[Yandex Cloud documentation](../../../index.md) > [Yandex Managed Service for Kubernetes](../../index.md) > [Step-by-step guides](../index.md) > Installing applications from Cloud Marketplace > Installing Argo CD

# Installing Argo CD


[Argo CD](https://argo-cd.readthedocs.io) is a declarative GitOps tool for continuous delivery to Kubernetes.

## Getting started {#before-you-begin}

1. If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

   The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

1. [Make sure](../connect/security-groups.md) the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If a rule is missing, [add it](../../../vpc/operations/security-group-add-rule.md).

    {% note warning %}
    
    The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.
    
    {% endnote %}

1. [Install kubect](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [configure it to work with the new cluster](../connect/index.md#kubectl-connect).

## Installation from Yandex Cloud Marketplace {#marketplace-install}

1. In the [management console](https://console.yandex.cloud), select a folder.
1. Navigate to **Managed Service for&nbsp;Kubernetes**.
1. Click the name of your cluster and select the ![image](../../../_assets/console-icons/shopping-cart.svg) **Marketplace** tab.
1. Under **Application available for installation**, select [Argo CD](https://yandex.cloud/en/marketplace/products/yc/argo-cd) and click **Go to install**.
1. Configure the application:
   * **Namespace**: Create a new [namespace](../../concepts/index.md#namespace), e.g., `argo-cd-space`. If you leave the default namespace, Argo CD may work incorrectly.
   * **Application name**: Specify the application name.
1. Click **Install**.
1. Wait for the application status to change to `Deployed`.

## Installation using a Helm chart {#helm-install}

1. [Install Helm](https://helm.sh/docs/intro/install/) v3.8.0 or higher.
1. To install a [Helm chart](https://helm.sh/docs/topics/charts/) with Argo CD, run this command:

   ```bash
   helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/argo/chart/argo-cd \
     --version 7.3.11-2 \
     --untar && \
   helm install \
     --namespace <namespace> \
     --create-namespace \
     argo-cd ./argo-cd/
   ```

   {% note info %}
   
   If you are using a Helm version below 3.8.0, add the `export HELM_EXPERIMENTAL_OCI=1 && \` string at the beginning of the command to enable [Open Container Initiative](https://opencontainers.org/) (OCI) support in the Helm client.
   
   {% endnote %}

   If you set `namespace` to the default namespace, Argo CD may work incorrectly. We recommend specifying a value different from all the existing namespaces, e.g., `argo-cd-space`.

## Access to the application {#application-access}

You can open Argo CD via [localhost](#open-via-localhost), using a [dedicated IP address](#go-to-static-address) through a [Yandex Network Load Balancer](../../../network-load-balancer/index.md), or using a [URL](#open-via-alb) through an L7 [Yandex Application Load Balancer](../../../application-load-balancer/index.md). The first method is easier to configure and does not involve additional costs for load balancers. However, the application is only available through `localhost` as long as port redirection is active and load balancers provide continuous access to Argo CD.

Before you set up access to Argo CD, get the `admin` password:

```bash
kubectl --namespace <namespace> get secret argocd-initial-admin-secret \
  --output jsonpath="{.data.password}" | base64 -d
```

You will need the password to get authenticated in Argo CD.

### Opening the application via localhost {#open-via-localhost}

1. Configure Argo CD port redirection to your local computer:

   ```bash
   kubectl port-forward service/<application_name>-argocd-server \
     --namespace <namespace> 8080:443
   ```

   In the command, specify the application name you set during installation.

1. Go to `https://localhost:8080` and log in with the administrator credentials.

### Opening the application through a dedicated IP address via Network Load Balancer {#go-to-static-address}

1. Save the following specification for creating a `LoadBalancer` type service to a file named `load-balancer.yaml`. This will create you a [Network Load Balancer](../../../network-load-balancer/index.md):

   ```yaml
   apiVersion: v1
   kind: Service
   metadata:
     name: argocd-load-balancer
     namespace: <namespace>
   spec:
     type: LoadBalancer
     ports:
     - port: 443
       name: load-balancer-port-ssl
       targetPort: 8080
     # Selector Kubernetes label used in the Deployment object named <application_name>-argocd-server.
     selector:
       app.kubernetes.io/name: argocd-server
   ```

   In the specification, enter the namespace where you installed Argo CD.

   The specification giving no IP address, the load balancer will get a dynamic public IP address. You can add a field named `spec.loadBalancerIP` and specify a [pre-reserved](../../../vpc/operations/get-static-ip.md) static IP address in it.

   For details on the specification, see [this reference](../../nlb-ref/service.md).

1. Apply the specification and create a network load balancer:

   ```bash
   kubectl apply -f load-balancer.yaml --namespace <namespace>
   ```

1. Get the IP address of the network load balancer you created:

   {% list tabs group=instructions %}

   * Management console {#console}

      1. In the [management console](https://console.yandex.cloud), select the folder the Managed Service for Kubernetes cluster is deployed in.
      1. Navigate to **Network Load Balancer**.

         The **Load balancers** section shows a network load balancer with the `k8s` prefix in its name and the unique Kubernetes cluster ID in its description.

      1. Copy the **IP address** field value for the load balancer of interest.

   {% endlist %}

1. Go to `https://<load_balancer_IP_address>` and log in with the administrator credentials.

### Opening the application using a URL through an Application Load Balancer {#open-via-alb}

1. [Register a public domain zone and delegate your domain](../../../dns/operations/zone-create-public.md).

1. If you already have a certificate for the domain zone, [add its details](../../../certificate-manager/operations/import/cert-create.md) to [Yandex Certificate Manager](../../../certificate-manager/index.md). If not, issue a new Let's Encrypt® certificate and [add](../../../certificate-manager/operations/managed/cert-create.md) it to Certificate Manager.

1. Get the certificate ID:
   
     ```bash
     yc certificate-manager certificate list
     ```
   
     Result:
   
     ```text
     +----------------------+-----------+----------------+---------------------+----------+--------+
     |          ID          |   NAME    |    DOMAINS     |      NOT AFTER      |   TYPE   | STATUS |
     +----------------------+-----------+----------------+---------------------+----------+--------+
     | fpq8diorouhp******** | cert-test |    test.ru     | 2022-01-06 17:19:37 | IMPORTED | ISSUED |
     +----------------------+-----------+----------------+---------------------+----------+--------+
     ```

1. [Configure](../../../application-load-balancer/tools/k8s-ingress-controller/security-groups.md) the security groups required for an L7 Application Load Balancer.

1. [Install the Application Load Balancer ingress controller](alb-ingress-controller.md).

   {% note tip %}
   
   We recommend using the new [Yandex Cloud Gwin](../../../application-load-balancer/tools/gwin/index.md) controller instead of an ALB Ingress controller and Gateway API.
   
   {% endnote %}

1. While you need a `NodePort` service to work with an L7 Application Load Balancer, Argo CD runs a server with a `ClusterIP` service. Change the service type:

   1. Open the file with the `Service` object description:

      ```bash
      kubectl -n <namespace> edit svc <application_name>-argocd-server
      ```

   1. Replace the `type` value with `NodePort`:

        ```yaml
        spec:
          ... 
          type: NodePort
          ...
        ```

1. The L7 Application Load Balancer removes TLS encryption from inbound traffic. To avoid infinite redirection, disable HTTP to HTTPS redirection for Argo CD:

   1. Open the `argocd-cmd-params-cm` configuration file:

      ```bash
      kubectl -n <namespace> edit configmap argocd-cmd-params-cm
      ```

   1. Replace the `server.insecure` value with `true`:

      ```yaml
      data:
        ...
        server.insecure: "true"
        ...
      ```

1. Create a file named `ingress.yaml` and specify the settings for your L7 Application Load Balancer in it:

    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: argocd-ingress
      namespace: argo-cd-space
      annotations:
        ingress.alb.yc.io/subnets: <load_balancer_subnet_ID>
        ingress.alb.yc.io/security-groups: <load_balancer_security_group_ID>
        ingress.alb.yc.io/external-ipv4-address: auto
        ingress.alb.yc.io/group-name: my-ingress-group
    spec:
      tls:
        - hosts:
            - <domain_name>
          secretName: yc-certmgr-cert-id-<TLS_certificate_ID>
      rules:
        - host: <domain_name>
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: argo-cd-argocd-server
                    port:
                      number: 80
    ```

    To learn more about these settings, see [Configuring an L7 Yandex Application Load Balancer using an ingress controller](../../tutorials/alb-ingress-controller.md#create-ingress-and-apps).

1. In the `ingress.yaml` file directory, run this command:

    ```bash
    kubectl apply -f ingress.yaml
    ```

    This will create an `Ingress` resource. The ALB Ingress Controller will use its configuration to automatically deploy your L7 Application Load Balancer.

1. Make sure you created the L7 load balancer by running this command:

    ```bash
    kubectl get ingress argocd-ingress
    ```

    View the command output. If you created the L7 load balancer, its IP address should appear in the `ADDRESS` field:

    ```bash
    NAME            CLASS   HOSTS           ADDRESS        PORTS    AGE
    argocd-ingress  <none>  <domain_name>  51.250.**.***  80, 443  15h
    ```    

1. [Add an A record](../../../dns/operations/resource-record-create.md) to your domain zone. In the **Data** field, specify the public IP address of your L7 Application Load Balancer.

1. Open `https://<domain_name>` in your browser and log in with the administrator credentials.

   {% note info %}
   
   If you cannot access the resource at the specified URL, [make sure](../connect/security-groups.md) the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If a rule is missing, [add it](../../../vpc/operations/security-group-add-rule.md).
   
   {% endnote %}

## Use cases {#examples}

* [Integration with Argo CD](../../tutorials/marketplace/argo-cd.md)

## See also {#see-also}

* [Argo CD documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/)