How ArgoCD and Sealed Secret works

Streamlining Secret Management in Kubernetes with ArgoCD and Sealed Secrets

In the ever-evolving landscape of Kubernetes and DevOps, orchestrating seamless deployments while maintaining top-notch security is the holy grail. In this comprehensive blog, we'll take you on an in-depth journey into two powerful tools that can elevate your Kubernetes game to the next level: ArgoCD and Sealed Secrets.

The Power of GitOps

  • Understanding GitOps: We'll start by dissecting the concept of GitOps, exploring its origins, and why it has become a game-changer in the Kubernetes ecosystem.

  • ArgoCD Unveiled: A deep dive into ArgoCD, including its architecture, components, and how it manages Kubernetes applications declaratively.

  • Git Repository as the Source of Truth: Learn why your Git repository becomes the ultimate source of truth for your Kubernetes configurations, bringing transparency, accountability, and robust version control to your deployments.

Setting Up ArgoCD

Installation and Configuration

  • To get started with ArgoCD, you'll first need to install it in your Kubernetes cluster. This can be achieved using a simple Kubernetes manifest or a Helm chart. We will walk you through both methods, providing guidance on choosing the one that best fits your requirements.

    Example:

      # ArgoCD Installation via Helm
      helm repo add argo https://argoproj.github.io/argo-helm
      helm install my-argocd argo/argo-cd
    

    Once installed, you'll need to configure ArgoCD to connect to your Git repository where your Kubernetes manifests and ArgoCD Application configurations are stored. We'll show you how to set up these configurations, including connecting to private Git repositories securely.

    Multi-Cluster Support

    ArgoCD excels in managing applications across multiple Kubernetes clusters. We'll guide you through the process of configuring ArgoCD to support multi-cluster environments, allowing you to deploy and manage applications seamlessly, no matter how complex your infrastructure.

    Role-Based Access Control (RBAC)

    Securing your ArgoCD instance is paramount. We'll provide best practices for implementing Role-Based Access Control (RBAC) within ArgoCD. You'll learn how to create custom roles, define permissions, and manage user access effectively. Keep the two layers apart: Kubernetes RBAC (a Role like the one below) governs who can read or edit Application objects through the Kubernetes API, while ArgoCD's own RBAC, configured as policies in the argocd-rbac-cm ConfigMap, governs what users of the ArgoCD API and UI may do.

    Example:

      # Kubernetes Role granting access to ArgoCD Application objects in the argocd namespace
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: my-custom-role
        namespace: argocd
      rules:
      - apiGroups: ["argoproj.io"]   # Application resources live in the argoproj.io API group, not the core ("") group
        resources: ["applications"]
        verbs: ["get", "list", "create", "update", "delete"]
    

Deploying Applications with ArgoCD

Now that you have ArgoCD set up, it's time to dive into deploying applications. In this chapter, we'll guide you through defining Application custom resources and deploying your first application.

Defining Application CRDs

Applications in ArgoCD are defined as Application custom resources, instances of the Application Custom Resource Definition (CRD). These YAML manifests declare how ArgoCD should deploy and manage your application.

Example:

# Application resource for a sample application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sample-app
  namespace: argocd
spec:
  source:
    repoURL: https://github.com/your-org/your-repo
    targetRevision: HEAD
    path: apps/sample
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: sample-namespace
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

Here, we're defining an application named sample-app that resides in a Git repository. ArgoCD will automatically synchronize this application according to the defined sync policy.

Syncing Applications

ArgoCD continuously monitors your Git repositories for changes. When it detects updates, it syncs applications to match the desired state defined in your Git repository.

Example:

# Triggering a manual sync for an application
argocd app sync sample-app

ArgoCD also provides a web-based dashboard for easy application monitoring and manual syncing.

Application Rollbacks

Sometimes, things don't go as planned. ArgoCD supports application rollbacks, allowing you to easily revert to a previous version of your application when issues arise.

Example:

# Rollback an application to a previous version
argocd app rollback sample-app

Manifests and Application Resources

In this section, we'll explore how ArgoCD deals with Kubernetes manifests and different application resources. By the end, you'll have a solid understanding of how to manage and deploy complex applications using ArgoCD.

Managing Manifests

ArgoCD shines when it comes to managing Kubernetes manifests. You can keep your application manifests in a Git repository, and ArgoCD will automatically synchronize them with your Kubernetes clusters.

Example: Here's a simplified directory structure for your application's manifests:

my-app/
├── deployment.yaml
├── service.yaml
├── configmap.yaml
└── route.yaml

ArgoCD will track changes in this repository and ensure that the application state matches the definitions in these manifests.

Resource Dependency

Kubernetes applications often consist of multiple resources that depend on each other. For example, a Deployment may depend on a ConfigMap and a Service.

Example: In the deployment.yaml, you might reference a ConfigMap:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app-deployment
spec:
  template:
    spec:
      containers:
        - name: my-app
          image: my-app-image
          envFrom:
            - configMapRef:
                name: my-app-config

ArgoCD handles this ordering for you: it applies resources in a kind-based order (ConfigMaps and Services before Deployments, for example), and when one resource must exist before another you can make the ordering explicit with the argocd.argoproj.io/sync-wave annotation.

Application Resources

Applications often involve various Kubernetes resources. ArgoCD makes managing these resources straightforward.

Example: Consider a YAML manifest for a Service:

apiVersion: v1
kind: Service
metadata:
  name: my-app-service
spec:
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 8080

ArgoCD handles resources like Services, Deployments, ConfigMaps, and Routes seamlessly, deploying and managing them according to your Git repository's state.

Deployment and Synchronization

Whenever you push changes to your Git repository, ArgoCD automatically detects the updates and synchronizes your application to match the desired state.

Example: After you push an update to your manifests, ArgoCD will sync the application:

# Triggering a sync
argocd app sync my-app

Sealed Secrets with ArgoCD

In this section, we'll dive deeper into the world of Sealed Secrets and see how ArgoCD can securely simplify the management of secrets.

What are Sealed Secrets?

Sealed Secrets are an innovative way of managing Kubernetes secrets in a GitOps workflow. They work by encrypting your sensitive data and storing it as a SealedSecret custom resource in your Git repository.

How to Use Sealed Secrets with ArgoCD

Step 1: Install Sealed Secrets Controller

The first step is to install the Sealed Secrets controller in your Kubernetes cluster. This controller holds the cluster's private key and is responsible for decrypting SealedSecret objects into regular Kubernetes Secrets at runtime.

# Install Sealed Secrets Controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/controller.yaml

Step 2: Create a Sealed Secret

Now, let's create a Sealed Secret from a regular Kubernetes Secret. You'll need to use the kubeseal command-line tool.

# Create a Sealed Secret from a regular Secret (sealed for the namespace it will be deployed into)
kubectl create secret generic my-secret -n my-namespace --dry-run=client --from-literal=my-key=my-value -o json \
  | kubeseal -o yaml > my-sealed-secret.yaml

This command generates a SealedSecret YAML file that you can store in your Git repository; because the Secret is only built with --dry-run=client and piped straight into kubeseal, the plaintext is never written to disk or committed.

Step 3: Add Sealed Secret to Git Repository

Commit the my-sealed-secret.yaml file to your Git repository, just like you would with other Kubernetes manifests.

Step 4: Deploy Sealed Secret with ArgoCD

ArgoCD can automatically deploy Sealed Secrets. Create an ArgoCD Application resource for your Sealed Secret, just as you would for any other resource.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd   # Application objects must live in the namespace ArgoCD watches
spec:
  project: default
  source:
    repoURL: <URL_TO_YOUR_GIT_REPO>
    targetRevision: HEAD
    path: path/to/secrets
  destination:
    server: https://kubernetes.default.svc
    namespace: my-namespace

ArgoCD applies the SealedSecret to your cluster like any other manifest; the Sealed Secrets controller then decrypts it into a regular Secret in the target namespace, so the plaintext never has to be stored in Git.

Benefits of Using Sealed Secrets with ArgoCD

  1. Security: Sensitive data is encrypted and stored in version control, reducing the risk of exposure.

  2. GitOps: Sealed Secrets fit perfectly into the GitOps workflow. You define, version, and track your secrets in your Git repository.

  3. Auditing: All changes to secrets are traceable through Git commits, providing a clear audit trail.

  4. Easy Management: ArgoCD simplifies the deployment and synchronization of Sealed Secrets, making secret management a breeze.

Enhancing Security with Sealed Secrets

  • The Challenge of Secrets: Delve into the critical issue of securing sensitive data within Kubernetes and why traditional Secrets fall short.

  • Sealed Secrets Revealed: Learn about the architecture of Sealed Secrets and how it encrypts your secrets into a safe, Git-friendly format.

  • Public Key Encryption: Understand how Sealed Secrets leverages public key encryption to ensure that only your target cluster can decrypt and utilize the secrets.

The Future of Kubernetes Deployments

  • Emerging Trends: Get a glimpse into the future of Kubernetes deployments, including the evolution of GitOps, new security paradigms, and the latest tools on the horizon.

This blog aims to provide you with a comprehensive understanding of these powerful Kubernetes tools, offering the knowledge and expertise you need to optimize your Kubernetes deployments, enhance security, and stay ahead in the ever-changing world of DevOps. Get ready to embark on a deep dive into the world of ArgoCD and Sealed Secrets.
