Argo, a CNCF project, helps engineers to use Kubernetes, covering many use cases from GitOps-based continuous deployment to event-based workflow automation. It can also be used to create an end-to-end DevOps platform. Alexander Matyushentsev from Akuity and Leonardo Luz Almeida from Intuit, maintainers of the CNCF project, spoke last week at KubeCon CloudNativeCon North America 2022 Conference on how to build a production-grade Argo-based DevOps platform using the Argoproj framework. They also provided best patterns for scaling Argo to support large enterprise needs.
Matyushentsev and Almeida started the presentation by contrasting a DevOps approach based on production tickets with GitOps. They discussed how a Change Request (CR) for production gets approved, which is typically a workflow process. Argo CD can be interfaced with your own Git provider to integrate the CI/CD and DevOps processes into the software development lifecycle. They discussed two approaches for managing the Git repos: a centralized repo vs individual repos.
In the centralized repo approach, the application code and manifest files are maintained in the same repository. This makes it easier to store and track the source code and configuration files together, but it suffers from a more complex authentication model and overall CI process. The individual repo approach offers the advantage of a simpler (or no) CI process, an easier authentication model between Dev and Ops teams, and a cleaner history. One of its downsides is its decentralized nature, which requires additional management effort.
They discussed how to generate Kubernetes manifest files using the Kustomize tool. Engineers can leverage the overlay concept supported by the tool to manage the differences between Dev, Stage, and Production environments.
The Argo framework also supports multi-tenancy that helps to manage the hierarchy and dependencies between different aspects of software development like projects, applications, and teams. They also showed how to set up single sign-on (SSO) using the OIDC protocol supported by Argo CD. It works out of the box with OIDC-compatible providers like Auth0, Okta, and Azure IDP.
For authorization and access control requirements, Argo CD uses a role-based access control (RBAC) model powered by the Casbin framework. Casbin offers flexible configuration and allows users to define groups with an arbitrary set of permissions.
Projects in Argo CD provide multi-tenancy capability based on a logical grouping of applications. This allows users to define boundaries and isolate teams from each other. Users can connect SSO and RBAC, which integrates authentication and authorization into a unified security model. Matyushentsev and Almeida demonstrated a project setup by walking through an example YAML file.
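An AppProject manifest of the kind they walked through, added here as an illustration rather than the file shown in the talk; the team, repository and SSO group names are assumptions. It restricts where a team may deploy from and to, blocks cluster-scoped resources, and maps an OIDC group claim to a project role with Casbin policies:

```yaml
# Added example, not from the talk: an Argo CD AppProject scoped to one team.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-payments            # hypothetical team name
  namespace: argocd
spec:
  description: Payments team applications
  # Only manifests from this repo may be deployed (assumed URL)
  sourceRepos:
    - https://github.com/example-org/payments-manifests.git
  # Only these cluster/namespace pairs are valid deploy targets;
  # the namespace field accepts a glob pattern
  destinations:
    - server: https://kubernetes.default.svc
      namespace: "payments-*"
  # An empty whitelist denies all cluster-scoped resources
  # (ClusterRole, ClusterRoleBinding, Namespace, ...)
  clusterResourceWhitelist: []
  # Within the allowed namespaces, still block resources that
  # would let the team widen its own permissions or quotas
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota
    - group: rbac.authorization.k8s.io
      kind: RoleBinding
  roles:
    - name: developer
      description: View and sync payments apps, nothing else
      # Casbin policy lines: subject, resource, action, object, effect
      policies:
        - p, proj:team-payments:developer, applications, get, team-payments/*, allow
        - p, proj:team-payments:developer, applications, sync, team-payments/*, allow
      # OIDC group claim from the SSO provider bound to this role (assumed name)
      groups:
        - payments-developers
```

Anything not explicitly allowed by the project (another repo, another namespace, a cluster-scoped object, a delete action) is rejected by Argo CD at sync time, so the team's blast radius is bounded by this one file.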
They said Pull Requests (PRs) can replace the traditional support tickets in the CI/CD process, for example, storing Argo CD configuration in a Git repo and using Argo CD to self-apply Git changes. Application developers can self-onboard via PRs, and platform admin users can review the changes and either approve or reject PRs. There is no need for separate tickets and offline approvals to deploy changes. Git also has the advantage of having no database dependencies, so it's relatively isolated and easier to install and configure in terms of deployments and dependency management.
The speakers concluded the presentation by showing an Argo CD control plane demo application and walking through the details of installing and configuring Argo CD, onboarding a team with a multi-tenancy setup, and defining cluster-level resources such as cluster roles and role bindings.
For more information on this and other sessions, check out KubeCon NA 2022 conference's main website.