What is the best approach to use Kong as Ingress for Argocd considering the fact that ssl-passthrough is not an option currently (Ingress Configuration - Argo CD - Declarative GitOps CD for Kubernetes)?
Something similar to Ingress Configuration - Argo CD - Declarative GitOps CD for Kubernetes should be fine.
Our equivalent annotations are a bit different. You’ll set konghq.com/protocols on your Ingress, probably with http,https on one and grpc,grpcs on the other, and konghq.com/https-redirect-status-code set to 301 on both.
On your Services, you’ll set konghq.com/protocol to https on one and grpcs on the other (or http and grpc if you’re terminating TLS at the Kong proxy).
Unfortunately it’s not exactly possible, because there is only one service created during the install of argocd-server providing both http/https and grpc/grpcs. Should I create another service then?
Nonetheless I’ve put together the following working solution based on your guide:
Let’s start with a cert:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: argocd-cert
  namespace: argocd
spec:
  secretName: argocd-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - argocd.example.com
```
install argocd from the downloaded argocd-install.yaml with the patch you mentioned:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/protocol: "https"
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
```
and create only one ingress for http/https:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-kong-ingress-http
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: kong
    kubernetes.io/tls-acme: "true"
    konghq.com/protocols: "http,https"
    konghq.com/https-redirect-status-code: "301"
spec:
  rules:
  - host: argocd.example.com
    http:
      paths:
      - backend:
          service:
            name: argocd-server
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - argocd.example.com
    secretName: argocd-secret
```
with this setup I could use the argocd cli with the extra flag --grpc-web for logging in and change the admin password (as in the doc) for example:
```bash
argocd login argocd.example.com --grpc-web
argocd account update-password
```
And the UI is ready to use. Did I miss something? Does this setup have any drawbacks? It seems to me ok at first sight but I haven’t deployed anything complex yet…
Yeah, creating a duplicate of the stock Service for the other protocol label and pointing the GRPC Ingress to that is the only option I can think of there. Probably a bit annoying to manage, but barring the addition of multi-stack services in Kong itself I don’t think there’s any other option.
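The duplicate-Service approach suggested above, written out as an added example (not posted by anyone in this thread and not taken from the Kong or Argo CD manifests). The Service name, the separate gRPC hostname, the TLS Secret name, and the target port 8080 are assumptions; the annotations are the ones named earlier in the thread.

```yaml
# Added example: names marked "hypothetical" are not from the thread.
# Duplicate of the stock argocd-server Service, annotated for gRPC over TLS.
apiVersion: v1
kind: Service
metadata:
  name: argocd-server-grpc          # hypothetical name
  namespace: argocd
  annotations:
    konghq.com/protocol: "grpcs"    # "grpc" if TLS is terminated at the Kong proxy
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
spec:
  selector:
    app.kubernetes.io/name: argocd-server   # same pods as the stock Service
  ports:
  - name: https
    port: 443
    targetPort: 8080                # assumed: argocd-server's default listen port
---
# Second Ingress carrying only gRPC traffic, pointed at the duplicate Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-kong-ingress-grpc    # hypothetical name
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: kong
    konghq.com/protocols: "grpc,grpcs"
    konghq.com/https-redirect-status-code: "301"
spec:
  rules:
  - host: grpc.argocd.example.com   # assumed separate hostname for CLI traffic
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server-grpc
            port:
              number: 443
  tls:
  - hosts:
    - grpc.argocd.example.com
    secretName: argocd-grpc-tls     # hypothetical Secret name
```

With a native gRPC route like this, the CLI would log in against the gRPC hostname without the --grpc-web flag.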
This discussion works for me, even if it's not that clean (I have to edit/annotate existing services). Great suggestions and code.