Replace ingress paths and hosts with single backend service

Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
Petr Drastil 2024-01-21 18:05:51 +01:00
parent fa94d09605
commit 17f2ef8731
No known key found for this signature in database
GPG key ID: B147517F4051E6ED
7 changed files with 119 additions and 67 deletions

View file

@ -31,4 +31,7 @@ annotations:
- kind: removed
description: Wildcard catch all ingress rule
- kind: added
description: Ingress extra rules to allow explicit configuration of catch all rule
description: Ingress extra rules to allow custom ingress custom rules
- kind: changed
description: Support for multiple ingress hosts and paths refactored into `extraHosts` and `extraPaths`
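Review bot: The new changelog text "Ingress extra rules to allow custom ingress custom rules" repeats the word "custom". Something like "Ingress extra rules to allow custom ingress rules" reads correctly, and this string ends up in the published chart annotations.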

View file

@ -119,11 +119,13 @@ Please upgrade with replace strategy due to removal of immutable fields in State
1) Use Helm uninstall / install 6.0.0
2) Use `helm template argocd/argo-cd | kubectl replace -f`
Major version also contains **changes related to Argo CD Ingress** resources that are were hard to extend and maintain due to support of multiple ingress controllers.
Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations.
Please review your setup and adjust to new configuration options:
* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide rule without hostname
* ingress rule for `paths` changed to `path` as there is single Argo CD backend
* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given domain
* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
* additional hostnames and routing can be provided via `extraHosts` configuration section
### 5.53.0
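Review bot: The upgrade notes mention only `extraHosts` in the last bullet, while the Chart.yaml annotation in this commit says hosts and paths were refactored into `extraHosts` and `extraPaths`. Users migrating a multi-entry `paths` list need to be pointed at `extraPaths` as well, and it would help to state that an `extraHosts` entry takes `name` and optional `path` keys, as the commented example in values.yaml shows.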
@ -764,29 +766,31 @@ NAME: my-release
| server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server |
| server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| server.ingress.annotations | object | `{}` | Additional ingress annotations |
| server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server |
| server.ingress.enabled | bool | `true` | Enable an ingress resource for the Argo CD server |
| server.ingress.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record |
| server.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
| server.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| server.ingress.hosts | list | `[]` | List of ingress hosts |
| server.ingress.hostname | string | `"argocd.server.local"` | Argo CD server hostname |
| server.ingress.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` |
| server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource |
| server.ingress.labels | object | `{}` | Additional ingress labels |
| server.ingress.path | string | `"/"` | The path to Argo CD server |
| server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| server.ingress.paths | list | `["/"]` | List of ingress paths |
| server.ingress.tls | list | `[]` | Ingress TLS configuration |
| server.ingressGrpc.annotations | object | `{}` | Additional ingress annotations for dedicated [gRPC-ingress] |
| server.ingressGrpc.awsALB.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service |
| server.ingressGrpc.awsALB.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service |
| server.ingressGrpc.enabled | bool | `false` | Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] |
| server.ingressGrpc.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record |
| server.ingressGrpc.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths for dedicated [gRPC-ingress] |
| server.ingressGrpc.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| server.ingressGrpc.hosts | list | `[]` | List of ingress hosts for dedicated [gRPC-ingress] |
| server.ingressGrpc.hostname | string | `""` | Argo CD server hostname for dedicated [gRPC-ingress] |
| server.ingressGrpc.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` |
| server.ingressGrpc.ingressClassName | string | `""` | Defines which ingress controller will implement the resource [gRPC-ingress] |
| server.ingressGrpc.isAWSALB | bool | `false` | Setup up gRPC ingress to work with an AWS ALB |
| server.ingressGrpc.labels | object | `{}` | Additional ingress labels for dedicated [gRPC-ingress] |
| server.ingressGrpc.path | string | `"/"` | Argo CD server ingress path for dedicated [gRPC-ingress] |
| server.ingressGrpc.pathType | string | `"Prefix"` | Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| server.ingressGrpc.paths | list | `["/"]` | List of ingress paths for dedicated [gRPC-ingress] |
| server.ingressGrpc.tls | list | `[]` | Ingress TLS configuration for dedicated [gRPC-ingress] |
| server.initContainers | list | `[]` | Init containers to add to the server pod |
| server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for your argo-cd-server container |
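Review bot: The `server.ingressGrpc.hostname` row documents the default as `""`, but the gRPC ingress template in this commit falls back to `grpc.` prefixed to `server.ingress.hostname` when it is unset. Since this table is generated from values.yaml, add a `@default --` line to the `hostname` comment there describing the fallback, so the effective hostname is not a surprise.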
@ -1189,13 +1193,14 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the ApplicationSet controller |
| applicationSet.webhook.ingress.annotations | object | `{}` | Additional ingress annotations |
| applicationSet.webhook.ingress.enabled | bool | `false` | Enable an ingress resource for Webhooks |
| applicationSet.webhook.ingress.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record |
| applicationSet.webhook.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
| applicationSet.webhook.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| applicationSet.webhook.ingress.hosts | list | `[]` | List of ingress hosts |
| applicationSet.webhook.ingress.hostname | string | `""` | Argo CD ApplicationSet hostname |
| applicationSet.webhook.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource |
| applicationSet.webhook.ingress.labels | object | `{}` | Additional ingress labels |
| applicationSet.webhook.ingress.path | string | `"/api/webhook"` | List of ingress paths |
| applicationSet.webhook.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| applicationSet.webhook.ingress.paths | list | `["/api/webhook"]` | List of ingress paths |
| applicationSet.webhook.ingress.tls | list | `[]` | Ingress TLS configuration |
## Notifications

View file

@ -118,11 +118,13 @@ Please upgrade with replace strategy due to removal of immutable fields in State
1) Use Helm uninstall / install 6.0.0
2) Use `helm template argocd/argo-cd | kubectl replace -f`
Major version also contains **changes related to Argo CD Ingress** resources that are were hard to extend and maintain due to support of multiple ingress controllers.
Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations.
Please review your setup and adjust to new configuration options:
* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide rule without hostname
* ingress rule for `paths` changed to `path` as there is single Argo CD backend
* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given domain
* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
* additional hostnames and routing can be provided via `extraHosts` configuration section
### 5.53.0

View file

@ -1,4 +1,4 @@
{{- if and .Values.applicationSet.enabled (and .Values.applicationSet.webhook.ingress.enabled .Values.applicationSet.webhook.ingress.hosts) -}}
{{- if and .Values.applicationSet.enabled .Values.applicationSet.webhook.ingress.enabled -}}
{{- $servicePort := .Values.applicationSet.service.portName -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
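Review bot: Dropping `.Values.applicationSet.webhook.ingress.hosts` from the guard on line 1 means the Ingress is now rendered whenever it is enabled, even though `hostname` defaults to `""` and the rule block is wrapped in `if .Values.applicationSet.webhook.ingress.hostname`. With ingress enabled and no hostname, `extraHosts` or `extraRules`, the output has a `rules:` key with no entries. Either keep a hostname check in the guard or fail the render with a clear message when ingress is enabled and no hostname is set.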
@ -21,15 +21,14 @@ spec:
ingressClassName: {{ . }}
{{- end }}
rules:
{{- range .Values.applicationSet.webhook.ingress.hosts }}
- host: {{ . }}
{{- if .Values.applicationSet.webhook.ingress.hostname }}
- host: {{ .Values.applicationSet.webhook.ingress.hostname }}
http:
paths:
{{- with $.Values.applicationSet.webhook.ingress.extraPaths }}
{{- with .Values.applicationSet.webhook.ingress.extraPaths }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $.Values.applicationSet.webhook.ingress.paths }}
- path: {{ . }}
- path: {{ .Values.applicationSet.webhook.ingress.path }}
pathType: {{ $.Values.applicationSet.webhook.ingress.pathType }}
backend:
service:
@ -40,7 +39,22 @@ spec:
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end }}
{{- end }}
{{- range .Values.server.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default .Values.server.ingress.path .path }}
pathType: {{ default .Values.server.ingress.pathType .pathType }}
backend:
service:
name: {{ include "argo-cd.applicationSet.fullname" . }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end }}
{{- with .Values.applicationSet.webhook.ingress.extraRules }}
{{- toYaml . | nindent 4 }}
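Review bot: The `range` in the ApplicationSet webhook template iterates `.Values.server.ingress.extraHosts` and takes its defaults from `.Values.server.ingress.path` and `.Values.server.ingress.pathType`, so the `applicationSet.webhook.ingress.extraHosts` value added in values.yaml is never read and hosts meant for the Argo CD server would be routed to the webhook service. It should range over `$.Values.applicationSet.webhook.ingress.extraHosts` and default to the webhook `path` and `pathType`. Inside the `range` the dot is the list entry, so `.Values...` and `include "argo-cd.applicationSet.fullname" .` also need `$` as the context.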

View file

@ -1,4 +1,5 @@
{{- if and (and .Values.server.ingressGrpc.enabled .Values.server.ingressGrpc.hosts) (not .Values.server.ingressGrpc.isAWSALB) -}}
{{- if and .Values.server.ingressGrpc.enabled (not .Values.server.ingressGrpc.isAWSALB) -}}
{{- $hostname := printf "grpc.%s" .Values.server.ingress.hostname -}}
{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingressGrpc.https -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
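Review bot: `$hostname` is built with `printf "grpc.%s" .Values.server.ingress.hostname` without checking that the server hostname is set, and the guard no longer requires any gRPC host. If both `server.ingress.hostname` and `server.ingressGrpc.hostname` are empty, the rule host renders as `grpc.`. Consider failing the render in that case rather than emitting an invalid host.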
@ -21,15 +22,13 @@ spec:
ingressClassName: {{ . }}
{{- end }}
rules:
{{- range .Values.server.ingressGrpc.hosts }}
- host: {{ . }}
- host: {{ default $hostname .Values.server.ingressGrpc.hostname }}
http:
paths:
{{- with $.Values.server.ingressGrpc.extraPaths }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $.Values.server.ingressGrpc.paths }}
- path: {{ . }}
- path: {{ .Values.server.ingressGrpc.path }}
pathType: {{ $.Values.server.ingressGrpc.pathType }}
backend:
service:
@ -40,7 +39,21 @@ spec:
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end }}
{{- range .Values.server.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default .Values.server.ingress.path .path }}
pathType: {{ default .Values.server.ingress.pathType .pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" . }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end }}
{{- with .Values.server.ingressGrpc.extraRules }}
{{- toYaml . | nindent 4 }}
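Review bot: The extra-hosts loop in the gRPC ingress ranges over `.Values.server.ingress.extraHosts`, not `server.ingressGrpc.extraHosts`, so every additional HTTP hostname is duplicated onto the gRPC Ingress and the new `server.ingressGrpc.extraHosts` value is unused. Range over `$.Values.server.ingressGrpc.extraHosts` and default `path` and `pathType` from the `ingressGrpc` values. As in the other templates, references inside the `range` need `$.Values` and `include "argo-cd.server.fullname" $`.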

View file

@ -1,4 +1,4 @@
{{- if and .Values.server.ingress.enabled .Values.server.ingress.hosts -}}
{{- if .Values.server.ingress.enabled }}
{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
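Review bot: The rewritten guard `{{- if .Values.server.ingress.enabled }}` drops the right-hand trim marker that the old line and the other two ingress templates use (`-}}`). Keep `-}}` here for consistent whitespace handling at the top of the rendered manifest.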
@ -25,16 +25,25 @@ spec:
ingressClassName: {{ . }}
{{- end }}
rules:
{{- range .Values.server.ingress.hosts }}
- host: {{ . }}
- host: {{ .Values.server.ingress.hostname }}
http:
paths:
{{- with $.Values.server.ingress.extraPaths }}
{{- with .Values.server.ingress.extraPaths }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $.Values.server.ingress.paths }}
{{- if and $.Values.server.ingressGrpc.isAWSALB $.Values.server.ingressGrpc.enabled }}
- path: {{ . }}
- path: {{ .Values.server.ingress.path }}
pathType: {{ $.Values.server.ingress.pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" . }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- if and .Values.server.ingressGrpc.isAWSALB .Values.server.ingressGrpc.enabled }}
- path: {{ .Values.server.ingress.path }}
pathType: {{ $.Values.server.ingressGrpc.pathType }}
backend:
service:
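Review bot: The order of the two path entries for the primary host is reversed compared with the old template: previously the `isAWSALB` gRPC entry was emitted before the server entry, now the server backend comes first and the gRPC entry follows with the same `path`. For controllers that evaluate rules in listed order, the second entry may never match. Please confirm this with an AWS ALB setup or restore the original order.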
@ -46,18 +55,21 @@ spec:
name: {{ $servicePort }}
{{- end }}
{{- end }}
- path: {{ . }}
pathType: {{ $.Values.server.ingress.pathType }}
{{- range .Values.server.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default .Values.server.ingress.path .path }}
pathType: {{ default .Values.server.ingress.pathType .pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" $ }}
name: {{ include "argo-cd.server.fullname" . }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.server.ingress.extraRules }}
{{- toYaml . | nindent 4 }}
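Review bot: Inside `range .Values.server.ingress.extraHosts` the dot is rebound to the current list entry, so `default .Values.server.ingress.path .path` and `default .Values.server.ingress.pathType .pathType` no longer resolve against the chart values, and the backend line was changed from `include "argo-cd.server.fullname" $` to `include "argo-cd.server.fullname" .`, which passes the entry instead of the root context. Use `$.Values...` for both defaults and keep `$` in the `include`. A template test with one `extraHosts` entry would catch this.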

View file

@ -1902,7 +1902,7 @@ server:
ingress:
# -- Enable an ingress resource for the Argo CD server
enabled: false
enabled: true #false
# -- Additional ingress labels
labels: {}
# -- Additional ingress annotations
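Review bot: `enabled: true #false` looks like a local testing toggle that was committed. It flips the chart default so that a plain install creates an Ingress for the Argo CD server, and the regenerated README row for `server.ingress.enabled` now documents `true` as well. Revert to `enabled: false`; if the new default is intended, remove the trailing `#false` and call the change out in the upgrade notes.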
@ -1914,19 +1914,22 @@ server:
# -- Defines which ingress controller will implement the resource
ingressClassName: ""
# -- List of ingress hosts
## Argo Ingress.
## Hostnames must be provided if Ingress is enabled.
## Secrets must be manually created in the namespace
hosts: []
# - argocd.example.com
# -- Argo CD server hostname
## Hostname must be provided if Ingress is enabled
hostname: argocd.server.local
# -- The path to Argo CD server
## NOTE: You may need to set this to `/*` in order to use this with GKE ingress controller
path: /
# -- List of ingress paths
paths:
- /
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
pathType: Prefix
# -- The list of additional hostnames to be covered by ingress record
extraHosts: []
# - name: argocd.server.local
# path: /
# -- Additional ingress paths
# @default -- `[]` (See [values.yaml])
extraPaths: []
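Review bot: The new default `hostname: argocd.server.local` is a placeholder that gets rendered into the Ingress as-is, whereas the old `hosts: []` default rendered no rule until the user supplied a host. The comment says the hostname must be provided, so an empty default with a `required` check in the template would match it better. The commented `extraHosts` example also reuses `argocd.server.local`, which would duplicate the primary host; a different example name would be clearer.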
@ -1985,21 +1988,20 @@ server:
## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features
backendProtocolVersion: HTTP2
# -- List of ingress hosts for dedicated [gRPC-ingress]
## Argo Ingress.
## Hostnames must be provided if Ingress is enabled.
## Secrets must be manually created in the namespace
##
hosts: []
# - argocd.example.com
# -- Argo CD server hostname for dedicated [gRPC-ingress]
hostname: ""
# -- List of ingress paths for dedicated [gRPC-ingress]
paths:
- /
# -- Argo CD server ingress path for dedicated [gRPC-ingress]
path: /
# -- Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific`
pathType: Prefix
# -- The list of additional hostnames to be covered by ingress record
extraHosts: []
# - name: grpc.argocd.server.local
# path: /
# -- Additional ingress paths for dedicated [gRPC-ingress]
# @default -- `[]` (See [values.yaml])
extraPaths: []
@ -2718,19 +2720,20 @@ applicationSet:
# -- Defines which ingress ApplicationSet controller will implement the resource
ingressClassName: ""
# -- List of ingress hosts
## Hostnames must be provided if Ingress is enabled.
## Secrets must be manually created in the namespace
hosts: []
# - argocd-applicationset.example.com
# -- Argo CD ApplicationSet hostname
hostname: ""
# -- List of ingress paths
paths:
- /api/webhook
path: /api/webhook
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
pathType: Prefix
# -- The list of additional hostnames to be covered by ingress record
extraHosts: []
# - name: argocd.server.local
# path: /
# -- Additional ingress paths
# @default -- `[]` (See [values.yaml])
extraPaths: []
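Review bot: The doc comment `# -- List of ingress paths` was left above the new scalar `path: /api/webhook`, which is why the README row for `applicationSet.webhook.ingress.path` still reads "List of ingress paths" with type string. Reword it to describe a single webhook path. The commented `extraHosts` example uses `name: argocd.server.local` with `path: /`, which would send the whole server hostname to the webhook service; an ApplicationSet hostname with `/api/webhook` would be a safer example.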