stolostron · jc-berger · Nov 3, 2025 · Nov 5, 2025 · Nov 13, 2025 · Nov 13, 2025
diff --git a/gitops/gitops_addon_with_argocd.adoc b/gitops/gitops_addon_with_argocd.adoc
@@ -0,0 +1,180 @@
+[#enable-gitops-addon-with-argocd]
+= Enabling {gitops} add-on with _ArgoCD_ agent
+
+Enable the {gitops-short} add-on for `Advanced` pull model with the `ArgoCD` agent to get detailed statuses on the health of your hub clusters, and to simplify your cluster management processes. To enable a GitOps add-on with the `ArgoCD` agent, complete the following sections: 
+
+* <<prerequisites, Prerequisites>>
+* <<enable-argocd-agent, Enabling the _ArgoCD_ agent>>
+* <<verify-installation, Verifying the installation>>
+* <<additional-resources, Additional resources>> 
+
+[#prerequisites]
+== Prerequisites 
+
+* {acm-short} hub cluster installed
+* Managed clusters registered with {acm-short}
+* OpenShift GitOps operator installed on the hub cluster
+* A `Placement` resource to select target managed clusters
+* `ManagedClusterSet` bound to the target namespace
+* OpenShift GitOps operator subscription configured with the `ArgoCD` agent environment 
+* The `ArgoCD` custom resource configured for the `Agent` mode
+
+[#configure-subscriptions-resources]
+== Configuring subscriptions and resources 
+
+To enable the `ArgoCD` agent, you must configure the {gitops-short} operator subscription and the `ArgoCD` custom resource. To configure the necessary subscriptions and resources, complete the following steps:
+
+
+. On the hub cluster only, modify the OpenShift GitOps operator subscription to include the required environment variables:
+
++
+[source,bash]
+----
+oc edit subscription gitops-operator -n openshift-gitops-operator
+----
+
+. Add the following environment variables under `spec.config.env`:
+
++
+[source,yaml]
+----
+spec:
+  config:
+    env:
+    - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
+      value: openshift-gitops
+    - name: ARGOCD_PRINCIPAL_TLS_SERVER_ALLOW_GENERATE
+      value: "false"
+    - name: ARGOCD_PRINCIPAL_REDIS_SERVER_ADDRESS
+      value: openshift-gitops-redis:6379
+----
+
+. Replace the existing `ArgoCD` custom resource with the compatible `Agent` mode configuration:
+
++
+[source,yaml]
+----
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: openshift-gitops
+  namespace: openshift-gitops
+spec:
+  controller:
+    enabled: false
+  argoCDAgent:
+    principal:
+      allowedNamespaces:
+      - '*'
+      auth: mtls:CN=system:open-cluster-management:cluster:([^:]+):addon:gitops-addon:agent:gitops-addon-agent
+      enabled: true
+----
+
+* *Note:* On the hub cluster only, this configuration disables the traditional `ArgoCD` controller and enables the agent principal with mutual TLS authentication.
+
+[#enable-argocd-agent]
+== Enabling _ArgoCD_ agent 
+
+Create a `GitOpsCluster` resource to manage the `ArgoCD` agent add-on deployment. its controller automatically creates the following resources for each managed cluster selected by the `Placement`
+
+The `GitOpsCluster` controller performs the following operations:
+
+* Create and automated PKI management 
+* Creates `ArgoCD` cluster secrets configured for agent mode
+* Deploys the Argo CD Agent on each selected managed cluster
+
+To enable the advanced pull model Argo CD Agent architecture, complete the following steps:
+
+. Create a `GitOpsCluster resource with the `ArgoCD` agent enabled by inputting the following YAML sample: 
+
++
+[source,yaml]
+----
+apiVersion: apps.open-cluster-management.io/v1beta1
+kind: GitOpsCluster
+metadata:
+  name: gitops-agent-clusters
+  namespace: openshift-gitops
+spec:
+  argoServer:
+    argoNamespace: openshift-gitops
+  placementRef:
+    kind: Placement
+    apiVersion: cluster.open-cluster-management.io/v1beta1
+    name: production-clusters
+    namespace: openshift-gitops
+  gitopsAddon:
+    enabled: true
+    argoCDAgent:
+      enabled: true
+----
+
+[#verify-installation]
+== Verifying the installation 
+
+After the `ArgoCD` agent is successfully deployed, verify the advanced `Pull Model` workflow is completed by creating an application on the hub cluster and confirming it works on the managed cluster. 
+
+To verify the necessary installations and resources for successful deployment, complete the following steps:
+
+. Check the `GitOpsCluster` status for specific `Agent` conditions by running the following command:
+
++
+[source,bash]
+----
+oc get gitopscluster gitops-agent-clusters -n openshift-gitops -o jsonpath='{.status.conditions}' | jq
+----
+
+. Confirm that you see the following condition types in the status:
+
++
+* `ArgoCDAgentPrereqsReady` - Agent prerequisites are set up
+* `CertificatesReady` - TLS certificates are signed
+* `ManifestWorksApplied` - CA certificates propagated to managed clusters
+
+. On the hub cluster, create an `ArgoCD` application resource in the managed cluster namespace by inputting the following YAML file: 
+
++
+[source,yaml]
+----
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: guestbook
+  namespace: <managed cluster name>
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+    path: guestbook
+  destination:
+    server: https://<principal-external-ip:port>?agentName=<managed cluster name>
+    namespace: guestbook
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+----
+
+. On the managed cluster, verify that the application resources are deployed by running the following command:
+
++
+[source,bash]
+----
+oc get all -n guestbook
+----
+
+. On the hub cluster, verify the application status is reflected back to you by running the following command:
+
++
+[source,bash]
+----
+oc get application guestbook -n <managed cluster name>
+----
+
+. Confirm that the status shows  `Synced` when the application is successfully deployed.
+
+[#additional-resources]
+== Additional resources 
+
+Continue learning about the {gitops-short} add-on by completing xref:../gitops/gitops_manage_addon.adoc#manage-gitops-addon[Managing the {gitops} add-on].
diff --git a/gitops/gitops_addon_without_argocd.adoc b/gitops/gitops_addon_without_argocd.adoc
@@ -0,0 +1,99 @@
+[#enable-gitops-addon-without-argocd]
+= Enabling {gitops} add-on without the _ArgoCD_ agent
+
+The `Basic` pull model does not include the `ArgoCD` agent, so it gives you a simpler setup for your hub cluster management and only gives you the necessary statuses of the health of your hub clusters. 
+
+To enable a GitOps add-on without the `ArgoCD` agent, complete the following sections: 
+
+* <<prerequisites, Prerequisites>>
+* <<create-gitopscluster-resource, Creating a _GitOpsCluster_ resource>>
+* <<verify-installation, Verifying the installation>>
+* <<additional-resources, Additional resources>> 
+
+[#prerequisites]
+== Prerequisites 
+
+* {acm-short} hub cluster installed
+* Managed clusters registered with {acm-short}
+* OpenShift GitOps operator installed on the hub cluster
+* A `Placement` resource to select target managed clusters
+* `ManagedClusterSet` bound to the target namespace
+
+[#create-gitopscluster-resource]
+== Creating a `GitOpsCluster` resource
+
+To enable basic pull model, create a `GitOpsCluster` resource, its controller automatically creates the following resources for each managed cluster selected by the `Placement` policy: 
+
+* `AddOnDeploymentConfig` resource in the managed cluster namespace
+* `ManagedClusterAddOn` resource in the managed cluster namespace
+
+The {gitops} add-on deploys to each selected managed cluster and installs the following resources:
+
+* OpenShift GitOps operator in the `openshift-gitops-operator` namespace
+* ArgoCD instance in the  `openshift-gitops` namespace
+
+To create a `GitOpsCluster` resource, complete the following steps:
+
+. On your hub cluster, create a `GitOpsCluster` resource to enable the {gitops} add-on:
+
++
+[source,yaml]
+----
+apiVersion: apps.open-cluster-management.io/v1beta1
+kind: GitOpsCluster
+metadata:
+  name: gitops-clusters
+  namespace: openshift-gitops
+spec:
+  argoServer:
+    argoNamespace: openshift-gitops
+  placementRef:
+    kind: Placement
+    apiVersion: cluster.open-cluster-management.io/v1beta1
+    name: all-openshift-clusters
+    namespace: openshift-gitops
+  gitopsAddon:
+    enabled: true
+----
+
+[#verify-installation]
+== Verifying the installation 
+
+To verify the necessary installations and resources for successful deployment, complete the following steps:
+
+. Verify that the `GitOpsCluster` resource has a status for successful deployment by running the following command:  
+
++
+[source,bash]
+----
+oc get gitopscluster gitops-clusters -n openshift-gitops -o yaml
+----
+
+. Verify that  the GitOps add-on controller is working by running the following command: 
+
++
+[source,bash]
+----
+oc get pods -n open-cluster-management-agent-addon
+----
+
+. Verify the OpenShift GitOps operator is working by running the following command: 
+
++
+[source,bash]
+----
+oc get pods -n openshift-gitops-operator
+----
+
+. Verify the Argo CD instance is working by running the following command:
+
++
+[source,bash]
+----
+oc get pods -n openshift-gitops
+----
+
+[#additional-resources]
+== Additional resources 
+
+Continue learning about the {gitops-short} add-on by completing xref:../gitops/gitops_manage_addon.adoc#manage-gitops-addon[Managing the {gitops} add-on].