Managing secure access to ArgoCD's web UI on Google Cloud Platform (GCP) can be streamlined with Kubernetes Ingress and cert-manager. This guide walks you through configuring ArgoCD to be accessible via a custom domain with HTTPS, automatically issuing and renewing TLS certificates from Let's Encrypt.
Prerequisites
- ArgoCD installed in a Kubernetes cluster on GCP
- nginx ingress controller installed and running with SSL passthrough enabled
- kubectl configured to manage your cluster
- A DNS record pointing your domain (e.g., `argocd-example.com`) to the ingress controller's external IP
Step 1: Install cert-manager
cert-manager automates certificate management on Kubernetes.
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
kubectl wait --for=condition=available --timeout=3m deployment/cert-manager -n cert-manager
```
Step 2: Create a ClusterIssuer for Let's Encrypt
Create a file `cluster-issuer.yaml`:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com # Change this to your email
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
```
Apply it:
```bash
kubectl apply -f cluster-issuer.yaml
```
Step 3: Patch ArgoCD Server Service to Use HTTPS Port Name
Ensure the `argocd-server` service exposes port 443 with name `https` pointing to 8080:

```bash
kubectl -n argocd patch svc argocd-server -p '{"spec": {"ports": [{"name": "https", "port": 443, "targetPort": 8080}]}}'
```
Step 4: Create the Ingress Definition with cert-manager Annotation
Save the following as `argocd-ingress.yaml`:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
    - host: argocd-example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: argocd-server
                port:
                  name: https
  tls:
    - hosts:
        - argocd-example.com
      secretName: argocd-server-tls
```
Apply the ingress resource:
```bash
kubectl apply -f argocd-ingress.yaml
```
Step 5: Update ArgoCD Configuration Map
Update ArgoCD to recognize the new URL:
```bash
kubectl patch cm argocd-cm -n argocd --type merge -p '{"data":{"url":"https://argocd-example.com"}}'
```
Step 6: Restart ArgoCD Server Deployment
Reload ArgoCD server to apply changes:
```bash
kubectl rollout restart deployment argocd-server -n argocd
```
Step 7: Update DNS Records
Point the `argocd-example.com` DNS A or CNAME record to your ingress controller's external IP, retrievable via:

```bash
kubectl -n ingress-nginx get svc ingress-nginx-controller
```
Verification
- Check the status of the issued certificate:

  ```bash
  kubectl describe certificate -n argocd argocd-server-tls
  ```

- Access ArgoCD at `https://argocd-example.com` in a browser; it should load securely with a valid Let’s Encrypt TLS certificate.
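
An added example, not part of the original guide: a shell helper that compares the cert-manager Certificate's Ready condition with the issuer of the certificate the ingress actually serves, which separates a completed issuance from the ingress-nginx default certificate. It assumes the guide's names (`argocd-example.com`, `argocd`, `argocd-server-tls`) and `openssl` on the workstation; the function names are illustrative, and the staging label covers a case the guide itself does not use.

```shell
#!/bin/sh
# Defaults are the guide's names; override through the environment.
HOST="${HOST:-argocd-example.com}"
NS="${NS:-argocd}"
CERT="${CERT:-argocd-server-tls}"

# Ready condition of the cert-manager Certificate: "True", "False" or empty.
cert_ready() {
  kubectl -n "$NS" get certificate "$CERT" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null
}

# Issuer line of the certificate the ingress actually serves (needs network).
served_issuer() {
  echo | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null |
    openssl x509 -noout -issuer 2>/dev/null
}

# Map an issuer line to a short label.
classify_issuer() {
  case "$1" in
    *"Kubernetes Ingress Controller Fake Certificate"*) echo ingress-default ;;
    *"(STAGING)"*) echo le-staging ;;   # assumption: staging issuer, not used in the guide
    *"Let's Encrypt"*) echo le-production ;;
    *) echo unknown ;;
  esac
}

# verdict READY ISSUER_LINE: print a diagnosis, return 0 only when healthy.
verdict() {
  kind="$(classify_issuer "$2")"
  if [ "$1" != "True" ]; then
    echo "pending: Certificate not Ready, ingress serves $kind"
    return 1
  fi
  case "$kind" in
    le-production) echo "ok: Let's Encrypt production certificate served" ;;
    ingress-default)
      echo "mismatch: Ready, but ingress serves its default certificate"
      return 1 ;;
    *) echo "unexpected issuer ($kind): $2"; return 1 ;;
  esac
}

# Live check against the cluster and the public endpoint; run by hand: check
check() { verdict "$(cert_ready)" "$(served_issuer)"; }
```

A `mismatch` result usually means the Ingress `tls.hosts` or `secretName` does not line up with the Certificate; a `pending` result is the point at which to run the `kubectl describe certificate` command above.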
To get the ArgoCD admin password in Kubernetes, use the following command, which retrieves the initial admin password stored as a Kubernetes secret and decodes it from base64:

```bash
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
```

This command fetches the password from the secret named `argocd-initial-admin-secret` in the `argocd` namespace, which is the default namespace where ArgoCD is installed.
Additional Details:
- The default username is `admin`.
- If you want to reset the admin password, you can nullify the current password in the `argocd-secret` and restart the ArgoCD server pods to revert to the initial password from the secret.
- To reset, run:

```bash
kubectl -n argocd patch secret argocd-secret -p '{"data": {"admin.password": null, "admin.passwordMtime": null}}'
kubectl delete pods -n argocd -l app.kubernetes.io/name=argocd-server
```

Then retrieve the initial password again with the first command.
By combining Kubernetes Ingress, cert-manager, and ArgoCD, you can securely expose your Kubernetes GitOps dashboard with fully automated certificate management on GCP.