ArgoCD Ingress Setup
Prerequisite:
Ingress-Nginx needs to be present in your cluster. The HTTP/HTTPS ingress objects below also rely on the nginx.ingress.kubernetes.io/ssl-passthrough annotation, which only takes effect when the ingress-nginx controller is started with the --enable-ssl-passthrough flag (it is off by default).
Ingress can be configured in a number of ways. I will create multiple ingress objects and hosts:
A- An externally accessible ArgoCD endpoint (required if you use single sign-on with Okta).
[It is possible to set up Okta SSO with a private ArgoCD installation, where the Okta callback URL is the only publicly exposed endpoint.]
B- An internally accessible ArgoCD endpoint (to reach your private Kubernetes cluster and Pods, you need an internal ArgoCD endpoint).
Note: In most cases you will need ArgoCD as an internal access point, and I believe the reason is that your internal team uses ArgoCD to deploy Kubernetes services. This is also true in my use case.
Multiple Ingress Objects And Hosts -
Ingress-Nginx supports only one backend protocol per Ingress object, so the approach here is to define two Ingress objects: one for HTTP/HTTPS and one for gRPC.
HTTP/HTTPS Ingress -
My external Ingress-Nginx (accessible from outside your organization). [* I needed this because I need to use Okta for SSO (SAML with Dex); however, if that is not your use case, do not create it.]
Change-ME [change the below key values as per your infra]:
- ingressClassName, host, path, tls hosts & tls secretName
Note:
> I used the secret that I got from the Let's Encrypt cert secrets and changed the tls hosts secretName.
[You can use any SSL cert; it does not have to be the Let's Encrypt cert.]
tls:
- hosts:
  - argocd-ex.example.com #[Change-ME]
  secretName: argocd-tls #[Change-ME] #["My Let's Encrypt cert secret name"]
> Change the path to "/api/dex/callback" if you are using Okta; otherwise, the path will be "/".
External Ingress-Nginx With Okta Path -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress-external
  namespace: argocd
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: external-nginx #[Change-ME]
  rules:
  - host: argocd-ex.example.com #[Change-ME]
    http:
      paths:
      - path: /api/dex/callback #[SAML (with Dex) SSO setup path]
        pathType: ImplementationSpecific
        backend:
          service:
            name: argocd-server #[your ArgoCD server service name]
            port:
              name: http
  tls:
  - hosts:
    - argocd-ex.example.com #[Change-ME]
    secretName: argocd-tls #["My Let's Encrypt cert secret name"] #[Change-ME]
Internal Ingress-Nginx -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress-internal
  namespace: argocd
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: internal-nginx #[Change-ME]
  rules:
  - host: argocd-in.example.com #[Change-ME]
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: argocd-server #[your ArgoCD server service name]
            port:
              name: https
  tls:
  - hosts:
    - argocd-in.example.com #[Change-ME]
    secretName: argocd-tls #["My Let's Encrypt cert secret name"] #[Change-ME]
gRPC Ingress (used by the CLI) -
Note - If you prefer to forward encrypted traffic to your Pod and terminate TLS at the gRPC server itself, add the ingress annotation nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"; otherwise use nginx.ingress.kubernetes.io/backend-protocol: "GRPC" (the ingress controller then terminates TLS and speaks plaintext gRPC to the Pod).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-grpc-ingress
  namespace: argocd
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "GRPCS" #[Note me]
spec:
  ingressClassName: internal-nginx #[Change-ME]
  rules:
  - host: grpc.argocd.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server #[your ArgoCD server service name]
            port:
              name: https
  tls:
  - hosts:
    - grpc.argocd.example.com
    secretName: argocd-tls #["My Let's Encrypt cert secret name"] #[Change-ME]
You can check your Ingress objects by running the below command -
kubectl get ing -n argocd
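Listing the objects confirms they exist, but not that they still match the exposure rules this setup relies on (the external host exposing only the Dex callback path, every host covered by a TLS entry, the gRPC object carrying a gRPC backend protocol). The script below is an added example of mine, not part of the original post or of the ArgoCD project; it lints the JSON that kubectl get ingress -n argocd -o json prints, and with no piped input it runs against a constructed sample that mirrors the three objects above. The file name lint_argocd_ingress.py, the name-based detection of the external and gRPC objects, and the sample data are all my assumptions.

```python
"""Lint ArgoCD Ingress objects against the exposure rules used in this setup.

Assumed invocation against a live cluster (not from the original post):
    kubectl get ingress -n argocd -o json | python3 lint_argocd_ingress.py
With no piped input it lints the constructed SAMPLE_INGRESS_LIST below.
"""
import copy
import json
import sys

ANN = "nginx.ingress.kubernetes.io/"
# The only path the externally reachable ingress is meant to expose (Okta/Dex callback).
ALLOWED_EXTERNAL_PATHS = {"/api/dex/callback"}


def _ingress(name, ingress_class, host, path, port_name, annotations):
    """Build a minimal Ingress dict shaped like `kubectl get ingress -o json` output."""
    return {
        "metadata": {"name": name, "namespace": "argocd",
                     "annotations": {ANN + k: v for k, v in annotations.items()}},
        "spec": {
            "ingressClassName": ingress_class,
            "rules": [{"host": host, "http": {"paths": [{
                "path": path, "pathType": "ImplementationSpecific",
                "backend": {"service": {"name": "argocd-server",
                                        "port": {"name": port_name}}}}]}}],
            "tls": [{"hosts": [host], "secretName": "argocd-tls"}],
        },
    }


# Constructed sample mirroring the three objects in the post (not pulled from a cluster).
SAMPLE_INGRESS_LIST = {"items": [
    _ingress("argocd-server-ingress-external", "external-nginx", "argocd-ex.example.com",
             "/api/dex/callback", "http",
             {"ssl-passthrough": "true", "backend-protocol": "HTTPS", "force-ssl-redirect": "true"}),
    _ingress("argocd-server-ingress-internal", "internal-nginx", "argocd-in.example.com",
             "/", "https",
             {"ssl-passthrough": "true", "backend-protocol": "HTTPS", "force-ssl-redirect": "true"}),
    _ingress("argocd-server-grpc-ingress", "internal-nginx", "grpc.argocd.example.com",
             "/", "https", {"backend-protocol": "GRPCS"}),
]}

# A deliberately misconfigured copy: the external ingress exposing "/" instead of the callback.
BAD_EXTERNAL_INGRESS = copy.deepcopy(SAMPLE_INGRESS_LIST["items"][0])
BAD_EXTERNAL_INGRESS["spec"]["rules"][0]["http"]["paths"][0]["path"] = "/"


def lint_ingress(ing):
    """Return a list of findings for one Ingress object; an empty list means it passes."""
    findings = []
    meta = ing.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    ann = meta.get("annotations") or {}
    spec = ing.get("spec", {})
    rules = spec.get("rules") or []
    tls = spec.get("tls") or []

    rule_hosts = {r["host"] for r in rules if r.get("host")}
    tls_hosts = {h for t in tls for h in t.get("hosts", [])}
    paths = [p.get("path") for r in rules for p in (r.get("http") or {}).get("paths", [])]

    # 1. ingressClassName is one of the Change-ME keys; without it the object may not be
    #    served by the controller you intended (external vs. internal).
    if not spec.get("ingressClassName"):
        findings.append(f"{name}: ingressClassName missing")

    # 2. Every rule host must have a matching TLS entry, and every TLS entry a secret.
    for host in sorted(rule_hosts - tls_hosts):
        findings.append(f"{name}: host {host} has no tls entry")
    for t in tls:
        if not t.get("secretName"):
            findings.append(f"{name}: tls block without secretName")

    # 3. The externally reachable object may expose only the Dex callback path.
    if "external" in name:
        for p in paths:
            if p not in ALLOWED_EXTERNAL_PATHS:
                findings.append(f"{name}: external ingress exposes {p}")

    # 4. The gRPC object must declare a gRPC backend protocol (GRPC or GRPCS).
    if "grpc" in name:
        proto = ann.get(ANN + "backend-protocol", "")
        if proto.upper() not in {"GRPC", "GRPCS"}:
            findings.append(f"{name}: backend-protocol must be GRPC or GRPCS, got {proto!r}")
    return findings


def lint_all(ingress_list):
    """Lint every item of a `kubectl get ingress -o json` list and collect all findings."""
    return [f for ing in ingress_list.get("items", []) for f in lint_ingress(ing)]


if __name__ == "__main__":
    data = SAMPLE_INGRESS_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    problems = lint_all(data)
    for problem in problems:
        print("FAIL", problem)
    print("OK: all ingress objects pass" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

The non-zero exit status makes the script usable as a gate in the pipeline that applies these manifests, so a later edit that widens the external path from /api/dex/callback to / is caught before it reaches the cluster.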
Now, if you want to set up Single Sign-On [recommended, in my view, using Okta SAML (with Dex)], kindly click the link provided below.
Why SSO - Single sign-on is an authentication process that allows users to securely access multiple related applications or systems using just one set of credentials.
Click Me -
ArgoCD All-in-One Setup Guide.
ArgoCD High Availability (HA) [Production Ready].
ArgoCD Okta Setup. <<<< (the SSO guide referenced above)
I hope you find this article educational and beneficial.
If you enjoy the blog, please give me a Clap : ) and Follow me for more such content.
Your applause motivates me to continue writing such blogs.