🚀 Automated deployment of a production-ready Argo CD on AKS, secured with TLS and secret-less Microsoft Entra ID SSO using Workload Identity.

realniraj/argocd-aks-entra-id-sso

Automated Deployment of Argo CD on AKS with TLS and Entra ID SSO

This repository provides a set of scripts and Kubernetes manifests to fully automate the deployment of a production-ready Argo CD instance on Azure Kubernetes Service (AKS).

The goal is to solve the complex challenge of securing Argo CD in a corporate environment by integrating it with a centralized identity provider, eliminating secrets, and automating HTTPS. This setup ensures that all GitOps access is controlled, audited, and seamless for users.

Key Features:

  • 🔒 Production-Grade Security: Deploys a hardened AKS cluster with local admin accounts disabled and administration managed via a dedicated Microsoft Entra ID group.
  • 🔑 Secret-less SSO: Configures Single Sign-On with Microsoft Entra ID using the modern Workload Identity Federation, eliminating the need for client secrets or certificates.
  • 📜 Automated TLS: Uses NGINX and Cert-Manager to automatically provision and renew a valid TLS certificate from Let's Encrypt for your Argo CD instance.
  • ⚙️ Fully Automated: The entire process, from provisioning Azure infrastructure to configuring Argo CD, is handled by a series of easy-to-run shell scripts.
  • 👥 Pre-configured RBAC: Sets up admin and read-only groups in Entra ID and maps them to the corresponding roles in Argo CD.
  • ✨ Seamless User Experience: Pre-grants admin consent to the Entra ID application, so users have a smooth, no-prompt login experience from both the UI and the CLI.
  • 🧹 Clean Uninstall: Includes a script to cleanly destroy all created Azure and Kubernetes resources.

Technology Stack: Azure AKS | Microsoft Entra ID | Argo CD | NGINX Ingress | Cert-Manager | Helm | Bash

The final setup includes:

  • An AKS cluster with Workload Identity enabled.
  • NGINX Ingress Controller for traffic management.
  • Cert-Manager for automated TLS certificates via Let's Encrypt.
  • Argo CD configured for secret-less Single Sign-On (SSO) with Microsoft Entra ID.

Repository Structure

.
├── README.md               # This file
├── LICENSE                 # Project license
├── env.sh.example          # Template for environment variables
├── env.sh                  # Your configuration file (created from template)
├── scripts/
│   ├── 01-infra-setup.sh     # Provisions Azure infrastructure (AKS, Entra ID)
│   ├── 02-k8s-core-setup.sh  # Installs Kubernetes components (Ingress, Cert-Manager, Argo CD)
│   ├── 03-argocd-config.sh   # Patches Argo CD ConfigMaps (Ingress, OIDC, RBAC)
│   └── uninstall.sh          # Destroys all created resources
└── manifests/
    ├── argocd-cm.yaml.tpl          # Template for Argo CD ConfigMap data
    ├── argocd-ingress.yaml.tpl     # Template for Argo CD Ingress
    ├── argocd-rbac-cm.yaml.tpl     # Template for Argo CD RBAC ConfigMap data
    └── letsencrypt-issuer.yaml.tpl # Template for Cert-Manager ClusterIssuer

Prerequisites

  1. Azure CLI: You must be logged in (az login). If you don't have it installed, use the platform-appropriate instructions below and run az login afterwards.

    • macOS (Homebrew):

      brew update
      brew install azure-cli
      az version
    • Linux (Debian/Ubuntu):

      curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
      az version
  2. kubectl: The Kubernetes command-line tool. You can install kubectl directly, or via the Azure CLI helper, which ensures the client version matches your AKS version.

    • macOS (Homebrew):

      brew install kubectl
      kubectl version --client
    • Linux (Debian/Ubuntu) via Azure CLI:

      sudo az aks install-cli
  3. Helm: The Kubernetes package manager.

    • macOS (Homebrew):

      brew install helm
      helm version
    • Linux (Debian/Ubuntu):

      curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | sudo bash
      helm version
  4. envsubst: A command-line utility for substituting environment variables. It's available in the gettext package.

    • On macOS (via Homebrew): brew install gettext
    • On Debian/Ubuntu: sudo apt-get update && sudo apt-get install gettext-base
  5. Custom Domain: You need a domain name for which you can configure DNS records.

Deployment Instructions

The deployment is broken down into three simple steps.

Step 1: Configure Your Environment

First, you must define your environment settings.

  1. Make a copy of the environment variable template:
    cp env.sh.example env.sh

  2. Open the env.sh file in a text editor and replace all placeholder values with your specific configuration. Do not change the variable names.

Step 2: Run the Deployment Scripts

Execute the scripts in sequential order.

  1. Provision Azure Infrastructure: This script creates the AKS cluster and all necessary Entra ID objects. This step can take 10-15 minutes to complete.
    bash ./scripts/01-infra-setup.sh

  2. Install Kubernetes Components: This script uses Helm to install NGINX, Cert-Manager, and applies the Argo CD installation manifests.
    bash ./scripts/02-k8s-core-setup.sh

    After this script finishes, you will be prompted to create a DNS 'A' record. You must complete this manual DNS step before proceeding.

  3. Configure Argo CD: This final script creates the Ingress for Argo CD, safely patches the existing Argo CD ConfigMaps with OIDC and RBAC settings, and restarts the server.
    bash ./scripts/03-argocd-config.sh

After the final script completes successfully, your secure Argo CD instance will be available at the FQDN you configured.
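As an added illustration, not a file from this repository (its manifest templates are not shown on this page), here are the two Argo CD ConfigMaps that step 3 patches, with the client-secret variant kept beside the secret-less Workload Identity variant so the difference is visible. It assumes an Argo CD release that supports the `azure.useWorkloadIdentity` option; the tenant, client and group IDs and the hostname are placeholders.

```yaml
# argocd-cm: OIDC settings. Constructed example; all <...> values are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://argocd.example.com          # must match the Ingress host and the app's redirect URI
  # WEAK: classic OIDC with a long-lived client secret stored in the cluster
  # (argocd-secret). It must be rotated, can leak with a backup, and
  # any holder of it can mint tokens for the app.
  # oidc.config: |
  #   name: Azure
  #   issuer: https://login.microsoftonline.com/<TENANT_ID>/v2.0
  #   clientID: <CLIENT_ID>
  #   clientSecret: $oidc.azure.clientSecret
  #
  # SECRET-LESS: argocd-server authenticates to Entra ID with its projected
  # service-account token, trusted through a federated credential on the app
  # (subject system:serviceaccount:argocd:argocd-server, issuer = AKS OIDC issuer).
  # Also required: the argocd-server ServiceAccount annotated with
  # azure.workload.identity/client-id: <CLIENT_ID> and the pod labelled
  # azure.workload.identity/use: "true". Nothing secret is stored in the cluster.
  oidc.config: |
    name: Azure
    issuer: https://login.microsoftonline.com/<TENANT_ID>/v2.0
    clientID: <CLIENT_ID>
    azure:
      useWorkloadIdentity: true
    requestedIDTokenClaims:
      groups:
        essential: true        # the groups claim is what the RBAC policy matches on
    requestedScopes: [openid, profile, email]
---
# argocd-rbac-cm: Entra group object IDs mapped to Argo CD roles.
# policy.default is empty, so a user in neither group can authenticate
# but sees no applications (deny by default).
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: ''
  scopes: '[groups, email]'
  policy.csv: |
    g, <ADMIN_GROUP_OBJECT_ID>, role:admin
    g, <READONLY_GROUP_OBJECT_ID>, role:readonly
```

Check the result with `kubectl get cm argocd-cm argocd-rbac-cm -n argocd -o yaml` and confirm that no `clientSecret` key remains once the Workload Identity variant is active.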

Post-Deployment

  • Log in to the UI: Navigate to https://$ARGOCD_FQDN in your browser.
  • Log in via CLI: Run argocd login $ARGOCD_FQDN --sso --sso-launch-browser=false.
  • Disable Local Admin: Once you have verified SSO is working, you can run the final command from 03-argocd-config.sh to disable the local admin user.

kubectl patch cm argocd-cm -n ${ARGOCD_NAMESPACE} -p '{"data":{"admin.enabled":"false"}}' && kubectl rollout restart deployment argocd-server -n ${ARGOCD_NAMESPACE}

Cleanup

To destroy all resources created by these scripts (including the AKS cluster and Entra ID app registration), run the uninstall.sh script.

  1. Run the uninstall script:
    bash ./scripts/uninstall.sh
