metalstack cloud

Integrate metalstack.cloud Cluster into ArgoCD

This developer guide was kindly written by iSecNG. The security specialists at iSecNG use metalstack.cloud to securely host Wazuh, an open source XDR and SIEM. Learn more about their services and solutions on their website.

Introduction

At iSecNG, we leverage ArgoCD as our GitOps platform to streamline application deployments in Kubernetes. By defining deployments through HELM charts and storing them in Git repositories, we ensure everything is version-controlled and traceable, providing a clear audit trail for changes. ArgoCD continuously syncs with the repository, aligning the actual state of applications with their desired state.

Instead of installing ArgoCD on every cluster, we utilize a central ArgoCD instance to manage all our Kubernetes clusters. This approach enables us to harness metalstack.cloud at scale while simplifying multi-cluster management. Once integrated, deploying to different environments becomes seamless and scalable. Additionally, ArgoCD’s monitoring and alerting capabilities quickly detect discrepancies, facilitating rapid issue resolution and enhancing stability.

Integrating ArgoCD into our CI/CD pipeline has significantly improved deployment speed, security, and visibility, enabling us to deliver consistent and reliable updates. To establish a persistent connection between your ArgoCD instance and the metalstack.clou` cluster, several configurations are required.

Preparing Token-based Authentication with the Kubernetes API on metalstack.cloud

ArgoCD uses token-based authentication to securely interact with the Kubernetes API. This process is centered around the use of Service Accounts in Kubernetes, which grant external tools like ArgoCD the necessary permissions to manage cluster resources.

Service Account Creation

A ServiceAccount is created in the Kubernetes cluster to represent an identity that ArgoCD will use. This Service Account is granted specific permissions (using Role-Based Access Control, or RBAC) through a ClusterRole or Role, which define the allowed actions in the cluster.

resource "kubernetes_manifest" "metal_service_account" {
  manifest = {
    "apiVersion" = "v1"
    "kind" = "ServiceAccount"
    "metadata" = {
      "name" = "argocd-manager"
      "namespace" = "kube-system"
    }
  }
}

Defining Permissions (RBAC)

Permissions are assigned via RBAC. In this case, the Service Account is granted a ClusterRole, which provides cluster-wide access. This role is defined in the following Terraform configuration:

resource "kubernetes_manifest" "metal_cluster_role" {
  manifest = {
    "apiVersion" = "rbac.authorization.k8s.io/v1"
    "kind" = "ClusterRole"
    "metadata" = {
      "name" = "argocd-manager-role"
    }
    "rules" = [
      {
        "apiGroups" = [
          "*",
        ]
        "resources" = [
          "*",
        ]
        "verbs" = [
          "*",
        ]
      },
      {
        "nonResourceURLs" = [
          "*",
        ]
        "verbs" = [
          "*",
        ]
      },
    ]
  }
}

Token Generation

Kubernetes automatically generates a token for each Service Account. This token is stored as a Secret in the cluster. ArgoCD will use this token to authenticate its requests to the Kubernetes API. The following configuration generates and stores the token as a Kubernetes Secret:

resource "kubernetes_manifest" "metal_argocd_manager_token" {

  manifest = {
    "apiVersion" = "v1"
    "kind" = "Secret"
    "metadata" = {
      "annotations" = {
        "kubernetes.io/service-account.name" = "argocd-manager"
      }
      "name" = "argocd-manager-token"
      "namespace" = "kube-system"
    }
    "type" = "kubernetes.io/service-account-token"
  }

  depends_on = [
    kubernetes_manifest.metal_argocd_manager_role_binding
  ]
}

Using the Token for API Authentication

The token generated for the Service Account is a secure string used to authenticate API requests. When ArgoCD interacts with the Kubernetes API, it includes this token in the HTTP request headers using the Authorization: Bearer <token> format. This allows Kubernetes to verify ArgoCD’s identity and grant or deny access based on the permissions defined in the Service Account’s RBAC policy.

Providing the Token-based Authentication to the central ArgoCD

Once the token is configured, ArgoCD uses it to authenticate every time it needs to interact with the metalstack.cloud cluster. This includes tasks like synchronizing application states, creating or updating resources, and monitoring the health of deployments.

  • Seamless Connection: The token allows ArgoCD to maintain a secure and continuous connection with the cluster, enabling automated management without manual intervention.
  • Controlled Access: Through RBAC, ArgoCD’s access to the cluster is tightly controlled. The ClusterRole and token restrict what ArgoCD can do, ensuring that it only has the necessary permissions.
  • Secure Communication: Token-based authentication ensures that all communication between ArgoCD and the Kubernetes API is secure, using the token as a bearer authentication mechanism to validate requests.

This method of authentication enhances security and ensures that ArgoCD can efficiently and securely manage applications within the Metalstack cluster.

Include the token into ArgoCD

To allow ArgoCD to securely connect to your metalstack.cloud cluster, you need to provide the authentication token through a Kubernetes Secret and label the target cluster accordingly.

Prerequisites:

Before proceeding, you’ll need the following:

  • Authentication Token: This is the token you generated in the steps described above for the argocd-manager Service Account.

  • Kubernetes API Endpoint: The URL for the Kubernetes API of your metalstack.cloud cluster.

  • CA Certificate: The certificate authority (CA) of the metalstack.cloud cluster for secure communication.

You can easily retrieve most of this information using the kubeconfig data source from the metalstack.cloud Terraform provider.

Creating the Secret in the ArgoCD Cluster:

Once you have the token, API endpoint, and CA certificate, you need to create a Kubernetes Secret in the ArgoCD cluster. This Secret will store the necessary credentials that ArgoCD uses to authenticate with the metalstack.cloud cluster.

Here’s an example of how to define this Secret in your ArgoCD Kubernetes cluster:

apiVersion: v1
kind: Secret
metadata:
  name: metalstack-cluster
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: metalstack
  server: ## API URI HERE ##
  config: |
    { 
      "bearerToken": "## TOKEN HERE ##", 
      "tlsClientConfig": { 
         "insecure": false, 
         "caData": "## CA HERE (as base64) ##" 
      } 
    }

Conclusion

At iSecNG, we rely on metalstack.cloud for its highly scalable and reliable Bare Metal Kubernetes as a Service offering. This ensures optimal performance for our workloads, while keeping all instances and stored data within a secure data center in Germany.

By integrating metalstack.cloud with ArgoCD, we simplify our deployment processes through GitOps, making application management more efficient and transparent. This combination allows us to maintain full control over our infrastructure while benefiting from automated, version-controlled deployments that enhance both security and productivity.

Awesome work!

You've completed this developer guide. We have many more, so feel free to explore our other guides! Should you have any questions about our products or need help with metalstack.cloud, please reach out to us anytime.