Manage Oracle Cloud Infrastructure Kubernetes Engine Clusters in ArgoCD using Workload Identity

Introduction

ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes. At the time this tutorial was written, ArgoCD does not have Oracle Cloud Infrastructure Command Line Interface (OCI CLI) capabilities required to generate the access token for Oracle Cloud Infrastructure Kubernetes Engine (OKE), hence a custom ArgoCD image is required.

Note: The base ArgoCD image that was used for the custom image is quay.io/argoproj/argocd:v3.1.1.

Objectives

• Create a custom ArgoCD image containing OCI CLI.

• Install ArgoCD on enhanced OKE cluster using the custom image.

• Add an OKE cluster to ArgoCD cluster list using execProviderConfig.

• Deploy an app on the target OKE cluster from ArgoCD.

Prerequisites

• Install Podman or Docker and the argocd CLI.

• OKE enhanced cluster to install ArgoCD.

  Note: You can only use workload identity for enhanced clusters.

• OKE cluster to be managed by ArgoCD.

• Auth token for your OCI user (from the OCI Console, go to your user profile and click Auth tokens), it can take up to 5 mins to activate.

• Permission for your OCI user to create repos in OCI Container Registry.

  Allow group <your_group> to manage repos in tenancy

• Permission for ArgoCD to manage OKE clusters.

  allow any-user to manage all-resources in compartment <compartment_ocid> where all { request.principal.type='workload', request.principal.cluster_id = '<cluster_ocid>', request.principal.namespace = 'argocd', request.principal.service_account = 'argocd-application-controller' }

  Note: This policy is too open, but you can make it as restrictive as you want.

  • Replace in the policy:
    • compartment_ocid: This should be the compartment OCID that contains the clusters you want to manage with ArgoCD.
    • cluster_ocid: This should be the cluster OCID from where you want to manage other clusters. The one that has ArgoCD.

Task 1: Push the ArgoCD Custom Image to OCI Container Registry

Note: You can use Podman or docker.

1. Create a Dockerfile containing:

   FROM quay.io/argoproj/argocd:v3.1.1
   
   USER root
   
   
   RUN apt-get update; \
       apt-get install -y --no-install-recommends python3-venv; \
       python3 -m venv /opt/oci; \
       /opt/oci/bin/pip install --no-cache-dir --upgrade pip; \
       /opt/oci/bin/pip install --no-cache-dir "oci-cli==3.65.0"; \
       ln -s /opt/oci/bin/oci /usr/local/bin/oci; \
       apt-get clean; \
       rm -rf /var/lib/apt/lists/*
   
   USER 999

2. Run the following command inside the folder containing the ‘Dockerfile’.

   podman build --platform linux/amd64 -t argocd-oci:01 .

   Note: The dot (.) at the end of the command is for current directory, where the Dockerfile is located.

3. Run the following command.

   podman tag argocd-oci:01 ocir.**your_region**.oci.oraclecloud.com/**your_tenancy_namespace**/**your_repository_name**/argocd-oci:01

4. Run the following command.

   podman login ocir.**your_region**.oci.oraclecloud.com

   • User is :
     • If identity domain is used: your_tenancy_namespace/OracleIdentityCloudService/your_email.
     • If default domain is used: your_tenancy_namespace/your_email.
   • Password is your OCI auth token.

5. Run the following command.

   podman push ocir.**your_region**.oci.oraclecloud.com/**your_tenancy_namespace**/**your_repository_name**/argocd-oci:01

Task 2: Install ArgoCD Using the Custom Image

1. Download and install ArgoCD manifest from here: argo-cd/manifests/install.yaml.

2. Edit file to replace the ArgoCD image to our custom image.

   • Change from image: quay.io/argoproj/argocd
   • To image: ocir.**your_region**.oci.oraclecloud.com/**your_tenancy_namespace**/**your_repository_name**/argocd-oci:01

3. Run the following command to create argocd namespace.

   kubectl create namespace argocd

4. Run the following command to deploy argocd.

   kubectl apply -f install.yaml -n argocd

Task 3: Add a Cluster to ArgoCD Cluster List

1. Start ArgoCD.

   Note: You can use an OCI Load Balancer to expose ArgoCD. For this example port-forward will be used instead. Use an additional terminal only for port forwarding.

   1. In your second terminal, run the following command.

      kubectl port-forward service/argocd-server -n argocd 63265:80

      Note: Do not close this terminal, switch to your previous one as this is used to keep ArgoCD up.

   2. Get the ArgoCD admin password using the following command.

      kubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

   3. Log in (user is admin, password is the one from previous command) using the following command.

      argocd login 127.0.0.1:63265

2. Download and edit the file named add_cluster.yaml from here: add_cluster.yaml:

   Note: This example is using insecure TLS, it can be changed.

   • cluster_name: Name of the cluster that will appear in ArgoCD cluster list.
   • cluster_api_endpoint: The endpoint of the cluster you want to add to ArgoCD cluster list.
   • cluster_ocid: The OCID of the cluster you want to add to ArgoCD cluster list.
   • region: The region where the cluster resides.

3. Apply the file to add the cluster in the ArgoCD cluster list using the following command.

   kubectl apply -f add_cluster.yaml

4. Check to see if the cluster was added to ArgoCD cluster list using the following command.

   argocd cluster list

Task 4: Test by Deploying an App from ArgoCD to the Cluster

1. Download and edit the file named deploy_example.yaml from here: deploy_example.yaml.

   • cluster_name: Name of the cluster you want to deploy the app.

2. Apply the file to deploy a simple app to target cluster using the following command.

   kubectl apply -f deploy-example.yaml

3. Check to see if the app was deployed successfully using the following commands.

   argocd app list
   argocd app sync guestbook

Acknowledgments

• Author - Gabriel Feodorov (Senior Cloud Engineer)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Manage Oracle Cloud Infrastructure Kubernetes Engine Clusters in Argo CD using Workload Identity

G34960-02

Copyright ©2025,2026,

Oracle and/or its affiliates.