Argo CD auto roll back manually changes or changes which are not committed through GitHub - unix1998/technical_notes GitHub Wiki

Argo CD can be configured to automatically detect and rollback or reject manual changes that are not done through the Git repository. This is a feature of Argo CD's "self-healing" capabilities. To achieve this, you need to set up an Argo CD application with automated synchronization and enable self-healing. Here’s how you can do it:

Steps to Set Up Argo CD to Reject or Rollback Manual Changes

  1. Install Argo CD on OpenShift:

    • Follow the Argo CD installation guide for OpenShift or Kubernetes to install Argo CD on your cluster.

  2. Create an Argo CD Application:

    • Create an Argo CD application that points to your Git repository and contains the desired state of your Kubernetes resources.

  3. Enable Automated Sync and Self-Healing:

    • Configure the Argo CD application to enable automated synchronization and self-healing. This ensures that Argo CD will automatically synchronize the desired state from the Git repository and revert any manual changes.

Example Argo CD Application Manifest

Here’s an example of how to define an Argo CD application with automated sync and self-healing enabled:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'https://github.com/my-org/my-repo.git'
    targetRevision: HEAD
    path: 'path/to/manifests'
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: my-namespace
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true

Explanation

  • automated: Enables automated synchronization.
    • prune: Removes resources that are no longer defined in the Git repository.
    • selfHeal: Automatically reverts any manual changes that are not done through the Git repository.
  • syncOptions: Additional synchronization options (e.g., CreateNamespace=true).

How It Works

  1. Automated Sync:
    • When changes are pushed to the Git repository, Argo CD automatically synchronizes the cluster state with the repository.
  2. Self-Healing:
    • Argo CD continuously monitors the cluster state.
    • If someone manually applies changes (e.g., oc apply -f service.yaml) that differ from the desired state defined in the Git repository, Argo CD detects this discrepancy.
    • With selfHeal: true, Argo CD will automatically revert the manual changes to match the desired state from the Git repository.

Preventing Manual Changes

To further enforce policies and prevent manual changes, you can implement the following strategies:

  1. RBAC Policies:

    • Use Kubernetes Role-Based Access Control (RBAC) to restrict who can apply changes manually. Limit permissions to only allow automated systems (like Argo CD) to make changes.

  2. Admission Controllers:

    • Use Kubernetes admission controllers to enforce policies. For example, Open Policy Agent (OPA) Gatekeeper can be used to enforce policies that prevent manual changes.

Example RBAC Restriction

Here’s an example of an RBAC policy that restricts manual changes:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: argo-cd-role
rules:
- apiGroups: [""]
  resources: ["pods", "services", "deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Conclusion

By enabling automated sync and self-healing in Argo CD, you can ensure that the cluster state remains consistent with the Git repository, automatically reverting any manual changes. Additionally, implementing RBAC policies and admission controllers can further enforce this desired state and prevent unauthorized manual changes. This setup helps maintain a GitOps workflow, where the Git repository is the single source of truth for your cluster configuration.