Wrong Ingress documentation about Contour

[swood]

Hello, I found that the documentation here is wrong:
https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/

I can reach the UI with this configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    ingress.kubernetes.io/force-ssl-redirect: "true"
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/issue-temporary-certificate: "true"
    kubernetes.io/ingress.class: contour
    kubernetes.io/tls-acme: "true"
    projectcontour.io/upstream-protocol.tls: "443"
spec:
  tls:
  - secretName: argocd
    hosts:
    - argocd-server.domain.com
  rules:
  - host: "argocd-server.domain.com"
    http:
      paths:
      - pathType: ImplementationSpecific
        #path: "/"
        backend:
          service:
            name: argocd-server
            port:
              number: 443

However I can't login via console utility:

$ argocd login argocd-server.domain.com --grpc-web
Username: admin
Password:
FATA[0012] rpc error: code = Unknown desc = POST https://argocd-server.domain.com:443/session.SessionService/Create failed with status code 404

$ argocd login argocd-server.domain.com --grpc-web-root-path /
Username: admin
Password:
FATA[0011] rpc error: code = Unknown desc = POST https://argocd-server.domain.com:443/session.SessionService/Create failed with status code 404

To reach the UI I added --insecure to the Deployment configuration and patched the Argo-server service into LoadBalancer.

Could you please help me to fix this configuration to use with console utility?

[jessesuen]

With contour, I recommend terminating TLS at the pod. I think the problem is that contour doesn't like the different protocols (gRPC & HTTP) happening on the same port and gets confused even though the client is sending HTTP using the --grpc-web flag. You can use the following HTTPProxy using Contour's TLS passthrough feature to allow argocd to decrypt TLS:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: argocd-server
spec:
  ingressClassName: contour  # adjust to your env
  virtualhost:
    fqdn: cd.demo.akuity.io
    tls:
      passthrough: true
  tcpproxy:
    services:
    - name: argocd-server
      port: 443
  # this route allows port 80 to reach the argocd-server which will return 301 to HTTPS
  routes:
  - services:
    - name: argocd-server
      port: 80
    conditions:
    - prefix: /

In your argocd-server Deployment, you would not use the --insecure flag.

The CLI client would login without the --grpc-web flag and use normal gRPC. Argocd will handle the mux between the two protocols.

argocd login cd.demo.akuity.io --sso

[swood]

Unfortunately, it still doesn't work.

[swood]

I am also tried other examples of ingress configuration for ArgoCD and non of those goes work. It seems to me that you are not interested in whether correct documentation or works examples as you are more orientated on your commercial product.

[Simon-Boyer]

@swood I stumbled into the same problem recently. It's been a while but here is my solution which allows me to terminate TLS with contour (using httpproxy):

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: argocd
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  virtualhost:
    fqdn: my-fqdn
    tls:
      secretName: argocd-tls
  routes:
  - conditions:
    - header:
        contains: application/grpc
        name: Content-Type
    services:
    - name: argocd-server
      port: 80
      protocol: h2c
  - services:
    - name: argocd-server
      port: 80

Basically this is routing based on the content-type header. If it's grpc, it's using HTTP2 cleartext to talk to argo which makes grpc works correctly.

@jessesuen If you think this is a good solution, I could open a PR on the documentation to add this.