ArgoCD on AKS with AGIC and Azure AD Authentication

A key to a successful Kubernetes deployment is a solid, automated foundation: deploy the cluster with Infrastructure as Code and bootstrap it with the minimum required components. One option is to use Azure Bicep to deploy an AKS cluster with Application Gateway Ingress Controller (see my previous blog post), and to bootstrap it with ArgoCD. ArgoCD then handles all further deployments (both platform components and apps) using GitOps.

Bootstrapping with ArgoCD is simple enough in theory using Helm, but a few extra settings are needed for it to work behind AGIC. I’ve also decided to include how to configure the cluster with automatic certificates from Buypass (awaiting my PR fixing the documentation on Microsoft Docs), as well as how to configure ArgoCD with authentication using Azure AD.

Assuming we have a cluster with AGIC and a functioning CD pipeline, the first step is to install cert-manager, which retrieves and renews certificates automatically. The ClusterIssuer below solves the ACME HTTP-01 challenge through an ingress, so it must be annotated for AGIC or the challenge will never be exposed.

# Download and install helm
curl -fsSL -o get_helm.sh \
https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

# Install cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install cert-manager jetstack/cert-manager \
--set installCRDs=true --namespace cert-manager \
--create-namespace --version v1.7.1

# Deploy ClusterIssuer using variables passed from CD pipeline
clusterissuervar="apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: buypass-prod
spec:
  acme:
    email: $ACME_EMAIL
    server: https://api.buypass.com/acme/directory
    privateKeySecretRef:
      name: buypass-prod
    solvers:
    - http01:
        ingress:
          ingressTemplate:
            metadata:
              annotations:
                kubernetes.io/ingress.class: azure/application-gateway"
echo "$clusterissuervar" | kubectl apply -f -

Next up is to register and configure the Azure AD application used by ArgoCD for SSO. Follow the first two steps of ArgoCD’s Azure AD instructions (the app registration and the groups claim), and assign two groups to the application (e.g. using the portal). The RBAC policy below refers to the groups by their object IDs, which is what Azure AD emits in the groups claim, not by display name. Note that Azure AD omits the groups claim (and emits an overage claim instead) for users who are members of more than 200 groups; such users will fall through to ArgoCD’s default policy.

# Setting required values for ArgoCD Azure AD Authentication
oidcvar="name: Azure AD
issuer: https://login.microsoftonline.com/$AZURE_TENANT/v2.0
clientID: $ARGO_CLIENTID
clientSecret: \$oidc.azure.clientSecret
requestedIDTokenClaims:
    groups:
        essential: true
requestedScopes:
    - openid
    - profile
    - email"

# Setting ArgoCD RBAC policy referring to Azure AD group object IDs.
# Commas are escaped because helm --set treats an unescaped comma as a value separator.
policyvar="g\, $ARGO_ADMINGROUP\, role:admin
g\, $ARGO_READGROUP\, role:readonly"

The last piece of the puzzle is the remaining Helm values required for ArgoCD to use AGIC as ingress and cert-manager for its certificate. These values are static and are therefore placed in a yaml file. The --insecure flag makes argocd-server serve plain HTTP, which is what we want when TLS is terminated at the Application Gateway; be aware that this also means traffic between the gateway and the argocd-server pod inside the cluster is unencrypted.

# values.yaml
server:
  ingress:
    enabled: true
    annotations:
      # Let AGIC pick up the ingress and cert-manager issue the certificate
      kubernetes.io/ingress.class: azure/application-gateway
      cert-manager.io/cluster-issuer: buypass-prod
  extraArgs:
    # TLS is terminated at the Application Gateway, so serve HTTP to the backend
    - --insecure

Finally, we can deploy ArgoCD with an automatic certificate from cert-manager, ingress through AGIC, and Azure AD authentication.

# Derive the ingress TLS secret name from the FQDN (argocd.example.com -> argocd-example-com)
tlssecret=$(echo "$DNS_FQDN" | tr . -)

# Install argocd using previously created vars and the values.yaml file.
# The client secret is passed via --set; mark $ARGO_SECRET as a secret in the
# pipeline so it is masked in job logs.
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm upgrade --install argocd argo/argo-cd -f values.yaml \
--namespace argocd --create-namespace \
--set "server.ingress.hosts[0]=$DNS_FQDN" \
--set "server.config.url=https://$DNS_FQDN" \
--set "server.config.oidc\.config=$oidcvar" \
--set "server.rbacConfig.policy\.csv=$policyvar" \
--set "configs.secret.extra.oidc\.azure\.clientSecret=$ARGO_SECRET" \
--set "server.ingress.tls[0].hosts[0]=$DNS_FQDN" \
--set "server.ingress.tls[0].secretName=$tlssecret"

To wrap it up, these are the required variables/secrets passed from the CD pipeline:

  • $ACME_EMAIL – Email address for notifications from the ACME provider
  • $AZURE_TENANT – Azure AD tenant ID
  • $ARGO_CLIENTID – Client (application) ID of the AAD app used for ArgoCD authentication
  • $ARGO_ADMINGROUP – Object ID of the Azure AD group mapped to ArgoCD role:admin
  • $ARGO_READGROUP – Object ID of the Azure AD group mapped to ArgoCD role:readonly
  • $DNS_FQDN – FQDN for ArgoCD (e.g. argocd.eldar.cloud)
  • $ARGO_SECRET – Client secret of the AAD app used for ArgoCD authentication (store as a pipeline secret)
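As an added example (not part of the original post), the script below runs pre-flight checks on the pipeline variables listed above before helm is invoked, and renders the two values that need care when passed through helm --set: the RBAC policy.csv, whose commas must be escaped, and the TLS secret name derived from the FQDN. A group display name pasted where an object ID belongs produces a policy that silently matches nobody, which is the failure this catches. The function names and the GUIDs in main are my own placeholders, not real tenant, application or group IDs.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# pipeline variables and rendering of the helm --set values that need
# escaping. Function names and the sample values in main() are invented.
set -eu

# Azure AD tenant, client and group IDs are GUIDs. A group display name
# pasted by mistake would yield a policy.csv that matches nobody, silently.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Hostname acceptable to cert-manager and AGIC: dot-separated labels of
# letters, digits and hyphens, at least one dot, no trailing dot.
is_fqdn() {
  printf '%s' "$1" | grep -Eq '^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$'
}

# Same derivation as the post's `tr . -`: argocd.example.com -> argocd-example-com
tls_secret_name() {
  printf '%s' "$1" | tr . -
}

# Render policy.csv with every comma escaped, because `helm --set` treats an
# unescaped comma as a separator between values. Prints two lines.
render_policy() {
  printf 'g\\, %s\\, role:admin\ng\\, %s\\, role:readonly\n' "$1" "$2"
}

# Check every variable and report all problems at once; returns non-zero
# if any check failed so the pipeline stops before running helm.
validate_vars() {
  rc=0
  for pair in "AZURE_TENANT=${AZURE_TENANT:-}" \
              "ARGO_CLIENTID=${ARGO_CLIENTID:-}" \
              "ARGO_ADMINGROUP=${ARGO_ADMINGROUP:-}" \
              "ARGO_READGROUP=${ARGO_READGROUP:-}"; do
    name=${pair%%=*}
    value=${pair#*=}
    is_guid "$value" || { echo "$name is not a GUID: '$value'" >&2; rc=1; }
  done
  is_fqdn "${DNS_FQDN:-}" || { echo "DNS_FQDN is not a valid hostname" >&2; rc=1; }
  case "${ACME_EMAIL:-}" in
    *@*.*) ;;
    *) echo "ACME_EMAIL is not an email address" >&2; rc=1 ;;
  esac
  [ -n "${ARGO_SECRET:-}" ] || { echo "ARGO_SECRET is empty" >&2; rc=1; }
  [ "${ARGO_ADMINGROUP:-}" != "${ARGO_READGROUP:-}" ] \
    || { echo "admin and read-only groups must differ" >&2; rc=1; }
  return $rc
}

# Constructed sample run; the GUIDs are placeholders, not real IDs.
main() {
  export ACME_EMAIL=ops@example.com
  export AZURE_TENANT=11111111-1111-1111-1111-111111111111
  export ARGO_CLIENTID=22222222-2222-2222-2222-222222222222
  export ARGO_ADMINGROUP=33333333-3333-3333-3333-333333333333
  export ARGO_READGROUP=44444444-4444-4444-4444-444444444444
  export DNS_FQDN=argocd.example.com
  export ARGO_SECRET=placeholder-client-secret
  validate_vars
  echo "tls secret: $(tls_secret_name "$DNS_FQDN")"
  echo "policy.csv as passed to helm --set:"
  render_policy "$ARGO_ADMINGROUP" "$ARGO_READGROUP"
}

main
```

In a real pipeline, drop main and call validate_vars against the variables the pipeline injects; a non-zero exit stops the job before helm runs with a broken policy or an unissuable certificate.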
