ArgoCD DevOps GitOps Tuesday, April 14, 2026

🚀 ArgoCD Production Setup: GitOps + Ingress + SSO + Admin Password (Step-by-Step)

CloudChef
thecloudchef.io

Setting up ArgoCD in production is not just about installing it—it's about securing it, scaling it, and making it reliable.

In this CloudChef guide, you'll learn:

  • How ArgoCD works (visualized)
  • How to install and expose it properly
  • How to retrieve the initial admin password
  • How to secure it with SSO and RBAC

📊 GitOps Architecture (Visualized)

flowchart TD
    A[Git Repository] -->|Source of Truth| B[ArgoCD Controller]
    B -->|Sync Desired State| C[Kubernetes Cluster]
    C --> D[Running Applications]

👉 ArgoCD continuously ensures your cluster matches what's defined in Git.


🍳 CloudChef Recipe: Production ArgoCD Setup


Step 1: Install ArgoCD


kubectl create namespace argocd

kubectl apply -n argocd \
-f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

🔑 Step 2: Get Initial ArgoCD Admin Password

After installation, ArgoCD generates a temporary admin password stored in a secret.


kubectl get secret argocd-initial-admin-secret \
-n argocd \
-o jsonpath="{.data.password}" | base64 -d

👉 Username:


admin

⚠️ Change this password immediately after login.


🌐 Step 3: Configure Ingress (Production Access)

Expose ArgoCD securely via ingress instead of port-forwarding.


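# argocd-server terminates TLS itself by default, so the ingress controller
# must speak HTTPS to this backend (or argocd-server must run in insecure
# mode behind an ingress that terminates TLS).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server
  namespace: argocd
spec:
  rules:
  - host: argocd.yourdomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              number: 443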

👉 Use TLS (cert-manager + Let's Encrypt) for production.


🔐 Step 4: Disable Default Admin (Security)


kubectl patch configmap argocd-cm \
-n argocd \
-p '{"data":{"admin.enabled":"false"}}'

👉 Never rely on default credentials.


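🔑 Step 5: Enable SSO (OIDC)

sequenceDiagram
    User->>SSO Provider: Login Request
    SSO Provider->>ArgoCD: Token
    ArgoCD->>Kubernetes: Authorization

# Goes in the data section of the argocd-cm ConfigMap (namespace argocd).
# YOUR_SECRET is a placeholder: keep the real value out of Git. Argo CD also
# accepts a $key reference here that is resolved from the argocd-secret Secret.
data:
  url: https://argocd.yourdomain.com
  oidc.config: |
    name: SSO
    issuer: https://accounts.google.com
    clientID: YOUR_CLIENT_ID
    clientSecret: YOUR_SECRET
    requestedScopes: ["openid", "profile", "email"]

👉 Replace static credentials with identity-based access.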


🛡️ Step 6: Configure RBAC


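apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    # Argo CD only reads ConfigMaps that carry this label.
    app.kubernetes.io/part-of: argocd
data:
  policy.csv: |
    # Members of the dev-team group get the built-in read-only role.
    g, dev-team, role:readonly

👉 Enforce least privilege across teams.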


⚙️ Step 7: Enable Auto-Sync (GitOps Mode)


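# Fragment of an Application manifest (spec.syncPolicy).
spec:
  syncPolicy:
    automated:
      prune: true      # delete resources that were removed from Git
      selfHeal: true   # revert changes made directly in the cluster

👉 Your cluster now self-heals automatically.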


🔐 Production Security Checklist

  • ☐ TLS enabled via ingress
  • ☐ SSO configured
  • ☐ Admin account disabled
  • ☐ RBAC enforced
  • ☐ Secrets stored securely
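
The checklist above can be checked against the live objects rather than by eye. The following is an added example, not code from the original post: the `audit` and `tls_ok` helpers and the sample listing are constructed for illustration, and it assumes the `$key` secret-reference form for `clientSecret` and the `policy.default` key of `argocd-rbac-cm`.

```python
import json
import re

# Constructed sample (not a real cluster): trimmed output of
# `kubectl get configmap,ingress -n argocd -o json`, SSO added, rest skipped.
SAMPLE = json.loads(r"""
{"items": [
 {"kind": "ConfigMap", "metadata": {"name": "argocd-cm"},
  "data": {"url": "https://argocd.yourdomain.com",
           "oidc.config": "name: SSO\nclientID: YOUR_CLIENT_ID\nclientSecret: YOUR_SECRET\n"}},
 {"kind": "ConfigMap", "metadata": {"name": "argocd-rbac-cm"}, "data": {}},
 {"kind": "Ingress", "metadata": {"name": "argocd-server"},
  "spec": {"rules": [{"host": "argocd.yourdomain.com"}]}}
]}
""")

def tls_ok(ingress):
    """True when every rule host is listed under spec.tls[].hosts (no wildcards)."""
    spec = ingress.get("spec") or {}
    covered = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    return all(r.get("host") in covered for r in spec.get("rules") or [])

def audit(listing):
    """Return the checklist items that fail, in the checklist's order."""
    items = listing["items"]
    data = {o["metadata"]["name"]: o.get("data") or {}
            for o in items if o["kind"] == "ConfigMap"}
    cm, rbac = data.get("argocd-cm", {}), data.get("argocd-rbac-cm", {})
    ingresses = [o for o in items if o["kind"] == "Ingress"]
    oidc = cm.get("oidc.config", "")
    failed = []
    if not ingresses or not all(tls_ok(i) for i in ingresses):
        failed.append("TLS enabled via ingress")
    if not oidc.strip():
        failed.append("SSO configured")
    # Argo CD treats the admin account as enabled when the key is absent.
    if cm.get("admin.enabled", "true").lower() != "false":
        failed.append("Admin account disabled")
    # Require at least one policy line and no blanket admin default role.
    rules = [ln for ln in rbac.get("policy.csv", "").splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not rules or rbac.get("policy.default") == "role:admin":
        failed.append("RBAC enforced")
    # "$key" values are resolved from the argocd-secret Secret; anything
    # else is a literal client secret sitting in the ConfigMap (and in Git).
    m = re.search(r"^\s*clientSecret:\s*(\S+)", oidc, re.M)
    if m and not m.group(1).strip("'\"").startswith("$"):
        failed.append("Secrets stored securely")
    return failed
```

To run it against a cluster, pass `audit` the parsed JSON from the `kubectl get` command named in the sample's comment instead of `SAMPLE`.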

⚠️ Common Production Mistakes

  • ❌ Using port-forward in production
  • ❌ Leaving admin account enabled
  • ❌ No RBAC enforcement
  • ❌ Hardcoding secrets in Git


🧠 CloudChef Pro Tips

  • Use App-of-Apps pattern for scaling
  • Separate dev/stage/prod clusters
  • Combine ArgoCD with Helm/Kustomize
  • Automate deployments via Git workflows

🚀 Final Thoughts

ArgoCD is not just a deployment tool—it's a GitOps platform that enforces consistency and reliability.

🔥 CloudChef Tip: GitOps is not about deploying faster—it's about deploying safer.
