With Red Hat OpenShift GitOps, you can configure Argo CD to recursively sync the content of a Git directory with an application that contains custom configurations for your cluster.
Red Hat OpenShift GitOps is installed in your cluster.
You are logged in to the Argo CD instance.
The default Argo CD instance and the accompanying controllers, installed by the Red Hat OpenShift GitOps Operator, can now run on the infrastructure nodes of the cluster by setting a simple configuration toggle.
Label the existing nodes:
$ oc label node <node-name> node-role.kubernetes.io/infra=""
Optional: If required, you can also apply taints and isolate the workloads on infrastructure nodes and prevent other workloads from scheduling on these nodes:
$ oc adm taint nodes -l node-role.kubernetes.io/infra \
    infra=reserved:NoSchedule infra=reserved:NoExecute
Add the runOnInfra toggle in the GitOpsService custom resource:
apiVersion: pipelines.openshift.io/v1alpha1
kind: GitopsService
metadata:
  name: cluster
spec:
  runOnInfra: true
Optional: If taints have been added to the nodes, then add tolerations to the GitOpsService custom resource, for example:
spec:
  runOnInfra: true
  tolerations:
  - effect: NoSchedule
    key: infra
    value: reserved
  - effect: NoExecute
    key: infra
    value: reserved
Verify that the workloads in the openshift-gitops namespace are now scheduled on the infrastructure nodes by viewing Pods → Pod details for any pod in the console UI.
Argo CD provides a dashboard which allows you to create applications.
This sample workflow walks you through the process of configuring Argo CD to recursively sync the content of the cluster directory to the cluster-configs application. The directory defines the OpenShift Container Platform web console cluster configurations that add a link to the Red Hat Developer Blog - Kubernetes under the menu in the web console, and defines a namespace spring-petclinic on the cluster.
In the Argo CD dashboard, click NEW APP to add a new Argo CD application.
For this workflow, create a cluster-configs application with the following configurations:
Click CREATE to create your application.
Open the Administrator perspective of the web console and navigate to Administration → Namespaces in the menu on the left.
Search for and select the namespace, then enter argocd.argoproj.io/managed-by=openshift-gitops in the Label field so that the Argo CD instance in the openshift-gitops namespace can manage your namespace.
You can create Argo CD applications in your terminal by using the
Download the sample application:
$ git clone git@github.com:redhat-developer/openshift-gitops-getting-started.git
Create the application:
$ oc create -f openshift-gitops-getting-started/argo/app.yaml
Run the oc get command to review the created application:
$ oc get application -n openshift-gitops
Add a label to the namespace your application is deployed in so that the Argo CD instance in the openshift-gitops namespace can manage it:
$ oc label namespace spring-petclinic argocd.argoproj.io/managed-by=openshift-gitops
In the Argo CD dashboard, notice that the cluster-configs Argo CD application has the statuses Missing and OutOfSync. Because the application was configured with a manual sync policy, Argo CD does not sync it automatically.
Click SYNC on the cluster-configs tile, review the changes, and then click SYNCHRONIZE. Argo CD will detect any changes in the Git repository automatically. If the configurations are changed, Argo CD will change the status of the cluster-configs to OutOfSync. You can modify the synchronization policy for Argo CD to automatically apply changes from your Git repository to the cluster.
Notice that the cluster-configs Argo CD application now has the statuses Healthy and Synced. Click the cluster-configs tile to check the details of the synchronized resources and their status on the cluster.
Navigate to the OpenShift Container Platform web console and click to verify that a link to the Red Hat Developer Blog - Kubernetes is now present there.
Navigate to the Project page and search for the spring-petclinic namespace to verify that it has been added to the cluster.
Your cluster configurations have been successfully synchronized to the cluster.
By default, the Argo CD instance has permissions to manage specific cluster-scoped resources such as cluster Operators, optional OLM Operators and user management.
Argo CD does not have cluster-admin permissions.
Permissions for the Argo CD instance:
Configure the user or administrator
Optional Operators managed by OLM
Groups, Users and their permissions
Control plane Operators managed by CVO used to configure cluster-wide build configuration, registry configuration and scheduler policies
You can grant permissions for an Argo CD instance to manage cluster configuration. Create a cluster role with additional permissions and then create a new cluster role binding to associate the cluster role with a service account.
Log in to the OpenShift Container Platform web console as an admin.
In the web console, select User Management → Roles → Create Role. Use the following ClusterRole YAML template to add rules to specify the additional permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secrets-cluster-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["*"]
Click Create to add the cluster role.
Now create the cluster role binding. In the web console, select User Management → Role Bindings → Create Binding.
Select All Projects from the Project drop-down.
Click Create binding.
Select Binding type as Cluster-wide role binding (ClusterRoleBinding).
Enter a unique value for the RoleBinding name.
Select the newly created cluster role or an existing cluster role from the drop-down list.
Select the Subject as ServiceAccount and then provide the Subject namespace and name.
Click Create. The YAML file for the ClusterRoleBinding object is as follows:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-role-binding
subjects:
- kind: ServiceAccount
  name: openshift-gitops-argocd-application-controller
  namespace: openshift-gitops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
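Added example, not part of the original documentation: a Python audit over the JSON that oc get clusterrole,clusterrolebinding -o json returns, listing what the Argo CD application controller service account is granted cluster-wide and flagging wildcard verbs and secret reads. The sample objects are constructed; secrets-binding is a hypothetical binding, and the admin role is left out of the sample on purpose to show how an unresolved role reference is reported.

```python
import json

# Constructed sample in the shape `oc get clusterrole,clusterrolebinding -o json`
# returns, trimmed to the fields used. The role and the first binding mirror the
# YAML on this page; "secrets-binding" is a hypothetical second binding.
SAMPLE = json.loads("""{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "secrets-cluster-role"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-role-binding"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "openshift-gitops",
                "name": "openshift-gitops-argocd-application-controller"}],
  "roleRef": {"kind": "ClusterRole", "name": "admin"}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "secrets-binding"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "openshift-gitops",
                "name": "openshift-gitops-argocd-application-controller"}],
  "roleRef": {"kind": "ClusterRole", "name": "secrets-cluster-role"}}
]}""")

READ_VERBS = {"get", "list", "watch"}

def audit(items, sa_namespace, sa_name):
    """Return (binding, role, issue) tuples for cluster-wide grants to one service account."""
    roles = {o["metadata"]["name"]: o for o in items if o["kind"] == "ClusterRole"}
    findings = []
    for b in (o for o in items if o["kind"] == "ClusterRoleBinding"):
        bound = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                    and s.get("namespace") == sa_namespace
                    for s in b.get("subjects") or [])
        if not bound:
            continue
        binding, role_name = b["metadata"]["name"], b["roleRef"]["name"]
        role = roles.get(role_name)
        if role is None:
            # Bound role is missing from the export, so its rules cannot be judged here.
            findings.append((binding, role_name, "role not in export"))
            continue
        for rule in role.get("rules") or []:
            verbs, res = set(rule.get("verbs", [])), set(rule.get("resources", []))
            if "*" in verbs:
                findings.append((binding, role_name, "wildcard verbs on " + ",".join(sorted(res))))
            elif res & {"secrets", "*"} and verbs & READ_VERBS:
                findings.append((binding, role_name, "can read secrets"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE["items"], "openshift-gitops",
                   "openshift-gitops-argocd-application-controller"):
        print(*f, sep=" | ")
```

On a live cluster, pass the "items" list from the real export instead of SAMPLE; a "role not in export" finding means the bound role has to be reviewed separately.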