ArgoCD on AKS with AGIC and Azure AD Authentication

A key point to a successful Kubernetes deployment is to have a solid and automated foundation by deploying the cluster with Infrastructure as Code and bootstrapping it with minimum required components. One option is to use Azure Bicep to deploy an AKS cluster with Application Gateway Ingress Controller (see my previous blog post), and bootstrapping it with ArgoCD. ArgoCD enables further deployments (both platform and apps) using GitOps.

Bootstrapping with ArgoCD is simple enough in theory using Helm, but requires some minor configurations to function with AGIC. I’ve also decided to include how to configure the cluster with automatic certificates from buypass (awaiting my PR fixing the documentation on Microsoft Docs), as well as how to configure ArgoCD with authentication using Azure AD.

Assuming we have a cluster with AGIC and a functioning CD pipeline, the first step is to install cert-manager for automatic certificate retrieval and renewal.

# Download and install helm
curl -fsSL -o \
chmod 700

# Install cert-manager
helm repo add jetstack
helm repo update
helm upgrade --install cert-manager jetstack/cert-manager \
--set installCRDs=true --namespace cert-manager \
--create-namespace --version v1.7.1

# Deploy ClusterIssuer using variables passed from CD pipeline
kind: ClusterIssuer
  name: buypass-prod
    email: $ACME_EMAIL
      name: buypass-prod
    - http01:
echo "$clusterissuervar" | kubectl apply -f -

Next up is to register and configure the Azure AD Application used by ArgoCD for SSO. Follow the first two points in the instructions by ArgoCD, and assign two groups to the application (e.g. using the portal).

# Setting required values for ArgoCD Azure AD Authentication
oidcvar="name: Azure AD
clientSecret: \$
        essential: true
    - openid
    - profile
    - email"

# Setting ArgoCD RBAC policy referring to Azure AD groupIds
policyvar="g\, $ARGO_ADMINGROUP\, role:admin
g\, $ARGO_READGROUP\, role:readonly"

The last piece of the puzzle is to configure the remaining helm values required for ArgoCD to use AGIC as ingress and cert-manager for certificate. All of the remaining helm values are static and are therefore placed in a yaml-file.

# values.yaml
    enabled: true
    annotations: azure/application-gateway buypass-prod
    - --insecure

Finally, we can deploy ArgoCD with automatic certificate from cert-manager, ingress through AGIC, and Azure AD authentication.

# Set ingress tls secret name
tlssecret=$(echo $DNS_FQDN | tr . -)

# Install argocd using previously created vars and the values.yaml file
helm repo add argo
helm repo update
helm upgrade --install argocd argo/argo-cd -f values.yaml \
--namespace argocd --create-namespace \
--set server.ingress.hosts[0]=$DNS_FQDN \ 
--set server.config.url=https://$DNS_FQDN \
--set "server.config.oidc\.config=$oidcvar" \
--set "server.rbacConfig.policy\.csv=$policyvar" \
--set "configs.secret.extra.oidc\.azure\.clientSecret=$ARGO_SECRET" \
--set server.ingress.tls[0].hosts[0]=$DNS_FQDN \
--set "server.ingress.tls[0].secretName=$tlssecret"

To wrap it up, these are the required variables/secrets passed from the CD pipeline:

  • $ACME_EMAIL – Email address for notifications from ACME provider
  • $AZURE_TENANT – Azure Tenant ID
  • $ARGO_CLIENTID – Client ID for AAD App for ArgoCD authentication
  • $ARGO_ADMINGROUP – Azure AD Group ID for ArgoCD admin group
  • $ARGO_READGROUP – Azure AD Group ID for ArgoCD read-only group
  • $DNS_FQDN – FQDN for ArgoCD (e.g.
  • $ARGO_SECRET – Client Secret for AAD App for ArgoCD authentication

One Reply to “ArgoCD on AKS with AGIC and Azure AD Authentication”

Leave a Reply

Your email address will not be published.