ArgoCD - CloudThinker

Connect your ArgoCD instances to enable Kai (Kubernetes Engineer) to analyze deployments, manage applications, and troubleshoot GitOps workflows.

Supported Platforms

Platform	Support
Self-hosted ArgoCD	All versions
Akuity Platform	Managed ArgoCD service

Setup

Select your ArgoCD platform:

Self-hosted ArgoCD
Akuity Platform

For ArgoCD already running on your cluster.

Get Connection Details

Ensure ArgoCD is accessible. The default port is 8888.Get your host IP address:

hostname -I | awk '{print $1}'

Ensure ArgoCD CLI is installed:

brew install argocd

Generate API Token

Enable apiKey and generate token:

kubectl -n argocd patch configmap argocd-cm --type merge -p '{"data":{"accounts.admin":"apiKey, login"}}'
argocd login <host-ip>:8888 --username admin --password '<password>' --insecure
argocd account generate-token --account admin --insecure

Configure CloudThinker Connection

In CloudThinker, navigate to Connections → ArgoCD and enter:

Base URL: https://<host-ip>:8888
API Token: Token from previous step
TLS Verification: Disable
Read-only Mode: Enable

For managed ArgoCD via Akuity Platform.

Install CLI

Install ArgoCD CLI:

brew install argocd

Install Akuity CLI:

curl -sSL -o /tmp/akuity \
  "https://dl.akuity.io/akuity-cli/$(curl -sL https://dl.akuity.io/akuity-cli/stable.txt)/$(uname)/$(uname -m)/akuity"
chmod +x /tmp/akuity
sudo mv /tmp/akuity /usr/local/bin/akuity

Create Admin Account

In the Akuity Portal:

Navigate to Organization → API Keys → Click Create API Key (role: Owner)
Under your ArgoCD instance → Settings → System Accounts
Click Add Account → Name: admin
Enable both login and apiKey capabilities
Set a password

Generate API Token

argocd login <instance-id>.cd.akuity.cloud --grpc-web \
  --username admin --password '<your-password>'
argocd account generate-token --account admin --grpc-web

Configure CloudThinker Connection

In CloudThinker, navigate to Connections → ArgoCD and enter:

Base URL: https://<instance-id>.cd.akuity.cloud
API Token: Token from previous step
TLS Verification: Enable
Read-only Mode: Enable

Connection Options

Option	Description	Self-hosted	Akuity
TLS Verification	Validate server certificate	Disable	Enable
API Key Setup	Enable `apiKey` capability	Patch `argocd-cm`	Portal UI
CLI Flags	ArgoCD CLI flags	`--insecure`	`--grpc-web`

Required Permissions

The CloudThinker user needs ArgoCD RBAC permissions:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:cloudthinker-readonly, applications, get, */*, allow
    p, role:cloudthinker-readonly, applications, list, */*, allow
    p, role:cloudthinker-readonly, repositories, get, *, allow
    p, role:cloudthinker-readonly, repositories, list, *, allow
    p, role:cloudthinker-readonly, clusters, get, *, allow
    p, role:cloudthinker-readonly, clusters, list, *, allow
    g, cloudthinker-readonly, role:cloudthinker-readonly

Apply:

kubectl apply -f argocd-rbac.yaml

Agent Capabilities

Once connected, Kai can:

Capability	Description
Application Status	View sync status, health state, last sync time
Deployment Analysis	Identify out-of-sync and failed deployments
Repository Insights	Analyze Git repository state and commits
Sync Operations	Trigger manual syncs
Health Monitoring	Track application health

Example Prompts

@kai show me all out-of-sync applications in ArgoCD
@kai analyze deployment failures for the payment service
@kai sync the frontend application to latest commit
@kai check health status of all apps in production
@kai list applications with degraded health

Troubleshooting

Cannot connect to ArgoCD server

Self-hosted: Use host IP (not localhost) in Base URL
Verify port-forward: kubectl port-forward svc/argocd-server -n argocd 8888:443 --address 0.0.0.0
Check firewall rules

401 Unauthorized

Verify API token is correct
Ensure admin has login + apiKey capabilities
Self-hosted: Check argocd-cm ConfigMap patched
Akuity: Check System Account capabilities

Cannot generate API token

Check apiKey capability enabled
Run: argocd account get

TLS certificate errors

Self-hosted: Disable TLS verification
Akuity: Enable TLS verification

Security Best Practices

Read-only access - Use read-only RBAC
Token rotation - Rotate periodically
Network isolation - Restrict server access
Audit logging - Enable ArgoCD audit logs
Least privilege - Grant only get/list

Kai Agent

Kubernetes and GitOps agent

https://mintcdn.com/cloudthinker/aLd-ttc-SCW-aFky/images/icons/kubernetes.svg?fit=max&auto=format&n=aLd-ttc-SCW-aFky&q=85&s=7c03292954ff635a1994623a5c39971b

Kubernetes Connection

Connect clusters

​Supported Platforms

​Setup

​Connection Options

​Required Permissions

​Agent Capabilities

​Example Prompts

​Troubleshooting

​Security Best Practices

​Related