Setup
I am using an Azure Kubernetes Cluster with Azure Application Gateway.
The external domain is aks-tst.myurl.com. The Application Gateway overrides this host to aks-tst.intern.com and forwards the requests with a self-signed certificate to the AKS which has the following ingress for most of the applications defined:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Chart.Name }}
  namespace: {{ .Release.Namespace }}
spec:
  rules:
    - host: aks-tst.intern.com
      http:
        paths:
          - path: {{ .Values.ingress.path }}
            pathType: Prefix
            backend:
              service:
                name: {{ .Values.service.name }}
                port:
                  number: {{ .Values.service.port }}
  tls:
    - hosts:
        - aks-tst.intern.com
Argo CD values.yaml:
server:
  insecure: true
  ingress:
    enabled: true
    hosts:
      - aks-tst.intern.com
    paths:
      - /argocd
    tls:
      - hosts:
          - aks-tst.intern.com
The generated Ingress for Argo CD:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.8.4
    argocd.argoproj.io/instance: argo-cd
    helm.sh/chart: argo-cd-5.46.7
  name: argo-cd-argocd-server
  namespace: argocd
spec:
  ingressClassName: traefik
  rules:
    - host: aks-tst.intern.com
      http:
        paths:
          - backend:
              service:
                name: argo-cd-argocd-server
                port:
                  number: 80
            path: /argocd
            pathType: Prefix
  tls:
    - hosts:
        - aks-tst.intern.com
status:
  loadBalancer:
    ingress:
      - ip: <ip-of-traefik-loadbalancer>
Problem
The ingress works fine for any application we define. But the Argo CD UI is not available. If accessing aks-tst.myurl.com/argocd, the browser receives the response 307 and gets directly redirected to aks-tst.intern.com/argocd, which is obviously not available from outside of Azure.
Is there a way to tell the Argo CD UI to use the external URL for redirects?
What I've tried so far
Configmap argocd-cm
Argo CD values.yaml:
configs:
  cm:
    # tried with and without protocol and with and without path /argocd
    url: https://aks-tst.myurl.com
The value above generates the following configmap:
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argo-cd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.8.4
    argocd.argoproj.io/instance: argo-cd
    helm.sh/chart: argo-cd-5.46.7
  name: argocd-cm
  namespace: argocd
data:
  admin.enabled: "true"
  application.instanceLabelKey: argocd.argoproj.io/instance
  exec.enabled: "false"
  server.rbac.log.enforce.enable: "false"
  timeout.hard.reconciliation: 0s
  timeout.reconciliation: 180s
  url: https://aks-tst.myurl.com
This didn't work either so I added the following part to the argocd-server deployment manually and restarted all the pods in the argocd namespace:
...
spec:
  template:
    spec:
      containers:
        ...
        - args:
            ...
          volumeMounts:
            ...
            - mountPath: /etc/argo-cd/config/cm
              name: argocd-cm
      volumes:
        ...
        - configMap:
            defaultMode: 420
            name: argocd-cm
          name: argocd-cm
The pod then shows these logs:
url modified. restarting
shutting down settings watch
Shut down requested
0xc000f810e0 unsubscribed from settings updates
rbac configmap informer cancelled
argocd v2.8.4+c279299 serving on port 8080 (url: https://aks-tst.myurl.com/argocd, tls: true, namespace: argocd, sso: false)"
Enabled application namespace patterns: argocd
0xc000bd9500 subscribed to settings updates
Starting rbac config informer
RBAC ConfigMap 'argocd-rbac-cm' added
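The redirect described in the question can be checked mechanically: compare the host in the Location header with the host the client requested, so a backend that builds absolute URLs from the gateway-rewritten Host header is caught before and after each configuration change. This is an added example, not part of the original post; the sample response is constructed from the hostnames in the question and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample response modelled on the 307 described in the question.
SAMPLE_RESPONSE = (
    "HTTP/1.1 307 Temporary Redirect\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Location: https://aks-tst.intern.com/argocd\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response_head(raw):
    """Return (status_code, headers) from a raw HTTP/1.x response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_redirect(request_url, raw):
    """Classify a redirect relative to the URL the client actually asked for."""
    status, headers = parse_response_head(raw)
    location = headers.get("location")
    if status not in REDIRECT_CODES or location is None:
        return {"verdict": "not-a-redirect", "target": None, "host": None}
    # A relative Location resolves against the request URL and keeps its host.
    target = urljoin(request_url, location)
    asked, got = urlsplit(request_url), urlsplit(target)
    if got.hostname != asked.hostname:
        # The backend built an absolute URL from the rewritten Host header,
        # which also discloses the internal hostname to external clients.
        verdict = "host-changed"
    elif asked.scheme == "https" and got.scheme == "http":
        verdict = "scheme-downgrade"
    else:
        verdict = "ok"
    return {"verdict": verdict, "target": target, "host": got.hostname}
```
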
I managed to find a solution after reading this and this article for the 10th time.
There were two main mistakes in my config:
- The insecure property does not belong to the server config within the values.yaml, but to the configs part.

The correct values.yaml looks like the following. No manual configuration except the values.yaml was needed: