From ae38ce79ed5d9d8c7ee8cff108d188e2eca03773 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 16:39:36 +1000
Subject: [PATCH 01/32] feat: update Argo CD Gateway installation instructions and add Terraform bootstrap guide
---
.../instances/automated-installation.md | 37 +-
.../argo-cd/instances/terraform-bootstrap.md | 456 ++++++++++++++++++
2 files changed, 476 insertions(+), 17 deletions(-)
create mode 100644 src/pages/docs/argo-cd/instances/terraform-bootstrap.md
diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md
index 8a137e42a6..bf01af45a4 100644
--- a/src/pages/docs/argo-cd/instances/automated-installation.md
+++ b/src/pages/docs/argo-cd/instances/automated-installation.md
@@ -124,25 +124,28 @@ project: default source: repoURL: registry-1.docker.io/octopusdeploy chart: octopus-argocd-gateway-chart - targetRevision: + targetRevision: 1.23.0 helm: - parameters: - - name: registration.octopus.name - value: - - name: registration.octopus.serverAccessToken - value: API-XXXXXXXXXXXXXXXX - - name: registration.octopus.serverApiUrl - value: https://your-instance.octopus.app - - name: registration.octopus.spaceId - value: Spaces-1 - - name: gateway.argocd.authenticationToken - value: >- - - - name: gateway.argocd.serverGrpcUrl - value: grpc://argocd-server.argocd.svc.cluster.local" - - name: gateway.octopus.serverGrpcUrl - value: grpc://your-instance.octopus.app:8443 + valuesObject: + registration: + octopus: + name: + serverApiUrl: https://your-instance.octopus.app + serverAccessTokenSecretName: octopus-server-access-token + serverAccessTokenSecretKey: OCTOPUS_SERVER_ACCESS_TOKEN + spaceId: Spaces-1 + gateway: + octopus: + serverGrpcUrl: grpc://your-instance.octopus.app:8443 + argocd: + serverGrpcUrl: grpc://argocd-server.argocd.svc.cluster.local + authenticationTokenSecretName: argocd-auth-token + authenticationTokenSecretKey: ARGOCD_AUTH_TOKEN + autoUpdate: + # should be disabled, otherwise the auto-update job will keep trying to update the instance, while argo cd syncs it back to original state + enabled: false destination: server: https://kubernetes.default.svc namespace: octopus-argo-gateway-your-namespace ``` +the `serverAccessTokenSecretName/Key` and `authenticationTokenSecretName/Key` should match the Secret names and keys that contain the respective tokens, and those secret need to exist in the cluster. diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md new file mode 100644 index 0000000000..191605ab3f --- /dev/null +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
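Review bot: The sentence added after the manifest in automated-installation.md says the Secrets "need to exist in the cluster", but Kubernetes Secrets are namespaced, so (assuming the chart reads them from the gateway pod) they must exist in the Application's `destination.namespace` before the first sync. I would word it as `The Secrets named by serverAccessTokenSecretName and authenticationTokenSecretName must already exist in the destination namespace (octopus-argo-gateway-your-namespace), with the tokens stored under the configured keys.` The manifest also pins `targetRevision: 1.23.0`, while the Terraform guide added in the same commit defaults `gateway_chart_version` to `"1.18.0"`; the two pages should name the same chart version or point at one place to look it up. The YAML block starts above the hunk, so the top of the manifest is not visible here.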
@@ -0,0 +1,456 @@ +--- +layout: src/layouts/Default.astro +pubDate: 2025-09-15 +modDate: 2026-01-20 +title: Terraform Bootstrap +description: How to bootstrap Argo CD + Argo CD Gateway using Gerraform +navOrder: 10 +hideInThisSectionHeader: true +--- + +When provisioning a new cluster, it is possible to install Argo CD along with the Argo CD Gateway using terraform. In order to do that, you need to create an Argo CD token, and inject it to the Argo CD Gateway installation. + +Here is a simplified example to make this happen: + + +| File | Purpose | +|-|-| +| [providers.tf](#providers) | Terraform + kubernetes, helm, null, time providers | +| [variables.tf](#variables) | All inputs — kubeconfig, Argo CD URLs, Octopus credentials, gateway config | +| [argocd.tf](#argocd) | Installs Argo CD via Helm; enables apiKey,login on the admin account | +| [argocd-token.tf](#argocd-token) | Generates the Argo CD API key via the CLI and stores it in a k8s secret | +| [gateway.tf](#gateway) | Creates Octopus API key secret; installs the gateway Helm chart | +| [outputs.tf](#outputs) | Useful one-liners and resource references | +| [terraform.tfvars.example](#terraform-tfvars) | Copy → terraform.tfvars and fill in | + + +```yaml +# providers.yaml +terraform { + required_version = ">= 1.5.0" + + required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.27" + } + helm = { + source = "hashicorp/helm" + version = "~> 2.13" + } + null = { + source = "hashicorp/null" + version = "~> 3.2" + } + time = { + source = "hashicorp/time" + version = "~> 0.11" + } + } +} + +provider "kubernetes" { + config_path = var.kubeconfig_path + config_context = var.kube_context +} + +provider "helm" { + kubernetes { + config_path = var.kubeconfig_path + config_context = var.kube_context + } +} +``` + + +```yaml +# variables.yaml +# ─── Kubernetes ─────────────────────────────────────────────────────────────── + +variable "kubeconfig_path" { + description = "Path to the 
kubeconfig file." + type = string + default = "~/.kube/config" +} + +variable "kube_context" { + description = "Kubernetes context to use. Defaults to the current context." + type = string + default = null +} + +# ─── Argo CD ────────────────────────────────────────────────────────────────── + +variable "argocd_namespace" { + description = "Namespace to install Argo CD into." + type = string + default = "argocd" +} + +variable "argocd_chart_version" { + description = "Argo CD Helm chart version (from https://argoproj.github.io/argo-helm)." + type = string + default = "9.4.6" +} + + +variable "argocd_web_ui_url" { + description = "Argo CD Web UI URL used for gateway registration (e.g. https://argocd.example.com)." + type = string +} + +variable "argocd_insecure" { + description = "Skip TLS verification on the gRPC connection from the gateway to Argo CD." + type = bool + default = false +} + +# ─── Octopus Deploy ─────────────────────────────────────────────────────────── + +variable "octopus_api_url" { + description = "Octopus Deploy HTTP API URL used for registration (e.g. https://my-instance.octopus.app)." + type = string +} + +variable "octopus_grpc_url" { + description = "Octopus Deploy gRPC URL including port (e.g. my-instance.octopus.app:443)." + type = string +} + +variable "octopus_api_key" { + description = "Octopus Deploy API key used to register the gateway." + type = string + sensitive = true +} + +variable "octopus_space_id" { + description = "Octopus Deploy Space ID the gateway registers into." + type = string + default = "Spaces-1" +} + +variable "octopus_environments" { + description = "List of Octopus Deploy environment slugs or IDs to associate with the gateway." + type = list(string) + default = [] +} + +variable "octopus_grpc_plaintext" { + description = "Disable TLS on the Octopus gRPC connection. Only for development/local setups." 
+ type = bool + default = false +} + +# ─── Gateway ────────────────────────────────────────────────────────────────── + +variable "gateway_namespace" { + description = "Namespace to install the Octopus Argo CD Gateway into." + type = string + default = "octopus-argocd-gateway" +} + +variable "gateway_name" { + description = "Display name for the gateway within Octopus Deploy." + type = string +} + +variable "gateway_chart_version" { + description = "Octopus Argo CD Gateway Helm chart version." + type = string + default = "1.18.0" +} +``` + + +```yaml +# argocd.yaml +locals { + # Derived from the Helm release name and namespace — no user input required. + # The argo-cd chart names its server service as "-server". + argocd_grpc_url = "${helm_release.argocd.name}-server.${var.argocd_namespace}.svc.cluster.local:443" +} + +resource "kubernetes_namespace" "argocd" { + metadata { + name = var.argocd_namespace + } +} + +# Install Argo CD via the official Helm chart. +# The accounts.admin config enables API key generation for the admin account, +# which is required for the token generation step in argocd-token.tf. +resource "helm_release" "argocd" { + name = "argocd" + repository = null + chart = "oci://ghcr.io/argoproj/argo-helm/argo-cd" + version = var.argocd_chart_version + namespace = kubernetes_namespace.argocd.metadata[0].name + + values = [ + yamlencode({ + configs = { + cm = { + # Allow the admin account to generate API keys and log in interactively. + "accounts.admin" = "apiKey,login" + } + rbac = { + "policy.default" = "role:readonly" + "policy.csv" = "g, admin, role:admin" + } + } + }) + ] + + # Wait until all Argo CD pods are healthy before continuing. + timeout = 600 + wait = true +} + +# Give the Argo CD server a moment to fully initialise its API +# (the rollout-status check alone isn't always sufficient). 
+resource "time_sleep" "wait_for_argocd" { + depends_on = [helm_release.argocd] + create_duration = "30s" +} +``` + + +```yaml +# argocd-token.yaml +locals { + # Name of the Kubernetes secret that will hold the generated Argo CD token. + # The secret is created in the gateway namespace so the gateway pod can mount it. + argocd_token_secret_name = "argocd-gateway-token" +} + +# Use a null_resource + local-exec to: +# 1. Wait for the Argo CD server deployment to be fully ready. +# 2. Port-forward the Argo CD server locally. +# 3. Log in with the argocd CLI using the auto-generated admin password. +# 4. Generate an API key for the admin account. +# 5. Store that key in a Kubernetes secret in the gateway namespace. +# +# Prerequisites (must be available on the machine running `terraform apply`): +# - kubectl (configured to reach the target cluster) +# - argocd (https://argo-cd.readthedocs.io/en/stable/cli_installation/) +# - nc / netcat +resource "null_resource" "argocd_token" { + depends_on = [ + time_sleep.wait_for_argocd, + kubernetes_namespace.gateway, + ] + + # Re-run whenever Argo CD is reinstalled or the gateway namespace changes. + triggers = { + argocd_release_id = helm_release.argocd.id + gateway_namespace = var.gateway_namespace + } + + provisioner "local-exec" { + interpreter = ["bash", "-c"] + command = <<-EOT + set -euo pipefail + + echo ">>> Waiting for argocd-server deployment to be ready..." + kubectl rollout status deployment/argocd-server \ + --namespace "${var.argocd_namespace}" \ + --timeout=300s + + echo ">>> Fetching initial admin password..." + ARGOCD_PASSWORD=$(kubectl get secret argocd-initial-admin-secret \ + --namespace "${var.argocd_namespace}" \ + -o jsonpath='{.data.password}' | base64 --decode) + + echo ">>> Starting port-forward on localhost:18080 -> argocd-server:443..." + # Use port 18080 to avoid conflicts with any local service on 8080. 
+ kubectl port-forward svc/argocd-server \ + --namespace "${var.argocd_namespace}" \ + 18080:443 & + PF_PID=$! + trap 'echo ">>> Cleaning up port-forward (PID $PF_PID)"; kill "$PF_PID" 2>/dev/null || true' EXIT + + echo ">>> Waiting for port-forward to become available..." + for i in $(seq 1 20); do + if nc -z localhost 18080 2>/dev/null; then + echo " Ready after $i attempt(s)." + break + fi + echo " Attempt $i/20 — retrying in 3s..." + sleep 3 + done + + echo ">>> Logging in to Argo CD..." + argocd login localhost:18080 \ + --username admin \ + --password "$ARGOCD_PASSWORD" \ + --insecure \ + --grpc-web + + echo ">>> Generating API token for the admin account..." + ARGOCD_TOKEN=$(argocd account generate-token \ + --account admin \ + --insecure \ + --grpc-web) + + echo ">>> Storing token in Kubernetes secret '${local.argocd_token_secret_name}' (namespace: ${var.gateway_namespace})..." + kubectl create secret generic "${local.argocd_token_secret_name}" \ + --namespace "${var.gateway_namespace}" \ + --from-literal=ARGOCD_AUTH_TOKEN="$ARGOCD_TOKEN" \ + --dry-run=client -o yaml | kubectl apply -f - + + echo ">>> Done. Argo CD API token is ready." + EOT + } +} +``` + + +```yaml +# gateway.yaml +resource "kubernetes_namespace" "gateway" { + metadata { + name = var.gateway_namespace + } +} + +# Store the Octopus API key as a Kubernetes secret so it is never passed +# as a plain-text Helm value. The chart reads it via serverAccessTokenSecretName. +resource "kubernetes_secret" "octopus_api_key" { + metadata { + name = "octopus-server-access-token" + namespace = kubernetes_namespace.gateway.metadata[0].name + } + + data = { + OCTOPUS_SERVER_ACCESS_TOKEN = var.octopus_api_key + } + + type = "Opaque" +} + +# Install the Octopus Argo CD Gateway. +# The chart is referenced from the published GitHub Pages Helm repository. 
+# Both the Argo CD token and the Octopus API key are supplied via existing +# Kubernetes secrets rather than inline values to avoid storing credentials +# in Terraform state or Helm release history. +resource "helm_release" "gateway" { + name = "octopus-argocd-gateway" + repository = null + chart = "oci://registry-1.docker.io/octopusdeploy/octopus-argocd-gateway-chart" + version = var.gateway_chart_version + namespace = kubernetes_namespace.gateway.metadata[0].name + + depends_on = [ + # The Argo CD token secret must exist before the gateway pod starts. + null_resource.argocd_token, + kubernetes_secret.octopus_api_key, + ] + + values = [ + yamlencode({ + gateway = { + argocd = { + # gRPC URL derived automatically from the Argo CD Helm release. + serverGrpcUrl = local.argocd_grpc_url + # Skip TLS verification if Argo CD is using a self-signed cert. + insecure = var.argocd_insecure + # Reference the secret created by null_resource.argocd_token. + # The chart looks for the key ARGOCD_AUTH_TOKEN inside this secret. + authenticationTokenSecretName = local.argocd_token_secret_name + authenticationTokenSecretKey = "ARGOCD_AUTH_TOKEN" + } + octopus = { + serverGrpcUrl = var.octopus_grpc_url + plaintext = var.octopus_grpc_plaintext + } + } + + registration = { + octopus = { + name = var.gateway_name + serverApiUrl = var.octopus_api_url + spaceId = var.octopus_space_id + environments = var.octopus_environments + + # Reference the Octopus API key secret created above. + serverAccessTokenSecretName = kubernetes_secret.octopus_api_key.metadata[0].name + serverAccessTokenSecretKey = "OCTOPUS_SERVER_ACCESS_TOKEN" + } + argocd = { + webUiUrl = var.argocd_web_ui_url + } + } + }) + ] + + timeout = 300 + wait = true +} +``` + + +```yaml +# outputs.yaml +output "argocd_namespace" { + description = "Namespace where Argo CD is installed." 
+ value = kubernetes_namespace.argocd.metadata[0].name +} + +output "gateway_namespace" { + description = "Namespace where the Octopus Argo CD Gateway is installed." + value = kubernetes_namespace.gateway.metadata[0].name +} + +output "argocd_token_secret" { + description = "Kubernetes secret (namespace/name) that holds the generated Argo CD API token." + value = "${var.gateway_namespace}/${local.argocd_token_secret_name}" +} + +output "get_argocd_admin_password" { + description = "One-liner to retrieve the Argo CD initial admin password." + value = "kubectl get secret argocd-initial-admin-secret -n ${var.argocd_namespace} -o jsonpath='{.data.password}' | base64 --decode && echo" +} + +output "get_argocd_token" { + description = "One-liner to view the stored Argo CD API token." + value = "kubectl get secret ${local.argocd_token_secret_name} -n ${var.gateway_namespace} -o jsonpath='{.data.ARGOCD_AUTH_TOKEN}' | base64 --decode && echo" +} +``` + + +```yaml +# terraform.tfvars.example +# Copy this file to terraform.tfvars and fill in the values. +# Never commit terraform.tfvars to source control — it contains secrets. + +# ─── Kubernetes ─────────────────────────────────────────────────────────────── +kubeconfig_path = "~/.kube/config" +kube_context = "my-cluster-context" # omit to use the current context + +# ─── Argo CD ────────────────────────────────────────────────────────────────── +argocd_namespace = "argocd" +argocd_chart_version = "9.4.6" + +# External Web UI URL — used during Octopus registration for the Argo CD link. +argocd_web_ui_url = "https://argocd.example.com" + +# Set to true if Argo CD uses a self-signed certificate. 
+argocd_insecure = false + +# ─── Octopus Deploy ─────────────────────────────────────────────────────────── +octopus_api_url = "https://my-instance.octopus.app" +octopus_grpc_url = "my-instance.octopus.app:443" +octopus_api_key = "API-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # sensitive +octopus_space_id = "Spaces-1" + +# List of environment slugs or IDs to associate with this gateway. +octopus_environments = ["production", "staging"] + +# Set to true only when Octopus runs without TLS on its gRPC port (dev only). +octopus_grpc_plaintext = false + +# ─── Gateway ────────────────────────────────────────────────────────────────── +gateway_namespace = "octopus-argocd-gateway" +gateway_name = "my-argocd-gateway" +gateway_chart_version = "1.18.0" +``` From 2acb55c3c03a01c931168ca850e2a7ddcbe8e848 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 16:54:34 +1000 Subject: [PATCH 02/32] fixed lint errors --- .../docs/argo-cd/instances/automated-installation.md | 1 + .../docs/argo-cd/instances/terraform-bootstrap.md | 11 ++++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md index bf01af45a4..baefb34572 100644 --- a/src/pages/docs/argo-cd/instances/automated-installation.md +++ b/src/pages/docs/argo-cd/instances/automated-installation.md @@ -148,4 +148,5 @@ destination: server: https://kubernetes.default.svc namespace: octopus-argo-gateway-your-namespace ``` + the `serverAccessTokenSecretName/Key` and `authenticationTokenSecretName/Key` should match the Secret names and keys that contain the respective tokens, and those secret need to exist in the cluster. diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 191605ab3f..ad595582d0 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
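Review bot: The comment above `helm_release.gateway` in the gateway.tf listing says the secrets avoid storing credentials in Terraform state, but `kubernetes_secret.octopus_api_key` sets `data = { OCTOPUS_SERVER_ACCESS_TOKEN = var.octopus_api_key }`, and a `sensitive` variable is only redacted in CLI output, so the key is still written to the state file. I would reword it to `# Keeps both credentials out of Helm values and release history. The Octopus API key is still recorded in Terraform state, so use an encrypted, access-controlled backend.` In the argocd-token.tf listing the script mints a token for `admin` (bound to `role:admin` by `policy.csv`) with no expiry and leaves the `argocd login` session in the local CLI config after the run. Adding `--expires-in <duration>` to `argocd account generate-token` and `argocd logout localhost:18080` to the `EXIT` trap would bound both. The listings are fenced as `yaml` and headed `# providers.yaml`, `# variables.yaml` and so on, although the content is HCL and the table names `.tf` files.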
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -12,9 +12,8 @@ When provisioning a new cluster, it is possible to install Argo CD along with th Here is a simplified example to make this happen: - -| File | Purpose | -|-|-| +| File | Purpose | +| - | - | | [providers.tf](#providers) | Terraform + kubernetes, helm, null, time providers | | [variables.tf](#variables) | All inputs — kubeconfig, Argo CD URLs, Octopus credentials, gateway config | | [argocd.tf](#argocd) | Installs Argo CD via Helm; enables apiKey,login on the admin account | @@ -24,6 +23,7 @@ Here is a simplified example to make this happen: | [terraform.tfvars.example](#terraform-tfvars) | Copy → terraform.tfvars and fill in | + ```yaml # providers.yaml terraform { @@ -63,6 +63,7 @@ provider "helm" { ``` + ```yaml # variables.yaml # ─── Kubernetes ─────────────────────────────────────────────────────────────── @@ -162,6 +163,7 @@ variable "gateway_chart_version" { ``` + ```yaml # argocd.yaml locals { @@ -215,6 +217,7 @@ resource "time_sleep" "wait_for_argocd" { ``` + ```yaml # argocd-token.yaml locals { @@ -305,6 +308,7 @@ resource "null_resource" "argocd_token" { ``` + ```yaml # gateway.yaml resource "kubernetes_namespace" "gateway" { @@ -389,6 +393,7 @@ resource "helm_release" "gateway" { ``` + ```yaml # outputs.yaml output "argocd_namespace" { From 42bca96dbd62c5bb48744306415c395e660d52d7 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 16:55:03 +1000 Subject: [PATCH 03/32] fixed spelling --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index ad595582d0..09ffcb60f3 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
@@ -3,7 +3,7 @@ layout: src/layouts/Default.astro pubDate: 2025-09-15 modDate: 2026-01-20 title: Terraform Bootstrap -description: How to bootstrap Argo CD + Argo CD Gateway using Gerraform +description: How to bootstrap Argo CD + Argo CD Gateway using Terraform navOrder: 10 hideInThisSectionHeader: true --- From 834b1711c4504e367ea6879dcee1a7e8d36aa143 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 17:00:57 +1000 Subject: [PATCH 04/32] fixed lint --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 09ffcb60f3..3fbb7d6555 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -423,6 +423,7 @@ output "get_argocd_token" { ``` + ```yaml # terraform.tfvars.example # Copy this file to terraform.tfvars and fill in the values. From 1fdbafe85cc129183c5f4a02bd804a1d56ed0df9 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 10:04:03 +0200 Subject: [PATCH 05/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 3fbb7d6555..cf18064f3f 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -1,6 +1,6 @@ --- layout: src/layouts/Default.astro -pubDate: 2025-09-15 +pubDate: 2026-03-02 modDate: 2026-01-20 title: Terraform Bootstrap description: How to bootstrap Argo CD + Argo CD Gateway using Terraform From 61f13994ec1b3544abb7501100fe7b8e54b36e91 Mon Sep 17 00:00:00 2001 
From: Noam Gal Date: Mon, 2 Mar 2026 10:04:11 +0200 Subject: [PATCH 06/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index cf18064f3f..461a6dcff5 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2026-03-02 -modDate: 2026-01-20 +modDate: 2026-03-02 title: Terraform Bootstrap description: How to bootstrap Argo CD + Argo CD Gateway using Terraform navOrder: 10 From 50c465ba94966f2d8695875038259277503c101d Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 10:04:17 +0200 Subject: [PATCH 07/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 1 - 1 file changed, 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 461a6dcff5..e3cc1fe91b 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -5,7 +5,6 @@ modDate: 2026-03-02 title: Terraform Bootstrap description: How to bootstrap Argo CD + Argo CD Gateway using Terraform navOrder: 10 -hideInThisSectionHeader: true --- When provisioning a new cluster, it is possible to install Argo CD along with the Argo CD Gateway using terraform. In order to do that, you need to create an Argo CD token, and inject it to the Argo CD Gateway installation. 
From b2c50dd7482e068c0563778575ff7fb132a33486 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 10:04:26 +0200 Subject: [PATCH 08/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index e3cc1fe91b..8179117025 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -21,7 +21,7 @@ Here is a simplified example to make this happen: | [outputs.tf](#outputs) | Useful one-liners and resource references | | [terraform.tfvars.example](#terraform-tfvars) | Copy → terraform.tfvars and fill in | - +## Providers ```yaml # providers.yaml From 831463f078b1eba8d43c0b6fe68e390ff240e62c Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 10:04:33 +0200 Subject: [PATCH 09/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 8179117025..10a1fdf67c 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -61,7 +61,7 @@ provider "helm" { } ``` - +## Variables ```yaml # variables.yaml From a63609ca7ad6f4d613914e392170fafd49f67dc4 Mon Sep 17 00:00:00 2001 
From: Noam Gal Date: Mon, 2 Mar 2026 10:06:07 +0200 Subject: [PATCH 10/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 10a1fdf67c..2b383e2057 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -161,7 +161,7 @@ variable "gateway_chart_version" { } ``` - +## Argo CD ```yaml # argocd.yaml From 3776adc32869bec03aed6d7ed1563a0469df2ebd Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 10:06:17 +0200 Subject: [PATCH 11/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 2b383e2057..ea5639e549 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
@@ -15,7 +15,7 @@ Here is a simplified example to make this happen: | - | - | | [providers.tf](#providers) | Terraform + kubernetes, helm, null, time providers | | [variables.tf](#variables) | All inputs — kubeconfig, Argo CD URLs, Octopus credentials, gateway config | -| [argocd.tf](#argocd) | Installs Argo CD via Helm; enables apiKey,login on the admin account | +| [argocd.tf](#argo-cd) | Installs Argo CD via Helm; enables apiKey,login on the admin account | | [argocd-token.tf](#argocd-token) | Generates the Argo CD API key via the CLI and stores it in a k8s secret | | [gateway.tf](#gateway) | Creates Octopus API key secret; installs the gateway Helm chart | | [outputs.tf](#outputs) | Useful one-liners and resource references | From 060470c5f25bd0588da5b79004f6246dcc1c6ef6 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 10:06:25 +0200 Subject: [PATCH 12/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index ea5639e549..34d6409430 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
@@ -16,7 +16,7 @@ Here is a simplified example to make this happen: | [providers.tf](#providers) | Terraform + kubernetes, helm, null, time providers | | [variables.tf](#variables) | All inputs — kubeconfig, Argo CD URLs, Octopus credentials, gateway config | | [argocd.tf](#argo-cd) | Installs Argo CD via Helm; enables apiKey,login on the admin account | -| [argocd-token.tf](#argocd-token) | Generates the Argo CD API key via the CLI and stores it in a k8s secret | +| [argocd-token.tf](#argo-cd-token) | Generates the Argo CD API key via the CLI and stores it in a k8s secret | | [gateway.tf](#gateway) | Creates Octopus API key secret; installs the gateway Helm chart | | [outputs.tf](#outputs) | Useful one-liners and resource references | | [terraform.tfvars.example](#terraform-tfvars) | Copy → terraform.tfvars and fill in | From 4c1cb64e2d130583dc7ff74e788e0217280aa68c Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 10:06:32 +0200 Subject: [PATCH 13/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 34d6409430..8bcacfd2d7 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -215,7 +215,7 @@ resource "time_sleep" "wait_for_argocd" { } ``` - +## Argo CD Token ```yaml # argocd-token.yaml From 0fa650a64ade84bc9a49fe0adb0b7e156bee489c Mon Sep 17 00:00:00 2001 
From: Noam Gal Date: Mon, 2 Mar 2026 10:06:40 +0200 Subject: [PATCH 14/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 8bcacfd2d7..6e1d075b94 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -306,7 +306,7 @@ resource "null_resource" "argocd_token" { } ``` - +## Gateway ```yaml # gateway.yaml From 06aa3365d46e51370df2bca5db412057c125fdbe Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 10:06:58 +0200 Subject: [PATCH 15/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 6e1d075b94..966bf36d04 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -391,7 +391,7 @@ resource "helm_release" "gateway" { } ``` - +## Outputs ```yaml # outputs.yaml From 9ff226f5f720c27068ea81e3c90af1e5c656a7eb Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 10:07:47 +0200 Subject: [PATCH 16/32] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 966bf36d04..c8a4f6e642 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -421,7 +421,7 @@ output "get_argocd_token" { } ``` - +## Terraform tfvars ```yaml # terraform.tfvars.example From 03a691e54f8c1fb4cbf649a2879c797d5f6916d6 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 18:19:36 +1000 Subject: [PATCH 17/32] finxed lint --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index c8a4f6e642..962baa4fd3 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -391,7 +391,7 @@ resource "helm_release" "gateway" { } ``` -## Outputs +## Outputs ```yaml # outputs.yaml From 99e2383342fe2a053e0646d8089afd694ec23882 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Tue, 3 Mar 2026 09:39:00 +1000 Subject: [PATCH 18/32] fix: update automated installation instructions for Argo CD Gateway - Update modification date to March 3, 2026. - Revise installation steps to include namespace creation and token generation. - Provide detailed YAML configuration for Argo CD application. --- .../instances/automated-installation.md | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md index baefb34572..3a2dde620b 100644 --- a/src/pages/docs/argo-cd/instances/automated-installation.md +++ b/src/pages/docs/argo-cd/instances/automated-installation.md 
@@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2025-09-15 -modDate: 2026-01-20 +modDate: 2026-03-03 title: Automated Installation description: Install Argo CD instances via scripting or IAC navOrder: 10 @@ -117,7 +117,28 @@ The Octopus-Argo Gateway's helm chart can be installed via an Argo CD Applicatio The application YAML required to install the helm chart is as follows (replacing values as per previous examples): -Update `targetRevision` to the most recent tag found on [dockerhub](https://hub.docker.com/r/octopusdeploy/octopus-argocd-gateway-chart) +1. Create the namespace + + ```shell + kubectl create ns octopus-argo-gateway-your-namespace + ``` +2. Generate Argo CD Authentication Token + 2.1. Follow the instructions on the [Argo CD Authentication](argo-user) guide + 2.2. Save the token in a secret + + ```shell + kubectl create secret generic argocd-auth-token -n octopus-argo-gateway-your-namespace --from-literal=ARGOCD_AUTH_TOKEN= + ``` + +3. Generate Octopus Deploy Api-Key + 3.1. Follow the instreuctions on the [How to Create an API Key](/docs/octopus-rest-api/how-to-create-an-api-key) guide + 3.2. Save the token in a secret + + ```shell + kubectl create secret generic octopus-server-access-token -n octopus-argo-gateway-your-namespace --from-literal=OCTOPUS_SERVER_ACCESS_TOKEN= + ``` + +4. Apply the Argo CD application (or commit this manifest to your git-ops repository already synced by Argo CD) ```yaml project: default From bfce240dd6ca1e07854d06af86d7f5efc786e7a3 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Tue, 3 Mar 2026 10:09:09 +1000 Subject: [PATCH 19/32] fix: update RBAC policy for Octopus user to include sync permissions --- src/pages/docs/argo-cd/instances/argo-user.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/argo-user.md b/src/pages/docs/argo-cd/instances/argo-user.md index 866e6c9e61..9d6be53e0d 100644 --- a/src/pages/docs/argo-cd/instances/argo-user.md 
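Review bot: Steps 2.2 and 3.2 in the `@@ -117,7 +117,28 @@` hunk pass the token as a `--from-literal` argument, which leaves the Argo CD token and the Octopus API key in shell history and in the process list while kubectl runs. Reading the value from a file keeps it off the command line, e.g. `kubectl create secret generic argocd-auth-token -n octopus-argo-gateway-your-namespace --from-file=ARGOCD_AUTH_TOKEN=<path-to-token-file>`; the file must have no trailing newline because its contents are stored verbatim. The same form works for `octopus-server-access-token`. As shown, the value after `=` is empty in both commands, presumably a placeholder lost in rendering, so a visible placeholder would make clear what has to be supplied. Step 3.1 also has a typo, `instreuctions`.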
+++ b/src/pages/docs/argo-cd/instances/argo-user.md @@ -62,7 +62,7 @@ With the user created, an RBAC policy must be created allowing the new user to a The RBAC policies are stored within the `argocd-rbac-cm` configmap. -The following shows an Octopus user which has read only access to all applications, cluster and log data. +The following shows an Octopus user which has read only access to all applications, cluster and log data, and sync permissions for applications. ```yaml apiVersion: v1 From 243f1d9b92a0bd7ca35ace6f4cbff12f2903b227 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Tue, 3 Mar 2026 10:09:16 +1000 Subject: [PATCH 20/32] fix: update Argo CD installation to use dedicated Octopus service account Create a dedicated "octopus" service account with API key capability and necessary permissions for Octopus Deploy. This change ensures that the admin account retains login-only access, allowing the bootstrap script to generate the octopus token without interactive login requirements. --- .../argo-cd/instances/terraform-bootstrap.md | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 962baa4fd3..0ddb1c2eb5 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -178,8 +178,9 @@ resource "kubernetes_namespace" "argocd" { } # Install Argo CD via the official Helm chart. -# The accounts.admin config enables API key generation for the admin account, -# which is required for the token generation step in argocd-token.tf. +# Creates a dedicated "octopus" service account with apiKey capability and the +# permissions required by Octopus Deploy (applications, clusters, logs). +# Admin retains login-only access so the bootstrap script can generate the octopus token. resource "helm_release" "argocd" { name = "argocd" repository = null 
@@ -191,12 +192,18 @@ resource "helm_release" "argocd" { yamlencode({ configs = { cm = { - # Allow the admin account to generate API keys and log in interactively. - "accounts.admin" = "apiKey,login" + # Dedicated service account for Octopus Deploy — API key only, no interactive login. + "accounts.octopus" = "apiKey" } rbac = { "policy.default" = "role:readonly" - "policy.csv" = "g, admin, role:admin" + "policy.csv" = <<-EOT + g, admin, role:admin + p, octopus, applications, get, *, allow + p, octopus, applications, sync, *, allow + p, octopus, clusters, get, *, allow + p, octopus, logs, get, */*, allow + EOT } } }) @@ -229,7 +236,7 @@ locals { # 1. Wait for the Argo CD server deployment to be fully ready. # 2. Port-forward the Argo CD server locally. # 3. Log in with the argocd CLI using the auto-generated admin password. -# 4. Generate an API key for the admin account. +# 4. Generate an API key for the octopus account. # 5. Store that key in a Kubernetes secret in the gateway namespace. # # Prerequisites (must be available on the machine running `terraform apply`): @@ -288,9 +295,9 @@ resource "null_resource" "argocd_token" { --insecure \ --grpc-web - echo ">>> Generating API token for the admin account..." + echo ">>> Generating API token for the octopus account..." ARGOCD_TOKEN=$(argocd account generate-token \ - --account admin \ + --account octopus \ --insecure \ --grpc-web) From 5fd75ba7398aa8ecdc54373e57003251f53a80aa Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Tue, 3 Mar 2026 10:11:59 +1000 Subject: [PATCH 21/32] removed comment --- .../instances/automated-installation.md | 60 +++++++++---------- 1 file changed, 29 insertions(+), 31 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md index 3a2dde620b..909a97bc8c 100644 --- a/src/pages/docs/argo-cd/instances/automated-installation.md +++ b/src/pages/docs/argo-cd/instances/automated-installation.md 
@@ -140,34 +140,32 @@ The application YAML required to install the helm chart is as follows (replacing 4. Apply the Argo CD application (or commit this manifest to your git-ops repository already synced by Argo CD) -```yaml -project: default -source: - repoURL: registry-1.docker.io/octopusdeploy - chart: octopus-argocd-gateway-chart - targetRevision: 1.23.0 - helm: - valuesObject: - registration: - octopus: - name: - serverApiUrl: https://your-instance.octopus.app - serverAccessTokenSecretName: octopus-server-access-token - serverAccessTokenSecretKey: OCTOPUS_SERVER_ACCESS_TOKEN - spaceId: Spaces-1 - gateway: - octopus: - serverGrpcUrl: grpc://your-instance.octopus.app:8443 - argocd: - serverGrpcUrl: grpc://argocd-server.argocd.svc.cluster.local - authenticationTokenSecretName: argocd-auth-token - authenticationTokenSecretKey: ARGOCD_AUTH_TOKEN - autoUpdate: - # should be disabled, otherwise the auto-update job will keep trying to update the instance, while argo cd syncs it back to original state - enabled: false -destination: - server: https://kubernetes.default.svc - namespace: octopus-argo-gateway-your-namespace -``` - -the `serverAccessTokenSecretName/Key` and `authenticationTokenSecretName/Key` should match the Secret names and keys that contain the respective tokens, and those secret need to exist in the cluster. 
+ ```yaml + project: default + source: + repoURL: registry-1.docker.io/octopusdeploy + chart: octopus-argocd-gateway-chart + targetRevision: 1.23.0 + helm: + valuesObject: + registration: + octopus: + name: + serverApiUrl: https://your-instance.octopus.app + serverAccessTokenSecretName: octopus-server-access-token + serverAccessTokenSecretKey: OCTOPUS_SERVER_ACCESS_TOKEN + spaceId: Spaces-1 + gateway: + octopus: + serverGrpcUrl: grpc://your-instance.octopus.app:8443 + argocd: + serverGrpcUrl: grpc://argocd-server.argocd.svc.cluster.local + authenticationTokenSecretName: argocd-auth-token + authenticationTokenSecretKey: ARGOCD_AUTH_TOKEN + autoUpdate: + # should be disabled, otherwise the auto-update job will keep trying to update the instance, while argo cd syncs it back to original state + enabled: false + destination: + server: https://kubernetes.default.svc + namespace: octopus-argo-gateway-your-namespace + ``` From aba0a89fea6c29b8f262a8a52362b5546a6414a8 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Tue, 3 Mar 2026 10:43:17 +1000 Subject: [PATCH 22/32] feat: deploy Octopus Argo CD Gateway as an Argo CD Application Add a new resource to deploy the Octopus Argo CD Gateway using Argo CD's application management, allowing Argo CD to manage the Helm lifecycle. This change ensures better integration and management of the gateway installation process. --- .../argo-cd/instances/terraform-bootstrap.md | 119 ++++++++++++++++++ 1 file changed, 119 insertions(+) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 0ddb1c2eb5..ce0c686090 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
@@ -338,6 +338,122 @@ resource "kubernetes_secret" "octopus_api_key" { type = "Opaque" } +# Deploy the Octopus Argo CD Gateway as an Argo CD Application so that Argo CD +# owns the Helm lifecycle (sync, self-heal, pruning) rather than Terraform/Helm. +# +# NOTE: the argoproj.io/v1alpha1 CRD must already be present when Terraform plans +# this resource. If you are bootstrapping from scratch, run: +# terraform apply -target=helm_release.argocd -target=time_sleep.wait_for_argocd +# before running a full `terraform apply`. +resource "kubernetes_manifest" "gateway_application" { + depends_on = [ + time_sleep.wait_for_argocd, + null_resource.argocd_token, + kubernetes_namespace.gateway, + kubernetes_secret.octopus_api_key, + ] + + manifest = { + apiVersion = "argoproj.io/v1alpha1" + kind = "Application" + metadata = { + name = "octopus-argocd-gateway" + namespace = var.argocd_namespace + } + spec = { + project = "default" + + source = { + # OCI chart: repoURL is the registry path, chart is the image name. + repoURL = "registry-1.docker.io/octopusdeploy" + chart = "octopus-argocd-gateway-chart" + targetRevision = var.gateway_chart_version + + helm = { + valuesObject = { + gateway = { + argocd = { + # gRPC URL derived automatically from the Argo CD Helm release. + serverGrpcUrl = local.argocd_grpc_url + # Skip TLS verification if Argo CD is using a self-signed cert. + insecure = var.argocd_insecure + # Reference the secret created by null_resource.argocd_token. + authenticationTokenSecretName = local.argocd_token_secret_name + authenticationTokenSecretKey = "ARGOCD_AUTH_TOKEN" + } + octopus = { + serverGrpcUrl = var.octopus_grpc_url + plaintext = var.octopus_grpc_plaintext + } + } + + registration = { + octopus = { + name = var.gateway_name + serverApiUrl = var.octopus_api_url + spaceId = var.octopus_space_id + environments = var.octopus_environments + # Reference the Octopus API key secret created above. 
+ serverAccessTokenSecretName = "octopus-server-access-token" + serverAccessTokenSecretKey = "OCTOPUS_SERVER_ACCESS_TOKEN" + } + argocd = { + webUiUrl = var.argocd_web_ui_url + } + } + + autoUpdate = { + # should be disabled, otherwise the auto-update job will keep trying to update the instance, while argo cd syncs it back to original state + enabled = false + } + } + } + } + + destination = { + server = "https://kubernetes.default.svc" + namespace = var.gateway_namespace + } + + syncPolicy = { + automated = { + prune = true + selfHeal = true + } + syncOptions = ["CreateNamespace=false"] + } + } + } +} +``` + +:::div{.hint} +**Note** +In order to deploy the Argo CD Gateway using helm directly, you can re-use the helm provider: + +```yaml +# gateway.yaml +resource "kubernetes_namespace" "gateway" { + metadata { + name = var.gateway_namespace + } +} + +# Store the Octopus API key as a Kubernetes secret so it is never passed +# as a plain-text Helm value. The chart reads it via serverAccessTokenSecretName. +resource "kubernetes_secret" "octopus_api_key" { + metadata { + name = "octopus-server-access-token" + namespace = kubernetes_namespace.gateway.metadata[0].name + } + + data = { + OCTOPUS_SERVER_ACCESS_TOKEN = var.octopus_api_key + } + + type = "Opaque" +} + # Install the Octopus Argo CD Gateway. # The chart is referenced from the published GitHub Pages Helm repository. # Both the Argo CD token and the Octopus API key are supplied via existing @@ -398,6 +514,8 @@ resource "helm_release" "gateway" { } ``` +::: + ## Outputs ```yaml @@ -466,3 +584,4 @@ gateway_namespace = "octopus-argocd-gateway" gateway_name = "my-argocd-gateway" gateway_chart_version = "1.18.0" ``` + From d03e920bb8d7ef3667bcd1821d8f936e9e5f4442 Mon Sep 17 00:00:00 2001 
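Review bot: The comment on `kubernetes_secret.octopus_api_key` in the hint block of the `@@ -338,6 +338,122 @@` hunk says the key is "never passed as a plain-text Helm value", but `OCTOPUS_SERVER_ACCESS_TOKEN = var.octopus_api_key` still records the key in Terraform state in clear text. Extend the comment, e.g. `# The key is still stored in Terraform state; use an encrypted, access-controlled backend.`, and confirm the variable is declared with `sensitive = true` (its declaration is outside this hunk). The hint block also redeclares `kubernetes_namespace.gateway` and `kubernetes_secret.octopus_api_key`, which already appear in the gateway listing directly above it, so a reader who copies both gets duplicate resource addresses. A sentence stating that the hint listing replaces the one above would avoid that.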
From: Noam Gal Date: Tue, 3 Mar 2026 10:53:26 +1000 Subject: [PATCH 23/32] fixed lint --- src/pages/docs/argo-cd/instances/automated-installation.md | 1 + src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md index 909a97bc8c..0b4879faf7 100644 --- a/src/pages/docs/argo-cd/instances/automated-installation.md +++ b/src/pages/docs/argo-cd/instances/automated-installation.md @@ -122,6 +122,7 @@ The application YAML required to install the helm chart is as follows (replacing ```shell kubectl create ns octopus-argo-gateway-your-namespace ``` + 2. Generate Argo CD Authentication Token 2.1. Follow the instructions on the [Argo CD Authentication](argo-user) guide 2.2. Save the token in a secret diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index ce0c686090..44288e0299 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -584,4 +584,3 @@ gateway_namespace = "octopus-argocd-gateway" gateway_name = "my-argocd-gateway" gateway_chart_version = "1.18.0" ``` - From 46c153276eac1f43527c16ebcb104a4371dc29b2 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Tue, 3 Mar 2026 11:33:11 +1000 Subject: [PATCH 24/32] fixed broken link --- src/pages/docs/argo-cd/instances/automated-installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md index 0b4879faf7..8b350e110a 100644 --- a/src/pages/docs/argo-cd/instances/automated-installation.md +++ b/src/pages/docs/argo-cd/instances/automated-installation.md 
@@ -124,7 +124,7 @@ The application YAML required to install the helm chart is as follows (replacing ``` 2. Generate Argo CD Authentication Token - 2.1. Follow the instructions on the [Argo CD Authentication](argo-user) guide + 2.1. Follow the instructions on the [Argo CD Authentication](/docs/argo-cd/instances/argo-user.md) guide 2.2. Save the token in a secret ```shell From ffc6d018c9a932ae49a32067852c4d80e4e2cd44 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Tue, 3 Mar 2026 11:34:50 +1000 Subject: [PATCH 25/32] fixed broken link --- src/pages/docs/argo-cd/instances/automated-installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md index 8b350e110a..0317c83181 100644 --- a/src/pages/docs/argo-cd/instances/automated-installation.md +++ b/src/pages/docs/argo-cd/instances/automated-installation.md @@ -124,7 +124,7 @@ The application YAML required to install the helm chart is as follows (replacing ``` 2. Generate Argo CD Authentication Token - 2.1. Follow the instructions on the [Argo CD Authentication](/docs/argo-cd/instances/argo-user.md) guide + 2.1. Follow the instructions on the [Argo CD Authentication](/docs/argo-cd/instances/argo-user) guide 2.2. Save the token in a secret ```shell From b4c661f2bac96e5215833d20c0f800d0dc53b483 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Tue, 3 Mar 2026 18:45:12 +1000 Subject: [PATCH 26/32] fix: update modification dates in documentation for consistency Updated the modification dates in 'argo-user.md' and 'terraform-bootstrap.md' to ensure they reflect the correct timeline. This improves clarity and accuracy in the documentation. --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 44288e0299..9ff8fde0de 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro -pubDate: 2026-03-02 -modDate: 2026-03-02 +pubDate: 2026-03-03 +modDate: 2026-03-03 title: Terraform Bootstrap description: How to bootstrap Argo CD + Argo CD Gateway using Terraform navOrder: 10 @@ -569,7 +569,7 @@ argocd_insecure = false # ─── Octopus Deploy ─────────────────────────────────────────────────────────── octopus_api_url = "https://my-instance.octopus.app" -octopus_grpc_url = "my-instance.octopus.app:443" +octopus_grpc_url = "my-instance.octopus.app:8443" octopus_api_key = "API-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # sensitive octopus_space_id = "Spaces-1" From b459bb5a6f553ed700ca71caa9844d84352b5951 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Thu, 26 Mar 2026 16:56:15 +0200 Subject: [PATCH 27/32] updated dates --- src/pages/docs/argo-cd/instances/argo-user.md | 2 +- src/pages/docs/argo-cd/instances/automated-installation.md | 2 +- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/argo-user.md b/src/pages/docs/argo-cd/instances/argo-user.md index 9d6be53e0d..ea70eff19d 100644 --- a/src/pages/docs/argo-cd/instances/argo-user.md +++ b/src/pages/docs/argo-cd/instances/argo-user.md @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2025-09-15 -modDate: 2026-03-09 +modDate: 2026-03-26 title: Argo CD Authentication description: Limiting Octopus's access in Argo CD navOrder: 10 diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md index 0317c83181..602299e0e7 100644 
--- a/src/pages/docs/argo-cd/instances/automated-installation.md +++ b/src/pages/docs/argo-cd/instances/automated-installation.md @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2025-09-15 -modDate: 2026-03-03 +modDate: 2026-03-26 title: Automated Installation description: Install Argo CD instances via scripting or IAC navOrder: 10 diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 9ff8fde0de..50d61eba67 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro -pubDate: 2026-03-03 -modDate: 2026-03-03 +pubDate: 2026-03-26 +modDate: 2026-03-26 title: Terraform Bootstrap description: How to bootstrap Argo CD + Argo CD Gateway using Terraform navOrder: 10 From c385e4a32f690b42ec609eeb6a476ae32d20836f Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Thu, 26 Mar 2026 16:58:29 +0200 Subject: [PATCH 28/32] fixed terraform example chart_version --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 50d61eba67..d1b17f0baa 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -582,5 +582,5 @@ octopus_grpc_plaintext = false # ─── Gateway ────────────────────────────────────────────────────────────────── gateway_namespace = "octopus-argocd-gateway" gateway_name = "my-argocd-gateway" -gateway_chart_version = "1.18.0" +gateway_chart_version = "1.23.0" ``` From 735354c38106a9fb0c4bd2618112292b0c08c047 Mon Sep 17 00:00:00 2001 
From: Noam Gal Date: Thu, 26 Mar 2026 18:25:33 +0200 Subject: [PATCH 29/32] fix: rename example files from .yaml to .tf for consistency --- .../docs/argo-cd/instances/terraform-bootstrap.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index d1b17f0baa..7367000897 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -24,7 +24,7 @@ Here is a simplified example to make this happen: ## Providers ```yaml -# providers.yaml +# providers.tf terraform { required_version = ">= 1.5.0" @@ -64,7 +64,7 @@ provider "helm" { ## Variables ```yaml -# variables.yaml +# variables.tf # ─── Kubernetes ─────────────────────────────────────────────────────────────── variable "kubeconfig_path" { @@ -164,7 +164,7 @@ variable "gateway_chart_version" { ## Argo CD ```yaml -# argocd.yaml +# argocd.tf locals { # Derived from the Helm release name and namespace — no user input required. # The argo-cd chart names its server service as "-server". @@ -225,7 +225,7 @@ resource "time_sleep" "wait_for_argocd" { ## Argo CD Token ```yaml -# argocd-token.yaml +# argocd-token.tf locals { # Name of the Kubernetes secret that will hold the generated Argo CD token. # The secret is created in the gateway namespace so the gateway pod can mount it. @@ -316,7 +316,7 @@ resource "null_resource" "argocd_token" { ## Gateway ```yaml -# gateway.yaml +# gateway.tf resource "kubernetes_namespace" "gateway" { metadata { name = var.gateway_namespace @@ -432,7 +432,7 @@ resource "kubernetes_manifest" "gateway_application" { In order to deploy the Argo CD Gateway using helm directly, you can re-use the helm provider: ```yaml -# gateway.yaml +# gateway.tf resource "kubernetes_namespace" "gateway" { metadata { name = var.gateway_namespace 
@@ -519,7 +519,7 @@ resource "helm_release" "gateway" { ## Outputs ```yaml -# outputs.yaml +# outputs.tf output "argocd_namespace" { description = "Namespace where Argo CD is installed." value = kubernetes_namespace.argocd.metadata[0].name From 7d2e865bf5b8f6b1ab9d25af709297e00152ac69 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 30 Mar 2026 16:11:54 +0300 Subject: [PATCH 30/32] fix: update Argo CD installation instructions and remove unused variables Clarify the process for installing Argo CD and the Argo CD Gateway by specifying the provisioning of required token secrets. Remove unnecessary variables related to the gateway name and chart version to streamline the configuration. --- .../argo-cd/instances/terraform-bootstrap.md | 105 +----------------- 1 file changed, 4 insertions(+), 101 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 7367000897..0f77f2aac5 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -7,7 +7,7 @@ description: How to bootstrap Argo CD + Argo CD Gateway using Terraform navOrder: 10 --- -When provisioning a new cluster, it is possible to install Argo CD along with the Argo CD Gateway using terraform. In order to do that, you need to create an Argo CD token, and inject it to the Argo CD Gateway installation. +When provisioning a new cluster, it is possible to install Argo CD while provisioning the required token secrets for the upcoming Argo CD Gateway installation. Once Argo CD is installed, the Argo CD Gateway can be installed using an Argo CD Application as described [here](/docs/argo-cd/instances/automatic-installation). Another approach would be to install the Argo CD Gateway as part of the terraform chart, as described under the Note [here](#gateway). Here is a simplified example to make this happen: 
@@ -17,7 +17,7 @@ Here is a simplified example to make this happen: | [variables.tf](#variables) | All inputs — kubeconfig, Argo CD URLs, Octopus credentials, gateway config | | [argocd.tf](#argo-cd) | Installs Argo CD via Helm; enables apiKey,login on the admin account | | [argocd-token.tf](#argo-cd-token) | Generates the Argo CD API key via the CLI and stores it in a k8s secret | -| [gateway.tf](#gateway) | Creates Octopus API key secret; installs the gateway Helm chart | +| [gateway.tf](#gateway) | Creates Octopus API key secret; optionally installs the gateway Helm chart | | [outputs.tf](#outputs) | Useful one-liners and resource references | | [terraform.tfvars.example](#terraform-tfvars) | Copy → terraform.tfvars and fill in | @@ -148,17 +148,6 @@ variable "gateway_namespace" { type = string default = "octopus-argocd-gateway" } - -variable "gateway_name" { - description = "Display name for the gateway within Octopus Deploy." - type = string -} - -variable "gateway_chart_version" { - description = "Octopus Argo CD Gateway Helm chart version." - type = string - default = "1.18.0" -} ``` ## Argo CD 
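Review bot: The unchanged `argocd.tf` row in the file table of the `@@ -17,7 +17,7 @@` hunk still reads `enables apiKey,login on the admin account`, although the argocd.tf listing was changed earlier in this series to create a dedicated `octopus` account with `apiKey` only. Update the row in the same edit, e.g. `Installs Argo CD via Helm; creates the octopus service account (apiKey only) and its RBAC policy`, so readers do not assume the admin account can mint API keys.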
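Review bot: The `@@ -148,17 +148,6 @@` hunk removes the `gateway_name` and `gateway_chart_version` declarations, yet terraform.tfvars.example in this same commit keeps both values under `# only used if deploying the octopus-argocd-gateway using the helm-provider`. If `helm_release.gateway` in the hint block references `var.gateway_name` or `var.gateway_chart_version` (its body is not visible here), that optional path no longer plans. Either keep the two declarations with a comment such as `# only needed for the optional helm_release.gateway`, or show them inside the hint block next to the resource that uses them.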
@@ -337,94 +326,6 @@ resource "kubernetes_secret" "octopus_api_key" { type = "Opaque" } - -# Deploy the Octopus Argo CD Gateway as an Argo CD Application so that Argo CD -# owns the Helm lifecycle (sync, self-heal, pruning) rather than Terraform/Helm. -# -# NOTE: the argoproj.io/v1alpha1 CRD must already be present when Terraform plans -# this resource. If you are bootstrapping from scratch, run: -# terraform apply -target=helm_release.argocd -target=time_sleep.wait_for_argocd -# before running a full `terraform apply`. -resource "kubernetes_manifest" "gateway_application" { - depends_on = [ - time_sleep.wait_for_argocd, - null_resource.argocd_token, - kubernetes_namespace.gateway, - kubernetes_secret.octopus_api_key, - ] - - manifest = { - apiVersion = "argoproj.io/v1alpha1" - kind = "Application" - metadata = { - name = "octopus-argocd-gateway" - namespace = var.argocd_namespace - } - spec = { - project = "default" - - source = { - # OCI chart: repoURL is the registry path, chart is the image name. - repoURL = "registry-1.docker.io/octopusdeploy" - chart = "octopus-argocd-gateway-chart" - targetRevision = var.gateway_chart_version - - helm = { - valuesObject = { - gateway = { - argocd = { - # gRPC URL derived automatically from the Argo CD Helm release. - serverGrpcUrl = local.argocd_grpc_url - # Skip TLS verification if Argo CD is using a self-signed cert. - insecure = var.argocd_insecure - # Reference the secret created by null_resource.argocd_token. - authenticationTokenSecretName = local.argocd_token_secret_name - authenticationTokenSecretKey = "ARGOCD_AUTH_TOKEN" - } - octopus = { - serverGrpcUrl = var.octopus_grpc_url - plaintext = var.octopus_grpc_plaintext - } - } - - registration = { - octopus = { - name = var.gateway_name - serverApiUrl = var.octopus_api_url - spaceId = var.octopus_space_id - environments = var.octopus_environments - # Reference the Octopus API key secret created above. 
- serverAccessTokenSecretName = "octopus-server-access-token" - serverAccessTokenSecretKey = "OCTOPUS_SERVER_ACCESS_TOKEN" - } - argocd = { - webUiUrl = var.argocd_web_ui_url - } - } - - autoUpdate = { - # should be disabled, otherwise the auto-update job will keep trying to update the instance, while argo cd syncs it back to original state - enabled = false - } - } - } - } - - destination = { - server = "https://kubernetes.default.svc" - namespace = var.gateway_namespace - } - - syncPolicy = { - automated = { - prune = true - selfHeal = true - } - syncOptions = ["CreateNamespace=false"] - } - } - } -} ``` :::div{.hint} @@ -581,6 +482,8 @@ octopus_grpc_plaintext = false # ─── Gateway ────────────────────────────────────────────────────────────────── gateway_namespace = "octopus-argocd-gateway" + +# only used if deploying the octopus-argocd-gateway using the helm-provider gateway_name = "my-argocd-gateway" gateway_chart_version = "1.23.0" ``` From 43449238a0c389c73c1e782e622c0ee61c146531 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 30 Mar 2026 18:11:12 +0300 Subject: [PATCH 31/32] fixed lint --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 0f77f2aac5..91735eb6a8 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
@@ -7,7 +7,7 @@ description: How to bootstrap Argo CD + Argo CD Gateway using Terraform navOrder: 10 --- -When provisioning a new cluster, it is possible to install Argo CD while provisioning the required token secrets for the upcoming Argo CD Gateway installation. Once Argo CD is installed, the Argo CD Gateway can be installed using an Argo CD Application as described [here](/docs/argo-cd/instances/automatic-installation). Another approach would be to install the Argo CD Gateway as part of the terraform chart, as described under the Note [here](#gateway). +When provisioning a new cluster, it is possible to install Argo CD while provisioning the required token secrets for the upcoming Argo CD Gateway installation. Once Argo CD is installed, the Argo CD Gateway can be installed using an Argo CD Application as described in [Automated Installation](/docs/argo-cd/instances/automatic-installation). Another approach would be to install the Argo CD Gateway as part of the terraform chart, as described under the [Note](#gateway). Here is a simplified example to make this happen: From 29add3501d3f5e97e406a50b3e8b4d0317b83815 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 30 Mar 2026 19:05:07 +0300 Subject: [PATCH 32/32] fixed broken link --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 91735eb6a8..97f9c8027b 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
@@ -7,7 +7,7 @@ description: How to bootstrap Argo CD + Argo CD Gateway using Terraform navOrder: 10 --- -When provisioning a new cluster, it is possible to install Argo CD while provisioning the required token secrets for the upcoming Argo CD Gateway installation. Once Argo CD is installed, the Argo CD Gateway can be installed using an Argo CD Application as described in [Automated Installation](/docs/argo-cd/instances/automatic-installation). Another approach would be to install the Argo CD Gateway as part of the terraform chart, as described under the [Note](#gateway). +When provisioning a new cluster, it is possible to install Argo CD while provisioning the required token secrets for the upcoming Argo CD Gateway installation. Once Argo CD is installed, the Argo CD Gateway can be installed using an Argo CD Application as described in [Automated Installation](/docs/argo-cd/instances/automated-installation). Another approach would be to install the Argo CD Gateway as part of the terraform chart, as described under the [Note](#gateway). Here is a simplified example to make this happen: