Managing Multi-Cluster Deployments with ArgoCD: Complete Setup Guide for Kubernetes

Introduction

Managing applications across multiple Kubernetes clusters can be challenging. Whether you're running development, staging, and production environments, or managing geographically distributed clusters, you need a consistent and reliable deployment strategy. ArgoCD, a declarative GitOps continuous delivery tool, provides an elegant solution to this problem.

In this guide, we'll explore how to set up ArgoCD in a single management cluster and use it to deploy applications across multiple Kubernetes clusters. This approach eliminates the need to install ArgoCD in every cluster, simplifying your infrastructure and reducing operational overhead.

Why Multi-Cluster ArgoCD?

The Challenge

Organizations often run multiple Kubernetes clusters for various reasons:

• Environment Separation: Development, staging, and production clusters
• Geographic Distribution: Clusters in different regions for low latency
• Compliance Requirements: Data residency regulations requiring regional clusters
• Resource Isolation: Separating workloads by team or business unit
• High Availability: Active-active or active-passive setups across data centers

Managing deployments across these clusters traditionally requires either:

• Installing separate CD tools in each cluster (expensive and complex)
• Using custom scripts (error-prone and hard to maintain)
• Manual deployments (slow and inconsistent)

The ArgoCD Solution

ArgoCD's multi-cluster capability offers significant advantages:

Centralized Management: Deploy and manage applications across all clusters from a single control plane. You get one dashboard to view the health of applications across your entire infrastructure.

Consistent GitOps Workflow: Use the same Git-based workflow for all clusters. Your Git repository remains the single source of truth, whether deploying to one cluster or ten.

Reduced Infrastructure Costs: Install ArgoCD once in a management cluster instead of maintaining separate instances. This reduces CPU, memory, and storage requirements significantly.

Simplified Operations: Fewer ArgoCD installations mean fewer upgrades, fewer security patches, and less monitoring overhead.

Disaster Recovery: If a workload cluster fails, your ArgoCD instance survives in the management cluster, making recovery easier.

RBAC and Security: Centralized access control and audit logging across all deployments. You can enforce organization-wide policies from one place.

Architecture Overview

In a multi-cluster ArgoCD setup:

1. Management Cluster: Hosts the ArgoCD installation (API server, repository server, application controller)
2. Workload Clusters: Run your applications but don't need ArgoCD installed
3. Git Repository: Stores your application manifests and serves as the source of truth
4. Communication: ArgoCD connects to workload clusters via Kubernetes API using service account tokens

Prerequisites

Before starting, ensure you have:

• Multiple Kubernetes clusters (1.19+)
• kubectl configured with access to all clusters
• helm (v3+) installed
• A wildcard TLS certificate (optional, for HTTPS)
• Administrative access to all clusters

Part 1: Setting Up ArgoCD in the Management Cluster

Step 1: Create Namespace and Prepare TLS

First, create the ArgoCD namespace in your management cluster:

kubectl create namespace argocd 

If you have a wildcard TLS certificate, copy it to the ArgoCD namespace:

kubectl create secret tls tls-ca \ --cert=tls.pem \ --key=tls.key \ - n argocd 

Step 2: Add Helm Repository

helm repo add argo https://argoproj.github.io/argo-helm helm repo update 

Step 3: Configure ArgoCD Values

Create a comprehensive values file for high availability and security: argocd-values.yaml

# argocd-values.yaml global: domain: argocd.yourdomain.com # API Server Configuration server: replicas: 3 # High availability service: type: ClusterIP ingress: enabled: true ingressClassName: nginx hosts: - argocd.yourdomain.com tls: - secretName: wildcard-tls hosts: - argocd.yourdomain.com annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" nginx.ingress.kubernetes.io/ssl-redirect: "true" resources: requests: cpu: 500m memory: 512Mi limits: cpu: 2 memory: 2Gi # Application Controller controller: replicas: 3 # High availability resources: requests: cpu: 500m memory: 512Mi limits: cpu: 2 memory: 2Gi # Repository Server repoServer: replicas: 3 # High availability resources: requests: cpu: 300m memory: 512Mi limits: cpu: 1 memory: 1Gi # Redis for caching redis: enabled: true cluster: enabled: false # Disable Dex (using admin user for simplicity) dex: enabled: false # Configuration configs: cm: admin.enabled: true url: https://argocd.yourdomain.com rbac: policy.csv: | g, system:cluster-admins, role:admin 

Step 4: Install ArgoCD

helm upgrade --install argocd argo/argo-cd \ -n argocd \ -f argocd-values.yaml 

Wait for all pods to be ready:

kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=argocd-server -n argocd --timeout=300s 

Step 5: Access ArgoCD

Get the initial admin password:

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d 

Access the UI at https://argocd.yourdomain.com and log in with:

• Username: admin
• Password: (from the command above)

Important: Change the admin password immediately after first login.

Part 2: Adding Workload Clusters

Now let's add other clusters to ArgoCD. You'll need to repeat these steps for each cluster you want to manage.

Step 1: Create ArgoCD Namespace in Workload Cluster

Please join the workload cluster using SSH or your preferred method

Create the namespace:

kubectl create namespace argocd 

Step 2: Create Service Account and RBAC

This service account allows ArgoCD to manage resources in the workload cluster:

cat <<EOF | kubectl apply -f - apiVersion: v1 kind: ServiceAccount metadata: name: argocd-manager namespace: argocd --- apiVersion: v1 kind: Secret metadata: name: argocd-manager-token namespace: argocd annotations: kubernetes.io/service-account.name: argocd-manager type: kubernetes.io/service-account-token --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: argocd-manager-role rules: - apiGroups: - '*' resources: - '*' verbs: - '*' - nonResourceURLs: - '*' verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: argocd-manager-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: argocd-manager-role subjects: - kind: ServiceAccount name: argocd-manager namespace: argocd EOF 

Security Note: The above RBAC gives full cluster access. In production, you should limit permissions to specific namespaces and resources based on your security requirements.

Step 3: Extract Cluster Credentials

Retrieve the service account token, CA certificate, and API server address:

# Get the service account token TOKEN=$(kubectl get secret argocd-manager-token -n argocd -o jsonpath='{.data.token}' | base64 -d) # Try to get the cluster CA certificate from ca.crt CA_CERT=$(kubectl get secret argocd-manager-token -n argocd -o jsonpath='{.data.ca\.crt}') # Fallback to tls.crt if ca.crt is empty if [ -z "$CA_CERT" ]; then CA_CERT=$(kubectl get secret argocd-manager-token -n argocd -o jsonpath='{.data.tls\.crt}') fi # Get the API server address (adjust to your cluster's master node IP). For an example: 192.168.1.123 API_SERVER="https://YOUR_CLUSTER_MASTER_NODE_IP:6443" # Display values for verification echo "Token: $TOKEN" echo "CA Cert: $CA_CERT" echo "API Server: $API_SERVER" 

Important: The API_SERVER should be the cluster's MASTER NODE IP or VIP (if you have multiple master node) or load balancer address that ArgoCD can reach from the management cluster.

Step 4: Register Cluster in Management Cluster

Switch back to the management cluster:

Create a cluster secret in ArgoCD. Replace the placeholder values with the actual values from Step 3:

cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Secret metadata: name: cluster-dev # Use descriptive names: cluster-dev, cluster-staging, cluster-prod namespace: argocd labels: argocd.argoproj.io/secret-type: cluster type: Opaque stringData: name: dev-cluster # Display name in ArgoCD UI server: "$API_SERVER" config: | { "bearerToken": "$TOKEN", "tlsClientConfig": { "insecure": false, "caData": "$CA_CERT" } } EOF 

Step 5: Verify Cluster Registration

Check that the cluster appears in ArgoCD:

# Using kubectl kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=cluster # Or via ArgoCD CLI (if installed) argocd cluster list # Or check the UI # Navigate to Settings > Clusters in the ArgoCD web interface 

Step 6: Repeat for Additional Clusters

Repeat Steps 1-5 for each additional cluster (staging, production, etc.), using different secret names like cluster-staging, cluster-prod, etc.

Part 3: Deploying Applications

Now that your clusters are registered, you can deploy applications across them.

Example: Deploy to Specific Cluster

Create an Application manifest:

apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: my-app-dev namespace: argocd spec: project: default source: repoURL: https://github.com/your-org/your-repo targetRevision: HEAD path: apps/my-app destination: server: https://YOUR_CLUSTER_MASTER_NODE_IP:6443 # Dev cluster API server namespace: my-app syncPolicy: automated: prune: true selfHeal: true syncOptions: - CreateNamespace=true 

Apply it:

kubectl apply -f my-app-dev.yaml 

Best Practices

Security

1. Limit RBAC Permissions: Use namespace-scoped roles instead of cluster-admin where possible
2. Rotate Tokens: Regularly rotate service account tokens
3. Use Private Repos: Store manifests in private Git repositories with SSH keys or access tokens
4. Enable SSO: Configure Dex with your identity provider for production
5. Network Policies: Restrict network access between clusters

High Availability

1. Run Multiple Replicas: Use at least 3 replicas for ArgoCD components
2. Resource Limits: Set appropriate CPU and memory limits
3. PostgreSQL Replication: Enable database replication for persistence
4. Backup ArgoCD: Regularly backup the PostgreSQL database and cluster secrets

Operations

1. Monitor Health: Set up alerts for application sync failures
2. Use Projects: Organize applications into ArgoCD projects for better access control
3. Implement Progressive Delivery: Use Argo Rollouts for canary and blue-green deployments
4. Tag Releases: Use Git tags for production deployments instead of branches
5. Documentation: Document cluster naming conventions and deployment workflows

Scaling

1. Resource Tuning: Adjust replica counts based on the number of applications
2. Sharding: Use application controller sharding for 1000+ applications
3. Cache Optimization: Configure Redis appropriately for large deployments
4. Cluster Separation: Consider separate ArgoCD instances for dev and prod environments

Troubleshooting

Cluster Connection Issues

If ArgoCD cannot connect to a workload cluster:

# Test connectivity from management cluster kubectl run -it --rm debug --image=alpine --restart=Never -- sh apk add curl curl -k https://<cluster-api-server>:6443 

Check if the API server address is reachable from the management cluster and verify firewall rules.

Application Sync Failures

Check application status:

kubectl get application -n argocd kubectl describe application <app-name> -n argocd 

View detailed sync errors in the ArgoCD UI under the application's sync status.

Performance Issues

If ArgoCD is slow:

1. Increase replica counts
2. Add more resources to controllers
3. Enable Redis cluster mode
4. Implement application controller sharding

Conclusion

Multi-cluster ArgoCD provides a powerful, centralized approach to managing Kubernetes deployments across your entire infrastructure. By installing ArgoCD once and connecting multiple clusters, you achieve:

• Consistent deployment workflows across all environments
• Reduced operational overhead and costs
• Centralized visibility and control
• Simplified disaster recovery
• Better resource utilization

This architecture scales from small teams with a few clusters to enterprises managing hundreds of clusters across multiple regions. Start with the basic setup described in this guide, then gradually adopt advanced features like ApplicationSets, Argo Rollouts, and progressive delivery as your needs grow.

The key to success is maintaining Git as your single source of truth and leveraging ArgoCD's declarative approach to ensure your desired state matches your actual state across all clusters.

Additional Resources

• ArgoCD Official Documentation
• ApplicationSet Documentation
• GitOps Principles
• Argo Rollouts