Multi-Tenancy For Argo Workflows And Argo CD At Adobe

Multi-tenancy for Argo Workflows and Argo CD at Adobe

• Adobe's internal developer platform standardizes best practices and consolidates engineering efforts across various internal developer teams while providing a flexible CI/CD experience
• GitOps is an architectural paradigm that deploys defined state to a live state on a running system
• Argo CD is an example of GitOps tooling that supports tracking of Kubernetes manifests in Git and supports their deployment and synchronization to a namespace on a cluster
• Argo Workflows is a workflow engine that can run CI/CD pipelines on a Kubernetes cluster
• Multi-tenancy is achieved through the isolation of each component of developer CI/CD workflows and the restriction of application deployment with Argo CD AppProjects and RBAC

As Adobe onboarded more clients, they switched to using GitHub apps to register repositories due to higher rate limits and reduced client friction. They also looked into limiting individual client ability to overwhelm Argo CD resources and sharding Argo CD operators across different hub clusters to distribute the load as they scaled with more clients.

Argo Workflows and Argo CD are powerful tools, but unifying them under a multi-tenant experience is necessary to run at scale across multiple teams in any large organization. Argo Workflows and Argo CD use different approaches to RBAC and both have different security considerations and available security features. We at Ethos, the Adobe Cloud Platform, have designed an architecture to create a secure multi-tenant CI/CD experience for our developer teams. Join our talk to learn how we achieved multi-tenancy through the isolation of each component of our developer CI/CD workflows, such as building, scanning, pushing, workflow artifacts, workflow secrets, as well as the restriction of application deployment with Argo CD AppProjects and RBAC.