ArgoCD Master and Child 👩‍👦


1. Deploy a master instance of ArgoCD if you do not already have one. This is deployed into the `master-argocd` project.

   ```bash
   helm upgrade --install bootstrap -f bootstrap-master/values-bootstrap.yaml bootstrap --create-namespace --namespace labs-bootstrap
   ```

2. Login to your ArgoCD master and run the following to create a new project that manages deployments in the Lab's namespaces, along with the repositories it is allowed to pull from:

   ```bash
   argocd login $(oc get route argocd-server --template='{{ .spec.host }}' -n master-argocd):443 --sso --insecure

   argocd proj create bootstrap-journey \
     -d https://kubernetes.default.svc,master-argocd \
     -d https://kubernetes.default.svc,labs-ci-cd \
     -d https://kubernetes.default.svc,labs-dev \
     -d https://kubernetes.default.svc,labs-test \
     -d https://kubernetes.default.svc,labs-staging \
     -d https://kubernetes.default.svc,labs-pm \
     -d https://kubernetes.default.svc,labs-cluster-ops \
     -s \
     -s \
   ```

3. You will require elevated permissions in the master ArgoCD project. The command below whitelists every cluster-scoped resource group and kind (`"*" "*"`) for the project, so only grant it on the master:

   ```bash
   argocd proj allow-cluster-resource bootstrap-journey "*" "*"
   ```

4. Create your ArgoCD App for `bootstrap` in your `master-argocd` namespace and sync it!

   ```bash
   argocd app create bootstrap-journey \
     --project bootstrap-journey \
     --dest-namespace master-argocd \
     --dest-server https://kubernetes.default.svc \
     --repo \
     --sync-policy automated \
     --path "bootstrap" \
     --values "values-bootstrap.yaml"
   ```

5. Your new ArgoCD instance should spin up. You can now connect your `ubiquitous-journey` or `example-deployment` to it by following the instructions above.

Restricted Children

There are two main ClusterRoles in an operator-installed ArgoCD. The `argocd-server` role is used by the API server pods (and so by the UI and CLI), and the `argocd-application-controller` role is used by the application controller pods, which is the component that actually applies manifests to the cluster and therefore the one whose privileges matter most:

  • `oc edit clusterrole argocd-server`
  • `oc edit clusterrole argocd-application-controller`

By default we give ArgoCD cluster-admin privileges. We usually want this for `master-argocd`, but not for any child ArgoCD such as the one in the `labs-ci-cd` namespace: a child with cluster-admin can modify anything on the cluster, including the master.

The chart supports restricting the `argocd-application-controller` ClusterRoleBinding to the default ClusterRole installed by the operator, which is read-only cluster-wide (get/list/watch on every resource, get/list on non-resource URLs):

```yaml
kind: ClusterRole
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - '*'
  verbs:
  - get
  - list
```

We can set the `namespaceRoleBinding.enabled` flag in Step 4 above by doing:

```bash
# 4. Create your ArgoCD App for `bootstrap` in your `master-argocd` namespace and sync it!
argocd app create bootstrap-journey \
  --project bootstrap-journey \
  --dest-namespace master-argocd \
  --dest-server https://kubernetes.default.svc \
  --repo \
  --sync-policy automated \
  --path "bootstrap" \
  --helm-set argocd-operator.namespaceRoleBinding.enabled=true \
  --values "values-bootstrap.yaml"
```

We can test that the child can't do cluster-admin type things (like install cluster operators). For example, this will fail:

```bash
oc project labs-ci-cd
argocd login $(oc get route argocd-server --template='{{ .spec.host }}' -n labs-ci-cd):443 --sso --insecure
argocd app create tekton \
  --repo \
  --path tekton/base \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace openshift-operators \
  --revision master \
  --sync-policy automated
```

The sync is refused with an error like:

```
is forbidden: User "system:serviceaccount:labs-ci-cd:argocd-argocd-application-controller" cannot create resource "subscriptions" in API group "" in the namespace "openshift-operators"
```

Note that the identity in the error is the controller's service account, not the user who created the Application: ArgoCD syncs with its own credentials, so the controller's RBAC is what bounds what anyone using that instance can deploy.
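To see why that sync is refused while the same app syncs from the master, here is a small RBAC evaluator, added as an example (it is not code from this chart, from the operator or from ArgoCD). It encodes the operator's read-only ClusterRole shown above, a cluster-admin role for the master, and one constructed assumption: a full-access Role bound to the controller inside its own `labs-ci-cd` namespace. The request it checks is the one the tekton app's sync makes, creating a `Subscription` (group `operators.coreos.com`) in `openshift-operators`; `resourceNames` and subresources are ignored.

```python
"""Tiny Kubernetes RBAC evaluator, added here as an example (not chart,
operator or ArgoCD code). It models apiGroups/resources/verbs and the
difference between a ClusterRoleBinding and a RoleBinding; resourceNames
and subresources are ignored."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Request:
    verb: str
    resource: str
    api_group: str = ""   # "" is the core API group (pods, secrets, ...)
    namespace: str = ""   # "" marks a cluster-scoped request


def _match(allowed: List[str], value: str) -> bool:
    # RBAC rule fields are lists; "*" matches anything, otherwise exact match.
    return "*" in allowed or value in allowed


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

    def allows(self, req: Request) -> bool:
        return (_match(self.api_groups, req.api_group)
                and _match(self.resources, req.resource)
                and _match(self.verbs, req.verb))


@dataclass
class Binding:
    """A ClusterRoleBinding when namespace is None, otherwise a RoleBinding."""
    rules: List[Rule]
    namespace: Optional[str] = None

    def covers(self, req: Request) -> bool:
        # A RoleBinding only reaches objects inside its own namespace, so it
        # never grants cluster-scoped requests or requests in other namespaces.
        if self.namespace is not None and req.namespace != self.namespace:
            return False
        return any(rule.allows(req) for rule in self.rules)


def can_i(bindings: List[Binding], req: Request) -> bool:
    """Kubernetes RBAC is purely additive: allowed if any binding matches."""
    return any(b.covers(req) for b in bindings)


# The operator's default ClusterRole from the page: read-only, cluster-wide.
OPERATOR_READONLY = [Rule(["*"], ["*"], ["get", "list", "watch"])]
# What cluster-admin amounts to for namespaced and cluster-scoped resources.
CLUSTER_ADMIN = [Rule(["*"], ["*"], ["*"])]
# Assumption: the full-access Role the operator binds to the controller
# inside the instance's own namespace.
NAMESPACE_ADMIN = [Rule(["*"], ["*"], ["*"])]

# Restricted child (namespaceRoleBinding.enabled=true) in labs-ci-cd.
CHILD_LABS_CI_CD = [
    Binding(OPERATOR_READONLY),                        # ClusterRoleBinding
    Binding(NAMESPACE_ADMIN, namespace="labs-ci-cd"),  # RoleBinding
]
# The master, which keeps cluster-admin.
MASTER_ARGOCD = [Binding(CLUSTER_ADMIN)]

# The request the tekton app's sync makes: an OLM Subscription in
# openshift-operators.
CREATE_TEKTON_SUBSCRIPTION = Request(
    verb="create", resource="subscriptions",
    api_group="operators.coreos.com", namespace="openshift-operators")


def explain(who: str, bindings: List[Binding], req: Request) -> str:
    verdict = "allowed" if can_i(bindings, req) else "forbidden"
    scope = req.namespace or "<cluster>"
    return "%s: %s %s in %s -> %s" % (who, req.verb, req.resource, scope, verdict)


if __name__ == "__main__":
    checks = [
        CREATE_TEKTON_SUBSCRIPTION,
        Request("create", "deployments", "apps", "labs-ci-cd"),
        Request("list", "pods", "", "openshift-operators"),
        Request("create", "clusterroles", "rbac.authorization.k8s.io"),
    ]
    for who, bindings in (("child labs-ci-cd", CHILD_LABS_CI_CD),
                          ("master-argocd", MASTER_ARGOCD)):
        for req in checks:
            print(explain(who, bindings, req))
```

The child can still deploy into its own namespace and read everything cluster-wide, but cannot create anything outside `labs-ci-cd` or at cluster scope, which is exactly the boundary you want for a restricted child. On a live cluster the authoritative check is `oc auth can-i create subscriptions.operators.coreos.com -n openshift-operators --as=system:serviceaccount:labs-ci-cd:argocd-argocd-application-controller`.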

You can install the tekton app from the `master-argocd` instance, though, since its controller keeps cluster-admin.

If you restrict the children, you will also want to control which adult users and groups have admin/edit RBAC on the `master-argocd` and `labs-bootstrap` projects accordingly: anyone who can create or sync an Application in the master deploys with the master controller's cluster-admin privileges, so that access is effectively cluster-admin.