Merge pull request #26 from ADORSYS-GIS/22-automate-argocd-multi-tenant-cluster-configuration

feat: ArgoCD Agent Multi-Tenant Cluster Infrastructure with Terraform

Author: onelrian

.github/workflows/checks.yaml

@@ -0,0 +1,103 @@
+name: Terraform CI
+
+on:
+  pull_request:
+    paths:
+      - '**/terraform/**'
+      - '.github/workflows/terraform-ci.yaml'
+  push:
+    branches:
+      - main
+    paths:
+      - '**/terraform/**'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  terraform-fmt:
+    name: Format Check
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        component:
+          - argocd-agent
+          - argocd
+          - cert-manager
+          - ingress-controller
+          - lgtm-stack
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "~> 1.0"
+
+      - name: Terraform Format Check
+        id: fmt
+        working-directory: ${{ matrix.component }}/terraform
+        run: terraform fmt -check -recursive
+        continue-on-error: false
+
+  terraform-validate:
+    name: Validate
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        component:
+          - argocd-agent
+          - argocd
+          - cert-manager
+          - ingress-controller
+          - lgtm-stack
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "~> 1.0"
+
+      - name: Terraform Init
+        id: init
+        working-directory: ${{ matrix.component }}/terraform
+        run: terraform init -backend=false
+
+      - name: Terraform Validate
+        id: validate
+        working-directory: ${{ matrix.component }}/terraform
+        run: terraform validate -no-color
+
+  tfsec:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        component:
+          - argocd-agent
+          - argocd
+          - cert-manager
+          - ingress-controller
+          - lgtm-stack
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run tfsec
+        uses: aquasecurity/tfsec-action@v1.0.3
+        with:
+          working_directory: ${{ matrix.component }}/terraform
+          soft_fail: true
+
+

.github/workflows/terraform-ci.yaml

@@ -97,10 +97,9 @@ yarn.lock
 *.tfstate.*
 *.tfstate.backup
 *.backup
-*.tfvars
-!*.tfvars.template
 .terraform/
 .terraform.lock.hcl
+terraform.tfplan
 
 # Crash logs
 crash.log
@@ -109,3 +108,33 @@ crash.*.log
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Terraform sensitive variable files
+*.tfvars
+*.auto.tfvars
+*.auto.tfvars.json
+!*.tfvars.template
+!*.tfvars.example
+
+# Terraform override files (for personal configs)
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Environment variables with secrets
+.env.local
+*.env
+
+# PKI backups (contain sensitive keys)
+pki-ca-backup-*.yaml
+pki-ca-backup*.yaml
+pki-ca-backup*.yaml.gpg
+
+# Terraform temp files
+.principal_ip.json
+*LOG_FILE
+
+# Zencoder files
+.zencoder
+.zenflow

.gitignore

@@ -21,6 +21,9 @@ Comprehensive monitoring, logging, and distributed tracing platform built on Gra
 ### [ArgoCD GitOps Engine](argocd/README.md)
 Declarative continuous delivery system for managing Kubernetes applications and configurations through Git-based workflows.
 
+### [ArgoCD Agent (Hub-and-Spoke)](argocd-agent/README.md)
+Production-grade multi-cluster GitOps with Argo CD Agent Managed Mode for centralized control plane with distributed spoke clusters.
+
 ### [cert-manager Certificate Authority](cert-manager/README.md)
 Automated X.509 certificate lifecycle management with native support for ACME providers including Let's Encrypt.
 

README.md

@@ -0,0 +1,46 @@
+# ArgoCD Agent (Hub-and-Spoke)
+
+Multi-cluster GitOps with centralized control plane and distributed agents. Single ArgoCD UI manages applications across unlimited Kubernetes clusters.
+
+**Official Documentation**: [argocd-agent.readthedocs.io](https://argocd-agent.readthedocs.io/)  
+**GitHub Repository**: [argoproj-labs/argocd-agent](https://github.com/argoproj-labs/argocd-agent)
+
+## Architecture
+
+Hub-and-spoke pattern where hub cluster runs ArgoCD control plane (UI + Principal), spoke clusters run lightweight agents that connect via gRPC to deploy applications.
+
+**Use ArgoCD Agent when**:
+- Managing 5+ clusters across networks/clouds
+- Clusters behind NAT/firewalls need centralized GitOps
+- Need local repo servers per cluster for compliance
+
+**Use Standard ArgoCD when**:
+- < 5 clusters in same VPC with full mesh connectivity
+- Need full UI features (terminal, pod logs, tree view)
+
+See [Architecture guide](../docs/argocd-agent-architecture.md) for detailed comparison.
+
+## Deployment
+
+### Automated (Terraform)
+Recommended for production with infrastructure-as-code.
+
+See [Terraform deployment guide](../docs/argocd-agent-terraform-deployment.md)
+
+### Manual (Shell Scripts)
+Step-by-step deployment using `scripts/01-hub-setup.sh` through `05-verify.sh`.
+
+See [Terraform deployment guide](../docs/argocd-agent-terraform-deployment.md#manual-deployment-scripts) for script usage.
+
+## Configuration & Operations
+
+- **Configuration Reference**: [All Terraform variables](../docs/argocd-agent-configuration.md)
+- **Operations Guide**: [Day-2 ops, scaling, upgrades, certificates, teardown](../docs/argocd-agent-operations.md)
+- **RBAC & SSO**: [Keycloak integration](../docs/argocd-agent-rbac.md)
+- **Troubleshooting**: [Common issues and solutions](../docs/argocd-agent-troubleshooting.md)
+
+## Version Compatibility
+
+- ArgoCD Agent: v0.5.3
+- Kubernetes: 1.24-1.28
+- Terraform: >= 1.0

argocd-agent/README.md

@@ -0,0 +1,69 @@
+#!/bin/bash
+# Step 1: Control Plane Setup (Official Guide)
+# 1.1 Create Namespace
+# 1.2 Install Argo CD (Principal Profile)
+# 1.3 Enable Apps-in-Any-Namespace
+# 1.4 Expose UI
+
+set -e
+
+# Configuration
+HUB_CTX="${HUB_CTX:-}"
+VERSION="${VERSION:-v0.5.3}"
+
+# Usage
+if [ -z "$HUB_CTX" ]; then
+  echo "Usage: HUB_CTX=<context> [VERSION=v0.5.3] $0"
+  echo ""
+  echo "Example:"
+  echo "  HUB_CTX=gke_project_region_cluster VERSION=v0.5.3 $0"
+  echo ""
+  echo "Available contexts:"
+  kubectl config get-contexts -o name
+  exit 1
+fi
+
+echo "════════════════════════════════════════════════"
+echo "  Step 1: Control Plane Setup"
+echo "════════════════════════════════════════════════"
+echo ""
+
+# 1.1 Create Namespace
+echo "→ Creating namespace 'argocd'..."
+kubectl create namespace argocd --context $HUB_CTX --dry-run=client -o yaml | kubectl apply --context $HUB_CTX -f -
+
+# 1.2 Install Argo CD (Principal Profile)
+echo "→ Installing Argo CD (Principal Profile) ref=${VERSION}..."
+kubectl apply -n argocd \
+  -k "https://github.com/argoproj-labs/argocd-agent/install/kubernetes/argo-cd/principal?ref=${VERSION}" \
+  --context $HUB_CTX
+
+echo "→ Waiting for argocd-server..."
+kubectl wait --for=condition=available --timeout=300s \
+  deployment/argocd-server -n argocd --context $HUB_CTX
+
+# 1.3 Enable Apps-in-Any-Namespace
+echo "→ Enabling apps-in-any-namespace..."
+kubectl patch configmap argocd-cmd-params-cm -n argocd --context $HUB_CTX \
+  --type='merge' \
+  --patch '{"data":{"application.namespaces":"*"}}'
+
+echo "→ Restarting argocd-server..."
+kubectl rollout restart deployment argocd-server -n argocd --context $HUB_CTX
+kubectl rollout status deployment/argocd-server -n argocd --context $HUB_CTX
+
+# 1.4 Expose Argo CD UI (LoadBalancer)
+echo "→ Exposing Argo CD UI via LoadBalancer..."
+kubectl patch svc argocd-server -n argocd --context $HUB_CTX \
+  --patch '{"spec":{"type":"LoadBalancer"}}'
+
+echo "→ Waiting for External IP..."
+EXTERNAL_IP=""
+while [ -z "$EXTERNAL_IP" ]; do
+  echo "  Waiting for IP..."
+  sleep 5
+  EXTERNAL_IP=$(kubectl get svc argocd-server -n argocd --context $HUB_CTX -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null)
+done
+echo "✓ Argo CD UI available at https://$EXTERNAL_IP"
+echo ""
+echo "Step 1 Complete."