ArgoCD
ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes. It automates the deployment of applications and infrastructure by synchronizing the desired state defined in Git repositories with the actual state in Kubernetes clusters. It is the primary GitOps tool for Natron Managed Kubernetes Service customers and is actively maintained by Natron.
Key Features
- Declarative GitOps: ArgoCD uses Git repositories as the source of truth for defining the desired state of applications and infrastructure.
- Automated Synchronization: ArgoCD continuously monitors Git repositories and automatically applies changes to the Kubernetes cluster to ensure that the actual state matches the desired state.
- Multi-Cluster Support: ArgoCD can manage applications across multiple Kubernetes clusters from a single control plane.
- Role-Based Access Control (RBAC): ArgoCD provides fine-grained access control to manage permissions for users and teams.
- Web UI and CLI: ArgoCD offers both a web-based user interface and a command-line interface for managing applications and deployments.
Accessing ArgoCD in Natron Managed Kubernetes Service
To access ArgoCD in your Natron Managed Kubernetes cluster, you can either use the ArgoCD web UI or the ArgoCD CLI tool.
ArgoCD Web UI
The ArgoCD web UI provides a user-friendly interface for managing your applications and deployments. Use Teleport Connect or the Teleport Web UI to access your Kubernetes cluster.
Open Teleport
Launch the Teleport Connect application or access the Teleport Web UI and log in to your Teleport cluster.
Locate ArgoCD Application
In Teleport, look for the argocd application. You can use the filter and search for the application type to find it quickly.
Access ArgoCD Web UI
Click Launch to open the ArgoCD web UI in your browser.
Log in to ArgoCD
Log into your ArgoCD instance using your configured SSO provider or local ArgoCD credentials.
ArgoCD CLI
To use the ArgoCD CLI, you need to install it on your local machine. Follow the official ArgoCD CLI Installation Guide for instructions. After installing the CLI, you can log in to your ArgoCD instance using the following command:
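```bash
argocd login <ARGOCD_SERVER> --username <USERNAME> --password <PASSWORD>
```

Replace <ARGOCD_SERVER>, <USERNAME>, and <PASSWORD> with your ArgoCD server address and credentials. If you omit --password, the CLI prompts for it, which keeps the password out of your shell history and the process list.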
For SSO login, use the --sso, --sso-launch-browser, or --sso-port flags as needed. Refer to the ArgoCD CLI Login Documentation for more details.
Best Practices & Concepts
Application Structure
In the Natron architecture, the Root Application acts as an "App of Apps" and is deployed itself by FluxCD. This pattern allows for managing multiple applications declaratively.
Namespace Management
There are two main options to create namespaces for your applications:
1. Using a Kustomization
Deploy an additional ns.yaml Namespace file with Kustomize alongside your application and set spec.destination.namespace to this Namespace.
2. ArgoCD Auto Create
Use the managedNamespaceMetadata feature inside the Application manifest:
```yaml
# Both keys sit under spec.syncPolicy of the Application
managedNamespaceMetadata:
  labels:
    app.kubernetes.io/managed-by: argocd-namspace-autocreation
  annotations:
    gitops.natron.io/application: 'podinfo'
syncOptions:
  - CreateNamespace=true
```

| Feature | Kustomize | ArgoCD Auto Create |
|---|---|---|
| Control | Full Control | Limited (Labels/Annotations) |
| Deletion | Auto Deletion | No Auto Pruning |
| Visibility | Shows in UI | Does not show in UI |
| Complexity | Extra YAML files | Config in App manifest |
Resource Deletion
Resources can be deleted in several ways, each with different behavior.
Pruning
- Manual Sync: Pruning happens by default. Can be disabled per resource: `argocd.argoproj.io/sync-options: Prune=false`.
- Automated Sync: Pruning needs to be explicitly enabled: `spec.syncPolicy.automated.prune: true`.
Finalizers
By default, if an application is deleted, its resources remain. To delete resources when the App is deleted, use a finalizer:
resources-finalizer.argocd.argoproj.io
| Deletion Method | Behavior |
|---|---|
| Foreground | Resources are "Terminating" until fully deleted (K8s Default). |
| Background | Resources are deleted immediately from API; deletion happens in background. |
| Non-cascading | Only delete ArgoCD Application, but not its resources. |
> [!WARNING]
> If you delete an App via the ArgoCD UI, it will automatically add the finalizer and delete sub-resources if you choose foreground or background deletion!
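
The fragments from Namespace Management and Resource Deletion assembled into one Application manifest, as an added example that is not part of Natron's documentation. The repository URL, path, project, revision and the PersistentVolumeClaim are placeholder assumptions.

```yaml
# Added example: repoURL, path, project and names are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: podinfo
  namespace: argocd
  finalizers:
    # Deleting this Application also deletes the resources it deployed.
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: https://git.example.com/platform/apps.git  # placeholder
    targetRevision: main
    path: podinfo
  destination:
    server: https://kubernetes.default.svc
    namespace: podinfo
  syncPolicy:
    automated:
      prune: true  # automated sync only prunes when this is set
    managedNamespaceMetadata:
      labels:
        app.kubernetes.io/managed-by: argocd-namspace-autocreation
      annotations:
        gitops.natron.io/application: 'podinfo'
    syncOptions:
      - CreateNamespace=true
---
# A resource in the Git source that is excluded from pruning
# (hypothetical PVC; it stays in the cluster if removed from Git).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: podinfo-data
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
```

With the finalizer present, removing this Application from the Root Application's Git source cascades to the deployed workload, so review which Applications carry it before deleting or renaming them.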
SOPS Decryption
If you need SOPS decryption before build (using a Config Management Plugin), you can specify the plugin in your Application spec:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
  source:
    plugin:
      name: test # or specific plugin name
```

Why we are not using ApplicationSets
While ApplicationSets allow generating Applications, we generally avoid them due to:
- Templating Limitations: Limited to `fasttemplate` (no complex Go templating).
- Multiple Sources Issues: Require multiple sources for value files, which is not fully supported by the GUI and can complicate rollbacks.
- Redundancy: Managing `targetRevision` per client becomes redundant without using generic generators, which lack flexibility.
Troubleshooting
App Stuck in Sync
If an app is stuck in Sync or unable to refresh, it might be due to a bug with the diff of the valuesObject.
Solution: Delete the .status data of the Application. This forces a fresh state calculation.
Delete App in "Unknown" Status
If an Application is stuck in deletion (e.g. because the cluster is gone), you can force prune it by removing finalizers:
```bash
kubectl patch app -n argocd <app-name> -p '{"metadata": {"finalizers": null}}' --type merge
```

Support
If you encounter any issues or have questions about using ArgoCD with Natron Managed Kubernetes Service, please reach out to Natron Support for assistance.