Use Argo

GitOps is an approach for managing a system by declaratively describing desired resources’ configurations in Git and using controllers to realize the desired state. You can use GitOps flows with managed control planes running in a Space.

Tip
For general guidance on integrating Upbound with GitOps flows, see GitOps with Control Planes.

Argo

Important

This feature is in preview and is off by default. To enable, set features.alpha.argocdPlugin.enabled=true when installing Spaces:

up space init --token-file="${SPACES_TOKEN_PATH}" "v${SPACES_VERSION}" \
  ...
  --set "features.alpha.argocdPlugin.enabled=true"

Spaces provides an optional plugin to assist with integrating a managed control plane in a Space with Argo CD. You must enable the plugin for the entire Space at Spaces install or upgrade time. The plugin’s job is to propagate the connection details of each managed control plane in a Space to Argo CD. By default, Upbound stores these connection details in a Kubernetes secret named after the control plane. To run Argo CD across multiple namespaces, Upbound recommends enabling the features.alpha.argocdPlugin.useUIDFormatForCTPSecrets flag to use a UID-based format for secret names to avoid conflicts.

On cluster Argo CD

If you are running Argo CD on the same cluster as the Space, run the following to enable the plugin:

up space init --token-file="${SPACES_TOKEN_PATH}" "v${SPACES_VERSION}" \
  --set "account=${UPBOUND_ACCOUNT}" \
  --set "features.alpha.argocdPlugin.enabled=true" \
  --set "features.alpha.argocdPlugin.useUIDFormatForCTPSecrets=true" \
  --set "features.alpha.argocdPlugin.target.secretNamespace=argocd"

helm -n upbound-system upgrade --install spaces \
  oci://xpkg.upbound.io/spaces-artifacts/spaces \
  --version "${SPACES_VERSION}" \
  --set "ingress.host=${SPACES_ROUTER_HOST}" \
  --set "account=${UPBOUND_ACCOUNT}" \
  --set "features.alpha.argocdPlugin.enabled=true" \
  --set "features.alpha.argocdPlugin.useUIDFormatForCTPSecrets=true" \
  --set "features.alpha.argocdPlugin.target.secretNamespace=argocd" \
  --wait

The important flags are:

  • features.alpha.argocdPlugin.enabled=true
  • features.alpha.argocdPlugin.useUIDFormatForCTPSecrets=true
  • features.alpha.argocdPlugin.target.secretNamespace=argocd

The first flag enables the feature and the second indicates the namespace on the cluster where you installed Argo CD.

Be sure to configure Argo after it’s installed.

External cluster Argo CD

If you are running Argo CD on an external cluster from where you installed your Space, you need to provide some extra flags:

up space init --token-file="${SPACES_TOKEN_PATH}" "v${SPACES_VERSION}" \
  --set "account=${UPBOUND_ACCOUNT}" \
  --set "features.alpha.argocdPlugin.enabled=true" \
  --set "features.alpha.argocdPlugin.useUIDFormatForCTPSecrets=true" \
  --set "features.alpha.argocdPlugin.target.secretNamespace=argocd" \
  --set "features.alpha.argocdPlugin.target.externalCluster.enabled=true" \
  --set "features.alpha.argocdPlugin.target.externalCluster.secret.name=my-argo-cluster" \
  --set "features.alpha.argocdPlugin.target.externalCluster.secret.key=kubeconfig"

helm -n upbound-system upgrade --install spaces \
  oci://xpkg.upbound.io/spaces-artifacts/spaces \
  --version "${SPACES_VERSION}" \
  --set "ingress.host=${SPACES_ROUTER_HOST}" \
  --set "account=${UPBOUND_ACCOUNT}" \
  --set "features.alpha.argocdPlugin.enabled=true" \
  --set "features.alpha.argocdPlugin.useUIDFormatForCTPSecrets=true" \
  --set "features.alpha.argocdPlugin.target.secretNamespace=argocd" \
  --set "features.alpha.argocdPlugin.target.externalCluster.enabled=true" \
  --set "features.alpha.argocdPlugin.target.externalCluster.secret.name=my-argo-cluster" \
  --set "features.alpha.argocdPlugin.target.externalCluster.secret.key=kubeconfig" \
  --wait

helm -n upbound-system upgrade --install spaces \
  oci://xpkg.upbound.io/spaces-artifacts/spaces \
  --version "${SPACES_VERSION}" \
  --set "ingress.host=${SPACES_ROUTER_HOST}" \
  --set "account=${UPBOUND_ACCOUNT}" \
  --set "features.alpha.argocdPlugin.enabled=true" \
  --set "features.alpha.argocdPlugin.useUIDFormatForCTPSecrets=true" \
  --set "features.alpha.argocdPlugin.target.secretNamespace=argocd" \
  --set "features.alpha.argocdPlugin.target.externalCluster.enabled=true" \
  --set "features.alpha.argocdPlugin.target.externalCluster.secret.name=my-argo-cluster" \
  --set "features.alpha.argocdPlugin.target.externalCluster.secret.key=kubeconfig" \
  --wait

The extra flags are:

  • features.alpha.argocdPlugin.target.externalCluster.enabled=true
  • features.alpha.argocdPlugin.useUIDFormatForCTPSecrets=true
  • features.alpha.argocdPlugin.target.externalCluster.secret.name=my-argo-cluster
  • features.alpha.argocdPlugin.target.externalCluster.secret.key=kubeconfig

These flags tell the plugin (running in Spaces) where your Argo CD instance is. After you’ve done this at install-time, you also need to create a Secret on the Spaces cluster. This secret must contain a kubeconfig pointing to your Argo CD instance. The secret needs to be in the same namespace as the spaces-controller, which is upbound-system.

Once you enable the plugin and configure it, the plugin automatically propagates connection details for your managed control planes to your Argo CD instance. You can then target the managed control plane and use Argo to sync Crossplane-related objects to it.

Be sure to configure Argo after it’s installed.

Configure Argo

Argo’s default configuration causes it to try to query for resource kinds that don’t exist in managed control planes. You should configure Argo’s general configmap to include the resource group/kinds which make sense in the context of managed control planes. For example, the concept of nodes isn’t exposed in managed control planes.

To configure Argo CD, connect to the cluster where you’ve installed it and edit the configmap:

kubectl edit configmap argocd-cm -n argocd

Adjust the resource inclusions and exclusions under the data field of the configmap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  resource.exclusions: |
    - apiGroups:
      - "*"
      kinds:
      - "*"
      clusters:
      - "*"    
  resource.inclusions: |
    - apiGroups:
      - "*"
      kinds:
      - Provider
      - Configuration
      clusters:
      - "*"

The preceding configuration causes Argo to exclude syncing all resource group/kinds–except Crossplane providers and configurations–for all control planes. You’re encouraged to adjust the resource.inclusions to include the types that make sense for your control plane, such as an XRD you’ve built with Crossplane. You’re also encouraged to customize the clusters pattern to selectively apply these exclusions/inclusions to control planes (for example, control-plane-prod-*).

Upbound
Crafted with love from our globally distributed team.
© 2025 Upbound, Inc.
Product
Upbound
Universal Crossplane
Marketplace
Request Demo
Partner Program
Learn
Documentation
FAQs
Company
About Us
Careers
Blog
Contact Us
More
Terms & Conditions
Privacy Policy