Argo CD Istio deploy compatibility #2784
Comments
Would you like to raise a PR on the manifests to add these? |
I will make an attempt :) But might not be the fastest, I need to figure out how to build and test etc ... |
In my case enabling istio on argocd broke argo. If someone else ends up on this ticket because argocd won't work with istio, the reason is the same requirements, specifically service port naming. For example, when using "--insecure" with argo-cd you cannot use "https" as the port name of the argocd-server service, since istio will assume it is https. As a quick workaround I prefixed all the service port names in argocd with "tcp-" and now it is working. The related errors in argocd were "tls: first record does not look like a TLS handshake". |
My workaround was to enable "--insecure" at argocd-server and disable "TLS"

VirtualService.yaml

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argocd-server-vts
  namespace: argocd
spec:
  gateways:
  - default/global-gateway
  hosts:
  - argocd.example.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: argocd-server.argocd.svc.cluster.local
        port:
          number: 80
```

DestinationRule.yaml

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: argocd-server-dtrl
  namespace: argocd
spec:
  host: argocd-server.argocd.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
```

|
I wrote about how to bootstrap a k8s cluster with ArgoCD 1.4.2 and Istio 1.5.1 using istio Operator in this blog post: https://nemo83.dev/posts/argocd-istio-operator-bootstrap/ Please pay attention to:
Hope it helps |
Thanks for the workarounds! I tried using SSL Passthrough of istio, but without success.
I would highly appreciate if this could get fixed by the argo team. |
Hi Guys, I've created a kustomize setup to make the ArgoCD manifests fully compatible with Istio requirements (link in the description of the ticket). With this these are the steps to install ArgoCD on an Istio enabled k8s cluster with Istio TLS passthrough:
The kustomize does the following changes:
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: argocd
resources:
- argocd_install.yaml
patchesStrategicMerge:
- istio_patches.yaml
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
    app: argocd-server
    version: v1.6.1
  name: argocd-server
spec:
  template:
    metadata:
      labels:
        app: argocd-server
        version: v1.6.1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
    app: argocd-repo-server
    version: v1.6.1
  name: argocd-repo-server
spec:
  template:
    metadata:
      labels:
        app: argocd-repo-server
        version: v1.6.1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis
    app.kubernetes.io/part-of: argocd
    app: argocd-redis
    version: v5.0.3
  name: argocd-redis
spec:
  template:
    metadata:
      labels:
        app: argocd-redis
        version: v5.0.3
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
    app: argocd-dex-server
    version: v2.22.0
  name: argocd-dex-server
spec:
  template:
    metadata:
      labels:
        app: argocd-dex-server
        version: v2.22.0
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
    app: argocd-application-controller
    version: v1.6.1
  name: argocd-application-controller
spec:
  template:
    metadata:
      labels:
        app: argocd-application-controller
        version: v1.6.1
---
apiVersion: v1
kind: Service
metadata:
  name: argocd-dex-server
spec:
  ports:
  - name: http
    port: 5556
    protocol: TCP
    targetPort: 5556
  - name: http-grpc
    port: 5557
    protocol: TCP
    targetPort: 5557
  - name: http-metrics
    port: 5558
    protocol: TCP
    targetPort: 5558
---
apiVersion: v1
kind: Service
metadata:
  name: argocd-metrics
spec:
  ports:
  - name: http-metrics
    port: 8082
    protocol: TCP
    targetPort: 8082
---
apiVersion: v1
kind: Service
metadata:
  name: argocd-repo-server
spec:
  ports:
  - name: https-server
    port: 8081
    protocol: TCP
    targetPort: 8081
  - name: http-metrics
    port: 8084
    protocol: TCP
    targetPort: 8084
---
apiVersion: v1
kind: Service
metadata:
  name: argocd-server-metrics
spec:
  ports:
  - name: http-metrics
    port: 8083
    protocol: TCP
    targetPort: 8083
---
apiVersion: v1
kind: Service
metadata:
  name: argocd-server
spec:
  ports:
  - port: 80
    $patch: delete
  - name: https-argocd-server
    port: 443
    protocol: TCP
    targetPort: 8080
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: argocd-gateway
  namespace: argocd
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - "argocd-dev.example.com"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - "argocd-dev.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argocd
  namespace: argocd
spec:
  hosts:
  - "argocd-dev.example.com"
  gateways:
  - argocd-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - argocd-dev.example.com
    route:
    - destination:
        host: argocd-server.argocd.svc.cluster.local
        port:
          number: 443
```

|
@Cajga Thanks for posting the fix. Side note, I had to name the port with http-, typical Istio stuff.
|
Honestly I've had so many issues where the name of the port was just |
@sp185503 I just asked if
Maybe you could elaborate a bit what did you see there and we can find out what was the problem. For me, the kustomize above (after I applied my fixes) works well. |
After following @Cajga kustomize solution I was able to get Argocd installed with Istio however we were getting the following errors when trying to create a new application in Argocd. Using thie
Previous error message:
|
@sp185503 I got that error when the argo-repo-server service had http instead of https in its port name. In the latest kustomize (see above the updated version) I fixed that:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: argocd-repo-server
spec:
  ports:
  - name: https-server
    port: 8081
    protocol: TCP
    targetPort: 8081
  - name: http-metrics
    port: 8084
    protocol: TCP
    targetPort: 8084
```

Please note that using tcp prefix will limit the possibilities that istio provides you. |
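Added example, not part of any comment in this thread or of the Argo CD project: a lint over `kubectl get svc -o json` output that applies the Istio port-naming rule discussed above (`<protocol>[-<suffix>]`, with `appProtocol` taking precedence) and flags ports whose declared protocol disagrees with what the backend actually speaks, which is the mismatch behind the "first record does not look like a TLS handshake" error. The function names, the `BACKEND_TLS` map and the sample service list are constructed for illustration; `tcp-` ports are treated as opaque and never flagged.

```python
import json

# Protocol prefixes Istio reads from Service port names (<protocol>[-<suffix>]).
ISTIO_PROTOCOLS = {"http", "http2", "https", "tcp", "tls", "grpc", "grpc-web",
                   "mongo", "mysql", "redis"}
TLS_PROTOCOLS = {"https", "tls"}

def declared_protocol(port):
    """Protocol Istio infers from appProtocol (checked first) or the port name, else None."""
    app = (port.get("appProtocol") or "").lower()
    if app in ISTIO_PROTOCOLS:
        return app
    name = (port.get("name") or "").lower()
    # Longest prefix first, so "grpc-web-ui" is not read as "grpc".
    for proto in sorted(ISTIO_PROTOCOLS, key=len, reverse=True):
        if name == proto or name.startswith(proto + "-"):
            return proto
    return None

def lint_services(service_list, backend_tls):
    """backend_tls (hypothetical input): (service, port) -> True if the pod speaks TLS there."""
    findings = []
    for svc in service_list["items"]:
        svc_name = svc["metadata"]["name"]
        for port in svc["spec"]["ports"]:
            proto, key = declared_protocol(port), (svc_name, port["port"])
            label = port.get("name") or "<unnamed>"
            if proto is None:
                findings.append((*key, f"'{label}' has no Istio protocol prefix"))
            elif proto != "tcp" and key in backend_tls \
                    and (proto in TLS_PROTOCOLS) != backend_tls[key]:
                actual = "TLS" if backend_tls[key] else "plaintext"
                findings.append((*key, f"'{label}' declares {proto} but backend speaks {actual}"))
    return findings

# Constructed sample in the shape of `kubectl get svc -n argocd -o json`.
SAMPLE = json.loads("""{"items": [
  {"metadata": {"name": "argocd-server"}, "spec": {"ports": [
    {"name": "http", "port": 80}, {"name": "https", "port": 443}]}},
  {"metadata": {"name": "argocd-repo-server"}, "spec": {"ports": [
    {"name": "http-server", "port": 8081}, {"name": "metrics", "port": 8084}]}}]}""")
# Assumption: argocd-server runs with --insecure (plaintext); repo-server serves TLS.
BACKEND_TLS = {("argocd-server", 80): False, ("argocd-server", 443): False,
               ("argocd-repo-server", 8081): True}

if __name__ == "__main__":
    for service, port, message in lint_services(SAMPLE, BACKEND_TLS):
        print(f"{service}:{port}: {message}")
```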
@Cajga I'll try that in a few minutes. |
Could someone please review the PR above? |
Thanks for your work on this Cajga! |
This is pretty cool thanks. I took the install.yaml from @Cajga PR above and deployed on my test GKE cluster which uses Istio Ingress GW which normally does the TLS termination and has the certificates there. As this is PASSTHROUGH where is the best place to add a valid cert as going to https:// reports a bad cert? Cheers |
@PsychoSid I will create a PR for Istio ingress config options. As a side note: you can easily make it work with Istio gateway termination (and together with mTLS STRICT mode you won't need https on the argocd-server). To make that work apply the following kustomization on the install.yaml:
And use the following gateway and virtualservice config (obviously adjust the gateway to your needs):
|
@Cajga above config works like a charm with my certs handed by cert-manager/letsencrypt. Many thanks. Although the CLI now throws an error:-
If using plaintext get another error
And another edit but this may help others:) It works if using
So all seems well. Thanks again |
I've tried accessing argocd through istio-ingress gateway.
|
I used a modified version of Cajgas great work above and wrote a guide on setting this up: Manifests can be found here: Hopefully it helps someone else! |
@raonelakurti For prefix to work, you need to
|
vigohe
When I did the curl to the ingressgateway with suffix, I'm not able to see the argocd-ui login page, instead I |
I thought It would work like that... 😢 A better approach would be to set the
reference: |
@vigohe Thanks for your response. It worked after adding the root path. I really appreciate your time in answering my question. |
Excellent work @Cajga !! Thank you so much !
And then, it works perfectly. |
Hello There, below args are used for the server,
Below is the virtualservice manifest file
apiVersion: networking.istio.io/v1beta1
Contrarily, it works if I pass in a hostname in hosts like below
apiVersion: networking.istio.io/v1beta1
Could someone please help with this issue. |
error: got file 'argocd_install.yaml', but 'argocd_install.yaml' must be a directory to be a root I am getting this error when i am trying to kubectl apply -k argocd_install.yaml |
@leepereira You're probably putting it under the kustomizations: section instead of resources section. |
This is what I have on kustomization yaml, I tried that and still getting the same error Thanks for the help |
I am trying to access the url: |
On what version of ArgoCD is this? On v2.4.0, for me
See also #10371 |
Hello, is there a solution? How does everyone use ArgoCD with Istio in prod? Since it is preferable for a Kubernetes cluster to have one Ingress Controller, it's better to adapt ArgoCD in order to be able to run with sidecar containers and so on... |
@Hronom argocd works out-of-the-box with Istio with the following changes:
|
@pre it does not work out-of-the-box if you need to make changes :=) Check this description from comments in this thread #2784 (comment) So currently I can't use helm as is and I need to apply next kustomization patch:
So if we properly set prefixes for ports - it will help to switch to the helm without maintaining and applying kustomization patch with fixes. PR #3893 was started, but the needed changes have not reached a final state... It would be cool if at least the fix for ports were done. And BTW this issue is already 4 years old... Istio is a pretty popular service mesh nowadays. |
@Hronom also the dex service port needs to be renamed from |
I got this working via the helm chart, which I have locally:
argocd-istio-virtualservice.yaml:
|
@sailormurph sure - that works until you enable |
I have been fighting this for the better part of a week. I have it mostly working except for when trying to add a new repo I'm using the helm chart to install
|
Hi any news in this one? I'm not being able to make it as it seems that argocd tries to always redirect to https. Is it possible to disable argocd https -> http redirects in any way? |
https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/ |
I tried it but it was ignoring me because the name of the parameter in the helm chart contains a dot, so i had to escape it as it wasn't applying the change in the correct place in the configmap configmap argocd-cmd-params-cm:
I came across this issue and it resolved it: Now it works with istio without major problems! |
Summary
We are trying to make use of Argo CD and are deploying it together with Istio (service mesh).
However there are a few rough edges with using the provided manifest and deploying it without modifications, so I wonder if they couldn't be addressed 'upstream'?!
This is spec here => https://istio.io/docs/ops/deployment/requirements/
Also Included here for easy ref
I would appreciate some feedback on how to handle this !
(Currently I work around it with copy&paste the manifest and do some minor edits, but it's a bit hacky)