What is the best approach to use Kong as Ingress for Argocd considering the fact that ssl-passthrough is not an option currently (Ingress Configuration - Argo CD - Declarative GitOps CD for Kubernetes)?
Something similar to Ingress Configuration - Argo CD - Declarative GitOps CD for Kubernetes should be fine.
Our equivalent annotations are a bit different. You’ll set `konghq.com/protocols` on your Ingress, probably with `http,https` on one and `grpc,grpcs` on the other, and `konghq.com/https-redirect-status-code` set to `301` on both.
On your Services, you’ll set `konghq.com/protocol` to `https` on one and `grpcs` on the other (or `http` and `grpc` if you’re terminating TLS at the Kong proxy).
Unfortunately it’s not exactly possible, because there is only one service created during the install of argocd-server providing both http/https and grpc/grpcs. Should I create another service then?
Nonetheless I’ve put together the following working solution based on your guide:
Let’s start with a cert:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: argocd-cert
  namespace: argocd
spec:
  secretName: argocd-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - argocd.example.com
```
Install argocd from the downloaded argocd-install.yaml with the patch you mentioned:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/protocol: "https"
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
```
And create only one ingress for http/https:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-kong-ingress-http
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: kong
    kubernetes.io/tls-acme: "true"
    konghq.com/protocols: "http,https"
    konghq.com/https-redirect-status-code: "301"
spec:
  rules:
    - host: argocd.example.com
      http:
        paths:
          - backend:
              service:
                name: argocd-server
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - argocd.example.com
      secretName: argocd-secret
```
With this setup I could use the `argocd` CLI with the extra flag `--grpc-web` to log in and change the admin password (as in the doc), for example:
```bash
argocd login argocd.example.com --grpc-web
argocd account update-password
```
And the UI is ready to use. Did I miss something? Does this setup have any drawbacks? It seems to me ok at first sight but I haven’t deployed anything complex yet…
Yeah, creating a duplicate of the stock Service for the other protocol label and pointing the GRPC Ingress to that is the only option I can think of there. Probably a bit annoying to manage, but barring the addition of multi-stack services in Kong itself I don’t think there’s any other option.
This discussion works for me, even if it’s not that clean (have to edit/annotate existing services). Great suggestions and code.