Using ArgoCD

ArgoCD is a GitOps tool that enables automated continuous delivery for Kubernetes. It monitors the Git repository and automatically syncs changes to your cluster. While this section demonstrates ArgoCD as an example, other GitOps tools such as Flux, Jenkins X, or your preferred CI/CD platform can be used to achieve similar outcomes.

Git repository structure
For ArgoCD to work effectively, organize your Git repository with a clear structure:
via-config/
├── README.md
├── production/
│   ├── values.yaml
│   └── ibmvia-autoconf.yaml
├── staging/
│   ├── values.yaml
│   └── ibmvia-autoconf.yaml
└── development/
    ├── values.yaml
    └── ibmvia-autoconf.yaml
ArgoCD application setup
To set up ArgoCD:
  1. Create an ArgoCD application manifest:
    # argocd-application.yaml
    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: ivia-production
      namespace: argocd
    spec:
      project: default
      
      source:
        # Git repository containing your configuration
        repoURL: https://github.com/your-org/ivia-config.git
        targetRevision: main
        path: production
        
        # Helm-specific configuration
        helm:
          # Reference to values file in the repository
          valueFiles:
            - values.yaml
          
          # Set the autoconf content from file
          fileParameters:
            - name: autoconf.content
              path: ibmvia-autoconf.yaml
          
          # Additional parameters (optional)
          parameters:
            - name: global.namespace
              value: ivia-production
      
      destination:
        server: https://kubernetes.default.svc
        namespace: ivia-production
      
      syncPolicy:
        # Automated sync configuration
        automated:
          prune: true      # Remove resources not in Git
          selfHeal: true   # Automatically sync when cluster state drifts
          allowEmpty: false
        
        # Sync options
        syncOptions:
          - CreateNamespace=true
          - PrunePropagationPolicy=foreground
          - PruneLast=true
        
        # Retry configuration
        retry:
          limit: 5
          backoff:
            duration: 5s
            factor: 2
            maxDuration: 3m
  2. Deploy the application:
    kubectl apply -f argocd-application.yaml
Automated sync
If syncPolicy.automated is enabled, ArgoCD performs the following actions:
  1. Monitors the Git repository: ArgoCD polls the Git repository every 3 minutes by default. The polling interval is configurable.
  2. Detects drift: It compares the desired state in Git with the current state in the cluster.
  3. Auto-sync: It automatically applies changes when it detects any differences.
  4. Self-heal: It reverts any manual changes made in the cluster so that the cluster matches the Git-defined state.
To view the sync status, execute the following command:
# Using ArgoCD CLI
argocd app get ivia-production

# Using kubectl
kubectl get application ivia-production -n argocd -o yaml
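Added example (not part of the original page or the chart): a small drift summary over the JSON that the kubectl command above prints, so a cron job or pipeline step can flag OutOfSync resources and, in particular, drift that nobody will fix because automated sync is off. The sample Application object is constructed and trimmed; the status fields it reads (status.sync.status, status.health.status, status.resources[].status) are the ones ArgoCD populates on the Application resource.

```python
"""Summarise drift for an ArgoCD Application object (kubectl get application -o json)."""
import json

# Constructed sample: a trimmed Application object as kubectl would print it.
SAMPLE_APP_JSON = """{
  "metadata": {"name": "ivia-production", "namespace": "argocd"},
  "spec": {"syncPolicy": {"automated": {"prune": true, "selfHeal": true}}},
  "status": {
    "sync": {"status": "OutOfSync", "revision": "0123abc"},
    "health": {"status": "Degraded"},
    "resources": [
      {"kind": "Deployment", "name": "ivia-wrp", "namespace": "ivia-production",
       "status": "OutOfSync", "health": {"status": "Degraded"}},
      {"kind": "Secret", "name": "ivia-passwords", "namespace": "ivia-production",
       "status": "Synced"}
    ]
  }
}"""


def parse_app(text: str) -> dict:
    """Parse the JSON that `kubectl get application <name> -n argocd -o json` prints."""
    return json.loads(text)


def drift_report(app: dict) -> dict:
    """Summarise sync/health state and flag drift that automation will not repair."""
    status = app.get("status", {})
    automated = (app.get("spec", {}).get("syncPolicy") or {}).get("automated")
    resources = status.get("resources", [])
    out_of_sync = [f'{r["kind"]}/{r["name"]}' for r in resources
                   if r.get("status") == "OutOfSync"]
    # Resources without a health block (e.g. Secrets) carry no health status.
    unhealthy = [f'{r["kind"]}/{r["name"]}' for r in resources
                 if r.get("health", {}).get("status") not in (None, "Healthy")]
    return {
        "app": app["metadata"]["name"],
        "sync": status.get("sync", {}).get("status", "Unknown"),
        "health": status.get("health", {}).get("status", "Unknown"),
        "self_heal": bool(automated and automated.get("selfHeal")),
        "out_of_sync": out_of_sync,
        "unhealthy": unhealthy,
        # With automated sync off, OutOfSync resources stay that way until someone syncs.
        "needs_manual_sync": bool(out_of_sync) and automated is None,
    }


if __name__ == "__main__":
    for key, value in drift_report(parse_app(SAMPLE_APP_JSON)).items():
        print(f"{key}: {value}")
```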
Manual Sync

For greater control, disable automated sync and sync manually as needed.

To disable automated sync, set syncPolicy.automated to null in the Application manifest:
syncPolicy:
  automated: null  # Disable automated sync
To trigger a manual sync, use one of the following:
# Using ArgoCD CLI
argocd app sync ivia-production

# Using ArgoCD UI
# Navigate to the application and click "Sync"

# Using kubectl
kubectl patch application ivia-production -n argocd \
  --type merge \
  --patch '{"operation": {"initiatedBy": {"username": "admin"}, "sync": {}}}'
ArgoCD Best Practices
  1. Use Git branches: Maintain separate branches for different environments such as development, staging, and production.
  2. Enable notifications: Configure Slack or email notifications to track sync events.
  3. Health checks: ArgoCD automatically monitors the health of managed resources.
  4. Rollbacks: Perform easy rollbacks by reverting the changes in Git.
  5. Role-based access control (RBAC): Configure ArgoCD RBAC to manage which users are permitted to sync applications.

Deployment example

This example demonstrates a WebSEAL reverse proxy deployment with external LDAP integration. The configuration uses IBM Security Verify Directory (ISVD) as the external LDAP server and includes certificate management via cert-manager.

The two main configuration files are:
  • values.yaml:
    # IBM Confidential
    # PID 5725-V89 5725-V90 5737-F02
    #
    # Copyright IBM Corp. 2026, 2026
    
    # Global settings
    global:
      namespace: "ivia-autoconf"
    
    # Auto-configuration file content
    autoconf:
      content: ""
    
    # Service account configuration
    serviceAccount:
      create: true
      name: ivia
      annotations: {}
    
    # Certificate management configuration
    certificates:
      # Enable cert-manager certificate generation
      enabled: true
      # Issuer configuration
      issuer:
        create: true
        name: ivia-selfsigned-issuer
        kind: Issuer
      # Certificate duration and renewal settings
      duration: 8760h  # 1 year
      renewBefore: 720h  # 30 days before expiry
      # PKCS12 passwords for cert-manager keystore output
      pkcs12Passwords:
        config:
          secretName: ivia-passwords
          secretKey: config_pkcs12_password
        runtime:
          secretName: ivia-passwords
          secretKey: runtime_pkcs12_password
        wrp:
          secretName: ivia-passwords
          secretKey: wrp_pkcs12_password
    
    # Administrator password secret configuration
    adminPassword:
      secretName: ivia-passwords
      secretKey: cfgsvc
    
    # Configuration service CA certificate
    configCaCertificate:
      verify: true
      secretName: ivia-config-certificate-secret
      key: ca.crt
    
    # Configuration container settings
    config:
      image:
        repository: icr.io/ivia/ivia-config
        tag: "11.0.3.0"
        pullPolicy: Always
      loggingFormat: basic
      probes:
        liveness:
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 1
          failureThreshold: 3
        readiness:
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 1
          failureThreshold: 3
        startup:
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 1
          failureThreshold: 30
      resources: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    
    # Web Reverse Proxy container settings
    wrp:
      replicaCount: 1
      image:
        repository: icr.io/ivia/ivia-wrp
        tag: "11.0.3.0"
        pullPolicy: Always
      loggingFormat: basic
      probes:
        liveness:
          initialDelaySeconds: 0
          periodSeconds: 10
          timeoutSeconds: 3
          failureThreshold: 3
        readiness:
          initialDelaySeconds: 0
          periodSeconds: 10
          timeoutSeconds: 3
          failureThreshold: 3
        startup:
          initialDelaySeconds: 60
          periodSeconds: 10
          timeoutSeconds: 20
          failureThreshold: 30
      service:
        type: ClusterIP
        port: 443
        nodePort: ""
      ingress:
        enabled: false
        className: ""
        annotations: {}
        hosts:
          - host: ivia-wrp.example.com
            paths:
              - path: /
                pathType: Prefix
        tls: []
      resources: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    
    # Runtime container settings (disabled for this example)
    runtime:
      enabled: false
  • ibmvia-autoconf.yaml:
    # IBM Confidential
    # PID 5725-V89 5725-V90 5737-F02
    #
    # Copyright IBM Corp. 2026, 2026
    
    version: 1
    container:
      ssl_certificates:
      - name: pdsrv
        personal_certificates:
        - p12_file: !secret:tofile ivia-wrp-certificate-secret:keystore.p12
          secret: !secret ivia-passwords:wrp_pkcs12_password
          name: server
      - name: isvd
        signer_certificates:
        - !secret:tofile ivia-isvd-certificate-secret:ca.crt
      activation:
        webseal: !secret ivia-passwords:webseal_activation
      lmi_certificate:
        p12: !secret:tofile ivia-config-certificate-secret:keystore.p12
        password: !secret ivia-passwords:config_pkcs12_password
    webseal:
      runtime:
        policy_server: "ldap"
        user_registry: "ldap"
        ldap:
          host: "ivia-isvd"
          port: 636
          dn: "cn=root"
          dn_password: !secret ivia-passwords:isvd_admin
          key_file: "isvd"
        override_config: True
        domain: "Default"
        admin_user: "sec_master"
        admin_password: !secret ivia-passwords:runtime_admin
        admin_cert_lifetime: 1460
        ssl_compliance: "fips"
      reverse_proxy:
      - name: "default"
        host: "sample.wrp.ibm.com"
        http:
          enabled: "no"
        https:
          enabled: "yes"
          port: "9443"
        domain: "Default"
        ldap:
          ssl: "yes"
          port: 636
          key_file: "isvd"
        stanza_configuration:
        - stanza: "ssl"
          entry_id: "webseal-cert-keyfile-label"
          value: "server"
          operation: "update"
The key configuration notes are:
  • certificates.enabled: true: Enables cert-manager for automatic certificate generation.
  • configCaCertificate.verify: true: Enables verification of the configuration service CA certificate.
  • External LDAP: Configured to use IBM Security Verify Directory (ISVD) as the user registry.
  • SSL certificates: Multiple certificate keystores are configured for the different components.
  • version: 1: Indicates the configuration version; increment this value whenever the referenced secrets change.
  • Image tags: 11.0.3.0: Specifies the container image versions pulled from icr.io/ivia.
  • runtime.enabled: false: Indicates that the runtime service is not deployed in this configuration.
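Because every !secret and !secret:tofile reference in ibmvia-autoconf.yaml must resolve to a key of an existing Kubernetes Secret, a pre-deployment check that compares the references against the secrets you actually created avoids a failed configuration run. Added example (not part of the page or the chart): the autoconf excerpt and the secret inventory below are constructed from the references shown on this page; the inventory deliberately omits ivia-isvd-certificate-secret, which comes from the separately deployed ISVD, so the check reports it.

```python
"""Check that every !secret reference in an IVIA autoconf file has a matching Secret key."""
import re

# Matches the page's tags: `!secret name:key` and `!secret:tofile name:key`.
SECRET_TAG = re.compile(r"!secret(?P<tofile>:tofile)?\s+(?P<secret>[\w.-]+):(?P<key>[\w.-]+)")

# Constructed excerpt of ibmvia-autoconf.yaml using the references shown on this page.
AUTOCONF = """\
version: 1
container:
  ssl_certificates:
  - name: pdsrv
    personal_certificates:
    - p12_file: !secret:tofile ivia-wrp-certificate-secret:keystore.p12
      secret: !secret ivia-passwords:wrp_pkcs12_password
  - name: isvd
    signer_certificates:
    - !secret:tofile ivia-isvd-certificate-secret:ca.crt
  activation:
    webseal: !secret ivia-passwords:webseal_activation
  lmi_certificate:
    p12: !secret:tofile ivia-config-certificate-secret:keystore.p12
    password: !secret ivia-passwords:config_pkcs12_password
webseal:
  runtime:
    admin_password: !secret ivia-passwords:runtime_admin
"""

# Constructed inventory (secret name -> keys): the ivia-passwords keys from the secret
# creation step plus the keystores cert-manager emits. ivia-isvd-certificate-secret is absent.
AVAILABLE = {
    "ivia-passwords": {"cfgsvc", "config_pkcs12_password", "wrp_pkcs12_password",
                       "runtime_admin", "isvd_admin", "webseal_activation"},
    "ivia-wrp-certificate-secret": {"keystore.p12", "ca.crt"},
    "ivia-config-certificate-secret": {"keystore.p12", "ca.crt"},
}


def secret_refs(text: str) -> set[tuple[str, str, bool]]:
    """Return (secret, key, tofile) for every !secret reference in the autoconf text."""
    return {(m["secret"], m["key"], m["tofile"] is not None) for m in SECRET_TAG.finditer(text)}


def missing_refs(text: str, available: dict[str, set[str]]) -> list[str]:
    """Sorted 'secret:key' references that have no matching key in the inventory."""
    return sorted(f"{s}:{k}" for s, k, _ in secret_refs(text) if k not in available.get(s, ()))


if __name__ == "__main__":
    print("missing:", missing_refs(AUTOCONF, AVAILABLE) or "none")
```

In a real pipeline, build the inventory from `kubectl get secret -n ivia-autoconf -o json` instead of the constructed dict.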
Deployment steps
You must deploy an external LDAP server such as ISVD before deploying. To deploy Verify Identity Access:
  1. Create a new namespace:
    kubectl create namespace ivia-autoconf
  2. Create the required secrets:
    kubectl create secret generic ivia-passwords \
      --namespace ivia-autoconf \
      --from-literal=cfgsvc=Passw0rd \
      --from-literal=config_pkcs12_password=Passw0rd \
      --from-literal=wrp_pkcs12_password=Passw0rd \
      --from-literal=runtime_admin=Passw0rd \
      --from-literal=isvd_admin=Passw0rd \
      --from-literal=webseal_activation=<activation-code>
  3. Install cert-manager:
    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
    
    # Wait for cert-manager to be ready
    kubectl wait --for=condition=Available --timeout=300s \
      deployment/cert-manager -n cert-manager
  4. Deploy with Helm chart:
    helm install ivia-deployment oci://icr.io/ivia/ivia-autoconf-helm \
      --version 11.0.3.0 \
      --namespace ivia-autoconf \
      --values values.yaml \
      --set-file autoconf.content=ibmvia-autoconf.yaml
  5. Verify the deployment:
    # Check all pods
    kubectl get pods -n ivia-autoconf
    
    # Expected output:
    # NAME                           READY   STATUS    RESTARTS   AGE
    # ivia-config-xxxxxxxxxx-xxxxx   1/1     Running   0          2m
    # ivia-isvd-xxxxxxxxxx-xxxxx     1/1     Running   0          5m
    # ivia-wrp-xxxxxxxxxx-xxxxx      1/1     Running   0          2m
    
    # Check certificates were generated
    kubectl get certificate -n ivia-autoconf
    
    # Check services
    kubectl get svc -n ivia-autoconf
    
    # View WRP logs to verify LDAP connection
    kubectl logs -n ivia-autoconf -l app=ivia-wrp -f
    
    # Access the WRP (port-forward for testing)
    kubectl port-forward -n ivia-autoconf svc/ivia-wrp 9443:443
    
    # Open browser to https://localhost:9443
  6. Update the configuration:
    # Example: Update LDAP connection settings
    vim ibmvia-autoconf.yaml
    
    # Increment version number (important!)
    # Change: version: 2
    # To:     version: 3
    
    # Upgrade deployment
    helm upgrade ivia-deployment oci://icr.io/ivia/ivia-autoconf-helm \
      --namespace ivia-autoconf \
      --values values.yaml \
      --set-file autoconf.content=ibmvia-autoconf.yaml
    
    # Watch pods restart with new configuration
    kubectl get pods -n ivia-autoconf -w
  7. To clean up after the deployment:
    # Uninstall Helm release
    helm uninstall ivia-deployment -n ivia-autoconf
    
    # Delete namespace (removes all resources)
    kubectl delete namespace ivia-autoconf