DEV Community

John Ajera
John Ajera

Posted on

Argo CD Ingress Stuck – Find & Fix

#argocd #eks #ingress #troubleshooting

Argo CD Ingress Stuck – Find & Fix

When Argo CD ingress gets stuck—no ADDRESS assigned or stuck in Terminating—the AWS Load Balancer Controller may be failing to reconcile. Use the steps below to find the cause and apply fixes.

1. Overview

Common causes:

  • Stale ssl-redirect annotation without certificate-arn—ALB controller cannot create the HTTPS listener
  • Ingress stuck in deletion—finalizers prevent removal (e.g. ingress.k8s.aws/resources)
  • ALB controller errors—certificate validation or security group cleanup failures

What this guide does:

  • Confirms the ingress is stuck and why (no ADDRESS or stuck in Terminating)
  • Shows how to check for stale annotations and controller logs
  • Removes the ssl-redirect annotation when it blocks creation
  • Clears finalizers when the ingress is stuck in deletion

2. Prerequisites

Before starting, ensure you have:

  • kubectl configured with context set to your cluster
  • Permissions to get, patch, and annotate resources in the argocd namespace

3. Confirm the Ingress Is Stuck

Check ingress status:

kubectl get ingress -n argocd -o wide
Enter fullscreen mode Exit fullscreen mode

No ADDRESS = stuck (controller hasn't provisioned the load balancer).

Check if stuck in deletion:

kubectl get ingress -A -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,DELETING:.metadata.deletionTimestamp,ADDRESS:.status.loadBalancer.ingress[0].hostname'
Enter fullscreen mode Exit fullscreen mode

DELETING set + empty ADDRESS = stuck in Terminating.

4. Check for Stale ssl-redirect

ssl-redirect without certificate-arn causes the ALB controller to fail creating the HTTPS listener:

kubectl get ingress argocd-server-ingress -n argocd -o jsonpath='{.metadata.annotations}' | tr ',' '\n' | grep -E "listen-ports|ssl-redirect|certificate"
Enter fullscreen mode Exit fullscreen mode

If you see ssl-redirect but no certificate-arn, remove the annotation (see step 6).

5. Check ALB Controller Logs

Inspect the controller logs for errors:

kubectl logs -n aws-load-balancer-controller -l app.kubernetes.io/name=aws-load-balancer-controller --tail=200 | grep -i -E "argocd|certificate|CreateListener|error|failed|delet"
Enter fullscreen mode Exit fullscreen mode

Look for:

  • ValidationError: A certificate must be specified for HTTPS listeners
  • failed to delete securityGroup

6. Fix: Remove Stale ssl-redirect

If the ingress has ssl-redirect but no certificate-arn:

kubectl annotate ingress argocd-server-ingress -n argocd alb.ingress.kubernetes.io/ssl-redirect-
Enter fullscreen mode Exit fullscreen mode

The controller should reconcile and provision the load balancer (HTTP-only initially, or HTTPS if you add the certificate annotation separately).

7. Fix: Unstick Ingress Stuck in Deletion

If the ingress is stuck in Terminating, clear its finalizers:

kubectl patch ingress argocd-server-ingress -n argocd -p '{"metadata":{"finalizers":null}}' --type=merge
Enter fullscreen mode Exit fullscreen mode

Note: Use this only when you intend to delete the ingress. If you want to keep it, removing finalizers while it's in deletion may leave orphaned AWS resources; fix the underlying issue instead.

8. Summary: Copy-Paste

Use this sequence when you know the ingress name is argocd-server-ingress:

# 1. Remove stale ssl-redirect (if blocking creation)
kubectl annotate ingress argocd-server-ingress -n argocd alb.ingress.kubernetes.io/ssl-redirect-

# 2. Clear finalizers (if stuck in Terminating)
kubectl patch ingress argocd-server-ingress -n argocd -p '{"metadata":{"finalizers":null}}' --type=merge
Enter fullscreen mode Exit fullscreen mode

9. Troubleshooting

Issue: Ingress still has no ADDRESS after removing ssl-redirect

Solution: Check ALB controller logs (step 5). Ensure the controller is running, has IAM permissions, and that subnet tags (for internal/private ALBs) are correct. Add certificate-arn if you need HTTPS.

Issue: Ingress reappears or is recreated by Argo CD

Solution: Update the Argo CD manifest or Helm values to remove the ssl-redirect annotation and add certificate-arn if needed. Let Argo CD reconcile; avoid patching in a loop.

Issue: Orphaned load balancer or security groups after clearing finalizers

Solution: Manually delete the ALB and security groups in the AWS console if the controller didn't clean them up. Consider fixing the controller before force-deleting ingresses.

10. References

Top comments (0)