docs: Add Documentation for Istio (argoproj#14197)

tesla59 · Dec 16, 2023 · bb0782b · bb0782b
1 parent 8fdea01
commit bb0782b
Showing 1 changed file with 126 additions and 0 deletions.
diff --git a/docs/operator-manual/ingress.md b/docs/operator-manual/ingress.md
@@ -414,6 +414,132 @@ Once we create this service, we can configure the Ingress to conditionally route
       - argocd.argoproj.io
 ```
 
+## [Istio](https://www.istio.io)
+You can put ArgoCD behind Istio using following configurations. Here we will achive both serving ArgoCD behind istio and using subpath on Istio
+
+First we need to make sure that we can run ArgoCD with subpath (ie /argocd). For this we have used install.yaml from argocd project as is
+
+```bash
+curl -kLs -o install.yaml https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+```
+
+save following file as kustomization.yml
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./install.yaml
+
+patches:
+- path: ./patch.yml
+``` 
+
+And following lines as patch.yml
+
+```yaml
+# Use --insecure so Ingress can send traffic with HTTP
+# --bashref /argocd is the subpath like https://IP/argocd
+# env was added because of https://github.com/argoproj/argo-cd/issues/3572 error
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: argocd-server
+spec:
+ template:
+   spec:
+     containers:
+     - args:
+       - /usr/local/bin/argocd-server
+       - --staticassets
+       - /shared/app
+       - --redis
+       - argocd-redis-ha-haproxy:6379
+       - --insecure
+       - --basehref
+       - /argocd
+       - --rootpath
+       - /argocd
+       name: argocd-server
+       env:
+       - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
+         value: "0"
+```
+
+After that install ArgoCD  (there should be only 3 yml file defined above in current directory )
+
+```bash
+kubectl apply -k ./ -n argocd --wait=true
+```
+
+Be sure you create secret for Isito ( in our case secretname is argocd-server-tls on argocd Namespace). After that we create Istio Resources
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: argocd-gateway
+  namespace: argocd
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+    tls:
+     httpsRedirect: true
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    hosts:
+    - "*"
+    tls:
+      credentialName: argocd-server-tls
+      maxProtocolVersion: TLSV1_3
+      minProtocolVersion: TLSV1_2
+      mode: SIMPLE
+      cipherSuites:
+        - ECDHE-ECDSA-AES128-GCM-SHA256
+        - ECDHE-RSA-AES128-GCM-SHA256
+        - ECDHE-ECDSA-AES128-SHA
+        - AES128-GCM-SHA256
+        - AES128-SHA
+        - ECDHE-ECDSA-AES256-GCM-SHA384
+        - ECDHE-RSA-AES256-GCM-SHA384
+        - ECDHE-ECDSA-AES256-SHA
+        - AES256-GCM-SHA384
+        - AES256-SHA
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: argocd-virtualservice
+  namespace: argocd
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - argocd-gateway
+  http:
+  - match:
+    - uri:
+        prefix: /argocd
+    route:
+    - destination:
+        host: argocd-server
+        port:
+          number: 80
+```
+
+And now we can browse http://{{ IP }}/argocd (it will be rewritten to https://{{ IP }}/argocd
+
+
 ## Google Cloud load balancers with Kubernetes Ingress
 
 You can make use of the integration of GKE with Google Cloud to deploy Load Balancers using just Kubernetes objects.