|
| 1 | +# Rethinking Argo CD Architecture in GitOps Service |
| 2 | + |
| 3 | +### Written by |
| 4 | +- Jonathan West (@jgwest) |
| 5 | +- Originally written in June 20, 2023 |
| 6 | + |
| 7 | +This document: |
| 8 | + |
| 9 | +* Explores the advantages/disadvantages/tradeoffs of various possible Argo CD architectures, in the context of a GitOps Service |
| 10 | +* Excludes any considerations of interaction with AppStudio. |
| 11 | + |
| 12 | +## A) Current Architecture: what is currently implemented in managed-gitops repo |
| 13 | + |
| 14 | +*How it works:* Two controllers that abstract over multiple Argo CD instances: a 'backend' controller that reads the user API and updates a database with desired state of Argo CD, a 'cluster-agent' controller that lives on a Argo CD cluster acts on that state to configure one or more Argo CD instances. |
| 15 | + |
| 16 | +**Advantages:** |
| 17 | + |
| 18 | +* Already implemented |
| 19 | +* A single 'pane of glass' to control deployment from multiple Argo CD instances |
| 20 | + * e.g. CRs created in (AppStudio) user's namespace may target any Argo CD instance, even if that Argo CD instance is not on the same cluster, or even accessible from the public internet |
| 21 | +* Ability to transparently scale a single user, or users generally, across multiple Argo CD instances |
| 22 | +* Ability to transparently scale users across Argo CD instances on different clusters |
| 23 | +* Support for user-administered cluster credentials and user-administered repository credentials (e.g. GitOpsDeploymentRepositoryCredentials and GitOpsDeploymentManagedEnvironments) |
| 24 | +* Straightforward to implement deploying to a cluster behind the user's firewall (link above) |
| 25 | + |
| 26 | +**Disadvantages:** |
| 27 | + |
| 28 | +* Not a part of upstream Argo CD project |
| 29 | +* Does not use Argo CD Application API (but nothing in the architecture us from moving to this API) |
| 30 | +* Cannot use ApplicationSets (since ApplicationSets don't support multi-tenancy), or any other Argo ecosystem project that expects to be running in the Argo CD namespace. |
| 31 | +* Cannot use Argo projects that expect to generate/modify Argo CD Application CRs |
| 32 | +* Does not support Argo CD web UI or CLI |
| 33 | + |
| 34 | +## B) 'Application in any namespace' Argo CD |
| 35 | + |
| 36 | +Each user is given their own Namespace on a (AppStudio) cluster, with that namespace being an ['Application in any namespace' Namespace](https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/). We would also need some additional controller logic for setting up AppProjects, and handling validating/mutating webhooks. |
| 37 | + |
| 38 | +AppStudio (et al) would create Argo CD Application CRs within this namespace. |
| 39 | + |
| 40 | +**Advantages:** |
| 41 | + |
| 42 | +* Uses upstream Argo CD Application API |
| 43 | +* Code for this can be contributed to upstream Argo CD project (except for the additional controller logic) |
| 44 | +* Supports Argo CD web UI (and, I think, CLI?) |
| 45 | + |
| 46 | +**Disadvantages:** |
| 47 | + |
| 48 | +* See this [list of advanced use cases not supported by this model](advanced-use-cases-not-covered-by-application-in-any-namespace-gitops-service-model/advanced-use-cases-not-covered-by-application-in-any-namespace-gitops-service-model.md) |
| 49 | +* Beta feature |
| 50 | +* ~~Currently requires restart of Argo CD each time a new user (Namespace) is added.~~ For AppStudio, I think the ‘\*-tenant’ glob will work for this |
| 51 | +* Currently does not support namespace-scoped Argo CD, so it’s not possible to have multiple Argo CD instances on a single cluster, for example to allow dedicated Argo CD instances, or for scalability reasons (DevSandbox has 3000+ users for their service, split over 2-3 clusters, I believe) |
| 52 | +* No support for user namespace-scoped cluster secrets or namespace-scoped repository credentials, at this time. |
| 53 | +* Cannot use ApplicationSets (since ApplicationSets don't support multi-tenancy), or any other Argo projects that expect to be running in the Argo CD namespace. No “ApplicationSets in any Namespace” functionality. |
| 54 | +* A large customer may overwhelm the ability of a single Argo CD instance to handle all their deployments. |
| 55 | + * This mechanism prevents more than 1 Argo CD instance from reconciling a Namespace at a time. E.g. there is necessarily 1-1 from namespace to a single Argo CD. |
| 56 | + * In contrast, architecture A) could have multiple Argo CD instances reconciling a single user’s Namespace. |
| 57 | +* No single pane of glass (all Argo CD Applications a user creates will necessarily be reconciled by a single Argo CD instance: for example, you cannot have an Argo CD on another cluster reconcile that namespace) |
| 58 | +* You cannot scale across multiple Argo CD instances (without using an architecture like C): the user is tightly coupled to the cluster (and Argo CD instance) that their Argo CD instance is on. |
| 59 | +* Not clear how to use this mechanism to deploy to a cluster behind the user's firewall. |
| 60 | +* Not implemented in full: significant gaps that would need to be implemented, as described above. In aggregate, they are: repo creds, cluster creds, app project/webhooks, dedicated instances, namespace scoped ApplicationSets, restart of Argo CD. |
| 61 | + |
| 62 | +## C) Fully dedicated Argo CD instance for users and (potentially) users have admin access over that Argo CD instance |
| 63 | + |
| 64 | +Each user would have full access to their own Argo CD instance (via OpenShift GitOps). AppStudio (et al) would create Argo CD Application CRs within this namespace. |
| 65 | + |
| 66 | +**Advantages:** |
| 67 | + |
| 68 | +* Uses upstream Argo CD Application API |
| 69 | +* A part of upstream Argo CD project |
| 70 | +* Users can create any Argo CD Applications/AppProjects/Secrets they want |
| 71 | +* Users can take advantage of the full Argo CD ecosystem |
| 72 | + * For example, they could use ApplicationSet controller, since ApplicationSet controller writes directly to argocd namespace. |
| 73 | +* No need to worry about multi-tenant Argo CD. |
| 74 | +* Supports Argo CD Web UI and CLI |
| 75 | + |
| 76 | +**Disadvantages:** |
| 77 | + |
| 78 | +* No single 'pane of glass to control deployment', using the same definition as above |
| 79 | +* A large customer may overwhelm the ability of a single Argo CD instance to handle all their deployments. (And this mechanism prevents more than 1 Argo CD instance from reconciling the user's Application at a time). |
| 80 | + * Or, said another way, you cannot scale across multiple Argo CD instances: if a user overwhelms their single Argo CD instance (including replicas), we have no path forward for them. |
| 81 | +* Users can easily break their Argo CD instance, if they aren't careful |
| 82 | + * Perhaps a variant of C is one where we let uses create Applications CRs (et al), but don't allow them to touch the Argo CD itself. |
| 83 | +* Significantly more memory intensive (costly) than other solutions (need to run controllers for application, applicationset, server, repo server, redis controllers per user) |
| 84 | +* The user is tightly coupled to the cluster that their Argo CD instance is on. |
| 85 | + |
| 86 | +## D) A custom controller that is a layer of abstraction between the user and Argo CD |
| 87 | + |
| 88 | +We write a new custom controller to sync Argo CD Applications from user namespaces (e.g. ‘jgwest-tenant’) into the corresponding Argo CD instance (e.g. ‘gitops-service-argocd’). |
| 89 | + |
| 90 | +* For example, as an AppStudio user I create a 'myapp' Argo CD Application in 'jgwest-tenant'. |
| 91 | +* The custom controller sees that, and ensures there exists a corresponding 'myapp-jgwest-tenant' in ‘gitops-service-argocd’ on that cluster. |
| 92 | +* The Argo CD Application in 'jgwest-tenant' is thus never reconciled directly by Argo CD. |
| 93 | + |
| 94 | +With this architecture, a cluster might contain one or more Argo CD instances. But, those Argo CD instances are only configured to watch their own namespace: we are not using the 'Application in any namespace' feature. |
| 95 | + |
| 96 | +Arguably, option A is just a variant of this architecture, but option A is splitting the controller in 2, and using an RDBMS as the representation of Argo CD's desired state. |
| 97 | + |
| 98 | +**Advantages:** |
| 99 | + |
| 100 | +* Uses upstream Argo CD Application API |
| 101 | +* A single 'pane of glass' to control deployment (e.g. CRs created in user's namespace may target any Argo CD instance, even if it is not on the same cluster) |
| 102 | + |
| 103 | +**Disadvantages:** |
| 104 | + |
| 105 | +* Not a part of upstream Argo CD project |
| 106 | + * E.g. this would need to be contributed to argoproj-labs, not Argo CD itself. It is thus no different than A in this respect. |
| 107 | +* Not clear how to support Argo CD instances that are running inside the customer firewall (ACM agent has been floated as an option, but this idea seems like it is in its infancy, but likewise ACM is not a part of the Argo project.) |
| 108 | +* Would need to implement namespace-scoped cluster secrets, and namespace-scoped credentials |
| 109 | +* Cannot use ApplicationSets (since ApplicationSets does not support multi-tenancy), or any other Argo projects that expect to be running in the Argo CD namespace. |
| 110 | +* Does not supports Argo CD Web UI and CLI |
| 111 | +* Similar to option A, which already exists: the only major difference between A and D 1\) A uses an RDBMS, and 2\) a lack of a cluster-agent component (which makes customer firewall scenario more difficult) |
| 112 | + |
0 commit comments