Armory CD-as-as-Service Key Components

Learn about the key components that comprise Armory Continuous Deployment-as-a-Service and how they work together to orchestrate deployments. Remote Network Agent (RNA), Kubernetes permissions, networking requirements, CLI, GitHub Action.

How Armory CD-as-a-Service works

Armory CD-as-a-Service is a platform of cloud-based services that orchestrate app deployments and monitor their progress. These services have API endpoints with which users and non-cloud services interact via HTTPS or gRPC/HTTP2. The Networking section contains details of the endpoints that need to be whitelisted.

Armory CD-as-a-Service contains components that you manage: the CLI, the Remote Network Agent (RNA), and the GitHub Action (GHA). These components communicate with Armory CD-as-a-Service to deploy your apps to your existing infrastructure.

flowchart LR id0<--"REST API"-->id2 id1<--"REST API"-->id2 id2<--"gRPC/HTTP2"-->id3 subgraph outside [External Environments] id0[Armory CD-as-a-Service CLI] id1[Automation Tools
GitHub, Jenkins, GitLab, Spinnaker] end id2{Armory
CD-as-a-Service} subgraph kubernetes [Kubernetes Cluster] id3[Remote Network Agent] end classDef k8s fill:#326de6,stroke:#000000,stroke-width:1px classDef armory fill:#38b5d9,stroke:#000000,stroke-width:1px classDef ext fill:#ffffff,stroke:#000000,stroke-width:1px class kubernetes k8s class id2,id3,id0 armory class outside ext

When you start a deployment from the CLI or the GHA, Armory CD-as-a-Service forwards your deployment request to the designated RNA in your Kubernetes cluster.

You can track the status of a deployment in the Armory CD-as-a-Service UI.

Key components

Remote Network Agent (RNA)

The RNA enables Armory CD-as-a-Service to interact with your Kubernetes clusters and orchestrate deployments without direct network access to your clusters. The RNA that you install in your cluster engages in bidirectional communication with Armory CD-as-a-Service over encrypted, long-lived gRPC/HTTP2 connections. The RNA issues calls to your Kubernetes cluster based on requests from Armory CD-as-a-Service.

Once you install the RNA in your cluster, you don’t need to update it beyond security updates. Deployment logic is encapsulated in server-side services.

Kubernetes permissions for the Remote Network Agent

By default, the RNA is installed with full access to your cluster. At a minimum, the RNA needs permissions to create, edit, and delete all kind objects that you plan to deploy with CD-as-a-Service, in all namespaces to which you plan to deploy. The RNA also requires network access to any monitoring solutions or webhook APIs that you plan to forward through it. You can modify permissions, proxy configurations, custom annotations, labels, or environment variables by modifying the Helm chart’s configurable values.

Command Line Interface (CLI)

Users install the CLI locally. The CLI interacts with Armory CD-as-a-Service via REST API. To deploy an app, the user must either log in using the CLI or pass valid authorization credentials to the deploy command.

GitHub Action (GHA)

You can use the armory/cli-deploy-action to trigger a deployment from your GitHub workflow. The GitHub Action interacts with Armory CD-as-a-Service via REST API. The GHA requires a valid Client ID and Client Secret be passed to the deploy command.

Spinnaker plugin

The Armory Continuous Deployment-as-a-Service Plugin for Spinnaker™ adds new stages to your Armory CD or Spinnaker instance. When you use one of these stages to deploy an app, you can configure how to deploy the stage incrementally by setting percentage thresholds for the deployment. For example, you can deploy the new version of your app to 25% of your target cluster and then wait for a manual judgement or a configurable amount of time. This wait gives you time to assess the impact of your changes. From there, either continue the deployment to the next threshold you set or roll back the deployment.


The following network endpoints are used for communication into Armory CD-as-a-Service:

DNS Port Protocol Description 443 TLS enabled gRPC over HTTP/2
TLS version 1.2
Remote Network Agent Hub connection; Agent Hub routes deployment commands to RNAs and caches data received from them. Agent Hub does not require direct network access to the RNAs since they connect to Agent Hub through an encrypted, long-lived gRPC HTTP2 connection. Agent Hub uses this connection to send deployment commands to the RNA for execution. 443 HTTP over TLS (HTTPS)
TLS version 1.2
Armory REST API; Clients connect to these APIs to interact with Armory CD-as-a-Service. 443 HTTP over TLS (HTTPS)
TLS version 1.2
OIDC Service; The Open ID Connect (OIDC) service is used to authorize and authenticate machines and users. The RNAs, Armory Continuous Deployment (Spinnaker) plugin, and other services all authenticate against this endpoint. The service provides an identity token that can be passed to the Armory API and Agent Hub.

All network traffic is encrypted while in transit.

Encryption in transit is over HTTPS using TLS encryption. When using Armory-provided software for both the client and server, these connections are secured by TLS 1.2. Certain APIs support older TLS versions for clients that do not support 1.2.

Encryption at rest uses AES256 encryption.

What’s next

Last modified May 26, 2023: (49c4d003)