In the ever-evolving landscape of Kubernetes and DevOps, orchestrating seamless deployments while maintaining top-notch security is the holy grail. In this blog, we’ll take you on an in-depth journey into two powerful tools that can elevate your Kubernetes game to the next level: ArgoCD and Sealed Secret.

In my last blog of Kubernetes series we saw how we can create Kubernetes Operator using Go lang. In this blog we will go through ArgoCD and use GitOps approach.

The Power of GitOps

Understanding GitOps: We’ll start by going through the concept of GitOps, exploring its origins, and why it has become a game-changer in the Kubernetes ecosystem.

ArgoCD: A deep dive into ArgoCD, including its architecture, components, and how it manages Kubernetes applications declaratively.

Git Repository as the Source of Truth: Learn why your Git repository becomes the ultimate source of truth for your Kubernetes configurations, bringing transparency, accountability, and robust version control to your deployments.

Setting Up ArgoCD

Installation and Configuration

To get started with ArgoCD, you’ll first need to install it in your Kubernetes cluster. This can be achieved using a simple Kubernetes manifest or a Helm chart. We will walk you through both methods, providing guidance on choosing the one that best fits your requirements.

Example:

# ArgoCD Installation via Helm
helm repo add argo https://argoproj.github.io/argo-helm
helm install my-argocd argo/argo-cd

Once installed, you’ll need to configure ArgoCD to connect to your Git repository where your Kubernetes manifests and ArgoCD Application configurations are stored. We’ll show you how to set up these configurations, including connecting to private Git repositories securely.

Multi-Cluster Support

ArgoCD excels in managing applications across multiple Kubernetes clusters. We’ll guide you through the process of configuring ArgoCD to support multi-cluster environments, allowing you to deploy and manage applications seamlessly, no matter how complex your infrastructure.

Role-Based Access Control (RBAC)

Securing your ArgoCD instance is paramount. We’ll provide best practices for implementing Role-Based Access Control (RBAC) within ArgoCD. You’ll learn how to create custom roles, define permissions, and manage user access effectively.

Example:

# Define a custom Role in ArgoCD
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: my-custom-role
rules:
  - apiGroups: [""]
      resources: ["applications"]
      verbs: ["get", "list", "create", "update", "delete"]

Deploying Applications with ArgoCD

Now that you have ArgoCD set up, it’s time to dive into deploying applications. Now, we’ll guide you through defining Application Custom Resource Definitions (CRDs) and deploying your first application.

Defining Application CRDs

Applications in ArgoCD are defined using Application Custom Resource Definitions (CRDs). These YAML manifests declare how ArgoCD should deploy and manage your application.

Example:

#Application CRD for a sample application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
   name: sample-app
   namespace: argocd
spec:
   source:
       repoURL: https://github.com/your-org/your-repo
       targetRevision: HEAD
       path: apps/sample
    destination:
       server: 'https://kubernetes.default.svc'
       namespace: sample-namespace
    project: default
    syncPolicy:
      automated:
           prune: true
           selfHeal: true

Here, we’re defining an application named sample-app that resides in a Git repository. ArgoCD will automatically synchronize this application according to the defined sync policy.

Syncing Applications

ArgoCD continuously monitors your Git repositories for changes. When it detects updates, it syncs applications to match the desired state defined in your Git repository.

Example:

#Triggering a manual sync for an application

argocd app sync sample-app

ArgoCD also provides a web-based dashboard for easy application monitoring and manual syncing.

Application Rollbacks

Sometimes, things don’t go as planned. ArgoCD supports application rollbacks, allowing you to easily revert to a previous version of your application when issues arise.

Example:

Rollback an application to a previous version

argocd app rollback sample-app

Manifests and Application Resources

In this section, we’ll explore how ArgoCD deals with Kubernetes manifests and different application resources. By the end, you’ll have a solid understanding of how to manage and deploy complex applications using ArgoCD.

Managing Manifests

ArgoCD shines when it comes to managing Kubernetes manifests. You can keep your application manifests in a Git repository, and ArgoCD will automatically synchronize them with your Kubernetes clusters.

Example: Here’s a simplified directory structure for your application’s manifests:

my-app/
├── deployment.yaml
├── service.yaml
├── configmap.yaml
├── route.yaml

ArgoCD will track changes in this repository and ensure that the application state matches the definitions in these manifests.

Resource Dependency

Kubernetes applications often consist of multiple resources that depend on each other. For example, a Deployment may depend on a ConfigMap and a Service.

Example: In the deployment.yaml, you might reference a ConfigMap:

apiVersion: apps/v1
kind: Deployment
metadata:
    name: my-app-deployment
spec:
   template:
      spec:
           containers:
               - name: my-app
                   image: my-app-image
                   envFrom:
                    - configMapRef:
                        name: my-app-config

ArgoCD understands these dependencies and ensures that resources are synchronized in the correct order.

Application Resources

Applications often involve various Kubernetes resources. ArgoCD makes managing these resources straightforward.

Example: Consider a YAML manifest for a Service:

apiVersion: v1
kind: Service
metadata:
    name: my-app-service
spec:
    selector:
        app: my-app
    ports:
      - port: 80
         targetPort: 8080

ArgoCD handles resources like Services, Deployments, ConfigMaps, and Routes seamlessly, deploying and managing them according to your Git repository’s state.

Deployment and Synchronization

Whenever you push changes to your Git repository, ArgoCD automatically detects the updates and synchronizes your application to match the desired state.

Example: After you push an update to your manifests, ArgoCD will sync the application:

#Triggering a sync
argocd app sync my-app

ArgoCD and Sealed Secret

In this section, we’ll dive deeper into the world of Sealed Secrets and see how ArgoCD can securely simplify the management of secrets.

What are Sealed Secrets?
Sealed Secrets are an innovative way of managing Kubernetes secrets in a GitOps workflow. They work by encrypting your sensitive data and storing it as a SealedSecret custom resource in your Git repository.

How to Use ArgoCD and Sealed Secret

Step 1: Install Sealed Secrets Controller

The first step is to install the Sealed Secrets controller in your Kubernetes cluster. This controller is responsible for decrypting SealedSecrets objects during runtime.

# Install Sealed Secrets Controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/controller.yaml

Step 2: Create a Sealed Secret

Now, let’s create a Sealed Secret from a regular Kubernetes Secret. You’ll need to use the kubeseal command-line tool.

# Create a Sealed Secret from a regular Secret
kubectl create secret generic my-secret --dry-run=client --from-literal=my-key=my-value -o json | kubeseal > my-sealed-secret.yaml

This command generates a SealedSecret YAML file that you can store in your Git repository.

Step 3: Add Sealed Secret to Git Repository

Commit the my-sealed-secret.yaml file to your Git repository, just like you would with other Kubernetes manifests.

Step 4: Deploy Sealed Secret with ArgoCD

ArgoCD can automatically deploy Sealed Secrets. Create an ArgoCD Application resource for your Sealed Secret, just as you would for any other resource.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
    name: my-app
spec:
   project: default
   source:
      repoURL:
      targetRevision: HEAD
      path: path/to/secrets
   destination:
     server: https://kubernetes.default.svc
     namespace: my-namespace

ArgoCD will handle the deployment of the Sealed Secret to your cluster securely.

Benefits of Using ArgoCD and Sealed Secret

Security: Sensitive data is encrypted and stored in version control, reducing the risk of exposure.

GitOps: Sealed Secrets fit perfectly into the GitOps workflow. You define, version, and track your secrets in your Git repository.

Auditing: All changes to secrets are traceable through Git commits, providing a clear audit trail.

Easy Management: ArgoCD simplifies the deployment and synchronization of Sealed Secrets, making secret management a breeze.

Enhancing Security with Sealed Secrets
The Challenge of Secrets: Delve into the critical issue of securing sensitive data within Kubernetes and why traditional Secrets fall short.

Sealed Secrets Revealed: Learn about the architecture of Sealed Secrets and how it encrypts your secrets into a safe, Git-friendly format.

Public Key Encryption: Understand how Sealed Secrets leverages public key encryption to ensure that only your target cluster can decrypt and utilize the secrets

The Future of Kubernetes Deployments – ArgoCD and Sealed Secret

Emerging Trends: Get a glimpse into the future of Kubernetes deployments, including the evolution of GitOps, new security paradigms, and the latest tools on the horizon.
This blog aims to provide you with a comprehensive understanding of these powerful Kubernetes tools, offering the knowledge and expertise you need to optimize your Kubernetes deployments, enhance security, and stay ahead in the ever-changing world of DevOps. Get ready to embark on a deep dive into the world of ArgoCD and Sealed Secrets.