Including Metalstack Cluster into ArgoCD

Markus Fritz

Introduction

At iSecNG, we leverage ArgoCD as our GitOps platform to streamline application deployments in Kubernetes. By defining deployments through HELM charts and storing them in Git repositories, we ensure everything is version-controlled and traceable, providing a clear audit trail for changes. ArgoCD continuously syncs with the repository, aligning the actual state of applications with their desired state.

Instead of installing ArgoCD on every cluster, we utilize a central ArgoCD instance to manage all our Kubernetes clusters. This approach enables us to harness Metalstack cloud at scale while simplifying multi-cluster management. Once integrated, deploying to different environments becomes seamless and scalable. Additionally, ArgoCD's monitoring and alerting capabilities quickly detect discrepancies, facilitating rapid issue resolution and enhancing stability.

Integrating ArgoCD into our CI/CD pipeline has significantly improved deployment speed, security, and visibility, enabling us to deliver consistent and reliable updates. To establish a persistent connection between your ArgoCD instance and the Metalstack cluster, several configurations are required.



This guide has also been included into the official documentation of metalstack.cloud

Preparing Token-based Authentication with the Kubernetes API on Metalstack Cloud

ArgoCD uses token-based authentication to securely interact with the Kubernetes API. This process is centered around the use of Service Accounts in Kubernetes, which grant external tools like ArgoCD the necessary permissions to manage cluster resources.

1. Service Account Creation: A Service Account is created in the Kubernetes cluster to represent an identity that ArgoCD will use. This Service Account is granted specific permissions (using Role-Based Access Control, or RBAC) through a ClusterRole or Role, which define the allowed actions in the cluster.

resource "kubernetes_manifest" "metal_service_account" {

  manifest = {

    "apiVersion" = "v1"

    "kind" = "ServiceAccount"

    "metadata" = {

      "name" = "argocd-manager"

      "namespace" = "kube-system"

    }

  }

}

2. Defining Permissions (RBAC): Permissions are assigned via RBAC. In this case, the Service Account is granted a ClusterRole, which provides cluster-wide access. This role is defined in the following Terraform configuration:


resource "kubernetes_manifest" "metal_cluster_role" {

  manifest = {

    "apiVersion" = "rbac.authorization.k8s.io/v1"

    "kind" = "ClusterRole"

    "metadata" = {

      "name" = "argocd-manager-role"

    }

    "rules" = [

      {

        "apiGroups" = [

          "*",

        ]

        "resources" = [

          "*",

        ]

        "verbs" = [

          "*",

        ]

      },

      {

        "nonResourceURLs" = [

          "*",

        ]

        "verbs" = [

          "*",

        ]

      },

    ]

  }

}

3. Token Generation: Kubernetes automatically generates a token for each Service Account. This token is stored as a Secret in the cluster. ArgoCD will use this token to authenticate its requests to the Kubernetes API. The following configuration generates and stores the token as a Kubernetes Secret:


resource "kubernetes_manifest" "metal_argocd_manager_token" {

  manifest = {

    "apiVersion" = "v1"

    "kind" = "Secret"

    "metadata" = {

      "annotations" = {

        "kubernetes.io/service-account.name" = "argocd-manager"

      }

      "name" = "argocd-manager-token"

      "namespace" = "kube-system"

    }

    "type" = "kubernetes.io/service-account-token"

  }

  depends_on = [ 

    kubernetes_manifest.metal_argocd_manager_role_binding

  ]

}

4. Using the Token for API Authentication: The token generated for the Service Account is a secure string used to authenticate API requests. When ArgoCD interacts with the Kubernetes API, it includes this token in the HTTP request headers using the Authorization: Bearer <token> format. This allows Kubernetes to verify ArgoCD’s identity and grant or deny access based on the permissions defined in the Service Account’s RBAC policy.

Providing the Token-based Authentication to the central ArgoCD

Once the token is configured, ArgoCD uses it to authenticate every time it needs to interact with the Metalstack cluster. This includes tasks like synchronizing application states, creating or updating resources, and monitoring the health of deployments.

  • Seamless Connection: The token allows ArgoCD to maintain a secure and continuous connection with the cluster, enabling automated management without manual intervention.
  • Controlled Access: Through RBAC, ArgoCD’s access to the cluster is tightly controlled. The ClusterRole and token restrict what ArgoCD can do, ensuring that it only has the necessary permissions.
  • Secure Communication: Token-based authentication ensures that all communication between ArgoCD and the Kubernetes API is secure, using the token as a bearer authentication mechanism to validate requests.

This method of authentication enhances security and ensures that ArgoCD can efficiently and securely manage applications within the Metalstack cluster.

Include the token into ArgoCD

To allow ArgoCD to securely connect to your Metalstack cluster, you need to provide the authentication token through a Kubernetes Secret and label the target cluster accordingly.

Prerequisites:

Before proceeding, you’ll need the following:

  1. Authentication Token: This is the token you generated in the steps described above for the argocd-manager Service Account.
  2. Kubernetes API Endpoint: The URL for the Kubernetes API of your Metalstack cluster.
  3. CA Certificate: The certificate authority (CA) of the Metalstack cluster for secure communication.

You can easily retrieve most of this information using the kubeconfig data source from the Metalstack Terraform provider:
Metalstack Kubeconfig Data Source.

Creating the Secret in the ArgoCD Cluster:

Once you have the token, API endpoint, and CA certificate, you need to create a Kubernetes Secret in the ArgoCD cluster. This Secret will store the necessary credentials that ArgoCD uses to authenticate with the Metalstack cluster.

Here’s an example of how to define this Secret in your ArgoCD Kubernetes cluster:


apiVersion: v1

kind: Secret

metadata:

  name: metalstack-cluster

  namespace: argocd

  labels:

    argocd.argoproj.io/secret-type: cluster

type: Opaque

stringData:

  name: metalstack

  server: ## API URI HERE ##

  config: |

    {

      "bearerToken": "## TOKEN HERE ##",

      "tlsClientConfig": {

         "insecure": false,

         "caData": "## CA HERE (as base64) ##"

      }

    }

Conclusion 

At iSecNG, we rely on Metalstack for its highly scalable and reliable Bare Metal Kubernetes as a Service offering. This ensures optimal performance for our workloads, while keeping all instances and stored data within a secure data center in Germany.

By integrating Metalstack with ArgoCD, we simplify our deployment processes through GitOps, making application management more efficient and transparent. This combination allows us to maintain full control over our infrastructure while benefiting from automated, version-controlled deployments that enhance both security and productivity.

Machen Sie schon heute den ersten Schritt

Unser Managed Detection & Response Service schützt Ihr Unternehmen unkompliziert vor Bedrohungen.

Per E-Mail anfragen

Termin anfragen

MDR
GesamtpaketManaged SIEMManaged SOCManaged Detection Rules
Defensive Security consulting
Wazuh SupportSIEM Beratung
Offensive Security
PentestingRed-Teaming
Weiteres
Security VorträgeBlogDatenschutzerklärungImpressum