ArgoCD ingress tls secret clarification #6173

psibi · 2021-05-06T05:30:57Z

psibi
May 6, 2021

Right now in the ingress docs, this is what is mentioned in it's manifest for tls:

tls:
- hosts:
  - argocd.example.com
  secretName: argocd-secret # do not change, this is provided by Argo CD

Now I don't understand why argocd-secret is required. Infact, when I
tried out using some other secret name - it's working fine for me.

On inspecting the helm chart, I don't see any such thing documented
there:
https://github.com/argoproj/argo-helm/blob/dbec4ad82e98770e7768eda751e771683fadf0db/charts/argo-cd/values.yaml#L519

Looking into the git history, it seemed to be initially introduced in
this PR: https://github.com/argoproj/argo-cd/pull/2629/files

So my question: Is the secret name required to be argocd-secret ? (If yes, it would be nice to have it documented on why it's required to be argocd-secret. I believe that will explain why in my setup it works without the secret name being argocd-secret)

I can send a PR improving the docs, if I get a better idea about this.

(Sorry for the cross-post between here and Slack.)

Answered by jannfis

May 6, 2021

Hey, indeed it is not a hard requirement to have your Ingress use the argocd-secret for TLS configuration, but can point to any other secret that contains tls.crt and tls.key keys in its data.

However, the specific scenario you mentioned involves Ingress TLS pass-through and cert-manager. For passthrough to work, the service must terminate TLS, and the Ingress will just pass down the TLS connection to the service. Cert-manager needs to update a secret with TLS certificate and key, and Argo CD will use the tls.key and tls.crt for configuring its TLS endpoint.

So, if you are using any other secret for TLS configuration in your Ingress, you either have to configure the connection between Ing…

View full answer

jannfis · 2021-05-06T07:57:15Z

jannfis
May 6, 2021
Maintainer

Hey, indeed it is not a hard requirement to have your Ingress use the argocd-secret for TLS configuration, but can point to any other secret that contains tls.crt and tls.key keys in its data.

However, the specific scenario you mentioned involves Ingress TLS pass-through and cert-manager. For passthrough to work, the service must terminate TLS, and the Ingress will just pass down the TLS connection to the service. Cert-manager needs to update a secret with TLS certificate and key, and Argo CD will use the tls.key and tls.crt for configuring its TLS endpoint.

So, if you are using any other secret for TLS configuration in your Ingress, you either have to configure the connection between Ingress and Argo CD to be unencrypted (e.g. --insecure on the argocd-server side and backend-protocol: http on the Ingress side), or establish TLS trust between Ingress and Argo CD yourself.

A recent change (#6071, to be released with v2.1) will allow you to also use a dedicated secret for this purpose, instead of the generic argocd-secret one.

HTH.

1 reply

psibi May 6, 2021
Author

Thanks, this helps.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ArgoCD ingress tls secret clarification #6173

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

ArgoCD ingress tls secret clarification #6173

psibi May 6, 2021

Replies: 1 comment · 1 reply

jannfis May 6, 2021 Maintainer

psibi May 6, 2021 Author

psibi
May 6, 2021

Replies: 1 comment 1 reply

jannfis
May 6, 2021
Maintainer

psibi May 6, 2021
Author