description:"Generate Argo CD Admin API token to authenticate Runtime to existing Argo CD instance"
4
+
toc:true
5
+
---
6
+
7
+
8
+
##Argo CD admin API token
9
+
When installing the GitOps Runtime with an existing Argo CD instance, the Runtime must authenticate to Argo CD. It does this using an Argo CD Admin API token, which you must provide during installation.
10
+
11
+
If you don't have an Argo CD Admin API token, generate one from the Argo CD UI or CLI as described below.
12
+
13
+
Codefresh GitOps supports both[token-based or a username-password-based authentication](#authentication-methods-for-existing-argo-cd) mechanisms for GitOps Runtimes.
14
+
15
+
16
+
17
+
##Generating Argo CD Admin API token
18
+
Follow these steps to generate an Argo CD Admin API token:
19
+
1.[Verify Argo CD account privileges](#verify-argo-cd-account-privileges)
20
+
1.[Enable`apikey` privilege for Argo CD account](#enable-apikey-privilege-for-argo-cd-account)
21
+
1.[Generate Argo CD Admin API token](#generate-argo-cd-admin-api-token)
22
+
23
+
###Verify Argo CD account privileges
24
+
Ensure that the admin account or the account used for token generation has the following privileges:
25
+
*`apiKey`: Enables API token generation
26
+
*`login`: Enables UI login
27
+
28
+
#####How to
29
+
1. From the Argo CD Dashboard, go to**Settings > Accounts**.
30
+
1. Select the admin account or another account to use.
31
+
1. Confirm that the account includes these privileges:`apiKey` and`login`.
alt="Argo CD account privileges for Argo CD Admin API token generation"
39
+
caption="Argo CD account privileges for Argo CD Admin API token generation"
40
+
max-width="60%"
41
+
%}
42
+
43
+
{:start="4"}
44
+
1. Continue with[Enable`apikey` privilege for Argo CD account](#enable-apikey-privilege-for-argo-cd-account).
45
+
46
+
###Enable`apikey` privilege for Argo CD account
47
+
If the account does not include the`apikey` privilege, enable it in either the ConfigMap or the Helm values file, depending on your Argo CD installation method.
48
+
49
+
#####Update argocd-cm ConfigMap
50
+
Edit the`argocd-cm` ConfigMap.
51
+
Make sure`data.accounts.admin` includes`apiKey` and`login`, and`data.accounts.admin.enabled` is set to`true`.
52
+
53
+
```yaml
54
+
apiVersion:v1
55
+
kind:ConfigMap
56
+
metadata:
57
+
name:argocd-cm
58
+
namespace:argocd
59
+
data:
60
+
accounts.admin:apiKey, login
61
+
accounts.admin.enabled:"true"
62
+
```
63
+
64
+
##### Update Helm values.yaml
65
+
If you installed Argo CD using Helm, update your`values.yaml`:
66
+
67
+
```yaml
68
+
configs:
69
+
cm:
70
+
accounts.admin: apiKey,login
71
+
```
72
+
73
+
Refresh the Dashboard and verify the account has been updated with the new privileges.
74
+
If needed, [generate the Argo CD Admin API token](#generate-argo-cd-admin-api-token).
75
+
76
+
### Generate Argo CD Admin API token
77
+
Generate the Argo CD Admin API token using the Argo CD Dashboard or CLI.
78
+
79
+
##### Generate via Admin API token Dashboard
80
+
1. Go to **Settings > Accounts**.
81
+
1. Click the account enabled with `apiKey` privilege.
alt="Argo CD dashboard:Generate new Argo CD Admin API token"
90
+
caption="Argo CD dashboard:Generate new Argo CD Admin API token"
91
+
max-width="60%"
92
+
%}
93
+
94
+
95
+
{:start="4"}
96
+
1. Copy the generated token and store it securely.
97
+
You will need to paste it into the Argo CD Admin API token field during installation.
98
+
99
+
##### Generate via Admin API token CLI
100
+
`argocd account generate-token --account admin`
101
+
102
+
For details, see the [argocd account generate-token](https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd_account_generate-token/){:"\_blank"} command.
103
+
104
+
## Authentication methods for existing Argo CD
105
+
The GitOps Runtime authenticates with the external Argo CD instance using either a token or a username-password combination.
106
+
107
+
The installation wizard supports API token-based authentication, allowing you to paste the API token directly into the Argo CD Admin API token field.
108
+
You can also configure authentication by referencing a token secret or using a username-password combination.
109
+
110
+
111
+
### Token-based authentication for Argo CD Admin API
112
+
The token must be a non-expiring API key. If revoked, GitOps operations stop until you manually update the token for the Runtime, as the system does not regenerate or validate it automatically.
113
+
114
+
You can:
115
+
* Provide a token directly
116
+
OR
117
+
* Reference a Kubernetes secret containing the token
118
+
* The secret must already exist and include a key with a valid, non-expiring `argo-cd apiKey`
119
+
* The system injects the key into the required services that the Runtime connects to, including App Proxy (`app-proxy`), Source Server (`sources-server`), Event Reporter (`event-reporter`), and GitOps Operator (`gitops-operator`).
120
+
121
+
##### Example: Referencing a token secret in `values.yaml` file
122
+
123
+
```yaml
124
+
global:
125
+
external-arg-cd:
126
+
auth:
127
+
type: token
128
+
tokenSecretKeyRef:
129
+
name: "secret-name"
130
+
key: "secret-key"
131
+
```
132
+
133
+
### Password-based authentication for Argo CD Admin API
134
+
This method uses an Argo CD username and password for authentication.
135
+
The system:
136
+
* Generates both an API key and a session token, which differ primarily in their expiration dates
137
+
* Stores the API key in the `argocd-token` Secret, and automatically regenerates it when needed
138
+
139
+
You can:
140
+
* Specify the username and password as plain text
141
+
* The Helm chart creates a secret to store the password.
142
+
* The App Proxy uses these credentials to generate API keys and session tokens as needed.
143
+
OR
144
+
* Specify the username in plain text and reference a Kubernetes secret containing the password
145
+
* The secret must already exist and contain a key with the password.
146
+
* The App Proxy uses the secret name, key, and the plain-text username to generate API keys and session tokens.
147
+
148
+
##### Example username and password as plain text
149
+
```yaml
150
+
global:
151
+
external-arg-cd:
152
+
auth:
153
+
type: password
154
+
username: "user-name"
155
+
password: "explicit-password"
156
+
```
157
+
158
+
##### Example username as plain text and password as secret reference
159
+
```yaml
160
+
global:
161
+
external-arg-cd:
162
+
auth:
163
+
type: password
164
+
username: "some-user-name"
165
+
passwordSecretKeyRef:
166
+
name: "secret-name"
167
+
key: "secret-key"
168
+
```
169
+
## Related articles
170
+
[Install GitOps Runtime with existing Argo CD]({{site.baseurl}}/docs/installation/gitops/runtime-install-with-existing-argo-cd/)
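Review bot: In all three `values.yaml` examples under "Authentication methods for existing Argo CD", the top-level key is spelled `external-arg-cd`, which looks like a typo for `external-argo-cd`. Since the section is being moved to its own page, please check the key against the chart's values file and correct it here, because a misspelled key would likely not be picked up by the chart. In the same file, the CLI reference link carries `{:"\_blank"}` where the other external links in this change use `{:target="\_blank"}`, and the headings "Generate via Admin API token Dashboard" and "Generate via Admin API token CLI" read more clearly in their previous form, "Generate via Dashboard" and "Generate via CLI". Next to the plain-text `password: "explicit-password"` example, consider stating that the `passwordSecretKeyRef` form keeps the credential out of `values.yaml`.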
_docs/installation/gitops/runtime-install-with-existing-argo-cd.md
+3 -165 (3 additions & 165 deletions)
@@ -9,7 +9,7 @@ toc: true
9
9
##GitOps Runtime with existing Argo CD
10
10
This article describes how to install GitOps Runtimes in a Codefresh account using a Helm chart on a_cluster that already has an Argo CD instance_.
11
11
12
-
This option allows you to install the GitOps Runtime without deploying a new Argo CD instance. Instead, you_install the GitOps Runtime in the same namespace as the existing Argo CD instance_. The Runtimeintegrates with theexistingArgo CDby connecting with its key Argo CD services.
12
+
This option allows you to install the GitOps Runtime without deploying a new Argo CD instance. Instead, you_install the GitOps Runtime in the same namespace as the existing Argo CD instance_. The Runtimeauthenticates with theArgo CD instance through the[Argo CDAdmin API token](({{site.baseurl}}/docs/installation/gitops/runtime-argocd-admin-api-token/)) which you need to provide, and connects to key Argo CD services.
13
13
14
14
#####Runtime values.yaml
15
15
The Codefresh`values.yaml` available[here](https://github.com/codefresh-io/gitops-runtime-helm/blob/main/charts/gitops-runtime/){:target="\_blank"}, contains all the arguments you can configure, including optional ones.
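Review bot: The link added to the intro paragraph has doubled parentheses around its target, `](({{site.baseurl}}/docs/installation/gitops/runtime-argocd-admin-api-token/))`, so the URL will not resolve as written. Drop the extra pair so it matches the single-parenthesis form used for the same target in the "Before you begin" bullet in the next hunk.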
@@ -18,98 +18,10 @@ Review how Codefresh [validates the Runtime's values.yaml]({{site.baseurl}}/docs
18
18
19
19
To install the GitOps Runtime with a new Argo CD instance, see[Install GitOps Runtime with new Argo CD]({{site.baseurl}}/docs/installation/gitops/hybrid-gitops-helm-installation/).
20
20
21
-
22
-
##Argo CD admin token
23
-
The GitOps Runtime needs an Argo CD Admin API token to communicate with your Argo CD instance. You need to provide this token during Runtime installation.
24
-
If you don't have an Argo CD Admin API token, you can generate one from the Argo CD UI or the Argo CD CLI, following the steps below.
25
-
26
-
###Verify Argo CD account privileges
27
-
The admin account or the account you use for token generation must have these privileges:
28
-
*`apiKey` to enable API token generation
29
-
*`login` to enable login from the UI
30
-
31
-
#####How to
32
-
1. From the Argo CD Dashboard, go to**Settings > Accounts**.
33
-
1. Select the admin account or another account to use.
34
-
1. Confirm that the account includes these privileges:`apiKey` and`login`.
alt="Argo CD account privileges for Argo CD Admin API token generation"
42
-
caption="Argo CD account privileges for Argo CD Admin API token generation"
43
-
max-width="60%"
44
-
%}
45
-
46
-
{:start="4"}
47
-
1. If needed,[Enable`apikey` privilege for Argo CD account](#enable-apikey-privilege-for-argo-cd-account).
48
-
49
-
###Enable`apikey` privilege for Argo CD account
50
-
If the account does not include the`apikey` privilege, enable it using either the ConfigMap or the Helm values file, depending on how you installed Argo CD.
51
-
52
-
#####Update argocd-cm ConfigMap
53
-
Edit the`argocd-cm` ConfigMap.
54
-
Make sure`data.accounts.admin` includes`apiKey` and`login`, and`data.accounts.admin.enabled` is set to`true`.
55
-
56
-
```yaml
57
-
apiVersion:v1
58
-
kind:ConfigMap
59
-
metadata:
60
-
name:argocd-cm
61
-
namespace:argocd
62
-
data:
63
-
accounts.admin:apiKey, login
64
-
accounts.admin.enabled:"true"
65
-
```
66
-
67
-
##### Update Helm values.yaml
68
-
If you installed Argo CD using Helm, update your`values.yaml`:
69
-
70
-
```yaml
71
-
configs:
72
-
cm:
73
-
accounts.admin: apiKey,login
74
-
```
75
-
76
-
Refresh the Dashboard and verify the account has been updated with the new privileges.
77
-
If needed, [generate the Argo CD Admin API token](#generate-argo-cd-admin-api-token).
78
-
79
-
### Generate Argo CD Admin API token
80
-
Generate the Argo CD Admin API token via the Argo CD Dashboard or via the Argo CD CLI.
81
-
82
-
##### Generate via Dashboard
83
-
1. Go to **Settings > Accounts**.
84
-
1. Click the account enabled with `apiKey` privilege.
alt="Argo CD dashboard:Generate new Argo CD Admin API token"
93
-
caption="Argo CD dashboard:Generate new Argo CD Admin API token"
94
-
max-width="60%"
95
-
%}
96
-
97
-
98
-
{:start="4"}
99
-
1. Copy the generated token and store it securely.
100
-
You will need to paste it into the Argo CD Admin API token field during installation.
101
-
102
-
##### Generate via CLI
103
-
`argocd account generate-token --account admin`
104
-
105
-
For the complete CLI reference, see the [argocd account generate-token](https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd_account_generate-token/){:"\_blank"} command.
106
-
107
-
108
-
109
21
##Before you begin
110
22
* Make sure you meet the[minimum requirements]({{site.baseurl}}/docs/installation/gitops/runtime-system-requirements/) for installation
111
23
* Verify that you complete all the[prerequisites]({{site.baseurl}}/docs/installation/gitops/runtime-prerequisites/)
112
-
* Verify you have a [valid Argo CD Admin API token](#argo-cd-admin-api-token)
24
+
* Verify you have a[valid Argo CD Admin API token]({{site.baseurl}}/docs/installation/gitops/runtime-argocd-admin-api-token/)
113
25
* For ingress-based and service-mesh based Runtimes only, verify that these ingress controllers are configured correctly:
The GitOps Runtime authenticates with the external Argo CD instance using either a token or a username-password combination.
343
-
344
-
The installation wizard supports API token-based authentication, allowing you to paste the API token directly.
345
-
You can also configure authentication by referencing a token secret or using a username-password combination.
346
-
347
-
348
-
### Token-based authentication for Argo CD Admin API
349
-
The token must be a non-expiring API key. If revoked, GitOps operations stop until you manually update the token for the Runtime, as the system does not regenerate or validate it automatically.
350
-
351
-
You can:
352
-
* Provide a token directly
353
-
OR
354
-
* Reference a Kubernetes secret containing the token
355
-
* The secret must already exist and include a key with a valid, non-expiring `argo-cd apiKey`
356
-
* The system injects the key into the required services<!---, including App Proxy (`app-proxy`), Source Server (`sources-server`), Event Reporter (`event-reporter`), and GitOps Operator (`gitops-operator`)-->.
357
-
358
-
##### Example: Referencing a token secret in `values.yaml` file
359
-
360
-
```yaml
361
-
global:
362
-
external-arg-cd:
363
-
auth:
364
-
type: token
365
-
tokenSecretKeyRef:
366
-
name: "secret-name"
367
-
key: "secret-key"
368
-
```
369
-
370
-
### Password-based authentication for Argo CD Admin API
371
-
This method uses an Argo CD username and password for authentication.
372
-
The system:
373
-
* Generates both an API key and a session token, which differ primarily in their expiration dates
374
-
* Stores the API key in the `argocd-token` Secret, and automatically regenerates it when needed
375
-
376
-
You can:
377
-
* Specify the username and password as plain text
378
-
* The Helm chart creates a secret to store the password.
379
-
* The App Proxy uses these credentials to generate API keys and session tokens as needed.
380
-
OR
381
-
* Specify the username in plain text and reference a Kubernetes secret containing the password
382
-
* The secret must already exist and contain a key with the password.
383
-
* The App Proxy uses the secret name, key, and the plain-text username to generate API keys and session tokens.
384
-
385
-
##### Example username and password as plain text
386
-
```yaml
387
-
global:
388
-
external-arg-cd:
389
-
auth:
390
-
type: password
391
-
username: "user-name"
392
-
password: "explicit-password"
393
-
```
394
-
395
-
##### Example username as plain text and password as secret reference
396
-
```yaml
397
-
global:
398
-
external-arg-cd:
399
-
auth:
400
-
type: password
401
-
username: "some-user-name"
402
-
passwordSecretKeyRef:
403
-
name: "secret-name"
404
-
key: "secret-key"
405
-
```
406
-
407
-
408
-
## Upgrade Runtimes
409
-
For upgrade instructions, see [Upgrade GitOps Runtimes]({{site.baseurl}}/docs/installation/gitops/manage-runtimes/#upgrade-gitops-runtimes/).
410
-
411
-
For details on Argo CD versions and their compatible Kubernetes versions, see [Argo CD versioning information](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/){:target="\_blank"} and [Kubernetes tested versions](https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#tested-versions){:target="\_blank"}.
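Review bot: The removal at the end of this hunk takes out the whole "## Upgrade Runtimes" section (the Upgrade GitOps Runtimes link and the Argo CD and Kubernetes version links), but the new runtime-argocd-admin-api-token.md page only receives the authentication content and ends at "Related articles". If dropping the upgrade pointers from this page is intended, say so in the change description; otherwise keep that section here. Also note that the service list that was commented out in the removed line (`<!---, including App Proxy (`app-proxy`), ...-->`) is published uncommented in the new page, so please confirm that exposing it is deliberate.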