Run ArgoCD with Istio Service Mesh in a Kubernetes Cluster

It’s been quite a while since I installed Flux CD V2 in my garage Kubernetes lab. As there’s a lot of debate going on between Flux and ArgoCD, I decided to give ArgoCD a go. The other reason to try ArgoCD is that it supports Jsonnet.

With a default installation, ArgoCD uses a self-signed TLS certificate and enforces TLS connections, which means users see a security warning and have to trust the certificate to continue. Since Istio already handles ingress and TLS termination, I would like to enable the Istio sidecar for ArgoCD and run it in HTTP mode.

Here are the steps to configure and install ArgoCD alongside Istio:

Enable Istio Sidecar

I choose to enable automatic Istio sidecar injection for ArgoCD’s namespace.

# create the namespace, by default it's argocd
kubectl create namespace argocd
# turn on istio injection
kubectl label namespace argocd istio-injection=enabled

Install ArgoCD the Normal Way

kubectl apply -n argocd -f

Disable TLS for argocd-server Deployment

This can be done before or after the deployment is applied to the cluster in the above step, e.g. edit the install.yaml before the apply command or use the kubectl edit deployment command afterwards. It would probably be easier with Helm for this tweak.

# UPDATE: in recent versions (mine was 2.5.2)
# kubectl edit cm argocd-cmd-params-cm -n argocd
# and add the server.insecure option under data:
  server.insecure: "true"
# argocd-server reads this ConfigMap at startup, so restart its pod afterwards

# in older versions
# kubectl edit deployment argocd-server -n argocd
# and add the --insecure argument to the argocd-server container
      - command:
        - argocd-server
        args:
        - --insecure
# then save and exit. A new pod with --insecure will start and replace the old one

Ref: argocd-cmd-params-cm

Sample Gateway Schema

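apiVersion: networking.istio.io/v1beta1  # assumed; the apiVersion is not shown in the original
kind: Gateway
metadata:
  name: argocd-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
      - argocd.example.com  # placeholder; the hostname is not shown in the original
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        # argo-cert is a tls secret in istio-system namespace, containing a valid TLS cert for the domain name
        credentialName: argo-cert
    - hosts:
      - argocd.example.com  # placeholder, same host as above
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true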

I use cert-manager and Let’s Encrypt to provision free TLS certificates for my personal projects. For more info please see this.

Sample VirtualService Schema

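apiVersion: networking.istio.io/v1beta1  # assumed; not shown in the original
kind: VirtualService
metadata:
  name: argocd
spec:
  gateways:
    - argocd-gateway
  hosts: [argocd.example.com]  # placeholder; the hostname is not shown in the original
  http:
    - route:
      - destination:
          host: argocd-server
          port:
            number: 80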

If the DNS is already working and pointing to the Istio ingress gateway, I can see ArgoCD in my browser with a valid TLS certificate.
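With server.insecure set, argocd-server speaks plaintext HTTP and relies entirely on the sidecar and the gateway for transport security. The following check is an added example, not part of the original post: it audits objects parsed from `kubectl get ... -o json` for the settings above. The function name and sample objects are hypothetical, and the STRICT PeerAuthentication check is an assumed hardening step the post does not describe (Istio's default mTLS mode is PERMISSIVE).

```python
def audit(namespace, params_cm, gateway, peer_auths):
    """Return findings for an Argo CD + Istio setup.

    Each argument is a dict (or list of dicts) as parsed from
    `kubectl get <kind> ... -o json`.
    """
    findings = []
    insecure = params_cm.get("data", {}).get("server.insecure") == "true"
    labels = namespace.get("metadata", {}).get("labels", {})
    injected = labels.get("istio-injection") == "enabled"
    if insecure and not injected:
        findings.append("server.insecure is set but the namespace lacks "
                        "istio-injection=enabled: plaintext HTTP, no sidecar")
    # PERMISSIVE (the Istio default) still accepts plaintext from non-mesh pods.
    # Only a PeerAuthentication without a workload selector covers the namespace.
    strict = any(pa.get("spec", {}).get("mtls", {}).get("mode") == "STRICT"
                 and "selector" not in pa.get("spec", {})
                 for pa in peer_auths)
    if insecure and not strict:
        findings.append("no namespace-wide STRICT PeerAuthentication: "
                        "the sidecar still accepts plaintext to argocd-server")
    for server in gateway.get("spec", {}).get("servers", []):
        port, tls = server.get("port", {}), server.get("tls", {})
        label = f"gateway port {port.get('number')}"
        if port.get("protocol") == "HTTP" and not tls.get("httpsRedirect"):
            findings.append(f"{label}: HTTP without httpsRedirect")
        if port.get("protocol") == "HTTPS" and not tls.get("credentialName"):
            findings.append(f"{label}: HTTPS without credentialName")
    return findings


# Constructed sample objects (not taken from a real cluster).
NAMESPACE = {"metadata": {"name": "argocd",
                          "labels": {"istio-injection": "enabled"}}}
PARAMS_CM = {"data": {"server.insecure": "true"}}
GATEWAY = {"spec": {"servers": [
    {"port": {"number": 443, "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE", "credentialName": "argo-cert"}},
    {"port": {"number": 80, "protocol": "HTTP"},
     "tls": {"httpsRedirect": True}},
]}}
STRICT_PA = {"spec": {"mtls": {"mode": "STRICT"}}}

if __name__ == "__main__":
    # With no PeerAuthentication supplied, the mTLS finding is reported.
    for finding in audit(NAMESPACE, PARAMS_CM, GATEWAY, []):
        print("FINDING:", finding)
```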

