From 72226f46771d473927f226b3708330dd9833fbd6 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 16:39:36 +1000
Subject: [PATCH 01/26] feat: update Argo CD Gateway installation instructions and add Terraform bootstrap guide
---
 .../instances/automated-installation.md | 37 +-
 .../argo-cd/instances/terraform-bootstrap.md | 456 ++++++++++++++++++
 2 files changed, 476 insertions(+), 17 deletions(-)
 create mode 100644 src/pages/docs/argo-cd/instances/terraform-bootstrap.md
diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md
index e7f64c73ec..da22660fe4 100644
--- a/src/pages/docs/argo-cd/instances/automated-installation.md
+++ b/src/pages/docs/argo-cd/instances/automated-installation.md
@@ -122,25 +122,28 @@ project: default source: repoURL: registry-1.docker.io/octopusdeploy chart: octopus-argocd-gateway-chart - targetRevision: 1.3.0 + targetRevision: 1.18.0 helm: - parameters: - - name: registration.octopus.name - value: - - name: registration.octopus.serverAccessToken - value: API-XXXXXXXXXXXXXXXX - - name: registration.octopus.serverApiUrl - value: https://your-instance.octopus.app - - name: registration.octopus.spaceId - value: Spaces-1 - - name: gateway.argocd.authenticationToken - value: >- - - - name: gateway.argocd.serverGrpcUrl - value: grpc://argocd-server.argocd.svc.cluster.local" - - name: gateway.octopus.serverGrpcUrl - value: grpc://your-instance.octopus.app:8443 + valuesObject: + registration: + octopus: + name: + serverApiUrl: https://your-instance.octopus.app + serverAccessTokenSecretName: octopus-server-access-token + serverAccessTokenSecretKey: OCTOPUS_SERVER_ACCESS_TOKEN + spaceId: Spaces-1 + gateway: + octopus: + serverGrpcUrl: grpc://your-instance.octopus.app:8443 + argocd: + serverGrpcUrl: grpc://argocd-server.argocd.svc.cluster.local + authenticationTokenSecretName: argocd-auth-token + authenticationTokenSecretKey: ARGOCD_AUTH_TOKEN + autoUpdate: + # should be disabled, otherwise the auto-update job will keep trying to update the instance, while argo cd syncs it back to original state + enabled: false destination: server: https://kubernetes.default.svc namespace: octopus-argo-gateway-your-namespace ``` +the `serverAccessTokenSecretName/Key` and `authenticationTokenSecretName/Key` should match the Secret names and keys that contain the respective tokens, and those secret need to exist in the cluster. diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md new file mode 100644 index 0000000000..191605ab3f --- /dev/null +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
@@ -0,0 +1,456 @@ +--- +layout: src/layouts/Default.astro +pubDate: 2025-09-15 +modDate: 2026-01-20 +title: Terraform Bootstrap +description: How to bootstrap Argo CD + Argo CD Gateway using Gerraform +navOrder: 10 +hideInThisSectionHeader: true +--- + +When provisioning a new cluster, it is possible to install Argo CD along with the Argo CD Gateway using terraform. In order to do that, you need to create an Argo CD token, and inject it to the Argo CD Gateway installation. + +Here is a simplified example to make this happen: + + +| File | Purpose | +|-|-| +| [providers.tf](#providers) | Terraform + kubernetes, helm, null, time providers | +| [variables.tf](#variables) | All inputs — kubeconfig, Argo CD URLs, Octopus credentials, gateway config | +| [argocd.tf](#argocd) | Installs Argo CD via Helm; enables apiKey,login on the admin account | +| [argocd-token.tf](#argocd-token) | Generates the Argo CD API key via the CLI and stores it in a k8s secret | +| [gateway.tf](#gateway) | Creates Octopus API key secret; installs the gateway Helm chart | +| [outputs.tf](#outputs) | Useful one-liners and resource references | +| [terraform.tfvars.example](#terraform-tfvars) | Copy → terraform.tfvars and fill in | + + +```yaml +# providers.yaml +terraform { + required_version = ">= 1.5.0" + + required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.27" + } + helm = { + source = "hashicorp/helm" + version = "~> 2.13" + } + null = { + source = "hashicorp/null" + version = "~> 3.2" + } + time = { + source = "hashicorp/time" + version = "~> 0.11" + } + } +} + +provider "kubernetes" { + config_path = var.kubeconfig_path + config_context = var.kube_context +} + +provider "helm" { + kubernetes { + config_path = var.kubeconfig_path + config_context = var.kube_context + } +} +``` + + +```yaml +# variables.yaml +# ─── Kubernetes ─────────────────────────────────────────────────────────────── + +variable "kubeconfig_path" { + description = "Path to the 
kubeconfig file." + type = string + default = "~/.kube/config" +} + +variable "kube_context" { + description = "Kubernetes context to use. Defaults to the current context." + type = string + default = null +} + +# ─── Argo CD ────────────────────────────────────────────────────────────────── + +variable "argocd_namespace" { + description = "Namespace to install Argo CD into." + type = string + default = "argocd" +} + +variable "argocd_chart_version" { + description = "Argo CD Helm chart version (from https://argoproj.github.io/argo-helm)." + type = string + default = "9.4.6" +} + + +variable "argocd_web_ui_url" { + description = "Argo CD Web UI URL used for gateway registration (e.g. https://argocd.example.com)." + type = string +} + +variable "argocd_insecure" { + description = "Skip TLS verification on the gRPC connection from the gateway to Argo CD." + type = bool + default = false +} + +# ─── Octopus Deploy ─────────────────────────────────────────────────────────── + +variable "octopus_api_url" { + description = "Octopus Deploy HTTP API URL used for registration (e.g. https://my-instance.octopus.app)." + type = string +} + +variable "octopus_grpc_url" { + description = "Octopus Deploy gRPC URL including port (e.g. my-instance.octopus.app:443)." + type = string +} + +variable "octopus_api_key" { + description = "Octopus Deploy API key used to register the gateway." + type = string + sensitive = true +} + +variable "octopus_space_id" { + description = "Octopus Deploy Space ID the gateway registers into." + type = string + default = "Spaces-1" +} + +variable "octopus_environments" { + description = "List of Octopus Deploy environment slugs or IDs to associate with the gateway." + type = list(string) + default = [] +} + +variable "octopus_grpc_plaintext" { + description = "Disable TLS on the Octopus gRPC connection. Only for development/local setups." 
+ type = bool + default = false +} + +# ─── Gateway ────────────────────────────────────────────────────────────────── + +variable "gateway_namespace" { + description = "Namespace to install the Octopus Argo CD Gateway into." + type = string + default = "octopus-argocd-gateway" +} + +variable "gateway_name" { + description = "Display name for the gateway within Octopus Deploy." + type = string +} + +variable "gateway_chart_version" { + description = "Octopus Argo CD Gateway Helm chart version." + type = string + default = "1.18.0" +} +``` + + +```yaml +# argocd.yaml +locals { + # Derived from the Helm release name and namespace — no user input required. + # The argo-cd chart names its server service as "-server". + argocd_grpc_url = "${helm_release.argocd.name}-server.${var.argocd_namespace}.svc.cluster.local:443" +} + +resource "kubernetes_namespace" "argocd" { + metadata { + name = var.argocd_namespace + } +} + +# Install Argo CD via the official Helm chart. +# The accounts.admin config enables API key generation for the admin account, +# which is required for the token generation step in argocd-token.tf. +resource "helm_release" "argocd" { + name = "argocd" + repository = null + chart = "oci://ghcr.io/argoproj/argo-helm/argo-cd" + version = var.argocd_chart_version + namespace = kubernetes_namespace.argocd.metadata[0].name + + values = [ + yamlencode({ + configs = { + cm = { + # Allow the admin account to generate API keys and log in interactively. + "accounts.admin" = "apiKey,login" + } + rbac = { + "policy.default" = "role:readonly" + "policy.csv" = "g, admin, role:admin" + } + } + }) + ] + + # Wait until all Argo CD pods are healthy before continuing. + timeout = 600 + wait = true +} + +# Give the Argo CD server a moment to fully initialise its API +# (the rollout-status check alone isn't always sufficient). 
+resource "time_sleep" "wait_for_argocd" { + depends_on = [helm_release.argocd] + create_duration = "30s" +} +``` + + +```yaml +# argocd-token.yaml +locals { + # Name of the Kubernetes secret that will hold the generated Argo CD token. + # The secret is created in the gateway namespace so the gateway pod can mount it. + argocd_token_secret_name = "argocd-gateway-token" +} + +# Use a null_resource + local-exec to: +# 1. Wait for the Argo CD server deployment to be fully ready. +# 2. Port-forward the Argo CD server locally. +# 3. Log in with the argocd CLI using the auto-generated admin password. +# 4. Generate an API key for the admin account. +# 5. Store that key in a Kubernetes secret in the gateway namespace. +# +# Prerequisites (must be available on the machine running `terraform apply`): +# - kubectl (configured to reach the target cluster) +# - argocd (https://argo-cd.readthedocs.io/en/stable/cli_installation/) +# - nc / netcat +resource "null_resource" "argocd_token" { + depends_on = [ + time_sleep.wait_for_argocd, + kubernetes_namespace.gateway, + ] + + # Re-run whenever Argo CD is reinstalled or the gateway namespace changes. + triggers = { + argocd_release_id = helm_release.argocd.id + gateway_namespace = var.gateway_namespace + } + + provisioner "local-exec" { + interpreter = ["bash", "-c"] + command = <<-EOT + set -euo pipefail + + echo ">>> Waiting for argocd-server deployment to be ready..." + kubectl rollout status deployment/argocd-server \ + --namespace "${var.argocd_namespace}" \ + --timeout=300s + + echo ">>> Fetching initial admin password..." + ARGOCD_PASSWORD=$(kubectl get secret argocd-initial-admin-secret \ + --namespace "${var.argocd_namespace}" \ + -o jsonpath='{.data.password}' | base64 --decode) + + echo ">>> Starting port-forward on localhost:18080 -> argocd-server:443..." + # Use port 18080 to avoid conflicts with any local service on 8080. 
+ kubectl port-forward svc/argocd-server \ + --namespace "${var.argocd_namespace}" \ + 18080:443 & + PF_PID=$! + trap 'echo ">>> Cleaning up port-forward (PID $PF_PID)"; kill "$PF_PID" 2>/dev/null || true' EXIT + + echo ">>> Waiting for port-forward to become available..." + for i in $(seq 1 20); do + if nc -z localhost 18080 2>/dev/null; then + echo " Ready after $i attempt(s)." + break + fi + echo " Attempt $i/20 — retrying in 3s..." + sleep 3 + done + + echo ">>> Logging in to Argo CD..." + argocd login localhost:18080 \ + --username admin \ + --password "$ARGOCD_PASSWORD" \ + --insecure \ + --grpc-web + + echo ">>> Generating API token for the admin account..." + ARGOCD_TOKEN=$(argocd account generate-token \ + --account admin \ + --insecure \ + --grpc-web) + + echo ">>> Storing token in Kubernetes secret '${local.argocd_token_secret_name}' (namespace: ${var.gateway_namespace})..." + kubectl create secret generic "${local.argocd_token_secret_name}" \ + --namespace "${var.gateway_namespace}" \ + --from-literal=ARGOCD_AUTH_TOKEN="$ARGOCD_TOKEN" \ + --dry-run=client -o yaml | kubectl apply -f - + + echo ">>> Done. Argo CD API token is ready." + EOT + } +} +``` + + +```yaml +# gateway.yaml +resource "kubernetes_namespace" "gateway" { + metadata { + name = var.gateway_namespace + } +} + +# Store the Octopus API key as a Kubernetes secret so it is never passed +# as a plain-text Helm value. The chart reads it via serverAccessTokenSecretName. +resource "kubernetes_secret" "octopus_api_key" { + metadata { + name = "octopus-server-access-token" + namespace = kubernetes_namespace.gateway.metadata[0].name + } + + data = { + OCTOPUS_SERVER_ACCESS_TOKEN = var.octopus_api_key + } + + type = "Opaque" +} + +# Install the Octopus Argo CD Gateway. +# The chart is referenced from the published GitHub Pages Helm repository. 
+# Both the Argo CD token and the Octopus API key are supplied via existing +# Kubernetes secrets rather than inline values to avoid storing credentials +# in Terraform state or Helm release history. +resource "helm_release" "gateway" { + name = "octopus-argocd-gateway" + repository = null + chart = "oci://registry-1.docker.io/octopusdeploy/octopus-argocd-gateway-chart" + version = var.gateway_chart_version + namespace = kubernetes_namespace.gateway.metadata[0].name + + depends_on = [ + # The Argo CD token secret must exist before the gateway pod starts. + null_resource.argocd_token, + kubernetes_secret.octopus_api_key, + ] + + values = [ + yamlencode({ + gateway = { + argocd = { + # gRPC URL derived automatically from the Argo CD Helm release. + serverGrpcUrl = local.argocd_grpc_url + # Skip TLS verification if Argo CD is using a self-signed cert. + insecure = var.argocd_insecure + # Reference the secret created by null_resource.argocd_token. + # The chart looks for the key ARGOCD_AUTH_TOKEN inside this secret. + authenticationTokenSecretName = local.argocd_token_secret_name + authenticationTokenSecretKey = "ARGOCD_AUTH_TOKEN" + } + octopus = { + serverGrpcUrl = var.octopus_grpc_url + plaintext = var.octopus_grpc_plaintext + } + } + + registration = { + octopus = { + name = var.gateway_name + serverApiUrl = var.octopus_api_url + spaceId = var.octopus_space_id + environments = var.octopus_environments + + # Reference the Octopus API key secret created above. + serverAccessTokenSecretName = kubernetes_secret.octopus_api_key.metadata[0].name + serverAccessTokenSecretKey = "OCTOPUS_SERVER_ACCESS_TOKEN" + } + argocd = { + webUiUrl = var.argocd_web_ui_url + } + } + }) + ] + + timeout = 300 + wait = true +} +``` + + +```yaml +# outputs.yaml +output "argocd_namespace" { + description = "Namespace where Argo CD is installed." 
+ value = kubernetes_namespace.argocd.metadata[0].name +} + +output "gateway_namespace" { + description = "Namespace where the Octopus Argo CD Gateway is installed." + value = kubernetes_namespace.gateway.metadata[0].name +} + +output "argocd_token_secret" { + description = "Kubernetes secret (namespace/name) that holds the generated Argo CD API token." + value = "${var.gateway_namespace}/${local.argocd_token_secret_name}" +} + +output "get_argocd_admin_password" { + description = "One-liner to retrieve the Argo CD initial admin password." + value = "kubectl get secret argocd-initial-admin-secret -n ${var.argocd_namespace} -o jsonpath='{.data.password}' | base64 --decode && echo" +} + +output "get_argocd_token" { + description = "One-liner to view the stored Argo CD API token." + value = "kubectl get secret ${local.argocd_token_secret_name} -n ${var.gateway_namespace} -o jsonpath='{.data.ARGOCD_AUTH_TOKEN}' | base64 --decode && echo" +} +``` + + +```yaml +# terraform.tfvars.example +# Copy this file to terraform.tfvars and fill in the values. +# Never commit terraform.tfvars to source control — it contains secrets. + +# ─── Kubernetes ─────────────────────────────────────────────────────────────── +kubeconfig_path = "~/.kube/config" +kube_context = "my-cluster-context" # omit to use the current context + +# ─── Argo CD ────────────────────────────────────────────────────────────────── +argocd_namespace = "argocd" +argocd_chart_version = "9.4.6" + +# External Web UI URL — used during Octopus registration for the Argo CD link. +argocd_web_ui_url = "https://argocd.example.com" + +# Set to true if Argo CD uses a self-signed certificate. 
+argocd_insecure = false + +# ─── Octopus Deploy ─────────────────────────────────────────────────────────── +octopus_api_url = "https://my-instance.octopus.app" +octopus_grpc_url = "my-instance.octopus.app:443" +octopus_api_key = "API-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # sensitive +octopus_space_id = "Spaces-1" + +# List of environment slugs or IDs to associate with this gateway. +octopus_environments = ["production", "staging"] + +# Set to true only when Octopus runs without TLS on its gRPC port (dev only). +octopus_grpc_plaintext = false + +# ─── Gateway ────────────────────────────────────────────────────────────────── +gateway_namespace = "octopus-argocd-gateway" +gateway_name = "my-argocd-gateway" +gateway_chart_version = "1.18.0" +``` From f6d8dc6a2b90ddf6068e502fbc40df335c8d8745 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 16:54:34 +1000 Subject: [PATCH 02/26] fixed lint errors --- .../docs/argo-cd/instances/automated-installation.md | 1 + .../docs/argo-cd/instances/terraform-bootstrap.md | 11 ++++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md index da22660fe4..a573da8ecf 100644 --- a/src/pages/docs/argo-cd/instances/automated-installation.md +++ b/src/pages/docs/argo-cd/instances/automated-installation.md @@ -146,4 +146,5 @@ destination: server: https://kubernetes.default.svc namespace: octopus-argo-gateway-your-namespace ``` + the `serverAccessTokenSecretName/Key` and `authenticationTokenSecretName/Key` should match the Secret names and keys that contain the respective tokens, and those secret need to exist in the cluster. diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index 191605ab3f..ad595582d0 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
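Review bot: The comment above `resource "helm_release" "gateway"` in the gateway listing says secrets are used "to avoid storing credentials in Terraform state", but `kubernetes_secret.octopus_api_key` sets `OCTOPUS_SERVER_ACCESS_TOKEN = var.octopus_api_key`, and the kubernetes provider records a secret's `data` in state; `sensitive = true` on the variable only redacts CLI output. I would reword it to `# Keeps credentials out of Helm values and release history; the Octopus API key is still written to Terraform state, so use an encrypted, access-controlled backend.` Separately, the token listing runs `argocd account generate-token --account admin` with no expiry while the Argo CD listing maps admin to `role:admin`, so the gateway ends up holding a non-expiring full-admin credential. The guide should either recommend a dedicated Argo CD account scoped to what the gateway needs or state that the example trades least privilege for brevity.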
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md @@ -12,9 +12,8 @@ When provisioning a new cluster, it is possible to install Argo CD along with th Here is a simplified example to make this happen: - -| File | Purpose | -|-|-| +| File | Purpose | +| - | - | | [providers.tf](#providers) | Terraform + kubernetes, helm, null, time providers | | [variables.tf](#variables) | All inputs — kubeconfig, Argo CD URLs, Octopus credentials, gateway config | | [argocd.tf](#argocd) | Installs Argo CD via Helm; enables apiKey,login on the admin account | @@ -24,6 +23,7 @@ Here is a simplified example to make this happen: | [terraform.tfvars.example](#terraform-tfvars) | Copy → terraform.tfvars and fill in | + ```yaml # providers.yaml terraform { @@ -63,6 +63,7 @@ provider "helm" { ``` + ```yaml # variables.yaml # ─── Kubernetes ─────────────────────────────────────────────────────────────── @@ -162,6 +163,7 @@ variable "gateway_chart_version" { ``` + ```yaml # argocd.yaml locals { @@ -215,6 +217,7 @@ resource "time_sleep" "wait_for_argocd" { ``` + ```yaml # argocd-token.yaml locals { @@ -305,6 +308,7 @@ resource "null_resource" "argocd_token" { ``` + ```yaml # gateway.yaml resource "kubernetes_namespace" "gateway" { @@ -389,6 +393,7 @@ resource "helm_release" "gateway" { ``` + ```yaml # outputs.yaml output "argocd_namespace" { From 5250c923c3e64c0c961a50d5860825a32e495c57 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 2 Mar 2026 16:55:03 +1000 Subject: [PATCH 03/26] fixed spelling --- src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md index ad595582d0..09ffcb60f3 100644 --- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md +++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md 
@@ -3,7 +3,7 @@ layout: src/layouts/Default.astro
 pubDate: 2025-09-15
 modDate: 2026-01-20
 title: Terraform Bootstrap
-description: How to bootstrap Argo CD + Argo CD Gateway using Gerraform
+description: How to bootstrap Argo CD + Argo CD Gateway using Terraform
 navOrder: 10
 hideInThisSectionHeader: true
 ---
From caaf0cb9dbf70b2accb7b8366ea375f04fb1edb7 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 17:00:57 +1000
Subject: [PATCH 04/26] fixed lint
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 09ffcb60f3..3fbb7d6555 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -423,6 +423,7 @@ output "get_argocd_token" { ``` + ```yaml # terraform.tfvars.example # Copy this file to terraform.tfvars and fill in the values.
From 956467e4a3620c7c4a25fdda41baabc6f98de945 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:04:03 +0200
Subject: [PATCH 05/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 3fbb7d6555..cf18064f3f 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -1,6 +1,6 @@
 ---
 layout: src/layouts/Default.astro
-pubDate: 2025-09-15
+pubDate: 2026-03-02
 modDate: 2026-01-20
 title: Terraform Bootstrap
 description: How to bootstrap Argo CD + Argo CD Gateway using Terraform
From 45df8a4d1117fdc855cef293e600e826152f9e70 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:04:11 +0200
Subject: [PATCH 06/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index cf18064f3f..461a6dcff5 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -1,7 +1,7 @@
 ---
 layout: src/layouts/Default.astro
 pubDate: 2026-03-02
-modDate: 2026-01-20
+modDate: 2026-03-02
 title: Terraform Bootstrap
 description: How to bootstrap Argo CD + Argo CD Gateway using Terraform
 navOrder: 10
From d581dcf90eb6f26641f9c490ee29d4c75e65e53e Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:04:17 +0200
Subject: [PATCH 07/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 461a6dcff5..e3cc1fe91b 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -5,7 +5,6 @@ modDate: 2026-03-02 title: Terraform Bootstrap description: How to bootstrap Argo CD + Argo CD Gateway using Terraform navOrder: 10 -hideInThisSectionHeader: true --- When provisioning a new cluster, it is possible to install Argo CD along with the Argo CD Gateway using terraform. In order to do that, you need to create an Argo CD token, and inject it to the Argo CD Gateway installation.
From 0bf6fc5e7112c506539dece9f63adb1bee07a2ff Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:04:26 +0200
Subject: [PATCH 08/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index e3cc1fe91b..8179117025 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -21,7 +21,7 @@ Here is a simplified example to make this happen: | [outputs.tf](#outputs) | Useful one-liners and resource references | | [terraform.tfvars.example](#terraform-tfvars) | Copy → terraform.tfvars and fill in | - +## Providers ```yaml # providers.yaml
From 0f5f7e0e9bfe4c03790ee11319b8bd438b336275 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:04:33 +0200
Subject: [PATCH 09/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 8179117025..10a1fdf67c 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -61,7 +61,7 @@ provider "helm" { } ``` - +## Variables ```yaml # variables.yaml
From 3f2a60e5be87adb028c33ebba55099bcd0adb242 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:06:07 +0200
Subject: [PATCH 10/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 10a1fdf67c..2b383e2057 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -161,7 +161,7 @@ variable "gateway_chart_version" { } ``` - +## Argo CD ```yaml # argocd.yaml
From e32d7571d62d1bfd168255cd87c2b54a9f44525f Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:06:17 +0200
Subject: [PATCH 11/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 2b383e2057..ea5639e549 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -15,7 +15,7 @@ Here is a simplified example to make this happen:
 | - | - |
 | [providers.tf](#providers) | Terraform + kubernetes, helm, null, time providers |
 | [variables.tf](#variables) | All inputs — kubeconfig, Argo CD URLs, Octopus credentials, gateway config |
-| [argocd.tf](#argocd) | Installs Argo CD via Helm; enables apiKey,login on the admin account |
+| [argocd.tf](#argo-cd) | Installs Argo CD via Helm; enables apiKey,login on the admin account |
 | [argocd-token.tf](#argocd-token) | Generates the Argo CD API key via the CLI and stores it in a k8s secret |
 | [gateway.tf](#gateway) | Creates Octopus API key secret; installs the gateway Helm chart |
 | [outputs.tf](#outputs) | Useful one-liners and resource references |
From 6435517635fc4544c30edc091fc783d0d7c239e7 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:06:25 +0200
Subject: [PATCH 12/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index ea5639e549..34d6409430 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -16,7 +16,7 @@ Here is a simplified example to make this happen:
 | [providers.tf](#providers) | Terraform + kubernetes, helm, null, time providers |
 | [variables.tf](#variables) | All inputs — kubeconfig, Argo CD URLs, Octopus credentials, gateway config |
 | [argocd.tf](#argo-cd) | Installs Argo CD via Helm; enables apiKey,login on the admin account |
-| [argocd-token.tf](#argocd-token) | Generates the Argo CD API key via the CLI and stores it in a k8s secret |
+| [argocd-token.tf](#argo-cd-token) | Generates the Argo CD API key via the CLI and stores it in a k8s secret |
 | [gateway.tf](#gateway) | Creates Octopus API key secret; installs the gateway Helm chart |
 | [outputs.tf](#outputs) | Useful one-liners and resource references |
 | [terraform.tfvars.example](#terraform-tfvars) | Copy → terraform.tfvars and fill in |
From e7ebdeca119c61ed3ccf63ea48c6bee3364ce29e Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:06:32 +0200
Subject: [PATCH 13/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 34d6409430..8bcacfd2d7 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -215,7 +215,7 @@ resource "time_sleep" "wait_for_argocd" { } ``` - +## Argo CD Token ```yaml # argocd-token.yaml
From 6fb881dc76654a1d917c97fa48f153876c8cc104 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:06:40 +0200
Subject: [PATCH 14/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 8bcacfd2d7..6e1d075b94 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -306,7 +306,7 @@ resource "null_resource" "argocd_token" { } ``` - +## Gateway ```yaml # gateway.yaml
From db6f4fbb5a48726fe569b77990b12f25784ec4f9 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:06:58 +0200
Subject: [PATCH 15/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 6e1d075b94..966bf36d04 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -391,7 +391,7 @@ resource "helm_release" "gateway" { } ``` - +## Outputs ```yaml # outputs.yaml
From e03a9f8e060e17e6cbb17e566e17eeac0ed82492 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 10:07:47 +0200
Subject: [PATCH 16/26] Update src/pages/docs/argo-cd/instances/terraform-bootstrap.md
Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com>
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 966bf36d04..c8a4f6e642 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -421,7 +421,7 @@ output "get_argocd_token" { } ``` - +## Terraform tfvars ```yaml # terraform.tfvars.example
From 55bf20913f02d41d130263e0ae804c800e346df1 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Mon, 2 Mar 2026 18:19:36 +1000
Subject: [PATCH 17/26] finxed lint
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index c8a4f6e642..962baa4fd3 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -391,7 +391,7 @@ resource "helm_release" "gateway" { } ``` -## Outputs +## Outputs ```yaml # outputs.yaml
From 0ccccc385bb7cd17e428553e83c07924a7de88ec Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Tue, 3 Mar 2026 09:39:00 +1000
Subject: [PATCH 18/26] fix: update automated installation instructions for Argo CD Gateway
- Update modification date to March 3, 2026.
- Revise installation steps to include namespace creation and token generation.
- Provide detailed YAML configuration for Argo CD application.
---
 .../instances/automated-installation.md | 83 ++++++++++++-------
 1 file changed, 53 insertions(+), 30 deletions(-)
diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md
index a573da8ecf..76a2a09917 100644
--- a/src/pages/docs/argo-cd/instances/automated-installation.md
+++ b/src/pages/docs/argo-cd/instances/automated-installation.md
@@ -1,7 +1,7 @@
 ---
 layout: src/layouts/Default.astro
 pubDate: 2025-09-15
-modDate: 2026-01-20
+modDate: 2026-03-03
 title: Automated Installation
 description: Install Argo CD instances via scripting or IAC
 navOrder: 10
@@ -117,34 +117,57 @@ The Octopus-Argo Gateway's helm chart can be installed via an Argo CD Applicatio
 The application YAML required to install the helm chart is as follows (replacing values as per previous examples):
-```yaml
-project: default
-source:
- repoURL: registry-1.docker.io/octopusdeploy
- chart: octopus-argocd-gateway-chart
- targetRevision: 1.18.0
- helm:
- valuesObject:
- registration:
- octopus:
- name:
- serverApiUrl: https://your-instance.octopus.app
- serverAccessTokenSecretName: octopus-server-access-token
- serverAccessTokenSecretKey: OCTOPUS_SERVER_ACCESS_TOKEN
- spaceId: Spaces-1
- gateway:
- octopus:
- serverGrpcUrl: grpc://your-instance.octopus.app:8443
- argocd:
- serverGrpcUrl: grpc://argocd-server.argocd.svc.cluster.local
- authenticationTokenSecretName: argocd-auth-token
- authenticationTokenSecretKey: ARGOCD_AUTH_TOKEN
- autoUpdate:
- # should be disabled, otherwise the auto-update job will keep trying to update the instance, while argo cd syncs it back to original state
- enabled: false
-destination:
- server: https://kubernetes.default.svc
- namespace: octopus-argo-gateway-your-namespace
-```
+1. Create the namespace
+
+ ```shell
+ kubectl create ns octopus-argo-gateway-your-namespace
+ ```
+2. Generate Argo CD Authentication Token
+ 2.1. Follow the instructions on the [Argo CD Authentication](argo-user) guide
+ 2.2. Save the token in a secret
+
+ ```shell
+ kubectl create secret generic argocd-auth-token -n octopus-argo-gateway-your-namespace --from-literal=ARGOCD_AUTH_TOKEN=
+ ```
+
+3. Generate Octopus Deploy Api-Key
+ 3.1. Follow the instreuctions on the [How to Create an API Key](/docs/octopus-rest-api/how-to-create-an-api-key) guide
+ 3.2. Save the token in a secret
+
+ ```shell
+ kubectl create secret generic octopus-server-access-token -n octopus-argo-gateway-your-namespace --from-literal=OCTOPUS_SERVER_ACCESS_TOKEN=
+ ```
+
+4. Apply the Argo CD application (or commit this manifest to your git-ops repository already synced by Argo CD)
+
+ ```yaml
+ project: default
+ source:
+ repoURL: registry-1.docker.io/octopusdeploy
+ chart: octopus-argocd-gateway-chart
+ targetRevision: 1.18.0
+ helm:
+ valuesObject:
+ registration:
+ octopus:
+ name:
+ serverApiUrl: https://your-instance.octopus.app
+ serverAccessTokenSecretName: octopus-server-access-token
+ serverAccessTokenSecretKey: OCTOPUS_SERVER_ACCESS_TOKEN
+ spaceId: Spaces-1
+ gateway:
+ octopus:
+ serverGrpcUrl: grpc://your-instance.octopus.app:8443
+ argocd:
+ serverGrpcUrl: grpc://argocd-server.argocd.svc.cluster.local
+ authenticationTokenSecretName: argocd-auth-token
+ authenticationTokenSecretKey: ARGOCD_AUTH_TOKEN
+ autoUpdate:
+ # should be disabled, otherwise the auto-update job will keep trying to update the instance, while argo cd syncs it back to original state
+ enabled: false
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: octopus-argo-gateway-your-namespace
+ ```
 the `serverAccessTokenSecretName/Key` and `authenticationTokenSecretName/Key` should match the Secret names and keys that contain the respective tokens, and those secret need to exist in the cluster.
From 09203cb015d146e522f8c37401f7f255bfe32b5c Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Tue, 3 Mar 2026 10:09:09 +1000
Subject: [PATCH 19/26] fix: update RBAC policy for Octopus user to include sync permissions
---
 src/pages/docs/argo-cd/instances/argo-user.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/argo-user.md b/src/pages/docs/argo-cd/instances/argo-user.md
index 866e6c9e61..9d6be53e0d 100644
--- a/src/pages/docs/argo-cd/instances/argo-user.md
+++ b/src/pages/docs/argo-cd/instances/argo-user.md
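Review bot: Steps 2.2 and 3.2 of the added list pass the token to `kubectl create secret` with `--from-literal=...`, which leaves the Argo CD token and the Octopus API key in shell history and in the process list while the command runs. Reading the value from a file avoids that, for example `kubectl create secret generic argocd-auth-token -n octopus-argo-gateway-your-namespace --from-file=ARGOCD_AUTH_TOKEN=./argocd-token.txt` (sample file name), with a sentence telling readers to write the file without a trailing newline and to delete it afterwards. The value after `=` also appears empty as shown here; if that is not an artefact of how the patch is displayed, the placeholder the reader must replace should be spelled out.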
@@ -62,7 +62,7 @@ With the user created, an RBAC policy must be created allowing the new user to a
 The RBAC policies are stored within the `argocd-rbac-cm` configmap.
-The following shows an Octopus user which has read only access to all applications, cluster and log data.
+The following shows an Octopus user which has read only access to all applications, cluster and log data, and sync permissions for applications.
 ```yaml
 apiVersion: v1
From b0678bbeca2b1918f00f6da9b2fc0841fb5c6ad9 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Tue, 3 Mar 2026 10:09:16 +1000
Subject: [PATCH 20/26] fix: update Argo CD installation to use dedicated Octopus service account
Create a dedicated "octopus" service account with API key capability and necessary permissions for Octopus Deploy. This change ensures that the admin account retains login-only access, allowing the bootstrap script to generate the octopus token without interactive login requirements.
---
 .../argo-cd/instances/terraform-bootstrap.md | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 962baa4fd3..0ddb1c2eb5 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -178,8 +178,9 @@ resource "kubernetes_namespace" "argocd" {
 }
 # Install Argo CD via the official Helm chart.
-# The accounts.admin config enables API key generation for the admin account,
-# which is required for the token generation step in argocd-token.tf.
+# Creates a dedicated "octopus" service account with apiKey capability and the
+# permissions required by Octopus Deploy (applications, clusters, logs).
+# Admin retains login-only access so the bootstrap script can generate the octopus token.
 resource "helm_release" "argocd" {
 name = "argocd"
 repository = null
@@ -191,12 +192,18 @@ resource "helm_release" "argocd" {
 yamlencode({
 configs = {
 cm = {
- # Allow the admin account to generate API keys and log in interactively.
- "accounts.admin" = "apiKey,login"
+ # Dedicated service account for Octopus Deploy — API key only, no interactive login.
+ "accounts.octopus" = "apiKey"
 }
 rbac = {
 "policy.default" = "role:readonly"
- "policy.csv" = "g, admin, role:admin"
+ "policy.csv" = <<-EOT
+ g, admin, role:admin
+ p, octopus, applications, get, *, allow
+ p, octopus, applications, sync, *, allow
+ p, octopus, clusters, get, *, allow
+ p, octopus, logs, get, */*, allow
+ EOT
 }
 }
 })
@@ -229,7 +236,7 @@ locals {
 # 1. Wait for the Argo CD server deployment to be fully ready.
 # 2. Port-forward the Argo CD server locally.
 # 3. Log in with the argocd CLI using the auto-generated admin password.
-# 4. Generate an API key for the admin account.
+# 4. Generate an API key for the octopus account.
 # 5. Store that key in a Kubernetes secret in the gateway namespace.
 #
 # Prerequisites (must be available on the machine running `terraform apply`):
@@ -288,9 +295,9 @@ resource "null_resource" "argocd_token" {
 --insecure \
 --grpc-web
- echo ">>> Generating API token for the admin account..."
+ echo ">>> Generating API token for the octopus account..."
 ARGOCD_TOKEN=$(argocd account generate-token \
- --account admin \
+ --account octopus \
 --insecure \
 --grpc-web)
From 389d6bc65359dbe5f6a0139fcdb41799f466b964 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Tue, 3 Mar 2026 10:11:59 +1000
Subject: [PATCH 21/26] removed comment
---
 src/pages/docs/argo-cd/instances/automated-installation.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md
index 76a2a09917..97ffb80348 100644
--- a/src/pages/docs/argo-cd/instances/automated-installation.md
+++ b/src/pages/docs/argo-cd/instances/automated-installation.md
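Review bot: The new `policy.csv` rule `p, octopus, applications, sync, *, allow` uses a wildcard object, so the API key stored for the gateway can trigger a sync of every application in every Argo CD project, not only the ones Octopus deploys. Where the gateway manages only some projects, the guide should show the object scoped to them, e.g. `p, octopus, applications, sync, <project>/*, allow` (placeholder project name), and treat the `applications, get` rule the same way. A comment above the heredoc such as `# Scope these rules to the projects Octopus manages; "*" grants access to all of them.` would make the trade-off visible to readers who copy the block. The `helm_release` block starts and ends outside this hunk.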
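Review bot: `argocd account generate-token --account octopus` in the `-288,9 +295,9` hunk is called without `--expires-in`, so the token written to the Kubernetes secret never expires and stays valid until someone revokes it by hand. Consider an expiry such as `--expires-in 2160h` (sample value) together with a documented rotation step that re-runs the `null_resource`, or at least a sentence in the guide on how to revoke and re-issue the token. The provisioner script begins and ends outside this hunk, so a later step may already cover rotation.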
@@ -169,5 +169,3 @@ The application YAML required to install the helm chart is as follows (replacing
 server: https://kubernetes.default.svc
 namespace: octopus-argo-gateway-your-namespace
 ```
-
-the `serverAccessTokenSecretName/Key` and `authenticationTokenSecretName/Key` should match the Secret names and keys that contain the respective tokens, and those secret need to exist in the cluster.
From 7990fd1ddd320c8c71d1576b84b778171b089dbb Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Tue, 3 Mar 2026 10:43:17 +1000
Subject: [PATCH 22/26] feat: deploy Octopus Argo CD Gateway as an Argo CD Application
Add a new resource to deploy the Octopus Argo CD Gateway using Argo CD's application management, allowing Argo CD to manage the Helm lifecycle. This change ensures better integration and management of the gateway installation process.
---
 .../argo-cd/instances/terraform-bootstrap.md | 119 ++++++++++++++++++
 1 file changed, 119 insertions(+)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 0ddb1c2eb5..ce0c686090 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -338,6 +338,122 @@ resource "kubernetes_secret" "octopus_api_key" {
 type = "Opaque"
 }
+# Deploy the Octopus Argo CD Gateway as an Argo CD Application so that Argo CD
+# owns the Helm lifecycle (sync, self-heal, pruning) rather than Terraform/Helm.
+#
+# NOTE: the argoproj.io/v1alpha1 CRD must already be present when Terraform plans
+# this resource. If you are bootstrapping from scratch, run:
+# terraform apply -target=helm_release.argocd -target=time_sleep.wait_for_argocd
+# before running a full `terraform apply`.
+resource "kubernetes_manifest" "gateway_application" {
+ depends_on = [
+ time_sleep.wait_for_argocd,
+ null_resource.argocd_token,
+ kubernetes_namespace.gateway,
+ kubernetes_secret.octopus_api_key,
+ ]
+
+ manifest = {
+ apiVersion = "argoproj.io/v1alpha1"
+ kind = "Application"
+ metadata = {
+ name = "octopus-argocd-gateway"
+ namespace = var.argocd_namespace
+ }
+ spec = {
+ project = "default"
+
+ source = {
+ # OCI chart: repoURL is the registry path, chart is the image name.
+ repoURL = "registry-1.docker.io/octopusdeploy"
+ chart = "octopus-argocd-gateway-chart"
+ targetRevision = var.gateway_chart_version
+
+ helm = {
+ valuesObject = {
+ gateway = {
+ argocd = {
+ # gRPC URL derived automatically from the Argo CD Helm release.
+ serverGrpcUrl = local.argocd_grpc_url
+ # Skip TLS verification if Argo CD is using a self-signed cert.
+ insecure = var.argocd_insecure
+ # Reference the secret created by null_resource.argocd_token.
+ authenticationTokenSecretName = local.argocd_token_secret_name
+ authenticationTokenSecretKey = "ARGOCD_AUTH_TOKEN"
+ }
+ octopus = {
+ serverGrpcUrl = var.octopus_grpc_url
+ plaintext = var.octopus_grpc_plaintext
+ }
+ }
+
+ registration = {
+ octopus = {
+ name = var.gateway_name
+ serverApiUrl = var.octopus_api_url
+ spaceId = var.octopus_space_id
+ environments = var.octopus_environments
+ # Reference the Octopus API key secret created above.
+ serverAccessTokenSecretName = "octopus-server-access-token"
+ serverAccessTokenSecretKey = "OCTOPUS_SERVER_ACCESS_TOKEN"
+ }
+ argocd = {
+ webUiUrl = var.argocd_web_ui_url
+ }
+ }
+
+ autoUpdate = {
+ # should be disabled, otherwise the auto-update job will keep trying to update the instance, while argo cd syncs it back to original state
+ enabled = false
+ }
+ }
+ }
+ }
+
+ destination = {
+ server = "https://kubernetes.default.svc"
+ namespace = var.gateway_namespace
+ }
+
+ syncPolicy = {
+ automated = {
+ prune = true
+ selfHeal = true
+ }
+ syncOptions = ["CreateNamespace=false"]
+ }
+ }
+ }
+}
+```
+
+:::div{.hint}
+**Note**
+In order to deploy the Argo CD Gateway using helm directly, you can re-use the helm provider:
+
+```yaml
+# gateway.yaml
+resource "kubernetes_namespace" "gateway" {
+ metadata {
+ name = var.gateway_namespace
+ }
+}
+
+# Store the Octopus API key as a Kubernetes secret so it is never passed
+# as a plain-text Helm value. The chart reads it via serverAccessTokenSecretName.
+resource "kubernetes_secret" "octopus_api_key" {
+ metadata {
+ name = "octopus-server-access-token"
+ namespace = kubernetes_namespace.gateway.metadata[0].name
+ }
+
+ data = {
+ OCTOPUS_SERVER_ACCESS_TOKEN = var.octopus_api_key
+ }
+
+ type = "Opaque"
+}
+
 # Install the Octopus Argo CD Gateway.
 # The chart is referenced from the published GitHub Pages Helm repository.
 # Both the Argo CD token and the Octopus API key are supplied via existing
@@ -398,6 +514,8 @@ resource "helm_release" "gateway" {
 }
 ```
+:::
+
 ## Outputs
 ```yaml
@@ -466,3 +584,4 @@ gateway_namespace = "octopus-argocd-gateway"
 gateway_name = "my-argocd-gateway"
 gateway_chart_version = "1.18.0"
 ```
+
From e5b2583029f1150dda108dc99e2e02737cb85723 Mon Sep 17 00:00:00 2001
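Review bot: The comment above `kubernetes_secret.octopus_api_key` in the added hint block says the key is "never passed as a plain-text Helm value", but `OCTOPUS_SERVER_ACCESS_TOKEN = var.octopus_api_key` still records the key in the Terraform state in clear text. The guide should say so next to this block and tell readers to keep state in an encrypted, access-controlled backend and to declare the variable with `sensitive = true` (the variable definition is not visible in this hunk, so it may already do this). A comment such as `# NOTE: this value is stored in Terraform state; protect the state backend accordingly.` would cover it.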
From: Noam Gal
Date: Tue, 3 Mar 2026 10:53:26 +1000
Subject: [PATCH 23/26] fixed lint
---
 src/pages/docs/argo-cd/instances/automated-installation.md | 1 +
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md
index 97ffb80348..f3af70bfa1 100644
--- a/src/pages/docs/argo-cd/instances/automated-installation.md
+++ b/src/pages/docs/argo-cd/instances/automated-installation.md
@@ -122,6 +122,7 @@ The application YAML required to install the helm chart is as follows (replacing
 ```shell
 kubectl create ns octopus-argo-gateway-your-namespace
 ```
+
 2. Generate Argo CD Authentication Token
 2.1. Follow the instructions on the [Argo CD Authentication](argo-user) guide
 2.2. Save the token in a secret
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index ce0c686090..44288e0299 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -584,4 +584,3 @@ gateway_namespace = "octopus-argocd-gateway"
 gateway_name = "my-argocd-gateway"
 gateway_chart_version = "1.18.0"
 ```
-
From 8c763f3fac0086a477b70ef9dae3695b8501be45 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Tue, 3 Mar 2026 11:33:11 +1000
Subject: [PATCH 24/26] fixed broken link
---
 src/pages/docs/argo-cd/instances/automated-installation.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md
index f3af70bfa1..5a2d7148bc 100644
--- a/src/pages/docs/argo-cd/instances/automated-installation.md
+++ b/src/pages/docs/argo-cd/instances/automated-installation.md
@@ -124,7 +124,7 @@ The application YAML required to install the helm chart is as follows (replacing
 ```
 2. Generate Argo CD Authentication Token
- 2.1. Follow the instructions on the [Argo CD Authentication](argo-user) guide
+ 2.1. Follow the instructions on the [Argo CD Authentication](/docs/argo-cd/instances/argo-user.md) guide
 2.2. Save the token in a secret
 ```shell
From 0481e4b5e862103f5e056ead12a9631f5e1717bf Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Tue, 3 Mar 2026 11:34:50 +1000
Subject: [PATCH 25/26] fixed broken link
---
 src/pages/docs/argo-cd/instances/automated-installation.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/docs/argo-cd/instances/automated-installation.md b/src/pages/docs/argo-cd/instances/automated-installation.md
index 5a2d7148bc..957e98a713 100644
--- a/src/pages/docs/argo-cd/instances/automated-installation.md
+++ b/src/pages/docs/argo-cd/instances/automated-installation.md
@@ -124,7 +124,7 @@ The application YAML required to install the helm chart is as follows (replacing
 ```
 2. Generate Argo CD Authentication Token
- 2.1. Follow the instructions on the [Argo CD Authentication](/docs/argo-cd/instances/argo-user.md) guide
+ 2.1. Follow the instructions on the [Argo CD Authentication](/docs/argo-cd/instances/argo-user) guide
 2.2. Save the token in a secret
 ```shell
From 71e954d17bf33f978402df65734e84bc832fcd32 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Tue, 3 Mar 2026 18:45:12 +1000
Subject: [PATCH 26/26] fix: update modification dates in documentation for consistency
Updated the modification dates in 'argo-user.md' and 'terraform-bootstrap.md' to ensure they reflect the correct timeline. This improves clarity and accuracy in the documentation.
---
 src/pages/docs/argo-cd/instances/terraform-bootstrap.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
index 44288e0299..9ff8fde0de 100644
--- a/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
+++ b/src/pages/docs/argo-cd/instances/terraform-bootstrap.md
@@ -1,7 +1,7 @@
 ---
 layout: src/layouts/Default.astro
-pubDate: 2026-03-02
-modDate: 2026-03-02
+pubDate: 2026-03-03
+modDate: 2026-03-03
 title: Terraform Bootstrap
 description: How to bootstrap Argo CD + Argo CD Gateway using Terraform
 navOrder: 10
@@ -569,7 +569,7 @@ argocd_insecure = false
 # ─── Octopus Deploy ───────────────────────────────────────────────────────────
 octopus_api_url = "https://my-instance.octopus.app"
-octopus_grpc_url = "my-instance.octopus.app:443"
+octopus_grpc_url = "my-instance.octopus.app:8443"
 octopus_api_key = "API-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # sensitive
 octopus_space_id = "Spaces-1"