Setting Up an Ingress for ArgoCD: A Step-by-Step Guide

ArgoCD is a powerful GitOps tool for managing Kubernetes applications, but accessing its web interface often requires additional configuration. By default, ArgoCD uses a service accessible only within the cluster. To make it accessible externally, you can configure an Ingress controller. In this article, I’ll walk you through how to set up an Ingress for ArgoCD using Helm and Kubernetes.

Step 1: Install or Upgrade ArgoCD with Custom Values

First, ensure ArgoCD is installed or upgraded with the appropriate configuration to support Ingress. You can extract the default Helm values and modify them:

Upgrade or install ArgoCD using the modified values:

helm upgrade argocd argo/argo-cd -n argocd -f values.yaml

Extract the default Helm values:

helm show values argo/argo-cd > values.yaml

This ensures ArgoCD is configured correctly to work with the Ingress.

Modify the values.yaml file: Enable insecure mode to allow ArgoCD to run without TLS, as the Ingress controller will handle TLS termination. Add the following line:

   ## Server properties
    # -- Run server without TLS
    ## NOTE: This value should be set when you generate params by other 
    means as it changes ports used >
    server.insecure: true

Step 2: Create an Ingress Resource

Next, configure an Ingress resource to route traffic to the argocd-server service.

Create the Ingress configuration file: Save the following YAML as argocd-ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - argocd.example.com
      secretName: argocd-tls
  rules:
    - host: argocd.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: argocd-server
                port:
                  number: 80

Key points:

• annotations: Configures the Ingress for Traefik with TLS enabled.
• tls: Specifies the host and the TLS secret.
• rules: Defines the host and backend service.

Apply the Ingress configuration:

kubectl apply -f argocd-ingress.yaml

Step 3: Configure TLS for Ingress

If TLS is required, ensure that the specified TLS secret exists. You can create it using a certificate and private key:

Create a TLS secret:

kubectl create secret tls argocd-tls -n argocd \
  --cert=/path/to/tls.crt \
  --key=/path/to/tls.key

Replace /path/to/tls.crt and /path/to/tls.key with the paths to your TLS certificate and key.

Verify the secret:

kubectl get secrets -n argocd

Step 4: Retrieve Initial Admin Credentials

Once ArgoCD is accessible through the Ingress, you’ll need the initial admin credentials to log in.

kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d

1. Retrieve the initial admin password:
2. The default username is admin.
3. Navigate to https://argocd.example.com in your browser and log in with the retrieved password.

Step 5: Test Access

1. Open your browser and navigate to the configured URL (e.g., https://argocd.example.com).
2. Verify the TLS certificate if configured.
3. Log in using the credentials retrieved in Step 4.

以上資料來自GPT整理。