From 19690fded208758971b65851d7537b743f9be5b3 Mon Sep 17 00:00:00 2001 From: Travis Leeden Date: Tue, 2 Jun 2026 16:04:41 +1000 Subject: [PATCH 1/2] Added cluster annotation details --- .../docs/argo-cd/instances/aws-managed-argo-cd.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/aws-managed-argo-cd.md b/src/pages/docs/argo-cd/instances/aws-managed-argo-cd.md index 2d4b18ef36..472e8f0bac 100644 --- a/src/pages/docs/argo-cd/instances/aws-managed-argo-cd.md +++ b/src/pages/docs/argo-cd/instances/aws-managed-argo-cd.md @@ -14,6 +14,10 @@ The Argo CD Gateway can be installed into an AWS EKS cluster and connect to an A AWS managed Argo CD instances differ from standard self-hosted installations in the following ways: +### Authentication + +AWS enforces a maximum lifetime of 12 hours for account tokens due to this project role authentication tokens must be used instead. The majority of the APIs that the Argo CD Gateway calls are all project scoped however if the Gateway needs to make a request to an API that is not project scoped it will choose the first available authentication token, if you would like to provide a specific token to be used for these calls you can add it to the value `gateway.argocd.projectAuthentication` using the project name `octo-gateway-unscoped` + ### External URL Standard installations connect to Argo CD using the in-cluster Kubernetes service DNS name (e.g. `argocd-server.argocd.svc.cluster.local`). AWS managed Argo CD instances are not accessible via in-cluster DNS, so the publicly accessible EKS capabilities URL must be used instead. 
@@ -26,13 +30,18 @@ AWS managed Argo CD instances are served with a publicly trusted TLS certificate AWS EKS Argo CD instances are exposed through a load balancer that does not support native gRPC (HTTP/2). The gateway must be configured to use gRPC-Web, which encapsulates gRPC communication over HTTP/1.1, by setting `gateway.argocd.grpcWeb="true"` or `gateway.argocd.grpcWebRootPath="/argo/api"`. +### Cluster annotation + +Project role auth tokens do not have permission to query Argo CD Cluster resources unless they are scoped to the project which means the Gateway won't be able to retrieve the default image registry annotation from the cluster resource. If you need to be able to add this annotation it can be added to the application along side the other Octopus annotations. [See the Cluster annotation doc for more details](/docs/argo-cd/annotations/cluster-annotations) + ## Installation The installation process follows the [standard process](/docs/argo-cd/instances#installing-the-octopus-argo-cd-gateway), with a few adjustments required for AWS managed Argo CD instances. 1. Replace the default value for the Argo CD service DNS name with the publicly accessible URL for the Argo CD instance, without the protocol prefix. For example: `xxxxxxxx.eks-capabilities.ap-southeast-2.amazonaws.com` 2. Uncheck the **Argo CD instance uses self-signed certificates** option -3. Copy the generated Helm command and append the following value: `--set gateway.argocd.grpcWeb="true"`, if your Argo CD instance's API is not hosted at the root path you can set the following value instead: `--set gateway.argocd.grpcWebRootPath="/argo/api"` +3. Append the following value to the generated helm command: `--set gateway.argocd.grpcWeb="true"`, if your Argo CD instance's API is not hosted at the root path you can set the following value instead: `--set gateway.argocd.grpcWebRootPath="/argo/api"` +4. 
Replace `--set gateway.argocd.authenticationToken` with `--set-json gateway.argocd.projectAuthentication=[{"project":"project-1","token":""},{"project":"project-2","token":""}]` The resulting Helm command will look similar to the following: @@ -48,8 +57,8 @@ helm install --atomic \ --set gateway.argocd.serverGrpcUrl="grpc://xxxxxxxx.eks-capabilities..amazonaws.com" \ --set gateway.argocd.insecure="false" \ --set gateway.argocd.plaintext="false" \ ---set gateway.argocd.authenticationToken="" \ --set gateway.argocd.grpcWeb="true" \ +--set-json gateway.argocd.projectAuthentication=[{"project":"project-1","token":""},{"project":"project-2","token":""}] \ \ oci://registry-1.docker.io/octopusdeploy/octopus-argocd-gateway-chart ``` From 723d6bf2ce8510395f5cb8ae327ae54b0392ad54 Mon Sep 17 00:00:00 2001 From: Travis Leeden Date: Wed, 3 Jun 2026 09:24:21 +1000 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Nick Josevski --- src/pages/docs/argo-cd/instances/aws-managed-argo-cd.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/docs/argo-cd/instances/aws-managed-argo-cd.md b/src/pages/docs/argo-cd/instances/aws-managed-argo-cd.md index 472e8f0bac..0fec02a688 100644 --- a/src/pages/docs/argo-cd/instances/aws-managed-argo-cd.md +++ b/src/pages/docs/argo-cd/instances/aws-managed-argo-cd.md 
@@ -16,7 +16,7 @@ AWS managed Argo CD instances differ from standard self-hosted installations in ### Authentication -AWS enforces a maximum lifetime of 12 hours for account tokens due to this project role authentication tokens must be used instead. The majority of the APIs that the Argo CD Gateway calls are all project scoped however if the Gateway needs to make a request to an API that is not project scoped it will choose the first available authentication token, if you would like to provide a specific token to be used for these calls you can add it to the value `gateway.argocd.projectAuthentication` using the project name `octo-gateway-unscoped` +AWS enforces a maximum lifetime of 12 hours for account tokens due to this project role authentication tokens must be used instead. The majority of the APIs that the Argo CD Gateway calls are project-scoped. However, if the Gateway needs to make a request to an API that is not project-scoped it will choose the first available authentication token, if you would like to provide a specific token to be used for these calls you can add it to the value `gateway.argocd.projectAuthentication` using the project name `octo-gateway-unscoped` ### External URL 
@@ -32,7 +32,7 @@ AWS EKS Argo CD instances are exposed through a load balancer that does not supp ### Cluster annotation -Project role auth tokens do not have permission to query Argo CD Cluster resources unless they are scoped to the project which means the Gateway won't be able to retrieve the default image registry annotation from the cluster resource. If you need to be able to add this annotation it can be added to the application along side the other Octopus annotations. [See the Cluster annotation doc for more details](/docs/argo-cd/annotations/cluster-annotations) +Project role auth tokens do not have permission to query Argo CD Cluster resources unless they are scoped to the project. This means the Gateway won't be able to retrieve the default image registry annotation from the cluster resource. If you need to be able to add this annotation it can be added to the application along side the other Octopus annotations. [See the Cluster annotation doc for more details](/docs/argo-cd/annotations/cluster-annotations) ## Installation
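Review bot: In the new Authentication section (PATCH 1/2, hunk at -14,6 +14,10), the fallback "it will choose the first available authentication token" leaves unspecified which project's token is sent to APIs that are not project scoped, so the credential used appears to depend on how `gateway.argocd.projectAuthentication` happens to be ordered. Please state what "first available" means (list order?) and recommend always supplying an `octo-gateway-unscoped` entry, with a sentence on which permissions that token needs, so readers can grant it no more than those calls require.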
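Review bot: Step 4 of the Installation list (PATCH 1/2, hunk at -26,13 +30,18) shows the `--set-json` value unquoted. Pasted into bash or zsh, the double quotes are removed and the `{...,...}` groups are subject to brace expansion, so Helm does not receive the JSON as written. Wrap the whole argument in single quotes, for example `--set-json 'gateway.argocd.projectAuthentication=[{"project":"project-1","token":""}]'`. It would also help to include an `octo-gateway-unscoped` entry in this example, since the Authentication section introduces that project name but no example uses it.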
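Review bot: The example command (PATCH 1/2, hunk at -48,8 +57,8) now places one token per project inline on the `helm install` command line, where they end up in shell history and are visible in the process list while the command runs. Consider documenting a values file passed with `-f` as the preferred way to supply `gateway.argocd.projectAuthentication`, keeping the inline form as the quick-start variant. The added `--set-json` argument in this block is unquoted and should be single-quoted, since this is the text readers copy.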
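Review bot: The reworded Authentication paragraph (PATCH 2/2, hunk at -16,7 +16,7) still opens with a run-on, "account tokens due to this project role authentication tokens must be used instead", and keeps the comma splice before "if you would like". Suggest "AWS enforces a maximum lifetime of 12 hours for account tokens, so project role authentication tokens must be used instead." and a new sentence starting at "If you would like to provide a specific token", with a full stop after `octo-gateway-unscoped`.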
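Review bot: In the Cluster annotation paragraph (PATCH 2/2, hunk at -32,7 +32,7), "unless they are scoped to the project" does not say whether "they" refers to the tokens or the Cluster resources, nor which project is meant, so a reader cannot tell whether their setup is affected. Please name the condition concretely and make "this annotation" explicit as the default image registry annotation. Small fixes while here: "along side" should be "alongside", and the link sentence needs a closing full stop.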