1. Take Backups
a. Export the Current ArgoCD Configuration
The first step is to create backups of your current ArgoCD configuration. This ensures that you can always revert to a stable state if needed.
kubectl get cm argocd-cm -oyaml -n argocd > argocd-cm_qa_backup.yaml
kubectl get services argocd-server -o yaml -n argocd > argocd-server_service_qa_backup.yaml
kubectl get cm argocd-rbac-cm -o yaml -n argocd > argocd-rbac-cm.yaml
b. Verify the Contents of the Backup Files and ConfigMap
To confirm that the backup files have been created successfully, use the following commands:
kubectl get cm -n argocd
kubectl get cm argocd-cm -oyaml -n argocd
cat argocd-cm_qa_backup.yaml
2. Create a New Configuration File
a. Copy the Backup Configuration File
Now, let's create a new configuration file based on the backup. This file will be your canvas for making changes.
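cp -rvpf argocd-cm_qa_backup.yaml argocd-cm_qa_new.yaml
b. Edit the New Configuration File
Edit the new configuration file and add the viewer account under data. The apiKey capability lets the account generate API tokens, and login lets it sign in through the UI and CLI: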
data:
  accounts.viewer: apiKey, login
The full file after the edit:
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"accounts.viewer":"apiKey, login","resourceVersion":"9010","uid":"fe599239-2557-4127-b3d5-3faf9386a8f0"},"kind":"ConfigMap","metadata":{"annotations":{},"creationTimestamp":"2023-09-08T08:40:40Z","labels":{"app.kubernetes.io/name":"argocd-cm","app.kubernetes.io/part-of":"argocd"},"name":"argocd-cm","namespace":"argocd"}}
data:
  accounts.viewer: apiKey, login
  resourceVersion: "9010"
  uid: fe599239-2557-4127-b3d5-3faf9386a8f0
  url: https://argo.colliycool.com
  dex.config: |
    logger:
      level: debug
    connectors:
    - type: saml
      id: jumpcloud
      name: JumpCloud
      config:
        ssoURL: https://sso.jumpcloud.com/saml2/argo
        caData: |
          <base64-encoded certificate omitted>
c. Apply the Changes to the ArgoCD Configuration
To apply the changes made to the configuration file, execute the following command:
kubectl apply -f argocd-cm_qa_new.yaml
3. Install ArgoCD Utility and Login
a. Install the ArgoCD Command-Line Utility
To interact with ArgoCD from the command line, you need to install the ArgoCD CLI utility. Make it executable and move it to your system's PATH location.
curl -LO https://github.com/argoproj/argo-cd/releases/download/v2.8.3/argocd-linux-amd64
chmod +x argocd-linux-amd64
sudo mv argocd-linux-amd64 /usr/local/bin/argocd
4. Access the ArgoCD API Server
Method A: Using LoadBalancer
If your ArgoCD API server is exposed via a LoadBalancer, follow these steps:
a. Change the Service Type to LoadBalancer
Modify the service type to LoadBalancer using one of the following commands:
kubectl patch svc argocd-server -n argocd --type=json -p='[{"op": "replace", "path": "/spec/type", "value": "LoadBalancer"}]'
# OR
kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'
b. Log in to ArgoCD
Log in to ArgoCD using the LoadBalancer public IP:
kubectl get svc -n argocd
argocd login <LoadBalancer public IP> --username admin
kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
argocd-applicationset-controller ClusterIP 172.20.2.208 <none> 7000/TCP,8080/TCP 169d
argocd-dex-server ClusterIP 172.20.109.187 <none> 5556/TCP,5557/TCP,5558/TCP 169d
argocd-metrics ClusterIP 172.20.38.78 <none> 8082/TCP 169d
argocd-notifications-controller-metrics ClusterIP 172.20.35.128 <none> 9001/TCP 169d
argocd-redis-ha ClusterIP None <none> 6379/TCP,26379/TCP 169d
argocd-redis-ha-announce-0 ClusterIP 172.20.28.212 <none> 6379/TCP,26379/TCP 169d
argocd-redis-ha-announce-1 ClusterIP 172.20.151.54 <none> 6379/TCP,26379/TCP 169d
argocd-redis-ha-announce-2 ClusterIP 172.20.61.253 <none> 6379/TCP,26379/TCP 169d
argocd-redis-ha-haproxy ClusterIP 172.20.203.6 <none> 6379/TCP 169d
argocd-repo-server ClusterIP 172.20.1.199 <none> 8081/TCP,8084/TCP 169d
argocd-server LoadBalancer 172.20.247.17 a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com 80:31774/TCP,443:32111/TCP 169d
argocd-server-metrics ClusterIP 172.20.55.183 <none> 8083/TCP
nslookup a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com
Address: 13.43.16.112
Name: a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com
Address: 18.169.212.131
Name: a0160aaec4e8c4fe1a1bee07729cd1c1-1485893582.eu-west-2.elb.amazonaws.com
Address: 13.42.108.97
argocd login 13.43.16.112
WARNING: server is not configured with TLS. Proceed (y/n)? y
Username: admin
Password:
'admin:login' logged in successfully
Context '13.43.16.112' updated
argocd account list
NAME ENABLED CAPABILITIES
admin true login
viewer true apiKey, login
Method B: Using Port Forwarding
If your ArgoCD API server is exposed as a ClusterIP, follow these steps:
kubectl port-forward svc/argocd-server -n argocd 8080:443
Now, you can log in to ArgoCD by accessing it at localhost:8080:
argocd login localhost:8080
5. Update Viewer Account Password
To update the password for the viewer account, use the following command:
argocd account update-password --account viewer --new-password <new-password>
argocd account update-password --account viewer --new-password <new passwd>
*** Enter password of currently logged in user (admin):
Password updated
6. Revert ArgoCD Server Type (If Necessary)
a. Revert to ClusterIP (Method A Only)
If you followed Method A in Step 4 and need to revert to the ClusterIP service type, use the following command:
kubectl patch svc argocd-server -n argocd --type=json -p='[{"op": "replace", "path": "/spec/type", "value": "ClusterIP"}]'
❯ kubectl patch svc argocd-server -n argocd --type=json -p='[{"op": "replace", "path": "/spec/type", "value": "ClusterIP"}]'
service/argocd-server patched
❯ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
argocd-applicationset-controller ClusterIP 172.20.2.208 <none> 7000/TCP,8080/TCP 169d
argocd-dex-server ClusterIP 172.20.109.187 <none> 5556/TCP,5557/TCP,5558/TCP 169d
argocd-metrics ClusterIP 172.20.38.78 <none> 8082/TCP 169d
argocd-notifications-controller-metrics ClusterIP 172.20.35.128 <none> 9001/TCP 169d
argocd-redis-ha ClusterIP None <none> 6379/TCP,26379/TCP 169d
argocd-redis-ha-announce-0 ClusterIP 172.20.28.212 <none> 6379/TCP,26379/TCP 169d
argocd-redis-ha-announce-1 ClusterIP 172.20.151.54 <none> 6379/TCP,26379/TCP 169d
argocd-redis-ha-announce-2 ClusterIP 172.20.61.253 <none> 6379/TCP,26379/TCP 169d
argocd-redis-ha-haproxy ClusterIP 172.20.203.6 <none> 6379/TCP 169d
argocd-repo-server ClusterIP 172.20.1.199 <none> 8081/TCP,8084/TCP 169d
argocd-server ClusterIP 172.20.247.17 <none> 80/TCP,443/TCP 169d
argocd-server-metrics ClusterIP 172.20.55.183 <none> 8083/TCP 169d
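7. Apply the Policy in the RBAC ConfigMap
Reference: the built-in policy at https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv and the RBAC Configuration page of the Argo CD documentation.
In argocd-rbac-cm, the g line in policy.csv maps the viewer account to the built-in role:readonly, and policy.default assigns role:readonly to any authenticated user who has no other role.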
kubectl apply -f argocd-rbac-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-rbac-cm","app.kubernetes.io/part-of":"argocd"},"name":"argocd-rbac-cm","namespace":"argocd"}}
  creationTimestamp: "2023-04-03T13:02:21Z"
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
  resourceVersion: "394651408"
  uid: c7c895a5-4f82-4314-9d0c-ab7ffaf02d83
data:
  policy.csv: |
    g, viewer, role:readonly
  policy.default: role:readonly
Test the viewer account.
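An offline way to check what the RBAC ConfigMap above grants before testing with the real account, as an added example (not Argo CD's code and not from the original post): a simplified Python model of the policy evaluation. The built-in policy lines are a constructed, abridged excerpt, the function names are hypothetical, and glob matching with the policy.default role checked first is a simplifying assumption about how Argo CD evaluates a request.

```python
from fnmatch import fnmatchcase

# Added example: constructed, abridged excerpt in the style of builtin-policy.csv.
BUILTIN = """\
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, delete, */*, allow
g, role:admin, role:readonly
g, admin, role:admin
"""
# policy.csv and policy.default as set in argocd-rbac-cm on this page.
POLICY_CSV = "g, viewer, role:readonly\n"
POLICY_DEFAULT = "role:readonly"

def parse(csv_text):
    """Split policy text into permission rules (p) and subject->role edges (g)."""
    perms, groups = [], {}
    for line in csv_text.splitlines():
        f = [x.strip() for x in line.split(",")]
        if f[0] == "p" and len(f) == 6:
            perms.append(tuple(f[1:]))
        elif f[0] == "g" and len(f) == 3:
            groups.setdefault(f[1], set()).add(f[2])
    return perms, groups

def roles_of(subject, groups):
    """Subject plus every role it inherits, following g edges transitively."""
    seen, todo = set(), [subject]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(groups.get(s, ()))
    return seen

def _allowed(subject, request, perms, groups):
    subjects = roles_of(subject, groups)
    hits = [eft for sub, *pat, eft in perms if sub in subjects
            and all(fnmatchcase(v, p) for v, p in zip(request, pat))]
    return "allow" in hits and "deny" not in hits  # an explicit deny wins

def can_i(subject, resource, action, obj, policy_csv=POLICY_CSV, default=POLICY_DEFAULT):
    """True if the policy.default role or the subject itself may perform the action."""
    perms, groups = parse(BUILTIN + policy_csv)
    request = (resource, action, obj)
    by_default = bool(default) and _allowed(default, request, perms, groups)
    return by_default or _allowed(subject, request, perms, groups)
```

Against a live server, `argocd account can-i sync applications '*'` run while logged in as viewer asks the same question of the real policy.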
