7. Deploy workloads

Overview

This guide will help you deploy your workload using Argo CD by creating an application manifest that utilizes secrets from Azure Key Vault and targets your GitHub repository.

Prerequisites

• A GitHub repository with your application code.
• Secrets stored in Azure Key vault (if your application requires it).

Proposed Git structure

• You should have at least two repositories.

  • One repository for your application code. This will include your application backend and frontend.
  • One repository for your Kubernetes manifests and platform specific things. This will include ArgoCD applications, application sets and YAML files.
    • You should split this repository up into logical folders.
      • apps: this folder holds all your Kubernetes manifests for your applications.
      • projects: this folder holds all your ArgoCD projects, applications and application sets.

  Info

  Whatever combination of repositories you prefer is sufficient to follow and complete this guide.

  However, you should opt for a more structured approach for your production workloads.

Deploy your workloads

1. Prepare your Application Manifest:
   • Create your application manifest in your Github repository.
     • Remember to reference the SecretProviderClass in your Kubernetes deployment manifests to use secrets from Azure Key Vault.
   • Example application manifest (eg. busybox.yaml) located in your Github repository (or any public repository you are using):

     apiVersion: apps/v1
     kind: Deployment
     metadata:
       name: busybox-secrets-store-deployment
       namespace: workloads
     spec:
       replicas: 1
       selector:
         matchLabels:
           app: busybox-secrets-store
       template:
         metadata:
           labels:
             app: busybox-secrets-store
         spec:
           containers:
           - name: busybox
             image: registry.k8s.io/e2e-test-images/busybox:1.29-4
             command: ["sleep", "300"]
             volumeMounts:
             - name: secrets-store01-inline
               mountPath: "/mnt/secrets-store"
               readOnly: true
             resources:
               requests:
                 memory: "64Mi"
                 cpu: "250m"
               limits:
                 memory: "128Mi"
                 cpu: "500m"
             securityContext:
               allowPrivilegeEscalation: false
               runAsNonRoot: true
               readOnlyRootFilesystem: true
               runAsUser: 65533
             livenessProbe:
               exec:
                 command:
                 - cat
                 - /mnt/secrets-store/secret1
               initialDelaySeconds: 30
               periodSeconds: 10
             readinessProbe:
               exec:
                 command:
                 - cat
                 - /mnt/secrets-store/secret1
               initialDelaySeconds: 5
               periodSeconds: 10
           volumes:
           - name: secrets-store01-inline
             csi:
               driver: secrets-store.csi.k8s.io
               readOnly: true
               volumeAttributes:
                 secretProviderClass: "azure-kvname-user-msi" # Change this to reflect your secretProviderClass name if you deviated from the walkthrough
     

2. Prepare the ArgoCD manifest:

   • Create an application manifest file (e.g., app.yaml). Here is a example ArgoCD application that deploys the application manifest above. Copy and run the following code in your terminal:

     kubectl apply -f - <<EOF
     apiVersion: argoproj.io/v1alpha1
     kind: Application
     metadata:
       name: busybox-deployment
       namespace: argocd
     spec:
       project: default
       source:
         repoURL: https://github.com/amestofortytwo/sampleapps.git
         path: amesto42/sample/
         targetRevision: HEAD
       destination:
         server: https://kubernetes.default.svc
         namespace: workloads  # Change to match your workload namespace
       syncPolicy:
         automated:
           prune: false
           selfHeal: true
         syncOptions:
           - CreateNamespace=true
   EOF
   

   Info

   This is just a sample deployment. While it will work if you deploy this, it is deploying a busybox image which will fail eventually. You should try deploying your own environment specific workloads instead.

   The example is just to gain an understanding of how the deployment process works in your new platform.

3. Verify deployment:

   • You now have two options.

     1. Check the ArgoCD UI in your browser by using the external IP from the argocd-server service. The application tile should be visible in the Applications section. Click the application tile if you want to inspect the application and its components further.

     2. Use kubectl to interact with ArgoCD through your terminal/CLI and list the applications in your cluster. You can run the following command to achieve this:

        kubectl get applications --namespace argocd

     Note

     You can fetch the External IP of the ArgoCD server by running the following command:

     kubectl get svc argocd-server -n argocd -o=jsonpath='{.status.loadBalancer.ingress[0].ip}'

4. Verify workload content

   • As a final step and to verify that the secret you uploaded in the Azure Key vault has been mounted correctly inside your workload in a secure manner. Run the following commands:

     kubectl exec busybox-secrets-store-deployment -- ls /mnt/secrets-store/

     kubectl exec busybox-secrets-store-deployment -- cat /mnt/secrets-store/secret1

Conclusion

Your application is now deployed using Argo CD, with secrets securely managed by Azure Key Vault and code hosted in a GitOps way on GitHub.