Skip to content

Usage Basics

See the ArgoCD Reference for the full list of properties and defaults to configure the Argo CD cluster.

The following example shows the most minimal valid manifest to create a new Argo CD cluster with the default configuration.

kind: ArgoCD
  name: example-argocd
    example: basic
spec: {}


Create a new Argo CD cluster in the argocd namespace using the provided basic example.

kubectl create -n argocd -f examples/argocd-basic.yaml

There will be several Argo CD resources created that should be familiar to anyone who has deployed Argo CD.

kubectl get cm,secret,deploy -n argocd

Some unrelated items have been removed for clarity.

NAME                                  DATA   AGE
configmap/argocd-cm                   14     2m9s
configmap/argocd-rbac-cm              3      2m9s
configmap/argocd-ssh-known-hosts-cm   1      2m9s
configmap/argocd-tls-certs-cm         0      2m9s

NAME                                                   TYPE                                  DATA   AGE
secret/argocd-secret                                   Opaque                                5      2m9s
secret/example-argocd-ca                                          2      2m9s
secret/example-argocd-cluster                          Opaque                                1      2m9s
secret/example-argocd-tls                                         2      2m9s

NAME                                                    READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/example-argocd-application-controller   1/1     1            1           2m8s
deployment.apps/example-argocd-dex-server               1/1     1            1           2m8s
deployment.apps/example-argocd-redis                    1/1     1            1           2m8s
deployment.apps/example-argocd-repo-server              1/1     1            1           2m8s
deployment.apps/example-argocd-server                   1/1     1            1           2m8s


There are several ConfigMaps that are used by Argo CD. The argocd-server component reads and writes to these ConfigMaps based on user interaction with the web UI or via the argocd CLI. It is worth noting that the name argocd-cm is hard-coded, thus limiting us to one Argo CD cluster per namespace to avoid conflicts.

NAME                                  DATA   AGE
configmap/argocd-cm                   14     33s
configmap/argocd-rbac-cm              3      33s
configmap/argocd-ssh-known-hosts-cm   1      33s
configmap/argocd-tls-certs-cm         0      33s

The operator will create these ConfigMaps for the cluster and set the initial values based on properties on the ArgoCD custom resource.


There is a Secret that is used by Argo CD named argocd-secret. The argocd-server component reads this secret to obtain the admin password for authentication. NOTE: Upon initial deployment, the initial password for the admin user is stored in the argocd-cluster secret instead.

This Secret is managed by the operator and should not be changed directly.

NAME                                               TYPE                                  DATA   AGE
secret/argocd-secret                               Opaque                                5      33s

Several other Secrets are also managed by the operator.

NAME                                               TYPE                                  DATA   AGE
secret/example-argocd-ca                                      2      33s
secret/example-argocd-cluster                      Opaque                                1      33s
secret/example-argocd-tls                                     2      33s

The cluster Secret contains the admin password for authenticating with Argo CD.

apiVersion: v1
  admin.password: ...
kind: Secret
  labels: example-argocd-cluster argocd
    example: basic
  name: example-argocd-cluster
  namespace: argocd
type: Opaque

The operator will watch for changes to the admin.password value. When a change is made the password is synchronized to Argo CD automatically.

Fetch the admin password from the cluster Secret.

kubectl -n argocd get secret example-argocd-cluster -o jsonpath='{.data.admin\.password}' | base64 -d

To change the admin password you'll need to modify the cluster secret like this:

$ kubectl -n argocd patch secret example-argocd-cluster \
  -p '{"stringData": {
    "admin.password": "newpassword2021"


There are several Deployments that are managed by the operator for the different components that make up an Argo CD cluster.

NAME                                                    READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/example-argocd-application-controller   1/1     1            1           2m8s
deployment.apps/example-argocd-dex-server               1/1     1            1           2m8s
deployment.apps/example-argocd-redis                    1/1     1            1           2m8s
deployment.apps/example-argocd-repo-server              1/1     1            1           2m8s
deployment.apps/example-argocd-server                   1/1     1            1           2m8s

The deployments are exposed via Services that can be used to access the Argo CD cluster.


The ArgoCD Server component should be available via a Service.

kubectl get svc -n argocd
NAME                            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
example-argocd-dex-server       ClusterIP    <none>        5556/TCP,5557/TCP   2m28s
example-argocd-metrics          ClusterIP    <none>        8082/TCP            2m28s
example-argocd-redis            ClusterIP    <none>        6379/TCP            2m28s
example-argocd-repo-server      ClusterIP    <none>        8081/TCP,8084/TCP   2m28s
example-argocd-server           ClusterIP   <none>        80/TCP,443/TCP      2m28s
example-argocd-server-metrics   ClusterIP   <none>        8083/TCP            2m28s
argocd-operator-metrics         ClusterIP    <none>        8383/TCP,8686/TCP   23m

Server API & UI

The Argo CD server component exposes the API and UI. The operator creates a Service to expose this component and can be accessed through the various methods available in Kubernetes.

Follow the ArgoCD Getting Started Guide to create a new application from the UI.

Local Machine

In the most simple case, the Service port can be forwarded to the local machine.

kubectl -n argocd port-forward service/example-argocd-server 8443:443

The server UI should be available at https://localhost:8443/.


See the ingress documentation for steps to enable and use the Ingress support provided by the operator.

OpenShift Route

See the routes documentation for steps to configure the Route support provided by the operator.

Default Permissions provided to Argo CD instance

By default Argo CD instance is provided the following permissions

  • Argo CD instance is provided with ADMIN privileges for the namespace it is installed in. For instance, if an Argo CD instance is deployed in foo namespace, it will have ADMIN privileges to manage resources for that namespace.

  • Argo CD is provided the following cluster scoped permissions because Argo CD requires cluster-wide read privileges on resources to function properly. (Please see RBAC section for more details.)

kind: Role
  labels: <argocd-instance-name> <argocd-instance-name> argocd
  name: <argocd-instance-name>-argocd-application-controller
  namespace: <argocd-instance-namespace>
- apiGroups:
  - '*'
  - '*'
  - '*'

Cluster Scoped Instance

The Argo CD instance created above can also be used to manage the cluster scoped resources by adding the namespace of the Argo CD instance to the ARGOCD_CLUSTER_CONFIG_NAMESPACES environment variable of subscription resource as shown below.

kind: Subscription
  name: argocd-operator
      value: <list of namespaces of cluster-scoped Argo CD instances>
  channel: alpha
  name: argocd-operator
  source: argocd-catalog
  sourceNamespace: olm

In-built permissions for cluster configuration

Argo CD is granted the following permissions using a cluster role when it is configured as cluster-scoped instance. Argo CD is not granted cluster-admin.

Please note that these permissions are in addition to the admin privileges that Argo CD has to the namespace in which it is installed.

kind: ClusterRole
  name: <argocd-instance-name>-<namespace>-argocd-application-controller
  labels: <argocd-instance-namespace> <argocd-instance-namespace> argocd
  - verbs:
      - '*'
      - '*'
      - '*'

Additional permissions

Users can extend the permissions granted to Argo CD application controller by creating cluster roles with additional permissions and then a new cluster role binding to associate them to the service account.

For example, user can extend the permissions for an Argo CD instance to be able to list the secrets for all namespaces by creating the below resources.

Cluster Role

kind: ClusterRole
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secrets-cluster-role
- apiGroups: [""] #specifies core api groups
  resources: ["secrets"]
  verbs: ["*"]

Cluster Role Binding

# This cluster role binding allows Service Account to read secrets in any namespace.
kind: ClusterRoleBinding
  name: read-secrets-global
  kind: ClusterRole
  name: secrets-cluster-role # Name of cluster role to be referenced
- kind: ServiceAccount
  name: <argocd-instance-service-account-name>
  namespace: <argocd-instance-namespace>