How to Establish and Modify Viewer Account on ArgoCD

ArgoCD is a tool for continuous delivery and GitOps workflows. This article is a step-by-step walkthrough of backing up your ArgoCD configuration and then making the necessary changes to the configuration map for the viewer account.

1. Take Backups

a. Export the Current ArgoCD Configuration

The first step is to create backups of your current ArgoCD configuration. This ensures that you can always revert to a stable state if needed.

kubectl get cm argocd-cm -oyaml -n argocd > argocd-cm_qa_backup.yaml
kubectl get services argocd-server -o yaml -n argocd > argocd-server_service_qa_backup.yaml
kubectl get cm argocd-rbac-cm -o yaml -n argocd > argocd-rbac-cm.yaml

b. Verify the Contents of the Backup Files and config map

To confirm that the backup files have been created successfully, use the following commands:

kubectl get cm -n argocd
kubectl get cm argocd-cm -oyaml -n argocd
cat argocd-cm_qa_backup.yaml

2. Create a New Configuration File

a. Copy the Backup Configuration File

Now, let's create a new configuration file based on the backup. This file will be your canvas for making changes.

cp -rvpf argocd-cm_qa_backup.yaml argocd-cm_qa_new.yaml

b. Edit the New Configuration File

Edit the new configuration file to add the required data field:

data:
  accounts.viewer: apiKey, login

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"accounts.viewer":"apiKey, login","resourceVersion":"9010","uid":"fe599239-2557-4127-b3d5-3faf9386a8f0"},"kind":"ConfigMap","metadata":{"annotations":{},"creationTimestamp":"2023-09-08T08:40:40Z","labels":{"app.kubernetes.io/name":"argocd-cm","app.kubernetes.io/part-of":"argocd"},"name":"argocd-cm","namespace":"argocd"}}
data:
  accounts.viewer: apiKey, login
  resourceVersion: "9010"
  uid: fe599239-2557-4127-b3d5-3faf9386a8f0
  url: https://argo.colliycool.com
  dex.config: |
    logger:
      level: debug
    connectors:
    - type: saml
      id: jumpcloud
      name: JumpCloud
      config:
        ssoURL: https://sso.jumpcloud.com/saml2/argo
        caData: |
          <base64-encoded certificate omitted>

c. Apply the Changes to the ArgoCD Configuration

To apply the changes made to the configuration file, execute the following command:

kubectl apply -f argocd-cm_qa_new.yaml

3. Install ArgoCD Utility and Login

a. Install the ArgoCD Command-Line Utility

To interact with ArgoCD from the command line, install the ArgoCD CLI utility: download it, make it executable, and move it to a directory on your system's PATH.

curl -LO https://github.com/argoproj/argo-cd/releases/download/v2.8.3/argocd-linux-amd64
chmod +x argocd-linux-amd64
sudo mv argocd-linux-amd64 /usr/local/bin/argocd

4. Access the ArgoCD API Server

Method A: Using LoadBalancer

If your ArgoCD API server is exposed via a LoadBalancer, follow these steps:

a. Change the Service Type to LoadBalancer

Modify the service type to LoadBalancer using one of the following commands:

kubectl patch svc argocd-server -n argocd --type=json -p='[{"op": "replace", "path": "/spec/type", "value": "LoadBalancer"}]'
# OR
kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'

b. Log in to ArgoCD

Log in to ArgoCD using the LoadBalancer public IP:

kubectl get svc -n argocd
argocd login <LoadBalancer public IP> --username admin

kubectl get svc
NAME                                     TYPE          CLUSTER-IP      EXTERNAL-IP  PORT(S)                     AGE
argocd-applicationset-controller         ClusterIP     172.20.2.208    <none>       7000/TCP,8080/TCP           169d
argocd-dex-server                        ClusterIP     172.20.109.187  <none>       5556/TCP,5557/TCP,5558/TCP  169d
argocd-metrics                           ClusterIP     172.20.38.78    <none>       8082/TCP                    169d
argocd-notifications-controller-metrics  ClusterIP     172.20.35.128   <none>       9001/TCP                    169d
argocd-redis-ha                          ClusterIP     None            <none>       6379/TCP,26379/TCP          169d
argocd-redis-ha-announce-0               ClusterIP     172.20.28.212   <none>       6379/TCP,26379/TCP          169d
argocd-redis-ha-announce-1               ClusterIP     172.20.151.54   <none>       6379/TCP,26379/TCP          169d
argocd-redis-ha-announce-2               ClusterIP     172.20.61.253   <none>       6379/TCP,26379/TCP          169d
argocd-redis-ha-haproxy                  ClusterIP     172.20.203.6    <none>       6379/TCP                    169d
argocd-repo-server                       ClusterIP     172.20.1.199    <none>       8081/TCP,8084/TCP           169d
argocd-server                            LoadBalancer  172.20.247.17   a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com  80:31774/TCP,443:32111/TCP  169d
argocd-server-metrics                    ClusterIP     172.20.55.183   <none>       8083/TCP

nslookup a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com
Address: 13.43.16.112
Name: a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com
Address: 18.169.212.131
Name: a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com
Address: 13.42.108.97

argocd login 13.43.16.112
WARNING: server is not configured with TLS. Proceed (y/n)? y
Username: admin
Password:
'admin:login' logged in successfully
Context '13.43.16.112' updated

argocd account list
NAME    ENABLED  CAPABILITIES
admin   true     login
viewer  true     apiKey, login

Method B: Using Port Forwarding

If your ArgoCD API server is exposed as a ClusterIP, follow these steps:

kubectl port-forward svc/argocd-server -n argocd 8080:443

Now, you can log in to ArgoCD by accessing it at localhost:8080:

argocd login localhost:8080

5. Update Viewer Account Password

To update the password for the viewer account, use the following command:

argocd account update-password --account viewer --new-password <new-password>

argocd account update-password --account viewer --new-password <new passwd>
*** Enter password of currently logged in user (admin):
Password updated

6. Revert ArgoCD Server Type (If Necessary)

a. Revert to ClusterIP (Method A Only)

If you followed Method A in Step 4 and need to revert to the ClusterIP service type, use the following command:

kubectl patch svc argocd-server -n argocd --type=json -p='[{"op": "replace", "path": "/spec/type", "value": "ClusterIP"}]'

❯ kubectl patch svc argocd-server -n argocd --type=json -p='[{"op": "replace", "path": "/spec/type", "value": "ClusterIP"}]'
service/argocd-server patched
❯ kubectl get svc
NAME                                     TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)                     AGE
argocd-applicationset-controller         ClusterIP  172.20.2.208    <none>       7000/TCP,8080/TCP           169d
argocd-dex-server                        ClusterIP  172.20.109.187  <none>       5556/TCP,5557/TCP,5558/TCP  169d
argocd-metrics                           ClusterIP  172.20.38.78    <none>       8082/TCP                    169d
argocd-notifications-controller-metrics  ClusterIP  172.20.35.128   <none>       9001/TCP                    169d
argocd-redis-ha                          ClusterIP  None            <none>       6379/TCP,26379/TCP          169d
argocd-redis-ha-announce-0               ClusterIP  172.20.28.212   <none>       6379/TCP,26379/TCP          169d
argocd-redis-ha-announce-1               ClusterIP  172.20.151.54   <none>       6379/TCP,26379/TCP          169d
argocd-redis-ha-announce-2               ClusterIP  172.20.61.253   <none>       6379/TCP,26379/TCP          169d
argocd-redis-ha-haproxy                  ClusterIP  172.20.203.6    <none>       6379/TCP                    169d
argocd-repo-server                       ClusterIP  172.20.1.199    <none>       8081/TCP,8084/TCP           169d
argocd-server                            ClusterIP  172.20.247.17   <none>       80/TCP,443/TCP              169d
argocd-server-metrics                    ClusterIP  172.20.55.183   <none>       8083/TCP                    169d

7. Apply the Policy in the RBAC ConfigMap

Reference: the built-in policy, https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv

kubectl apply -f argocd-rbac-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-rbac-cm","app.kubernetes.io/part-of":"argocd"},"name":"argocd-rbac-cm","namespace":"argocd"}}
  creationTimestamp: "2023-04-03T13:02:21Z"
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
  resourceVersion: "394651408"
  uid: c7c895a5-4f82-4314-9d0c-ab7ffaf02d83
data:
  policy.csv: |
    g, viewer, role:readonly
  policy.default: role:readonly

Test the viewer account.
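
An offline check for the RBAC ConfigMap from step 7, added here as an example and not part of the original article: it reads a saved argocd-rbac-cm manifest and reports any group binding, direct grant or default role that gives the viewer account more than role:readonly. The function names and the two sample manifests are constructed for illustration, and the p-line layout (subject, resource, action, object, effect) is the one used in the built-in policy file referenced above.

```shell
# Added example: offline lint of an argocd-rbac-cm manifest for one local account.
# Print the lines inside the "policy.csv: |" block scalar of a ConfigMap file.
policy_lines() {
  awk '
    /^[ ]*policy[.]csv:[ ]*[|]/ { ind = match($0, /[^ ]/); inblk = 1; next }
    inblk {
      if ($0 ~ /^[ ]*$/) next
      if (match($0, /[^ ]/) <= ind) { inblk = 0; next }
      sub(/^[ ]+/, ""); print
    }' "$1"
}

# Report anything that gives the account (default: viewer) more than read access.
viewer_findings() {
  file=$1; acct=${2:-viewer}
  policy_lines "$file" | awk -F',' -v a="$acct" '
    { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
    $1 == "g" && $2 == a {
      bound = 1
      if ($3 != "role:readonly") print "FAIL " a " is bound to " $3
    }
    $1 == "p" && $2 == a && $4 != "get" && $6 != "deny" {
      print "FAIL direct grant: " $4 " on " $3
    }
    END { if (!bound) print "WARN no g-line for " a "; only policy.default applies" }'
  def=$(sed -n 's/^[ ]*policy\.default:[ ]*//p' "$file")
  case $def in
    ""|role:readonly) ;;
    *) echo "FAIL policy.default is $def" ;;
  esac
}

# Constructed sample manifests: the article's policy and an over-privileged variant.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.yaml" <<'EOF'
data:
  policy.csv: |
    g, viewer, role:readonly
  policy.default: role:readonly
EOF
cat > "$demo_dir/bad.yaml" <<'EOF'
data:
  policy.csv: |
    g, viewer, role:admin
    p, viewer, applications, sync, */*, allow
  policy.default: role:admin
EOF
viewer_findings "$demo_dir/good.yaml"   # no output: nothing beyond role:readonly
viewer_findings "$demo_dir/bad.yaml"    # three FAIL lines
```

Against a live server, logging in as viewer and running argocd account can-i sync applications '*' should answer no, while argocd account can-i get applications '*' should answer yes.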





