github.com/argoproj/argo-cd/v2@v2.10.5/docs/proposals/headless-argocd.md

---
title: Neat-enhancement-idea
authors:
  - "@alexmt"
sponsors:
  - TBD
reviewers:
  - "@jessesuen"
  - TBD
approvers:
  - "@jessesuen"
  - TBD

creation-date: 2020-05-01
last-updated: 2020-05-01
---

# Neat Enhancement Idea

Support "disabling" multi-tenancy features by introducing Headless Argo CD.

## Summary

There are two main groups of GitOps users:

* Application developers - engineers who leverage Kubernetes to run applications.
* Cluster administrators - engineers who manage and support Kubernetes clusters for the organization.

Argo CD is a perfect fit for application developers thanks to its multi-tenancy features. Instead of running a separate Argo CD instance for
each team, it is possible to run one instance and leverage features like SSO, RBAC, and the Web user interface. However, this is not the case
for cluster administrators. Administrators prefer to rely on Kubernetes RBAC and view SSO and Argo CD RBAC as an obstacle and a security threat.
SSO, RBAC, and UI/API are totally optional and can be disabled, but doing so requires additional configuration and learning.

## Motivation

It is proposed to introduce an officially supported **Headless Argo CD** that encapsulates the changes required to disable multi-tenancy features
and provides a seamless experience for cluster administrators (or any other user who doesn't need multi-tenancy).

### Goals

The goals of "Headless Argo CD" are:

#### Provide an easy way to deploy Argo CD without API/UI

The end-user should be able to install the required components using a single `kubectl apply` command without following any additional instructions.

#### Provide an easy way to use and manage Headless Argo CD

The `Headless Argo CD` should provide a simple way to view and manage Argo CD applications using CLI/UI.
The access control should be enforced by Kubernetes RBAC only.

#### Easy transition from Headless to non-Headless Argo CD

It is a common case that an Argo CD adopter wants to start small and then expand Argo CD to the whole organization. It should be easy
to "upgrade" a headless installation to a full Argo CD installation.

### Non-Goals

#### Not modified Argo CD

The `Headless Argo CD` is not a modified Argo CD. It is an Argo CD distribution that is missing the UI/API, together with a CLI that provides commands for the Argo CD admin.

#### Not deprecating existing operational methods

The `Headless Argo CD` is not intended to deprecate any of the existing operational methods.

## Proposal

#### Headless Installation Manifests

In order to simplify installation of Argo CD without the API, we need to introduce `headless/install.yaml` in the [manifests](../../manifests) directory.
The installation manifests should include only the non-HA controller, repo-server, Redis components, and RBAC.

#### Headless CLI

Without the API server, users won't be able to take advantage of the Argo CD UI and the `argocd` CLI, so the user experience won't be complete. To fill that gap,
we need to change the `argocd` CLI to support talking directly to Kubernetes without requiring the Argo CD API server. The PR [argo-cd#6361](https://github.com/argoproj/argo-cd/pull/6361)
demonstrates the required changes:

* Adds a `--headless` flag to `argocd` commands.
* If the `--headless` flag is set to true, a pre-run function starts a "local" Argo CD API server and points the CLI to the locally running instance.
* Finally, it port-forwards on demand to Redis and the repo server.

The user should be able to store the `--headless` flag in the config in order to avoid specifying the flag for every command. It is proposed to use `argocd login --headless` to generate
the "headless" config.

#### Local UI

In addition to exposing CLI commands, the PR introduces the `argocd admin dashboard` command.
The new command starts the API server locally and exposes the Argo CD UI locally.
In order to make this possible, the static assets have been embedded into the Argo CD binary.

### Merge Argo CD Util

The potential users of "headless" mode will benefit from `argocd-util` commands. The experience won't be smooth since they will need to switch back and forth
between `argocd` and `argocd-util`. Given that we still have not finalized how users are supposed to get the `argocd-util` binary (https://github.com/argoproj/argo-cd/issues/5307),
it is proposed to deprecate `argocd-util` and merge it into the `argocd` CLI under the admin subcommand:

```
argocd admin app generate-spec guestbook --repo https://github.com/argoproj/argocd-example-apps
```

### Use cases

Add a list of detailed use cases this enhancement intends to take care of.

## Use case 1:

As an Argo CD administrator, I would like to manage cluster resources using Argo CD without exposing API/UI outside of the cluster.

## Use case 2:

As an Argo CD administrator, I would like to use Argo CD CLI commands and user interface to manage Argo CD applications/settings using only `kubeconf` file and without Argo CD API access.

### Security Considerations

The Headless CLI/UI disables built-in Argo CD authentication and relies only on Kubernetes RBAC. So the user will be able to make the same changes using the Headless CLI as using kubectl.

### Risks and Mitigations

TBD

### Upgrade / Downgrade Strategy

Switching to and from Argo CD Headless does not modify any persistent data or settings. So upgrade/downgrade should be seamless by just applying the right manifest file.

## Drawbacks

* Embedding static resources into the binary increases its size by ~20 mb. The image size is the same.

## Alternatives

* Re-invent GitOps Agent CLI experience and don't re-use Argo CD.
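
The pre-run step listed under "Headless CLI", sketched in Go as an added example; it is not code from the proposal or from argo-cd#6361. The names `cliOptions`, `startLocalAPIServer` and `preRun` are hypothetical, and binding the listener to loopback is an assumption of this sketch, chosen because the proposal states that built-in authentication is disabled in headless mode.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// cliOptions is a hypothetical stand-in for the CLI's client options.
type cliOptions struct {
	Headless   bool   // value of the --headless flag
	ServerAddr string // address the CLI sends API requests to
}

// startLocalAPIServer stands in for the in-process API server. Authentication
// is off in headless mode, so this sketch binds to loopback only (assumption).
func startLocalAPIServer(h http.Handler) (string, func() error, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{Handler: h}
	go srv.Serve(ln) // returns http.ErrServerClosed once stop is called
	return ln.Addr().String(), srv.Close, nil
}

// preRun runs before a command; with --headless it repoints the CLI at a local server.
func preRun(opts *cliOptions, h http.Handler) (func() error, error) {
	if !opts.Headless {
		return func() error { return nil }, nil
	}
	addr, stop, err := startLocalAPIServer(h)
	if err != nil {
		return nil, err
	}
	opts.ServerAddr = addr
	return stop, nil
}

func main() {
	api := http.NotFoundHandler() // constructed stand-in for the real API
	opts := &cliOptions{Headless: true, ServerAddr: "argocd.example.com:443"}
	stop, err := preRun(opts, api)
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("CLI now talks to", opts.ServerAddr)
}
```

With the listener on an ephemeral loopback port, the unauthenticated endpoint is reachable only from the machine running the CLI, so what a user can change is still bounded by the Kubernetes RBAC attached to their kubeconfig credentials.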