Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Manage Oracle Cloud Infrastructure Kubernetes Engine Clusters in Argo CD using Workload Identity

Introduction

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. At the time this tutorial was written, Argo CD does not have Oracle Cloud Infrastructure Command Line Interface (OCI CLI) capabilities required to generate the access token for Oracle Cloud Infrastructure Kubernetes Engine (OKE), hence a custom Argo CD image is required.

Note: The base Argo CD image that was used for the custom image is quay.io/argoproj/argocd:v2.14.9.

Objectives

• Create a custom Argo CD image containing OCI CLI.

• Install Argo CD on enhanced OKE cluster using a custom image.

• Add a basic OKE cluster to Argo CD cluster list using execProviderConfig.

• Deploy an app on the basic cluster from Argo CD.

Prerequisites

• Install Podman or Docker and the argocd CLI.

• OKE enhanced cluster to install Argo CD.

  Note: You can only use workload identity for enhanced clusters.

• OKE cluster to be managed by Argo CD.

• Auth token for your OCI user (from the OCI Console, go to your user profile and click Auth tokens), it can take up to 5 mins to activate.

• Permission for your OCI user to create repos in OCI Container Registry.

  Allow group <your_group> to manage repos in tenancy
  

• Permission for Argo CD to manage OKE clusters.

  allow any-user to manage all-resources in compartment <compartment_ocid> where all { request.principal.type='workload', request.principal.cluster_id = '<cluster_ocid>', request.principal.namespace = 'argocd', request.principal.service_account = 'argocd-application-controller' }
  

  Note: This policy is too open, but you can make it as restrictive as you want.

  • Replacements in the policy:
    • compartment_ocid: This should be the compartment OCID that contains the clusters you want to manage with Argo CD.
    • cluster_ocid: This should be the cluster OCID from where you want to manage other clusters. The one that has Argo CD.
    • request.principal.namespace: This is the namespace where Argo CD is deployed.
    • request.principal.service_account: This is the service account for Argo CD application controller (the one in charge for cluster authentication).

Task 1: Push the Argo CD Custom Image to OCI Container Registry

Note: You can use Podman or docker.

1. Download the file named Dockerfile from here: Dockerfile.

2. Run the following command.

   podman build --platform linux/amd64 -t argocd-oci:01 .
   

   Note: The dot (.) at the end of the command is for current directory, where the Dockerfile is located.

3. Run the following command.

   podman tag argocd-oci:01 ocir.**your_region**.oci.oraclecloud.com/**your_tenancy_namespace**/**your_repository_name**/argocd-oci:01
   

4. Run the following command.

   podman login ocir.**your_region**.oci.oraclecloud.com
   

   • User is :
     • If identity domain is used: your_tenancy_namespace/OracleIdentityCloudService/your_email.
     • If default domain is used: your_tenancy_namespace/your_email.
   • Password is your OCI auth token.

5. Run the following command.

   podman push ocir.**your_region**.oci.oraclecloud.com/**your_tenancy_namespace**/**your_repository_name**/argocd-oci:01
   

Task 2: Install Argo CD Using the Custom Image

Note: Update only the image for argocd-application-controller as this is responsible for cluster authentication.

1. Download and install Argo CD manifest from here: argo-cd/manifests/install.yaml.

2. Edit file to change the image for argocd-application-controller.

   • Change from image: quay.io/argoproj/argocd:latest
   • To image: ocir.**your_region**.oci.oraclecloud.com/**your_tenancy_namespace**/**your_repository_name**/argocd-oci:01

3. Run the following command to create argocd namespace.

   kubectl create namespace argocd
   

4. Run the following command to deploy argocd.

   kubectl apply -f install.yaml -n argocd
   

Task 3: Add a Cluster to Argo CD Cluster List

1. Start Argo CD.

   Note: You can use an OCI Load Balancer to expose Argo CD. For this example port-forward will be used instead. For this you need an additional terminal only for port forwarding.

   1. In your second terminal, run the following command.

      kubectl port-forward service/argocd-server -n argocd 63265:80
      

      Note: Do not close this terminal, switch to your previous one as this is used to keep Argo CD up.

   2. Get the Argo CD admin password using the following command.

      kubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
      

   3. Log in (user is admin, password is the one from previous command) using the following command.

      argocd login 127.0.0.1:63265
      

2. Download and edit the file named add_cluster.yaml from here: add_cluster.yaml:

   Note: This example is using insecure TLS, it can be changed.

   • cluster_name: Name of the cluster that will appear in Argo CD cluster list.
   • cluster_api_endpoint: The endpoint of the cluster you want to add to Argo CD cluster list.
   • cluster_ocid: The OCID of the cluster you want to add to Argo CD cluster list.
   • region: The region where the cluster resides.

3. Apply the file to add the cluster in the Argo CD cluster list using the following command.

   kubectl apply -f add_cluster.yaml
   

4. Check to see if the cluster was added to Argo CD cluster list using the following command.

   argocd cluster list
   

Task 4: Test by Deploying an App from Argo CD to the Cluster

1. Download and edit the file named deploy_example.yaml from here: deploy_example.yaml.

   • cluster_name: Name of the cluster you want to deploy the app.

2. Apply the file to deploy a simple app to target cluster using the following command.

   kubectl apply -f deploy-example.yaml
   

3. Check to see if the app was deployed successfully using the following commands.

   argocd app list
   argocd app sync guestbook
   

Acknowledgments

• Author - Gabriel Feodorov (Senior Cloud Engineer)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Manage Oracle Cloud Infrastructure Kubernetes Engine Clusters in Argo CD using Workload Identity

G34960-01

Copyright ©2025, Oracle and/or its affiliates.