diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 99a1209b..8471db92 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -31,4 +31,7 @@ annotations: - kind: removed description: Wildcard catch all ingress rule - kind: added - description: Ingress extra rules to allow explicit configuration of catch all rule + description: Ingress extra rules to allow custom ingress custom rules + - kind: changed + description: Support for multiple ingress hosts and paths refactored into `extraHosts` and `extraPaths` + diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index d70c3529..2f9db7e3 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md 
@@ -119,11 +119,13 @@ Please upgrade with replace strategy due to removal of immutable fields in State 1) Use Helm uninstall / install 6.0.0 2) Use `helm template argocd/argo-cd | kubectl replace -f` -Major version also contains **changes related to Argo CD Ingress** resources that are were hard to extend and maintain due to support of multiple ingress controllers. +Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations. +Please review your setup and adjust to new configuration options: -* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide rule without hostname -* ingress rule for `paths` changed to `path` as there is single Argo CD backend -* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given domain +* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname +* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path +* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname +* additional hostnames and routing can be provided via `extraHosts` configuration section ### 5.53.0 
@@ -764,29 +766,31 @@ NAME: my-release | server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server | | server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | server.ingress.annotations | object | `{}` | Additional ingress annotations | -| server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server | +| server.ingress.enabled | bool | `true` | Enable an ingress resource for the Argo CD server | +| server.ingress.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record | | server.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths | | server.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules | -| server.ingress.hosts | list | `[]` | List of ingress hosts | +| server.ingress.hostname | string | `"argocd.server.local"` | Argo CD server hostname | | server.ingress.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` | | server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource | | server.ingress.labels | object | `{}` | Additional ingress labels | +| server.ingress.path | string | `"/"` | The path to Argo CD server | | server.ingress.pathType | string | `"Prefix"` | Ingress path type. 
One of `Exact`, `Prefix` or `ImplementationSpecific` | -| server.ingress.paths | list | `["/"]` | List of ingress paths | | server.ingress.tls | list | `[]` | Ingress TLS configuration | | server.ingressGrpc.annotations | object | `{}` | Additional ingress annotations for dedicated [gRPC-ingress] | | server.ingressGrpc.awsALB.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service | | server.ingressGrpc.awsALB.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service | | server.ingressGrpc.enabled | bool | `false` | Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] | +| server.ingressGrpc.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record | | server.ingressGrpc.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths for dedicated [gRPC-ingress] | | server.ingressGrpc.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules | -| server.ingressGrpc.hosts | list | `[]` | List of ingress hosts for dedicated [gRPC-ingress] | +| server.ingressGrpc.hostname | string | `""` | Argo CD server hostname for dedicated [gRPC-ingress] | | server.ingressGrpc.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` | | server.ingressGrpc.ingressClassName | string | `""` | Defines which ingress controller will implement the resource [gRPC-ingress] | | server.ingressGrpc.isAWSALB | bool | `false` | Setup up gRPC ingress to work with an AWS ALB | | server.ingressGrpc.labels | object | `{}` | Additional ingress labels for dedicated [gRPC-ingress] | +| server.ingressGrpc.path | string | `"/"` | Argo CD server ingress path for dedicated [gRPC-ingress] | | server.ingressGrpc.pathType | string | `"Prefix"` | Ingress path type for dedicated [gRPC-ingress]. 
One of `Exact`, `Prefix` or `ImplementationSpecific` | -| server.ingressGrpc.paths | list | `["/"]` | List of ingress paths for dedicated [gRPC-ingress] | | server.ingressGrpc.tls | list | `[]` | Ingress TLS configuration for dedicated [gRPC-ingress] | | server.initContainers | list | `[]` | Init containers to add to the server pod | | server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for your argo-cd-server container | 
@@ -1189,13 +1193,14 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | applicationSet.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the ApplicationSet controller | | applicationSet.webhook.ingress.annotations | object | `{}` | Additional ingress annotations | | applicationSet.webhook.ingress.enabled | bool | `false` | Enable an ingress resource for Webhooks | +| applicationSet.webhook.ingress.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record | | applicationSet.webhook.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths | | applicationSet.webhook.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules | -| applicationSet.webhook.ingress.hosts | list | `[]` | List of ingress hosts | +| applicationSet.webhook.ingress.hostname | string | `""` | Argo CD ApplicationSet hostname | | applicationSet.webhook.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource | | applicationSet.webhook.ingress.labels | object | `{}` | Additional ingress labels | +| applicationSet.webhook.ingress.path | string | `"/api/webhook"` | List of ingress paths | | applicationSet.webhook.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` | -| applicationSet.webhook.ingress.paths | list | `["/api/webhook"]` | List of ingress paths | | applicationSet.webhook.ingress.tls | list | `[]` | Ingress TLS configuration | ## Notifications diff --git a/charts/argo-cd/README.md.gotmpl b/charts/argo-cd/README.md.gotmpl index 59640f77..4a0361d1 100644 --- a/charts/argo-cd/README.md.gotmpl +++ b/charts/argo-cd/README.md.gotmpl 
@@ -118,11 +118,13 @@ Please upgrade with replace strategy due to removal of immutable fields in State 1) Use Helm uninstall / install 6.0.0 2) Use `helm template argocd/argo-cd | kubectl replace -f` -Major version also contains **changes related to Argo CD Ingress** resources that are were hard to extend and maintain due to support of multiple ingress controllers. +Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations. +Please review your setup and adjust to new configuration options: -* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide rule without hostname -* ingress rule for `paths` changed to `path` as there is single Argo CD backend -* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given domain +* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname +* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path +* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname +* additional hostnames and routing can be provided via `extraHosts` configuration section ### 5.53.0 diff --git a/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml b/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml index 57503cac..56d76b12 100644 --- a/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml 
@@ -1,4 +1,4 @@ -{{- if and .Values.applicationSet.enabled (and .Values.applicationSet.webhook.ingress.enabled .Values.applicationSet.webhook.ingress.hosts) -}} +{{- if and .Values.applicationSet.enabled .Values.applicationSet.webhook.ingress.enabled -}} {{- $servicePort := .Values.applicationSet.service.portName -}} apiVersion: networking.k8s.io/v1 kind: Ingress @@ -21,15 +21,14 @@ spec: ingressClassName: {{ . }} {{- end }} rules: - {{- range .Values.applicationSet.webhook.ingress.hosts }} - - host: {{ . }} + {{- if .Values.applicationSet.webhook.ingress.hostname }} + - host: {{ .Values.applicationSet.webhook.ingress.hostname }} http: paths: - {{- with $.Values.applicationSet.webhook.ingress.extraPaths }} + {{- with .Values.applicationSet.webhook.ingress.extraPaths }} {{- toYaml . | nindent 10 }} {{- end }} - {{- range $.Values.applicationSet.webhook.ingress.paths }} - - path: {{ . }} + - path: {{ .Values.applicationSet.webhook.ingress.path }} pathType: {{ $.Values.applicationSet.webhook.ingress.pathType }} backend: service: @@ -40,7 +39,22 @@ spec: {{- else }} name: {{ $servicePort }} {{- end }} - {{- end }} + {{- end }} + {{- range .Values.server.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default .Values.server.ingress.path .path }} + pathType: {{ default .Values.server.ingress.pathType .pathType }} + backend: + service: + name: {{ include "argo-cd.applicationSet.fullname" . }} + port: + {{- if kindIs "float64" $servicePort }} + number: {{ $servicePort }} + {{- else }} + name: {{ $servicePort }} + {{- end }} {{- end }} {{- with .Values.applicationSet.webhook.ingress.extraRules }} {{- toYaml . | nindent 4 }} diff --git a/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml b/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml index 20c2f51f..bca62406 100644 --- a/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml +++ b/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml 
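Review bot: The rewritten guard at the top of webhook-ingress.yaml no longer requires a host, so with the defaults this commit puts in values.yaml (`hostname: ""`, `extraHosts: []`, `extraRules: []`) enabling the webhook ingress renders `rules:` with no entries. An Ingress with neither rules nor a default backend is, as far as I know, rejected by the API server, so the old silent skip becomes an apply-time error with no hint about the missing value. Consider calling `fail` with a clear message when `hostname`, `extraHosts` and `extraRules` are all empty, or keep a non-empty check in the guard. The metadata and spec lines between the first two hunks are not visible here.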
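Review bot: The `range` block added in the last hunk of webhook-ingress.yaml iterates `.Values.server.ingress.extraHosts` and then reads `.Values.server.ingress.path` and `.pathType` inside the loop, where `.` is the current list element, so `.Values` does not resolve there and `include "argo-cd.applicationSet.fullname" .` receives the element instead of the root context. The list is also the server's rather than `applicationSet.webhook.ingress.extraHosts` as values.yaml documents, so if the block did render, hostnames meant for the Argo CD UI would also be routed to the webhook backend. The same loop is added in ingress-grpc.yaml (which should read `server.ingressGrpc.extraHosts` and its `path`/`pathType`) and in ingress.yaml (where only the `$.Values` and `$` changes are needed). The webhook variant is shown below; `$servicePort` is a template variable and stays usable inside the loop.

```yaml
    {{- range .Values.applicationSet.webhook.ingress.extraHosts }}
    # … unchanged: host / http / paths keys …
          - path: {{ default $.Values.applicationSet.webhook.ingress.path .path }}
            pathType: {{ default $.Values.applicationSet.webhook.ingress.pathType .pathType }}
            # … unchanged: backend / service keys …
                name: {{ include "argo-cd.applicationSet.fullname" $ }}
                # … unchanged: port number/name selection …
```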
@@ -1,4 +1,5 @@ -{{- if and (and .Values.server.ingressGrpc.enabled .Values.server.ingressGrpc.hosts) (not .Values.server.ingressGrpc.isAWSALB) -}} +{{- if and .Values.server.ingressGrpc.enabled (not .Values.server.ingressGrpc.isAWSALB) -}} +{{- $hostname := printf "grpc.%s" .Values.server.ingress.hostname -}} {{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingressGrpc.https -}} apiVersion: networking.k8s.io/v1 kind: Ingress @@ -21,15 +22,13 @@ spec: ingressClassName: {{ . }} {{- end }} rules: - {{- range .Values.server.ingressGrpc.hosts }} - - host: {{ . }} + - host: {{ default $hostname .Values.server.ingressGrpc.hostname }} http: paths: {{- with $.Values.server.ingressGrpc.extraPaths }} {{- toYaml . | nindent 10 }} {{- end }} - {{- range $.Values.server.ingressGrpc.paths }} - - path: {{ . }} + - path: {{ .Values.server.ingressGrpc.path }} pathType: {{ $.Values.server.ingressGrpc.pathType }} backend: service: @@ -40,7 +39,21 @@ spec: {{- else }} name: {{ $servicePort }} {{- end }} - {{- end }} + {{- range .Values.server.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default .Values.server.ingress.path .path }} + pathType: {{ default .Values.server.ingress.pathType .pathType }} + backend: + service: + name: {{ include "argo-cd.server.fullname" . }} + port: + {{- if kindIs "float64" $servicePort }} + number: {{ $servicePort }} + {{- else }} + name: {{ $servicePort }} + {{- end }} {{- end }} {{- with .Values.server.ingressGrpc.extraRules }} {{- toYaml . | nindent 4 }} diff --git a/charts/argo-cd/templates/argocd-server/ingress.yaml b/charts/argo-cd/templates/argocd-server/ingress.yaml index 498ef200..0eccc46f 100644 --- a/charts/argo-cd/templates/argocd-server/ingress.yaml +++ b/charts/argo-cd/templates/argocd-server/ingress.yaml 
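Review bot: `- host: {{ default $hostname .Values.server.ingressGrpc.hostname }}` in the second hunk emits a user-supplied value unquoted, while the `extraHosts` loop added to the same file uses `.name | quote`. A wildcard host such as `*.example.com` (constructed example) starts with `*`, which YAML reads as an alias, so the rendered manifest would fail to parse. Quote it the same way, `- host: {{ default $hostname .Values.server.ingressGrpc.hostname | quote }}`, and apply the same to the new `host:` lines in webhook-ingress.yaml and ingress.yaml. The rule's backend block continues past the end of this hunk.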
@@ -1,4 +1,4 @@ -{{- if and .Values.server.ingress.enabled .Values.server.ingress.hosts -}} +{{- if .Values.server.ingress.enabled }} {{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}} apiVersion: networking.k8s.io/v1 kind: Ingress @@ -25,16 +25,25 @@ spec: ingressClassName: {{ . }} {{- end }} rules: - {{- range .Values.server.ingress.hosts }} - - host: {{ . }} + - host: {{ .Values.server.ingress.hostname }} http: paths: - {{- with $.Values.server.ingress.extraPaths }} + {{- with .Values.server.ingress.extraPaths }} {{- toYaml . | nindent 10 }} {{- end }} - {{- range $.Values.server.ingress.paths }} - {{- if and $.Values.server.ingressGrpc.isAWSALB $.Values.server.ingressGrpc.enabled }} - - path: {{ . }} + - path: {{ .Values.server.ingress.path }} + pathType: {{ $.Values.server.ingress.pathType }} + backend: + service: + name: {{ include "argo-cd.server.fullname" . }} + port: + {{- if kindIs "float64" $servicePort }} + number: {{ $servicePort }} + {{- else }} + name: {{ $servicePort }} + {{- end }} + {{- if and .Values.server.ingressGrpc.isAWSALB .Values.server.ingressGrpc.enabled }} + - path: {{ .Values.server.ingress.path }} pathType: {{ $.Values.server.ingressGrpc.pathType }} backend: service: 
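Review bot: In the second hunk the regular backend for `.Values.server.ingress.path` is now emitted before the AWS ALB gRPC entry for the same path, whereas the removed lines emitted the gRPC entry first. ALB listener rules are, to my knowledge, prioritised in the order the paths are listed, so a gRPC rule that follows an identical path would presumably never match and gRPC clients would land on the HTTP backend. Moving the `{{- if and .Values.server.ingressGrpc.isAWSALB .Values.server.ingressGrpc.enabled }}` block back above the plain `- path:` entry restores the previous order. The gRPC backend lines sit between this hunk and the next and are not visible here.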
@@ -46,18 +55,21 @@ spec: name: {{ $servicePort }} {{- end }} {{- end }} - - path: {{ . }} - pathType: {{ $.Values.server.ingress.pathType }} + {{- range .Values.server.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default .Values.server.ingress.path .path }} + pathType: {{ default .Values.server.ingress.pathType .pathType }} backend: service: - name: {{ include "argo-cd.server.fullname" $ }} + name: {{ include "argo-cd.server.fullname" . }} port: {{- if kindIs "float64" $servicePort }} number: {{ $servicePort }} {{- else }} name: {{ $servicePort }} {{- end }} - {{- end }} {{- end }} {{- with .Values.server.ingress.extraRules }} {{- toYaml . | nindent 4 }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index cad4f8d9..62143316 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -1902,7 +1902,7 @@ server: ingress: # -- Enable an ingress resource for the Argo CD server - enabled: false + enabled: true #false # -- Additional ingress labels labels: {} # -- Additional ingress annotations 
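Review bot: `enabled: true #false` in values.yaml flips the chart default, so every install that does not override it publishes the Argo CD server through an Ingress, using the placeholder host `argocd.server.local` that this commit also adds as a default. The leftover `#false` suggests a local test value, and the regenerated README table already lists `true`, so it would ship as documented behaviour. Restore `enabled: false` so that exposing the API and UI stays an explicit opt-in, and regenerate the README row.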
@@ -1914,19 +1914,22 @@ server: # -- Defines which ingress controller will implement the resource ingressClassName: "" - # -- List of ingress hosts - ## Argo Ingress. - ## Hostnames must be provided if Ingress is enabled. - ## Secrets must be manually created in the namespace - hosts: [] - # - argocd.example.com + # -- Argo CD server hostname + ## Hostname must be provided if Ingress is enabled + hostname: argocd.server.local + + # -- The path to Argo CD server + ## NOTE: You may need to set this to `/*` in order to use this with GKE ingress controller + path: / - # -- List of ingress paths - paths: - - / # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix + # -- The list of additional hostnames to be covered by ingress record + extraHosts: [] + # - name: argocd.server.local + # path: / + # -- Additional ingress paths # @default -- `[]` (See [values.yaml]) extraPaths: [] @@ -1985,21 +1988,20 @@ server: ## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features backendProtocolVersion: HTTP2 - # -- List of ingress hosts for dedicated [gRPC-ingress] - ## Argo Ingress. - ## Hostnames must be provided if Ingress is enabled. - ## Secrets must be manually created in the namespace - ## - hosts: [] - # - argocd.example.com + # -- Argo CD server hostname for dedicated [gRPC-ingress] + hostname: "" - # -- List of ingress paths for dedicated [gRPC-ingress] - paths: - - / + # -- Argo CD server ingress path for dedicated [gRPC-ingress] + path: / # -- Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix + # -- The list of additional hostnames to be covered by ingress record + extraHosts: [] + # - name: grpc.argocd.server.local + # path: / + # -- Additional ingress paths for dedicated [gRPC-ingress] # @default -- `[]` (See [values.yaml]) extraPaths: [] 
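Review bot: The comment on `server.ingressGrpc.hostname` in the second hunk does not say that an empty value falls back to `grpc.` plus `server.ingress.hostname`, which is what ingress-grpc.yaml computes with `printf "grpc.%s"`. With the defaults in this commit that yields a rule for `grpc.argocd.server.local` without the operator ever naming that host. Add a line under the `# --` description such as `## Defaults to grpc.<server.ingress.hostname> when left empty`, so the derived hostname is visible to whoever reviews DNS and TLS coverage.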
@@ -2718,19 +2720,20 @@ applicationSet: # -- Defines which ingress ApplicationSet controller will implement the resource ingressClassName: "" - # -- List of ingress hosts - ## Hostnames must be provided if Ingress is enabled. - ## Secrets must be manually created in the namespace - hosts: [] - # - argocd-applicationset.example.com + # -- Argo CD ApplicationSet hostname + hostname: "" # -- List of ingress paths - paths: - - /api/webhook + path: /api/webhook # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix + # -- The list of additional hostnames to be covered by ingress record + extraHosts: [] + # - name: argocd.server.local + # path: / + # -- Additional ingress paths # @default -- `[]` (See [values.yaml]) extraPaths: []
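Review bot: `# -- List of ingress paths` still heads `path: /api/webhook`, which is now a single string, and the generated README row for `applicationSet.webhook.ingress.path` repeats that wording. The commented `extraHosts` example also uses `path: /`, which for this ingress would send the whole host to the webhook service rather than only `/api/webhook`. Suggest `# -- Ingress path for the ApplicationSet webhook` for the description and `#   path: /api/webhook` in the example.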