: app.kubernetes.io/name: argocd-metrics endpoints: - port: metrics interval: 30s path: /metrics_

Grafana Dashboard

```bash

Import ArgoCD dashboard

Dashboard ID: 14584 (ArgoCD Operational)

Dashboard ID: 19993 (ArgoCD Application)

Key metrics to monitor:

- Application sync status

- Sync frequency

- Repository connection status

- Controller performance

- API server response times

```_

Mitteilungen

Anmeldung Konfiguration

yaml apiVersion: v1 kind: ConfigMap metadata: name: argocd-notifications-cm namespace: argocd data: service.slack: | token: $slack-token template.app-deployed: | message: | {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version. template.app-health-degraded: | message: | {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded. trigger.on-deployed: | - description: Application is synced and healthy send: - app-deployed when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy' trigger.on-health-degraded: | - description: Application has degraded send: - app-health-degraded when: app.status.health.status == 'Degraded'_

Slack Integration

```yaml apiVersion: v1 kind: Secret metadata: name: argocd-notifications-secret namespace: argocd stringData: slack-token: xoxb-your-slack-bot-token

apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: myapp annotations: notifications.argoproj.io/subscribe.on-sync-succeeded.slack: my-channel notifications.argoproj.io/subscribe.on-health-degraded.slack: alerts-channel ```_

Sicherheit

TLS Konfiguration

yaml apiVersion: v1 kind: ConfigMap metadata: name: argocd-server-config namespace: argocd data: tls.config: | certificates: - | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- - | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----_

OIDC Integration

yaml apiVersion: v1 kind: ConfigMap metadata: name: argocd-cm namespace: argocd data: oidc.config: | name: OIDC issuer: https://your-oidc-provider.com clientId: argocd clientSecret: $oidc.clientSecret requestedScopes: ["openid", "profile", "email", "groups"] requestedIDTokenClaims: {"groups": {"essential": true}} url: https://argocd.example.com_

Repository Credentials

yaml apiVersion: v1 kind: Secret metadata: name: private-repo namespace: argocd labels: argocd.argoproj.io/secret-type: repository stringData: type: git url: https://github.com/myorg/private-repo password: ghp_xxxxxxxxxxxxxxxxxxxx username: not-used_

Fehlerbehebung

Gemeinsame Themen

```bash

Application stuck in sync

argocd app get myapp --hard-refresh argocd app sync myapp --force

Check application events

kubectl describe application myapp -n argocd

View controller logs

kubectl logs -n argocd deployment/argocd-application-controller

Check repository connection

argocd repo get https://github.com/myorg/myrepo ```_

Debug Befehle

```bash

Enable debug logging

kubectl patch configmap argocd-cmd-params-cm -n argocd --patch '{"data":{"controller.log.level":"debug"}}'

Check sync status

argocd app wait myapp --health

Validate manifests

argocd app manifests myapp --source live

Compare desired vs live state

argocd app diff myapp ```_

Leistung Tuning

```yaml

Controller configuration

apiVersion: v1 kind: ConfigMap metadata: name: argocd-cmd-params-cm namespace: argocd data: controller.status.processors: "20" controller.operation.processors: "10" controller.self.heal.timeout.seconds: "5" controller.repo.server.timeout.seconds: "60" ```_

Best Practices

Repository Struktur

```bash

Recommended structure:

apps/ ├── base/ │ ├── kustomization.yaml │ └── deployment.yaml ├── overlays/ │ ├── dev/ │ ├── staging/ │ └── production/ └── argocd/ └── applications/ ```_

GitOps Workflow

```bash

1. Developers commit code changes

2. CI pipeline builds and pushes images

3. CI updates manifest repository

4. ArgoCD detects changes and syncs

5. Applications updated automatically

```_

Sicherheit Best Practices

```bash

- Use least privilege RBAC

- Enable TLS for all connections

- Regularly rotate credentials

- Monitor access logs

- Use signed commits

- Implement admission controllers

```_

Ressourcen

Dokumentation

Gemeinschaft

%20Ausbildung

-%20ArgoCD%20Tutorial - GitOps Fundamentals - Kubernetes GitOps