I would like to run ArgoCD behind Traefik such that I can both access the ArgoCD web ui and interact with the argocd API using the argocd command line tool.
-
I have deployed ArgoCD into a Kubernetes cluster from the upstream manifests.
-
I have deployed Traefik as in ingress server from the helm chart. I haven't set any chart values other than the log level.
-
I am using the following Ingress resource:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: argocd spec: tls: - hosts: - argocd.internal secretName: argocd-certificate rules: - host: argocd.internal http: paths: - path: / pathType: Prefix backend: service: name: argocd-server port: number: 80 -
The secret
argocd-certificateexists and has a valid certificate and key intls.crtandtls.key.
With this in place, I can access ArgoCD at http://argocd.internal, but attempts to access it at https://argocd.internal fail with:
$ curl https://argocd.internal
404 page not found
(Note that there is no certificate error; the endpoint is servering the certificate configured in the Ingress resource.)
I'm not sure what's going on here: I haven't bound this to any particular Traefik endpoint, so I would expect it to be available on all endpoints...and when we query the Traefik API, we see:
$ curl -sf 'http://localhost:9000/api/http/routers?search=&status=&per_page=6&page=1' |
jq '.[]|select(.service == "argocd-argocd-server-80")'
{
"entryPoints": [
"metrics",
"web",
"websecure"
],
"service": "argocd-argocd-server-80",
"rule": "Host(`argocd.internal`) && PathPrefix(`/`)",
"status": "enabled",
"using": [
"metrics",
"web",
"websecure"
],
"name": "argocd-argocd-argocd-internal@kubernetes",
"provider": "kubernetes"
}
Which confirms that the router is available on all endpoints.
What's going on here -- why does this only seem to do the right thing when accessed via http:// and not via https://?