Ingress for Argocd

What is the best approach to use Kong as Ingress for Argocd considering the fact that ssl-passthrough is not an option currently (Ingress Configuration - Argo CD - Declarative GitOps CD for Kubernetes)?

Something similar to Ingress Configuration - Argo CD - Declarative GitOps CD for Kubernetes should be fine.

Our equivalent annotations are a bit different. You’ll set konghq.com/protocols on your Ingress, probably with http,https on one and grpc,grpcs on the other, and konghq.com/https-redirect-status-code set to 301 on both.

On your Services, you’ll set konghq.com/protocol to https on one and grpcs on the other (or http and grpc if you’re terminating TLS at the Kong proxy).

Unfortunately it’s not exactly possible, because there is only one service created during the install of argocd-server providing both http/https and grpc/grpcs. Should I create another service then?

Nonetheless I’ve put together the following working solution based on your guide:

Let’s start with a cert:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: argocd-cert
  namespace: argocd
spec:
  secretName: argocd-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - argocd.example.com

Install argocd from the downloaded argocd-install.yaml with the patch you mentioned:

apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/protocol: "https"
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server

and create only one ingress for http/https:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-kong-ingress-http
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: kong
    kubernetes.io/tls-acme: "true"
    konghq.com/protocols: "http,https"
    konghq.com/https-redirect-status-code: "301"
spec:
  rules:
  - host: argocd.example.com
    http:
      paths:
      - backend:
          service:
            name: argocd-server
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - argocd.example.com
    secretName: argocd-secret

With this setup I could use the argocd cli with the extra flag --grpc-web for logging in and changing the admin password (as in the doc), for example:

argocd login argocd.example.com --grpc-web

argocd account update-password

And the UI is ready to use. Did I miss something? Does this setup have any drawbacks? It seems to me ok at first sight but I haven’t deployed anything complex yet…

Yeah, creating a duplicate of the stock Service for the other protocol label and pointing the GRPC Ingress to that is the only option I can think of there. Probably a bit annoying to manage, but barring the addition of multi-stack services in Kong itself I don’t think there’s any other option.

This discussion works for me, even if it is not that clean (I have to edit/annotate existing services). Great suggestions and code.