Upbound Cloud and Argo CD

Update: Upbound Cloud has been retired, so the basic premise of this post is no longer relevant. I believe it still has merit for similar use cases, so I’ll leave it active.

Disclaimer: Commercial product post. Ok, disclaimer out of the way, this topic comes up a lot in my day-to-day at work and I figured it would be helpful to provide some detail here.

Upbound Cloud is Upbound’s commercial SaaS offering backed by Crossplane. Argo CD is a popular GitOps platform that benefits greatly from Crossplane. So why don’t they work nicely together ‘out of the box’? I have a series of previous posts that cover Crossplane and Argo CD in general. In this post, I’ll cover Upbound Cloud with Argo CD. I’ll try to keep it short and to the point.

To follow along with this post, you’ll need an Upbound Cloud control plane and an instance of Argo CD running in a separate cluster. You can follow the directions here for an Upbound Cloud trial. In that process, you’ll find directions to download a kubeconfig for your UBC instance. This will be used in the following steps. To install Argo CD, refer to the Argo CD project page here.

Crossplane uses the Kubernetes control plane. It has no need for container orchestration. In Upbound Cloud, many of the container orchestration ‘things’ are not implemented. Upbound Cloud only implements the components of a Kubernetes control plane required for a Crossplane platform to operate.

Argo CD has a few quirks of its own. The important one for this topic is that (by default) it expects to have ‘List’ privileges on every resource in a Kubernetes cluster it’s configured to sync with. This results in a no-go if you connect it to a Kubernetes control plane where it has anything less than List on all resources.

Ok, we have Upbound Cloud that doesn’t have a ‘traditional’ Kubernetes control plane exposed and Argo CD that requires ‘List’ privilege of every resource.

Not the end of the world. Argo CD allows us to configure it to ignore/exclude kube-apiserver resources. So we configure it to not require the resources Upbound Cloud doesn’t expose. That’s the first part of the solution. The second part is to add your Upbound Cloud cluster to Argo CD as a cluster to sync with.

For the first requirement, we configure the ‘argocd-cm’ configmap in the argocd namespace. The second step is to add your Upbound Cloud control plane to your Argo CD cluster list.

Because I’m beyond tired of WordPress destroying the formatting of YAML, I’ll redirect you to my GitHub org for the manifests required. You can find them here.
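
For orientation, here is the general shape of the two pieces described above, written as an added example and not taken from the author's repository. The excluded kinds, the control plane URL, the secret name and the bearer-token form of the credential are all assumptions; compare the kinds against what `kubectl api-resources` returns when run with your UBC kubeconfig.

```yaml
# Added example, not the author's manifests.
# Part 1: tell Argo CD which kinds to skip, scoped to one cluster only.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  resource.exclusions: |
    # Illustrative workload kinds (assumption); replace with the kinds
    # your control plane does not serve.
    - apiGroups:
      - "apps"
      kinds:
      - "Deployment"
      - "DaemonSet"
      - "StatefulSet"
      - "ReplicaSet"
      # Limiting the rule to this server keeps full visibility on
      # every other cluster Argo CD manages.
      clusters:
      - "https://CONTROL-PLANE-URL.example"   # placeholder
---
# Part 2: register the control plane declaratively as an Argo CD cluster.
apiVersion: v1
kind: Secret
metadata:
  name: upbound-cloud-cluster                 # hypothetical name
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: cluster   # marks this Secret as a cluster
type: Opaque
stringData:
  name: upbound-cloud
  server: "https://CONTROL-PLANE-URL.example" # placeholder, must match above
  config: |
    {
      "bearerToken": "<TOKEN-FROM-UBC-KUBECONFIG>",
      "tlsClientConfig": { "insecure": false }
    }
```

Merge the `resource.exclusions` key into your existing `argocd-cm` instead of replacing the ConfigMap. Keep the cluster Secret out of plain Git, since its token grants access to the control plane.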