Open-Source Wikis

/

Argo CD

/

Applications

/

argocd-server (API server)

argoproj/argo-cd

argocd-server (API server)

argocd-server is the Argo CD API server. It exposes gRPC, gRPC-Web, REST (via gRPC-Gateway), and serves the React UI from the same process.

Purpose

  • Authenticate users (local accounts, OIDC via Dex, JWT bearer tokens).
  • Authorize requests against Casbin RBAC plus Kubernetes RBAC.
  • Provide gRPC + REST APIs for managing Applications, ApplicationSets, Projects, Repos, Clusters, Accounts, Settings, GPG keys, certificates, and more.
  • Stream logs and pod terminals via WebSockets.
  • Receive Git/registry webhooks and push Application refreshes.
  • Serve the embedded UI on the same listener.

Where it lives

Path Purpose
cmd/argocd-server/commands/argocd_server.go Cobra NewCommand() for the binary; flag parsing and bootstrap.
server/server.go Top-level Server type, request handling, listener setup. ~66 KB.
server/<group>/ One subdirectory per gRPC service group (account, application, applicationset, badge, cluster, project, repository, repocreds, session, settings, version, certificate, gpgkey, notification, deeplinks, extension, logout, metrics, broadcast).
server/server_test.go Server-level tests including auth and routing.
pkg/apiclient/ Auto-generated Go gRPC clients used by the CLI and external integrations.

Service surface

Each subdirectory under server/ is one gRPC service. The proto files are colocated with the implementation, e.g. server/application/application.proto. The major services:

Service group What it covers
application/ The largest API. CRUD on Applications, sync/refresh, manifests, resource tree, logs, terminals (terminal.go, websocket.go).
applicationset/ ApplicationSet CRUD.
project/ AppProject CRUD, project roles, JWT tokens (in cmd/argocd/commands/project_role.go), windows.
repository/, repocreds/, certificate/, gpgkey/ Source registration and credentials.
cluster/ Registered destination clusters.
account/, session/, logout/ Login, password change, JWT tokens.
settings/ Read-only access to the rendered Argo CD settings.
notification/ Self-service notifications subscriptions.
version/ Build/version info.
badge/ The colored sync/health badge SVGs (see server/badge/badge.go).
extension/ The UI extensions proxy (server/extension/extension.go).
deeplinks/ Resource deep-link generation.
broadcast/ Server-Sent Events fan-out for app updates.
metrics/ The Prometheus metrics endpoint (separate listener).
rbacpolicy/ The Casbin RBAC enforcer integration.

How requests flow

graph LR
    Client[CLI / UI / external] --> TLS[TLS Listener]
    TLS --> Mux[gRPC + gRPC-Web + REST mux]
    Mux --> Auth[JWT/Cookie auth - util/session, util/jwt]
    Auth --> RBAC[Casbin RBAC - util/rbac, server/rbacpolicy]
    RBAC --> Service[gRPC service handler]
    Service --> Cache[(Redis cache - util/cache)]
    Service --> K8s[(Kubernetes API)]
    Service --> RepoServer[(repo server)]
    Service --> AppCtrl[(via cache/state from controller)]

Authentication paths:

  • Bearer token / cookie — JWTs signed with the server's secret. See util/jwt/ and util/session/.
  • OIDC / SSO — Dex (running as argocd-dex) brokers external IdPs. Code in util/oidc/oidc.go handles flows; templates in util/oidc/templates.go.
  • Project tokens — JWTs scoped to a project role (see cmd/argocd/commands/project_role.go).
  • Anonymous — controlled by argocd-cm's users.anonymous.enabled.

Authorization is layered:

  1. The HTTP layer extracts the user from the bearer/cookie.
  2. server/rbacpolicy/ evaluates the Casbin policy from argocd-rbac-cm.
  3. The Application service additionally consults the AppProject's roles for finer-grained scopes.

UI hosting

ui/embed.go exports a go:embed filesystem of the prebuilt UI bundle. server/server.go mounts that filesystem under the same listener and rewrites index.html with the --basehref and --rootpath flags.

Webhooks

The server registers webhook handlers from util/webhook/webhook.go for GitHub, GitLab, Bitbucket Server/Cloud, Bitbucket-Cloud, Azure DevOps, and Gitea. On a matching webhook, it scans Applications and triggers refreshes — bypassing the controller's polling cadence.

Configuration surface (selected flags)

The full list is in cmd/argocd-server/commands/argocd_server.go. Highlights:

  • --repo-server, --commit-server, --dex-server — peer addresses.
  • --redis, --redis-compress — cache backend.
  • --insecure, --rootpath, --basehref — TLS and reverse-proxy support.
  • --application-namespaces — list of namespaces from which to pick up Applications (multi-tenant).
  • --otlp-address, --otlp-headers — OpenTelemetry tracing.
  • --enable-gzip, --content-types — HTTP performance and CSP knobs.

Entry points for modification

  • New API method → add to the relevant server/<service>/<service>.proto, regenerate, implement in <service>.go. Update the CLI in cmd/argocd/commands/.
  • New auth method → extend util/session/ and util/jwt/.
  • New webhook provider → extend util/webhook/webhook.go.
  • UI extension → see server/extension/extension.go.

For the underlying API see API. For RBAC see features/sso-and-rbac.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

argocd-server (API server) – Argo CD wiki | Factory