It’s been quite a while since I installed Flux CD V2 in my garage Kubernetes lab, as there’s a lot of debate going on between Flux and ArgoCD I decided to give ArgoCD a go. The other reason to try ArgoCD is that it supports Jsonnet.
By default installation, ArgoCD will use self-signed TLS certificate and enforce TLS connection, which means users get to see the security warning and have to trust the certificate to continue. Naturally with Istio handles ingress and TLS termination, I would like to enable Istio sidecar for ArgoCD and run it in HTTP mode.
Here are the steps to configure and install ArgoCD along side with Istio:
Enalbe Istio Sidecar
I choose to enable automatic Istio sidecar injection for ArgoCD’s namespace.
# create the namespace, by default it's argocd kubectl create namespace argocd # turn on istio injection kubectl label namespace argocd istio-injection=enabled
Install ArgoCD the Normal Way
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
Disable TLS for argocd-server Deployment
This can be done before or after the deployment being applied to the cluster in the above step, eg. edit the install.yaml before the apply command or use kubectl edit deployment command afterwards. It may probably be easier if using Helm for this tweak.
# kubectl edit deployment argocd-server # and add --insecure argument ... containers: - command: - argocd-server - args: - --insecure ... # then save and exit. A new pod with --insecure will start and replace the old one
Sample Gateway Schema
apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: argocd-gateway spec: selector: istio: ingressgateway servers: - hosts: - argo.example.com port: name: https number: 443 protocol: HTTPS tls: mode: SIMPLE # argo-cert is a tls secret in istio-system namespace, containing a valid TLS cert for the domain name argo.example.com credentialName: argo-cert - hosts: - argo.example.com port: name: http number: 80 protocol: HTTP tls: httpsRedirect: true
I use cert-manager and let’s encrypt to provision free TLS certificates for my personal projects. For more info please see this.
Sample VirtualService Schema
apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: argocd spec: gateways: - argocd-gateway hosts: - argo.example.com http: - route: - destination: host: argocd-server port: number: 80
If the DNS is already working and pointing to the Istio ingress gateway, I can see ArgoCD in my browser with a valid TLS certificate.