# Routes

The Argo CD Operator offers support for managing OpenShift Routes to access the Argo CD resources.

Once the operator is deployed and running, create a new ArgoCD custom resource.
The following example shows the minimal configuration required to create a new ArgoCD
environment with the default configuration.

``` bash
oc create -f examples/argocd-route.yaml
```

There will be several resources created.

``` bash
oc get pods
```

``` bash
NAME                                                     READY   STATUS    RESTARTS   AGE
example-argocd-application-controller-7c74b5855b-brn7s   1/1     Running   0          29s
example-argocd-dex-server-859bd5458c-78c8k               1/1     Running   0          29s
example-argocd-redis-6986d5fdbd-vzzjp                    1/1     Running   0          29s
example-argocd-repo-server-7bfc477c58-q7d8g              1/1     Running   0          29s
example-argocd-server-7d56c5bf4d-9wxz6                   1/1     Running   0          29s
argocd-operator-758dd86fb-qshll                          1/1     Running   0          51s
```

The ArgoCD Server should be available via an OpenShift Route.

``` bash
oc get routes
```

``` bash
NAME                    HOST/PORT                                            PATH   SERVICES                PORT   TERMINATION     WILDCARD
example-argocd-server   example-argocd-server-argocd.apps.test.example.com          example-argocd-server   http   edge/Redirect   None
```

The Route is `example-argocd-server` in this example and should be available at the HOST/PORT value listed. The admin
password is stored in the `argocd-cluster` secret in the installation namespace.

To get the password for the admin user:

```shell
$ kubectl get secret argocd-cluster -n argocd -ojsonpath='{.data.admin\.password}' | base64 --decode
```

## Setting TLS modes for routes

You can parameterize the route's TLS configuration by setting appropriate values in the `.spec.server.route.tls` field of the `ArgoCD` CR.

### TLS edge termination mode

In `edge` termination mode, the route controller terminates the TLS connection and proxies the requests
to Argo CD in plain text throughout the cluster.

The `edge` termination mode requires the Argo CD server to run in `insecure` mode, so that it accepts
HTTP requests instead of TLS requests.

To set a route to `edge` mode, you can use the following configuration:

```yaml
spec:
  server:
    insecure: true
    route:
      enabled: true
      tls:
        termination: edge
        insecureEdgeTerminationPolicy: Redirect
```

Keep in mind that the connection will be unencrypted within your cluster.

### TLS passthrough mode

In `passthrough` mode, TLS is terminated not at the route controller but at the `argocd-server` service. This means
that Argo CD needs to be configured with a valid TLS certificate; otherwise clients will issue
a warning when trying to connect.

To set a route to `passthrough` mode, you can use the following configuration:

```yaml
spec:
  server:
    route:
      enabled: true
      tls:
        termination: passthrough
```

### TLS reencrypt mode

The `reencrypt` mode works a bit like the `edge` mode, in that TLS termination of the client
connection happens at the route controller. However, unlike `edge` mode, the communication between
the route controller and the Argo CD server is encrypted as well, so the Argo CD server
does not need to be set to `insecure` mode.

For this to work, the route controller needs to be able to validate the Argo CD server's TLS
certificate; otherwise the request will fail.

If you enable `reencrypt` mode in an OCP cluster, the Operator will request a valid TLS
certificate for the `argocd-server` service from OpenShift's Service CA, which is sufficient
for satisfying the validation constraints of the route controller.
The Service CA will issue
this certificate to a secret named `argocd-server-tls` in the operand's namespace if it does
not yet exist.

If you later choose to switch back to another TLS termination policy, you should manually
delete the `argocd-server-tls` secret from the namespace after changing the mode.

To enable `reencrypt` mode, you can use the following configuration:

```yaml
spec:
  server:
    route:
      enabled: true
      tls:
        termination: reencrypt
        insecureEdgeTerminationPolicy: Redirect
```

### Host for Route in Argo CD Status

When setting up access to Argo CD via a Route, you can retrieve the hostname used for accessing the Argo CD installation through the ArgoCD Operand's `status` field. To expose the `host` field, run `kubectl edit argocd argocd` and then edit the Argo CD instance server to have route enabled as `true`, like so:

```yaml
server:
  autoscale:
    enabled: false
  grpc:
    ingress:
      enabled: false
  ingress:
    enabled: false
  route:
    enabled: true
  service:
    type: ""
tls:
  ca: {}
```

If a route is found, your hostname can now be accessed by inspecting your Argo CD instance. It will look like the following:

```yaml
status:
  applicationController: Running
  dex: Running
  host: argocd-server-default.my-cluster-url.openshift.com
  phase: Available
  redis: Running
  repo: Running
  server: Running
  ssoConfig: Unknown
```

If the status of the Route is pending, this will affect the overall status of the Operand by making it `Pending` instead of `Available`. Once the Route is available, the status of the Operand should change to `Available`.

Note that Routes are specific to OpenShift clusters, so in non-OpenShift clusters enabling Route will yield no results.
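
Returning to the TLS termination modes described above: the following is an added example, not part of the operator or its documentation, that checks an `ArgoCD` CR (as JSON, for instance from `kubectl get argocd <name> -o json`) for the mode and `insecure` combinations this page describes and for a leftover `argocd-server-tls` secret. The function name, the severity labels and the sample CR are assumptions made for illustration.

```python
import json

# Constructed sample: a trimmed ArgoCD CR as `kubectl get argocd ... -o json` would print it.
SAMPLE_CR = json.loads("""
{"kind": "ArgoCD", "metadata": {"name": "example-argocd", "namespace": "argocd"},
 "spec": {"server": {"insecure": false,
                     "route": {"enabled": true, "tls": {"termination": "edge"}}}}}
""")

SERVICE_CA_SECRET = "argocd-server-tls"  # secret name as given on this page


def audit_route_tls(cr, secret_names=()):
    """Return (severity, message) findings for the CR's route TLS settings.

    secret_names: names of the secrets present in the operand's namespace.
    """
    server = cr.get("spec", {}).get("server") or {}
    route = server.get("route") or {}
    if not route.get("enabled"):
        return []  # no Route requested, nothing to check
    mode = (route.get("tls") or {}).get("termination")
    insecure = bool(server.get("insecure"))
    findings = []
    if mode is None:
        findings.append(("info", "termination not set; no mode-specific checks run"))
    elif mode == "edge":
        if not insecure:
            findings.append(("error", "edge requires spec.server.insecure: true"))
        findings.append(("warn", "edge: router-to-server traffic is plain HTTP"))
    elif mode in ("passthrough", "reencrypt"):
        # Inference from the page: both modes need argocd-server to speak TLS,
        # while insecure mode makes it accept HTTP instead.
        if insecure:
            findings.append(("error", f"{mode} needs TLS on argocd-server, "
                                      "but spec.server.insecure is true"))
    else:
        findings.append(("error", f"unknown termination mode: {mode!r}"))
    if mode in ("edge", "passthrough") and SERVICE_CA_SECRET in secret_names:
        findings.append(("warn", f"stale secret {SERVICE_CA_SECRET}: delete it "
                                 "after leaving reencrypt mode"))
    return findings


if __name__ == "__main__":
    secrets = {"argocd-cluster", SERVICE_CA_SECRET}  # constructed secret listing
    for severity, message in audit_route_tls(SAMPLE_CR, secrets):
        print(f"{severity.upper():5} {message}")
```
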