# # To enable Argo CD perform deployments to a remote cluster, you will have to perform the following steps: # 1. create a service account in the remote cluster # 2. grant the requisite set of permissions to the service account using a Role/RoleBinding or ClusterRole/ClusterRoleBinding # 3. create secret in the remote cluster which generates a long-lived API token for the service account # # Using the API token and CA certificate for the service account in remote cluster, you have to create a Secret in the management cluster where Argo CD is installed. # This Secret allows Argo CD to perform operations against the remote cluster using the credentials of the service accout in that cluster # Argo CD provides a simple one-step command to execute all of the above as documented here: # https://argo-cd.readthedocs.io/en/stable/getting_started/#5-register-a-cluster-to-deploy-apps-to-optional # However, creating these artifacts explicitly allows to automate the provisioning of these artifacts in the management/remote cluster when the remote cluster is created usig GitOps/Crossplane # --- apiVersion: v1 kind: ServiceAccount metadata: name: argocd-manager namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: argocd-manager-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: argocd-manager namespace: kube-system --- # # Staring from K8s 1.24, when a service account is created, it does not automatically create a Secret which contains an API token for the service token. # In order to obtain a long-lived API token for a ServiceAccount, you create a new Secret with a special annotation, "kubernetes.io/service-account.name" # The Secret type is set to "kubernetes.io/service-account-token" # When this Secret is created, it will be populated with the "data" section that contains the field "ca.crt", "namespace", and "token" # apiVersion: v1 kind: Secret metadata: name: argocd-manager namespace: kube-system annotations: kubernetes.io/service-account.name: argocd-manager type: kubernetes.io/service-account-token