ArgoCD Setup
This page covers the installation, configuration, and RBAC setup for ArgoCD in the MATIH platform. ArgoCD is deployed to the argocd namespace and configured to manage applications across control plane, data plane, and monitoring namespaces.
Installation
ArgoCD is installed via the official Helm chart:
helm repo add argo https://argoproj.github.io/argo-helm
helm upgrade --install argocd argo/argo-cd \
--namespace argocd \
--create-namespace \
--values infrastructure/helm/argocd/values.yaml \
--values infrastructure/helm/argocd/values-dev.yaml \
--wait --timeout 10mConfiguration
Server Settings
| Setting | Dev | Production |
|---|---|---|
| Insecure mode | Enabled (no TLS) | Disabled |
| Admin password | Generated, stored in K8s Secret | Stored in Key Vault |
| SSO | Disabled | OIDC via IAM service |
| Repository access | HTTPS with deploy key | SSH with deploy key |
Repository Configuration
# argocd-cm ConfigMap
repositories:
- url: https://github.com/matih-labs/matih-prototype.git
type: git
passwordSecret:
name: argocd-repo-creds
key: password
usernameSecret:
name: argocd-repo-creds
key: usernameRBAC Configuration
| Role | Permissions | Users |
|---|---|---|
admin | Full access to all applications | Platform team |
readonly | View applications and logs | Development teams |
tenant-admin | Manage applications in tenant namespace | Tenant administrators |
RBAC Policy
p, role:admin, applications, *, */*, allow
p, role:admin, clusters, get, *, allow
p, role:readonly, applications, get, */*, allow
p, role:readonly, logs, get, */*, allow
p, role:tenant-admin, applications, *, matih-data-plane/*, allowManaged Namespaces
| Namespace | ArgoCD Project | Applications |
|---|---|---|
matih-control-plane | control-plane | CP services, API gateway |
matih-data-plane | data-plane | DP services, compute engines |
matih-monitoring-control-plane | monitoring | CP monitoring stack |
matih-monitoring-data-plane | monitoring | DP monitoring stack |
matih-ingress | infrastructure | Ingress controller |
Health Checks
ArgoCD uses custom health checks for MATIH-specific resources:
| Resource | Health Check |
|---|---|
| SparkApplication | Check .status.applicationState.state |
| FlinkDeployment | Check .status.jobManagerDeploymentStatus |
| RayCluster | Check .status.state |
Related Pages
- Application Sets -- Dynamic application generation
- Platform Versions -- Version management
- CD Pipeline -- Script-based alternative