2

We are trying to access the ArgoCD server with the istio ingress gateway but no fate. It is auto redirecting to HTTPS and the page shows the server is not reachable. We have tried various suggestions over the internet but no success yet. Below is our setup. Please help us to resolve this.

Enable istio sidecar injection

kubectl label namespace argocd istio-injection=enabled

Tells argocd-server to start in “insecure mode” refer link

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cmd-params-cm
    app.kubernetes.io/part-of: argocd
data:
  server.insecure: "true"

Patched argocd-server deployment refer link

kubectl patch deployment \
  argocd-server \
  --namespace argocd \
  --type='json' \
  -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": [
  "server",
  "--auth-mode=server"
]}]'

Virtualservice

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argocd-virtual-service
  namespace: argocd
spec:
  hosts:
  - argocd.lumik.com
  gateways:
  - argocd-gateway
  http:
  - route:
    - destination:
        host: argocd-server.argocd.svc.cluster.local
        port:
          number: 80

Istio gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: argocd-gateway
  namespace: argocd
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - argocd.lumik.com
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: argocd-secret
        
    - hosts:
        - argocd.lumik.com
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true

Istio Destination rule refer link

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: argocd-server-dtrl
  namespace: istio-system
spec:
  host: argocd-server.argocd.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
AlecBrooks
Nitin G
  • Try running the argocd service without tls by setting the `--insecure` flag. – Chris Oct 26 '22 at 14:47
  • Hi Chris, thanks for the response, but I believe I have already tried that. Are you talking about setting this flag in the argocd-server deployment under the command section? – Nitin G Oct 26 '22 at 15:13
  • Were you able to test my answer? – Chris Oct 27 '22 at 11:18

3 Answers

0

According to the setup guide you posted and the quickstart manifests on their GitHub, the argo-server is binding to port 2746. There is also a corresponding service for the same port (from their quickstart manifest):

---
apiVersion: v1
kind: Service
metadata:
  name: argo-server
spec:
  ports:
  - name: web
    port: 2746
    targetPort: 2746
  selector:
    app: argo-server

So your VirtualService is pointing to the wrong port (80). You should also see an error about a host:port reference that cannot be found if you run `istioctl analyze --namespace argocd`. You can fix the issue by pointing the VirtualService to the right port:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argocd-virtual-service
  namespace: argocd
spec:
  hosts:
  - argocd.lumik.com
  gateways:
  - argocd-gateway
  http:
  - route:
    - destination:
        host: argocd-server.argocd.svc.cluster.local
        port:
          number: 2746 # port of the argo-server Service manifest
Nitin G
Chris
  • Hello Chris, thanks for your suggestion, but in our case ARGOCD is not binding to port 2746 but to the Ports: 80/TCP, 443/TCP. Therefore changing the ports won't help much – Nitin G Oct 28 '22 at 05:12
  • @NitinGarg Could you please update whether you were able to bring up ArgoCD via Istio GW & VS? I am in the same position. – Sanjeev Apr 20 '23 at 19:14
  • @Sanjeev actually we moved on to some different issue after some time that's why I don't remember whether we were able to do it or not. Please share your inputs if you are able to resolve this with any of the listed answers and I will accept that one as a solution. – Nitin G Apr 22 '23 at 05:02
0

Please try this link, it's a beautiful link describing the issue and solution. Let me know if you still face the issue.

https://pet2cattle.com/2022/03/argocd-redirect-loop

Basically two solutions here:

  • Disable TLS to be handled at the ingress level

server:
  extraArgs:
  - --insecure

  • Enable TLS b/w ingress and argocd nginx server

server:
  ingress:
    enabled: true
    https: true
    annotations:
      kubernetes.io/ingress.class: alb
      alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
      alb.ingress.kubernetes.io/scheme: internal
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/group.name: argocd
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
      # tells the ALB to use HTTPS instead of HTTP towards the backend
      alb.ingress.kubernetes.io/backend-protocol: HTTPS
    hosts:
    - "argocd.pet2cattle.com"

In helm files, set server.ingress.https to true and then add the alb.ingress.kubernetes.io/backend-protocol annotation to tell the ALB to use https instead of http.

0

@NitinGarg. Yes, I have a working solution now. ArgoCD UI is accessible via Istio-GW & VS, without a DestinationRule. I don't think it is required.

Steps: Edit cm argocd-cmd-params-cm -n argocd. Under the data section, set server.insecure: "true"

---
apiVersion: v1
data:
  applicationsetcontroller.enable.leader.election: "false"
  # ... (other keys omitted)
  repo.server: argo-cd-argocd-repo-server:8081
  reposerver.log.format: text
  server.insecure: "true"  # the key being set
  server.log.format: text
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  namespace: argocd
  name: dev-argocd-vs
spec:
  hosts:
    - "argocd1.vyomsoft.lab.tech"
  gateways:
    - istio-ingress-gateway-argo
  http:
    - route:
        - destination:
            host: argo-cd-argocd-server.argocd.svc.cluster.local
            port:
              number: 80
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  namespace: argocd
  name: istio-ingress-gateway-argo
spec:
  selector:
    istio: ingressgateway
    app: istio-ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
      hosts:
        - "argocd1.vyomsoft.lab.tech"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: lab-argocd-tls-ca
      hosts:
        - "argocd1.vyomsoft.lab.tech"
Sanjeev
  • Hey, Sanjeev thanks for posting a solution to this issue. As I said earlier that I moved on from this requirement. Therefore won't be able to test this currently. However, if any other user confirms that it is working then I would be happy to accept your answer :) – Nitin G May 03 '23 at 13:28
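
The checks the answers above turn on (the VirtualService port must exist on the Service, port 80 must redirect to HTTPS, and argocd-server needs server.insecure when the gateway terminates TLS), as an added Python example that is not part of the original posts. The `lint` function, its finding names and the sample manifests are constructed for illustration; the Service ports 80/443 are the ones the asker reports in the comments, and the gateway is assumed to forward plain HTTP to the backend.

```python
# Added example, not from the original posts: lint manifests (already parsed
# into dicts) for an Istio Gateway terminating TLS in front of argocd-server.
# Assumes the gateway forwards plain HTTP (no TLS origination to the backend).
def lint(manifests):
    kinds, findings = {}, []
    for m in manifests:
        kinds.setdefault(m["kind"], []).append(m)
    # Ports each Service exposes, keyed by its cluster-local FQDN.
    exposed = {
        "{name}.{namespace}.svc.cluster.local".format(**s["metadata"]):
            {p["port"] for p in s["spec"]["ports"]}
        for s in kinds.get("Service", [])
    }
    for vs in kinds.get("VirtualService", []):
        for rule in vs["spec"].get("http", []):
            for route in rule.get("route", []):
                host = route["destination"]["host"]
                port = route["destination"]["port"]["number"]
                if host in exposed and port not in exposed[host]:
                    findings.append(f"port-mismatch {host}:{port}")
    servers = [s for g in kinds.get("Gateway", []) for s in g["spec"]["servers"]]
    for s in servers:
        # A plain HTTP listener without httpsRedirect carries logins in clear text.
        if s["port"]["protocol"] == "HTTP" and not s.get("tls", {}).get("httpsRedirect"):
            findings.append(f"plaintext-listener {s['port']['number']}")
    terminates = any(s.get("tls", {}).get("mode") in ("SIMPLE", "MUTUAL") for s in servers)
    insecure = any(
        cm["metadata"]["name"] == "argocd-cmd-params-cm"
        and cm.get("data", {}).get("server.insecure") == "true"
        for cm in kinds.get("ConfigMap", [])
    )
    # argocd-server redirects plain HTTP to HTTPS unless server.insecure is "true".
    if terminates and not insecure:
        findings.append("redirect-loop-risk server.insecure unset")
    return findings

# Constructed sample: Service ports from the asker's comment, route port from answer 1.
def meta(name):
    return {"name": name, "namespace": "argocd"}

SAMPLE = [
    {"kind": "Service", "metadata": meta("argocd-server"), "spec": {"ports": [{"port": 80}, {"port": 443}]}},
    {"kind": "VirtualService", "metadata": meta("argocd-virtual-service"), "spec": {"http": [{"route": [
        {"destination": {"host": "argocd-server.argocd.svc.cluster.local", "port": {"number": 2746}}}]}]}},
    {"kind": "Gateway", "metadata": meta("argocd-gateway"), "spec": {"servers": [
        {"port": {"number": 443, "protocol": "HTTPS"}, "tls": {"mode": "SIMPLE", "credentialName": "argocd-secret"}},
        {"port": {"number": 80, "protocol": "HTTP"}, "tls": {"httpsRedirect": True}}]}},
    {"kind": "ConfigMap", "metadata": meta("argocd-cmd-params-cm"), "data": {}},
]
```

To run it against real files, parse them with a YAML loader first and pass the resulting list of dicts to `lint`.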