diff --git a/docs/operator-manual/ingress.md b/docs/operator-manual/ingress.md index d60165e284542..a8387b352f6fd 100644 --- a/docs/operator-manual/ingress.md +++ b/docs/operator-manual/ingress.md @@ -414,6 +414,132 @@ Once we create this service, we can configure the Ingress to conditionally route - argocd.argoproj.io ``` +## [Istio](https://www.istio.io) +You can put ArgoCD behind Istio using following configurations. Here we will achive both serving ArgoCD behind istio and using subpath on Istio + +First we need to make sure that we can run ArgoCD with subpath (ie /argocd). For this we have used install.yaml from argocd project as is + +```bash +curl -kLs -o install.yaml https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml +``` + +save following file as kustomization.yml + +```yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./install.yaml + +patches: +- path: ./patch.yml +``` + +And following lines as patch.yml + +```yaml +# Use --insecure so Ingress can send traffic with HTTP +# --bashref /argocd is the subpath like https://IP/argocd +# env was added because of https://github.com/argoproj/argo-cd/issues/3572 error +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: argocd-server +spec: + template: + spec: + containers: + - args: + - /usr/local/bin/argocd-server + - --staticassets + - /shared/app + - --redis + - argocd-redis-ha-haproxy:6379 + - --insecure + - --basehref + - /argocd + - --rootpath + - /argocd + name: argocd-server + env: + - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT + value: "0" +``` + +After that install ArgoCD (there should be only 3 yml file defined above in current directory ) + +```bash +kubectl apply -k ./ -n argocd --wait=true +``` + +Be sure you create secret for Isito ( in our case secretname is argocd-server-tls on argocd Namespace). After that we create Istio Resources + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: argocd-gateway + namespace: argocd +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - "*" + tls: + credentialName: argocd-server-tls + maxProtocolVersion: TLSV1_3 + minProtocolVersion: TLSV1_2 + mode: SIMPLE + cipherSuites: + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-SHA + - AES128-GCM-SHA256 + - AES128-SHA + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-AES256-SHA + - AES256-GCM-SHA384 + - AES256-SHA +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: argocd-virtualservice + namespace: argocd +spec: + hosts: + - "*" + gateways: + - argocd-gateway + http: + - match: + - uri: + prefix: /argocd + route: + - destination: + host: argocd-server + port: + number: 80 +``` + +And now we can browse http://{{ IP }}/argocd (it will be rewritten to https://{{ IP }}/argocd + + ## Google Cloud load balancers with Kubernetes Ingress You can make use of the integration of GKE with Google Cloud to deploy Load Balancers using just Kubernetes objects.