DO380 - ch05s03

Bookmark this page

GitOps for Cluster Administration

Objectives

Configure the default Argo CD instance from OpenShift GitOps for cluster administration.

The Red Hat OpenShift GitOps Operator

Red Hat OpenShift GitOps is an operator in OperatorHub, from the Red Hat operator catalog. OperatorHub provides a latest channel, with the most recent stable version of the operator. OperatorHub also provides gitops-version channels, such as the gitops-1.10 channel, to install specific versions of the operator.

You can install the operator in a similar way to any other operator, for example by using the installation wizard from the web console. You can use the default operator installation options, although most deployments require customization after the operator installation.

The operator creates its workload in the openshift-gitops-operator namespace. This workload includes a deployment that monitors Argo CD custom resources and manages their workloads.

Argo CD Custom Resources

The OpenShift GitOps operator installs the ArgoCD custom resource definition. Cluster administrators can use this custom resource definition to declaratively create multiple Argo CD instances in the cluster. The operator manages the workloads to run the Argo CD instances.

With this capability, administrators can introduce instances with different permissions. Because Argo CD applications can create and modify any type of OpenShift resource, limiting the permissions of Argo CD instances can reduce risks. With the OpenShift GitOps operator, you can create Argo CD instances by creating a custom resource that describes an instance (including RBAC configuration), and the operator manages the Argo CD instance. This process helps administrators apply the principle of least privilege, by creating Argo CD instances with granular permissions.

Warning

Any user that can push resources to an application Git repository can perform operations with the permissions of the Argo CD instance, even without direct access to the Kubernetes API or Argo CD. For example, these operations might delete data or override access control, whether by accident or malicious intent. Although Argo CD has role-based access control for its resources, Argo CD trusts the content of the application Git repositories. Follow the same considerations for access control for the Git repositories as for granting cluster permissions.

You can also set repositories as private, and configure Argo CD to use credentials to access repositories.

OpenShift GitOps includes further resources. For example, Argo CD uses the Application custom resource to manage applications. When you create an application with the Argo CD web interface, Argo CD creates an Application custom resource. This course does not cover working with those resources.

The Default Argo CD Instance

By default, the OpenShift GitOps operator creates a default Argo CD instance with the openshift-gitops name for both the instance and the namespace. This default instance has a set of permissions to support cluster administration. Red Hat recommends using this instance only for administering the cluster or for creating other instances for regular application deployment with minimal privileges.

The default instance has a limited configuration that might require further configuration to meet organizational requirements.

With the openshift-gitops-server route in the openshift-gitops namespace, the Argo CD web console is accessible outside the OpenShift cluster. By default, the web console is at the openshift-gitops-server-openshift-gitops.apps.cluster_domain URL.

Setting the Default Argo CD Instance as Unmanaged

The operator manages the default Argo CD instance. If you modify the instance, then the operator can revert your changes.

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  creationTimestamp: "2024-01-02T11:27:35Z"
  finalizers:
  - argoproj.io/finalizer
  generation: 1
  name: openshift-gitops
  namespace: openshift-gitops
  ownerReferences:
  - apiVersion: pipelines.openshift.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: GitopsService
    name: cluster
    uid: a7a0a073-0328-449e-8ffc-038854feb1c9
  resourceVersion: "262080"
  uid: 1d530e04-8068-4f6f-a066-c3ae36ba34f4
spec:
  applicationSet:
...output omitted...

For example, if you remove the ownerReferences key from the instance metadata, then the operator does not restore the instance.

However, setting the default instance as unmanaged might prevent operator updates from applying updates to the default instance. You can also consider ignoring the default instance (or setting it as unmanaged and deleting it, to save resources), and always creating your own instance. Depending on the criticality of your environment, consider extra testing of operator updates in a non-production environment.

Configuring Argo CD RBAC

Users can interact with Argo CD through the Kubernetes API, or through the Argo CD API, web interface, or command-line tool. Each Argo CD instance has a role-based access control system to manage permissions in the Argo CD interfaces.

Argo CD can use both local users that are defined in Argo CD and users from external authentication systems. The OpenShift GitOps operator includes features to automate integration with the OpenShift cluster authentication.

The default Argo CD instance includes a local admin user. This user has full permissions in the Argo CD interfaces. Argo CD updates the cluster by using a Kubernetes service account. Even unrestricted users in Argo CD are limited in how they can update the cluster, according to the permissions of the Argo CD service account.

The openshift-gitops-cluster secret in the openshift-gitops namespace contains the password for this user. Although this user can be suitable for small environments or experiments in test clusters, administrators usually integrate Argo CD with other authentication sources, such as the OpenShift cluster authentication.

The following excerpt from the default Argo CD instance shows the default authentication configuration:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
...output omitted...
spec:
...output omitted...
  rbac:
    defaultPolicy: ""
    policy: |
      g, system:cluster-admins, role:admin
      g, cluster-admins, role:admin
    scopes: '[groups]'
...output omitted...
  sso:
    dex:
      openShiftOAuth: true
...output omitted...

The rbac key contains the Argo CD role-based access control configuration. This configuration grants the admin role to the cluster-admins group.

You can create a cluster-admins group in the cluster and add users to have administrator privileges for the Argo CD instance. Alternatively, you can edit the policy to grant administrator privileges to existing groups.

Warning

Argo CD resources, such as applications, are Kubernetes resources. Argo CD RBAC controls the use of resources through Argo CD, not through the Kubernetes API.

Use Kubernetes role-based access control to prevent access to Argo CD Kubernetes resources through the Kubernetes API.

The sso key contains the authentication configuration. In the default Argo CD instance, the openShiftOAuth key is set to the true value. With this configuration, OpenShift users can log in to the Argo CD web console by clicking LOG IN VIA OPENSHIFT. By default, OpenShift users have limited privileges.

Configuring Trusted Certificates for Git Repository Access

Argo CD validates HTTPS certificates when accessing Git repositories, and can access only trusted repositories.

The repo server component of Argo CD handles communicating with Git repositories. To change the trusted certificate authorities, modify the certificate bundle in the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem path of the repo server.

The Argo CD custom resource contains fields to customize the repo server, similar to the volumes and volumeMounts keys of a pod template. The following example shows how to replace the certificate bundle with a bundle that is stored in a configuration map:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
...output omitted...
spec:
...output omitted...
  repo:
    volumeMounts:
    - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
      name: volume_name
      subPath: bundle_name
    volumes:
    - configMap:
        name: configuration_map_name
      name: volume_name
...output omitted...

Configuring the Cluster Certificate Authority

If your repositories use certificates that the cluster certificate authority signed (for example, you expose them by using OpenShift routes), then you can use certificate injection to help configure Argo CD to trust the repositories.

Create an empty configuration map in the openshift-gitops namespace. Add the config.openshift.io/inject-trusted-cabundle label to the configuration map with the true value. OpenShift adds the bundle with the cluster certificate authority to the configuration map, in the ca-bundle.crt key. Then, you can follow the previous example to configure the repo server to trust the bundle.

Customizing the Argo CD Web Interface Certificate

The default Argo CD instance has its own self-signed HTTPS certificate. The Argo CD resource has a termination key to change the route termination. Use the reencrypt termination so that Argo CD uses the default router certificate.

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
...output omitted...
spec:
...output omitted...
  server:
...output omitted...
    route:
      enabled: true
      tls:
        termination: reencrypt
...output omitted...

The Argo CD Web Interface

By default, the web console for an Argo CD instance is at the argo_cd_instance-server-namespace.apps.cluster_domain URL. Log in to Argo CD by accessing this URL.

Figure 5.1: The Argo CD login page

If the Argo CD instance is configured with the openShiftOAuth key, then click LOG IN VIA OPENSHIFT to log in by using the cluster authentication.

Alternatively, you can use the Username and Password fields, and the SIGN IN button to use Argo CD local users.

When you log in, the web console displays the Applications page. The web console contains a navigation panel:

Figure 5.2: The Argo CD navigation panel

You can view and create applications in the Applications page. You can use the User Info page to view details about the logged-in user. These details can be useful to troubleshoot authentication issues.

Figure 5.3: The Argo CD applications page

Figure 5.4: Application details

The application details page displays the Kubernetes resources that are associated with an Argo CD application. For each resource, you can view the synchronization status and resource details.

Important

When Argo CD displays a large amount of resources, the web interface might not be easy to work with.

Because Argo CD displays both the resources in your application and related resources, more resources might be displayed than expected.

To reduce the number of displayed resources, you can collapse resources to hide dependent resources.

With large applications, you might need to use other means of examining resources, such as the kubectl and oc commands, or the Kubernetes API.

Creating Applications

You can create Argo CD applications by using the Kubernetes API, the argocd command-line application, or the web console.

By default, the Argo CD web console shows a form to customize the application. The console also provides a YAML resource editor, which is similar to the OpenShift web console.

Figure 5.5: Application creation form

Use the following fields to create your application:

Application Name: The application resource name.
Project Name: Argo CD uses projects to group applications and to apply further access controls. Projects are not covered in this course. You can create applications in the default project that Argo CD provides.
Sync Policy: The Automatic policy synchronizes periodically. With the Manual policy, administrators must trigger synchronizations.
Retry: As described later in this lecture, you can use these fields to add retries to the synchronization process. You might need to configure retries when working with complex applications.
Repository URL: The URL of the repository with the application definition. If you use the HTTPS protocol to access the repository, then the repo server must trust the HTTPS certificate.
Path: The path in the Git repository that contains the resource definitions. You can define multiple applications from different paths in the same repository. A repository might also contain other content.
Cluster URL: The URL of the Kubernetes API for the cluster to deploy the application to. Use the https://kubernetes.default.svc URL to deploy to the same cluster where Argo CD is deployed.

When you create an application, Argo CD retrieves the contents of the repository. In the exercises of this course, applications are YAML files that describe application resources. Argo CD supports other ways to define applications, including the following technologies:

Kustomize
Helm charts
Jsonnet
Other configuration management tools that additional plug-ins support

Deploying Complex Resources by Using Sync Waves and Retries

Although you can usually create resources in any order and ultimately resources reach the intended state, in some cases creating resources can require further work. For example, you must create a namespace before creating the resources in the namespace. With custom resources, you usually need to wait until their operator installs the custom resource definitions.

You can use the argocd.argoproj.io/sync-wave annotation on resources to help with dependencies. The annotation value must be a positive or negative integer or zero. Resources without the annotation default to 0.

A group of resources with the same annotation is a sync wave.

Argo CD synchronizes sync waves in order, starting with sync waves with lower numbers. Argo CD synchronizes a sync wave only when all lower sync waves are healthy.

Argo CD performs a dry run before synchronizations. When deploying custom resources, the synchronization continues only if the corresponding custom resource definitions exist when Argo CD performs the dry run. To prevent this problem, add the argocd.argoproj.io/sync-options annotation to these resources by adding the SkipDryRunOnMissingResource=true option.

For example, the following manifest defines an operator subscription and a custom resource:

---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: example-operator
...output omitted...
---
kind: ExampleCustomResource
metadata:
  name: example
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/sync-wave: "1"
...output omitted...

Because the subscription does not have an explicit sync wave, Argo CD considers the subscription to be part of the 0 sync wave. Because the custom resource belongs to the 1 sync wave, Argo CD creates the custom resource only when the subscription is healthy. The sync options also exclude the custom resource from the dry run.

However, the previous example might still fail. The next section describes additional issues with deploying complex applications.

Eventual Consistency in Kubernetes

Kubernetes is a resilient distributed system, to fulfill its requirement to be a framework to run distributed systems resiliently. Building resilient distributed systems adds significant complexity.

Kubernetes uses the eventual consistency model to help achieve reliability and also preserving scalability. In distributed systems, changes must propagate to all nodes. Because systems that use eventual consistency do not apply updates immediately, updates can take a perceivable amount of time to be effective across the cluster or even in a single node.

Eventual consistency avoids some scalability and reliability issues. However, non-immediate updates add complexity to many processes, because some operations might need to wait until other operations are effective. For changes for non-immediate updates, one option is to retry operations until they succeed after dependent operations take effect. Software that works with Kubernetes often uses retries to work correctly.

Sync waves are often insufficient when working with complex applications such as operators. If you face issues with deploying applications, then consider configuring retries in your Argo CD applications for more reliable synchronization.

However, retries can clutter logs, slow down feedback loops, and hide problems. To limit problems that derive from excessive retries, consider investing effort in finding an adequate retry configuration.

Administrating Clusters with OpenShift GitOps

Although organizations often use Argo CD to deploy applications, cluster administrators can also use the default Argo CD instance to administer a cluster. By using Argo CD, administrators can customize authentication or deploy operators with all the benefits of GitOps.

When administering a cluster with Argo CD, you might need to patch existing resources, which is an uncommon scenario when deploying applications.

For example, cluster authentication uses the cluster resource of the OAuth type. You must edit this resource instead of creating other resources.

Argo CD can use the server-side apply process to edit existing resources. The server-side apply process is an alternative to the client-side apply process that kubectl apply and other processes use by default.

With client-side apply, commands such as kubectl apply submit the full definition of a resource to the API server. The API server overwrites the entire resource with the submitted definition.

With server-side apply, API clients submit partial resource definitions, and the API server updates only the submitted parts. Then, your application definitions can include only your changes and exclude parts of the resource that you do not want to manage.

For patching, use the ServerSideApply=true sync option. Also, add the Validate=false sync option to disable validation, because the partial resource definition might not be a valid complete resource definition.

The following manifest shows how to patch a resource:

apiVersion: operator.openshift.io/v1
kind: Console
metadata:
  name: cluster
  annotations:
    argocd.argoproj.io/sync-options: ServerSideApply=true,Validate=false
spec:
  customization:
    customProductName: Production

This specification does not contain all the fields that a full console specification requires. The Validate=false sync option ensures that even if the partial definition lacks mandatory fields, Argo CD submits the change.

This change is less likely to interfere with other changes to the cluster such as cluster updates.

References

For more information about the installation process, refer to the Installing Red Hat OpenShift GitOps chapter in the Red Hat OpenShift GitOps 1.10 Installing GitOps documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_gitops/1.10/html-single/installing_gitops/index#installing-openshift-gitops

For more information about certificate injection, refer to the Certificate Injection Using Operators section in the Configuring a Custom PKI chapter in the Red Hat OpenShift Container Platform 4.14 Networking documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/networking/index#certificate-injection-using-operators_configuring-a-custom-pki

For more information about Argo CD role-based access control, refer to the Access Control and User Management chapter in the Red Hat OpenShift GitOps 1.10 Access Control and User Management documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_gitops/1.10/html-single/access_control_and_user_management/index#configuring-argo-cd-rbac

For more information about cluster administration with OpenShift GitOps, refer to the Declarative Cluster Configuration chapter in the Red Hat OpenShift GitOps 1.10 Declarative Cluster Configuration documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_gitops/1.10/html-single/declarative_cluster_configuration/index#configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations

Server-Side Apply

Discuss Red Hat OpenShift Administration III: Scaling Deployments in the Enterprise

Go to community

Welcome to Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise!

Syed

12 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO378.Read more about Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise here.

Revision: do380-4.14-397a507