This guide will help you configure Atlas to authenticate and proxy requests to the Argo CD API.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It provides a web UI and a CLI for managing applications and their deployments.
Argo CD also provides a REST API for programmatic access to the Argo CD platform. This includes APIs for managing applications, repositories, and settings.
At the end of this guide, your running instance of Atlas will be configured to:
- Proxy HTTP requests to the Argo CD API.
- Authenticate these requests using one or more Argo CD API tokens.
Public alpha. This integration is available to all Atlas users, but the API may change.
- A running instance of Atlas. See installation guides for more details.
- A running instance of Argo CD. See installation guides for more details.
- Access to an Argo CD user with `role:admin`.
- The `argocd` CLI. See installation guides for more details.
Note: This guide currently requires TLS to be disabled on the `argo-server` service. In future releases, Atlas will support loading certificates to communicate with Argo CD over TLS.
- Use `argocd` to log into an Argo CD instance with an account that has `role:admin` privileges.

  ```sh
  argocd login <ARGOCD_SERVER>
  ```
- Edit the user list in the Argo CD `ConfigMap` to create a service account for Atlas to use to authenticate with Argo CD. This service account must have `apiKey` authentication enabled. See Create new user guide for more details. Usually this involves changing the `argocd-cm` `ConfigMap` to add a new user to the `users` list. For example, the last two lines of this `ConfigMap` add a user named `atlas`.

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    labels:
      app.kubernetes.io/name: argocd-cm
      app.kubernetes.io/part-of: argocd
    name: argocd-cm
  data:
    accounts.<ACCOUNT NAME>: apiKey
    accounts.<ACCOUNT NAME>.enabled: "true"
  ```
- Grant the service account appropriate privileges. Many times this role will be `role:admin`. Usually this means editing the `argocd-rbac-cm` `ConfigMap` to add the service account to the `policy.csv` list. For example, the last two lines of this `ConfigMap`:

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    labels:
      app.kubernetes.io/name: argocd-rbac-cm
      app.kubernetes.io/part-of: argocd
    name: argocd-rbac-cm
  data:
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      g, <ACCOUNT NAME>, role:org-admin
    policy.default: role:''
  ```
- Check that `argo-server` is running without TLS. Usually this means setting `server.insecure` to `true` in the `argocd-rbac-cm` `ConfigMap`.

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    labels:
      app.kubernetes.io/name: argocd-cmd-params-cm
      app.kubernetes.io/part-of: argocd
    name: argocd-cmd-params-cm
  data:
    server.insecure: "true"
  ```
- Deploy the updated `ConfigMap` to Argo CD. This step will vary depending on how you deployed Argo CD. For some people, it will involve updating a Helm chart; for others, it will involve running `kubectl apply -f` on a YAML file.
- Generate an API key for the service account. Save this API key somewhere safe for the subsequent steps.

  ```sh
  argocd account generate-token --account <ACCOUNT NAME>
  ```
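Before handing the generated token to Atlas, it helps to confirm what the `policy.csv` from the RBAC step actually grants the service account. The following is an added example, not code from this guide, Argo CD or Atlas: it parses the policy, resolves the account's roles through the `g` lines, and flags a binding to the built-in `role:admin` or any wildcard action. The account name `atlas` and all function names are assumptions made for the illustration.

```python
import csv
import io

# Constructed sample: the policy from the RBAC step, with "atlas" as the account name.
POLICY_CSV = """\
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
g, atlas, role:org-admin
"""

def parse_policy(text):
    """Split policy.csv text into permission (p) and grouping (g) entries."""
    perms, groups = [], []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "p" and len(row) == 6:
            perms.append(tuple(row[1:]))     # (subject, resource, action, object, effect)
        elif row[0] == "g" and len(row) == 3:
            groups.append((row[1], row[2]))  # (member, role)
    return perms, groups

def roles_for(account, groups):
    """Roles reachable from the account through g lines, followed transitively."""
    seen, todo = set(), [account]
    while todo:
        subject = todo.pop()
        for member, role in groups:
            if member == subject and role not in seen:
                seen.add(role)
                todo.append(role)
    return seen

def audit(account, text):
    """Return (allow grants that apply to the account, least-privilege findings)."""
    perms, groups = parse_policy(text)
    subjects = roles_for(account, groups) | {account}
    grants = [p for p in perms if p[0] in subjects and p[4] == "allow"]
    findings = []
    if "role:admin" in subjects:
        findings.append("bound to built-in role:admin")
    for _, resource, action, obj, _ in grants:
        if action == "*":
            findings.append(f"all actions on {resource} ({obj})")
    return grants, findings
```

Calling `audit("atlas", POLICY_CSV)` on the sample returns six grants and one finding for the wildcard on `applications`; the permissions of the built-in `role:admin` do not appear in `policy.csv`, which is why a binding to it is reported separately.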
- Choose an environment variable name for the Argo CD API token. Generally this is something like `ARGOCD_TOKEN`.
- Add the Argo CD API token you provisioned as an environment variable to your Atlas deployment. The install guides have instructions for how to do this for each deployment method. For example, if you deployed Atlas using ECS, you might add an environment variable `ARGOCD_TOKEN` to the Pulumi configuration. If you deployed using Kubernetes, you might add the `ARGOCD_TOKEN` environment variable to a `.env` file.
- Note the name of the environment variable you chose. We will use this in the next step to configure the HTTP adapter.
We can use the mom CLI to add the Argo CD API token to the Atlas configuration.
Run this command, changing:

- `YOUR_ATLAS_CONFIG.yml` to the path to your Atlas configuration file
- `ARGOCD_TOKEN` to the name of the environment variable you chose in the previous step
- `YOUR_ADAPTER_NAME` to the name you want to use for the HTTP adapter in Atlas, e.g., `argocd`
- `YOUR_ARGOCD_SERVER` to the URL of your Argo CD server, e.g., `http://argocd-server.argocd.svc`.

```sh
mom atlas config add-http-adapter \
  -f YOUR_ATLAS_CONFIG.yml \
  --adapter-name YOUR_ADAPTER_NAME \
  --base-url http://YOUR_ARGOCD_SERVER \
  -H 'Authorization: "Bearer ${{ ARGOCD_TOKEN }}"'
```

The diff in your version control system should look something like this:
diff --git a/YOUR_ATLAS_CONFIG.yml b/YOUR_ATLAS_CONFIG.yml
index 1434ece..204ebde 100644
--- a/YOUR_ATLAS_CONFIG.yml
+++ b/YOUR_ATLAS_CONFIG.yml
@@ -12,6 +12,10 @@ spec:
apiVersion: moment.dev/adapters/v1alpha1
kind: AWS
name: aws
+ - adapterRef:
+ apiVersion: moment.dev/adapters/v1alpha1
+ kind: HTTP
+ name: YOUR_ADAPTER_NAME
exposedPorts: {}
gatewayRegistration:
backoff:
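Review bot: the added `adapterRef` entry carries `name: YOUR_ADAPTER_NAME`, which has to stay identical to `metadata.name` of the HTTP adapter document appended at the end of the file, and nothing in the config ties the two together. A short comment next to the entry pointing at that document would save a confusing failure when someone renames one and not the other.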
@@ -50,3 +54,13 @@ spec:
headers:
- name: Authorization
value: '"token ${{ GITHUB_TOKEN }}"'
+---
+apiVersion: moment.dev/adapters/v1alpha1
+kind: HTTP
+metadata:
+ name: YOUR_ADAPTER_NAME
+spec:
+ baseUrl: http://YOUR_ARGOCD_SERVER
+ headers:
+ - name: Authorization
+ value: Bearer ${{ ARGOCD_TOKEN }}

The install guides have instructions for how to deploy Atlas into a variety of environments, including Kubernetes and ECS.
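Review bot: in the HTTP adapter document added at the end of the diff, `value: Bearer ${{ ARGOCD_TOKEN }}` is quoted differently from the existing GitHub header in the context lines, `value: '"token ${{ GITHUB_TOKEN }}"'`, and from the `-H` argument of the command, which wraps the value in double quotes. Please confirm which form the template evaluation expects and make the two adapters consistent. Separately, `baseUrl: http://YOUR_ARGOCD_SERVER` means the bearer token is sent unencrypted, so a comment marking this to move to https once TLS to `argo-server` is supported would be useful; note also that the scheme is hardcoded here while the text gives a full URL as the example value for `YOUR_ARGOCD_SERVER`.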
Once deployed, we can use the mom curl command to test the integration.
Be sure to replace argocd with the name you chose in the previous step if it is different.
```sh
mom curl /v1/apis/http/argocd/api/v1/applications
```

This integration can be used in Moment by creating a new cell in a Moment canvas and pasting the following code.
Note that you will need to assign `httpAdapterName` to the name you chose for the HTTP adapter in the previous step, e.g., `argocd`.

```js
// Name of the HTTP adapter configured in Atlas.
const httpAdapterName = "argocd";
// Request the Argo CD API through the Atlas proxy; Atlas adds the Authorization header.
const response = await atlasProxyFetch(`/v1/apis/http/${httpAdapterName}/api/v1/applications`);
return await response.json();
```

If the integration is working, you should see a JSON object with a list of Argo CD users.