Argocd Ingress not working on an Ubuntu Microk8s cluster

I have a working Microk8s cluster. After enabling the argocd community addon, the recommended ingress for the argocd server does not seem to work.

Here is the notice I received after enabling the addon:

Infer repository community for addon argocd
Infer repository core for addon helm3
Addon core/helm3 is already enabled
Installing ArgoCD (Helm v4.6.3)
"argo" already exists with the same configuration, skipping
Release "argo-cd" does not exist. Installing it now.
NAME: argo-cd
LAST DEPLOYED: Thu Oct 20 17:34:33 2022
NAMESPACE: argocd
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
In order to access the server UI you have the following options:

1. kubectl port-forward service/argo-cd-argocd-server -n argocd 8080:443

    and then open the browser on http://localhost:8080 and accept the certificate

2. enable ingress in the values file `server.ingress.enabled` and either
      - Add the annotation for ssl passthrough: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ingress.md#option-1-ssl-passthrough
      - Add the `--insecure` flag to `server.extraArgs` in the values file and terminate SSL at your ingress: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ingress.md#option-2-multiple-ingress-objects-and-hosts


After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

(You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://github.com/argoproj/argo-cd/blob/master/docs/getting_started.md#4-login-using-the-cli)
ArgoCD is installed

Also, here is the Ingress I defined:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: lets-encrypt
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # If you encounter a redirect loop or are getting a 307 response code
    # then you need to force the nginx ingress to connect to the backend using HTTPS.
    #
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: argocd.DOMAIN.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argo-cd-argocd-server
            port:
              name: https
  tls:
  - hosts:
    - argocd.DOMAIN.com
    secretName: argocd-secret # do not change, this is provided by Argo CD

When I visit the host address, I get the following:

From Firefox, this is the certificate being issued.

From the instructions I received after enabling this addon, how do I complete the part "enable ingress in the values file server.ingress.enabled", or otherwise get my ingress working?

Update:

The Ingress description is as follows:

Answer 1

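The error message does indicate that the certificate is invalid and that the browser does not accept it. The certificate requested by the Ingress configuration and ssl-passthrough do not match. The line kubernetes.io/tls-acme: "true" must be removed from the Ingress, and a minor change made to the service name.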

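The TLS connection to ArgoCD terminates at the ArgoCD server, not at the ingress gateway. ArgoCD uses the certificate (and private key) stored in argocd-secret. The Ingress should look like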

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: argocd.<domain>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: 
            name: argocd-server
            port:
              name: https
  tls:
  - hosts:
    - argocd.<url>
    secretName: argocd-secret # not relevant

and kubectl get services must contain a line like

argocd-server     ClusterIP   10.99.19.178   <none>        80/TCP,443/TCP               179d

Result of kubectl get Ingress -n argocd

NAME                    CLASS    HOSTS                 ADDRESS         PORTS     AGE
argocd-server-ingress   <none>   argocd.k3sxx.xx   192.168.xx.xx   80, 443   15m

Details are available via kubectl get Ingress -n argocd -o yaml
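
An added example, not part of the original answer or of Argo CD: a Python check over parsed kubectl JSON output for the two problems the answer names, certificate-requesting annotations set alongside ssl-passthrough and a backend Service that does not exist in the namespace. The sample objects, the host argocd.example.test and the Service port names are constructed; treating cert-manager.io/cluster-issuer like tls-acme is an assumption drawn from its absence in the answer's manifest.

```python
# Annotations that ask the ingress layer to obtain its own certificate.
# Both are in the question's Ingress and absent from the answer's (assumption:
# treating cert-manager.io/cluster-issuer like tls-acme is inferred from that).
CERT_REQUEST = ("kubernetes.io/tls-acme", "cert-manager.io/cluster-issuer")
PASSTHROUGH = "nginx.ingress.kubernetes.io/ssl-passthrough"


def lint_ingress(ingress, services):
    """Return findings for one Ingress.

    ingress:  parsed `kubectl get ingress NAME -n NS -o json`
    services: parsed `kubectl get services -n NS -o json`
    """
    findings = []
    ann = ingress["metadata"].get("annotations", {})
    if ann.get(PASSTHROUGH) == "true":
        for key in CERT_REQUEST:
            if key in ann:
                findings.append(f"ssl-passthrough is on, but {key} requests an ingress certificate")
    # Service name -> set of its named ports.
    ports = {s["metadata"]["name"]: {p.get("name") for p in s["spec"].get("ports", [])}
             for s in services.get("items", [])}
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            svc = path["backend"]["service"]
            name, port = svc["name"], svc["port"].get("name")
            if name not in ports:
                findings.append(f"backend service {name} not found")
            elif port is not None and port not in ports[name]:
                findings.append(f"service {name} has no port named {port}")
    return findings


def make_ingress(annotations, service):
    """Build a constructed Ingress dict shaped like the manifests on this page."""
    backend = {"service": {"name": service, "port": {"name": "https"}}}
    return {"metadata": {"annotations": annotations},
            "spec": {"rules": [{"host": "argocd.example.test",
                                "http": {"paths": [{"path": "/", "backend": backend}]}}]}}


# Constructed sample data (not real cluster output).
SERVICES = {"items": [{"metadata": {"name": "argocd-server"},
                       "spec": {"ports": [{"name": "http"}, {"name": "https"}]}}]}
QUESTION = make_ingress({PASSTHROUGH: "true", "kubernetes.io/tls-acme": "true",
                         "cert-manager.io/cluster-issuer": "lets-encrypt"},
                        "argo-cd-argocd-server")
ANSWER = make_ingress({PASSTHROUGH: "true"}, "argocd-server")

if __name__ == "__main__":
    for label, ing in (("question", QUESTION), ("answer", ANSWER)):
        print(label, lint_ingress(ing, SERVICES))
```

The Service check only compares names against whatever Service list it is given, so run it with the list from the same namespace as the Ingress.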
