feat: make argocd installation manifests Istio compatible #2784

[Cajga]

Checklist:

• [ X ] Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• [ X ] The title of the PR states what changed and the related issues number (used for the release note).
• [ X ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Optional. My organization is added to USERS.md.
• [ Partly ] I've signed the CLA and my build is green (troubleshooting builds).

I've signed the CLA but apart from making some simple tests, did not run the tests locally.

This PR makes argocd installation manifests compatible with Istio. It implements this request: #2784

In case this is accepted I will make a PR to have 2 examples with Istio ingress:

TLS termination at Istio Ingress gateway
TLS termination at ArgoCD server (Istio ingress gateway is configured to TLS PASSTHROUGH)

[Cajga]

Please note that Istio is about to switch to use the labels recommended by kubernetes.
Based on the latest comment it is already working with those so the PR is making sure that argocd is using the new labels for deployments (by adding app.kubernetes.io/version to it). The PR uses argocd version for each deployments for the label.

[codecov]

Codecov Report

Merging #3893 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #3893   +/-   ##
=======================================
  Coverage   42.44%   42.44%           
=======================================
  Files         120      120           
  Lines       17567    17567           
=======================================
  Hits         7456     7456           
  Misses       9161     9161           
  Partials      950      950           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 21c93d9...8237f66. Read the comment docs.

[Cajga]

Hmm... seems I got kustomize3... I will downgrade to 2 and will commit the fixes required.

[Cajga]

Please note the ideally we would remove port 80 and keep only 443. In that case we could use https as protocol (istio does not support multiple protocols for a single service ports and as such we have to go down to TCP which works fine with two ports but we will lack http level information in Istio telemetry).
I did not want to put that into the PR as that would be probably too big change... or?

[jannfis]

We can't remove port 80 from this service, because many people actually run ArgoCD using HTTP mode and doing TLS termination elsewhere.

[Cajga]

Yes, that is my plan as well (doing TLS termination at the Istio gateway level) but to be honest, I believe we should have one way of doing it as default (like keep 443 as that is a simple, "secure" setup) and document all the other possibilities (like how to do TLS termination elsewhere).
I have Istio config for both (Istio passthrough with TLS termination at argocd-server and Istio TLS termination with Istio mTLS and argocd-server using http) and planning to send a PR to your Ingress docu page.

[Cajga]

As the version is a variable and kustomize does not support such external variables (more info on this here) I had to introduce "simple templating" to properly set the version labels on deployments with kustomize

[Cajga]

@jannfis would you need any more information to get this reviewed/merged?

[jannfis]

@Cajga Awesome work! I was first under the impression that this change would be somewhat intrusive to the manifests, but I think the pros outweigh the cons. I think that especially the version tag is very useful, also for troubleshooting ("Does someone use old versions of manifests with a newer version of the application").

@alexmt @jessesuen are there any dependencies on service names that I don't know of?

[jannfis]

LGTM. Waiting for others to raise their hands, if necessary.

[jannfis]

I just noticed that changing the service names would be a breaking change for many that refer to service names in their ingress.

Maybe it would make sense to provide a new set of services compatible with Istio instead of modifying the existing ones?

[Cajga]

I just noticed that changing the service names would be a breaking change for many that refer to service names in their ingress.

Maybe it would make sense to provide a new set of services compatible with Istio instead of modifying the existing ones?

We do not change the service names but we do the name of the service ports. I think you were referring to that and yes, seems you are right, this would break the normal ingress config if it follows the examples from the website.

So, should we have new install files compatible with istio? If yes, which way would you prefer:

1. under its own directory (like manifests/istio-compatible/install.yaml)?
2. just append -istio to the name of the existing yaml files (like manifests/install-istio.yaml etc.)

[yogeek]

Hello everyone :)

@Cajga I am currently struggling to expose ArgoCD UI with Istio Gateway/VirtualService and I would like to know if this PR is still ongoing or otherwise, where can I find intel about the good argocd-server options (deployment options + service config) and the corresponding Istio manifests.
Thank you

[sbose78]

Queued for discussion at the contributor meeting

[omidb]

Hi, thanks for working on this. what's the status of this PR? @Cajga @sbose78
Is there any other activity on Istio + argocd ?

[roee-landesman]

I'm also in support of this PR as we use Istio for ingress and would like a native integration with ArgoCD. Thanks!

[tafaust]

@jannfis @Cajga Any chance this PR can make its way into upstream? We are currently on the brink of whether to opt for argocd or fluxcd in our company.

[crenshaw-dev]

@jannfis as far as I can tell, your concern about this PR (changing service names) has been addressed. Are we okay to move forward?

@Cajga are you still available to resolve conflicts? If not, would someone like to open a new PR based on this one?

[Hronom]

This PR relates to this issue #2784 please can you merge it?

[pre]

Would be superb to get this merged OR create list of steps required to get this merged.

Istio requires the application protocol be specified in the Service resources so that the port's name is protocol-suffix (eg http-metrics).

It'd be a straightforward change for ArgoCD to name the ports as eg.http-metrics instead of metrics in the default manifests. Now these need to be overridden eg. with kustomize when deploying argocd with istio mtls:

• metrics -> http-metrics
• webhook -> http-webhook
• server -> https-server (argocd-repo-server)

https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/

[howardjohn]

I just noticed that changing the service names would be a breaking change for many that refer to service names in their ingress.

Maybe it would make sense to provide a new set of services compatible with Istio instead of modifying the existing ones?

You could set appProtocol instead. That should be backwards compatible, is supported by istio, and is likely supported by other things as it is a k8s-defined standard.

[pre]

I just noticed that changing the service names would be a breaking change for many that refer to service names in their ingress.
Maybe it would make sense to provide a new set of services compatible with Istio instead of modifying the existing ones?

You could set appProtocol instead. That should be backwards compatible, is supported by istio, and is likely supported by other things as it is a k8s-defined standard.

Service name does not need to be changed, only the port name is.

Probably setting the appProtocol would work too, however, it might perhaps break on a non-istio setup? Currently it takes a lot of trial and error to get Istio mTLS working with ArgoCD due to the missing protocol definitions in argocd manifests (unless one finds eg this Github issue which defines the correct values).

Especially the argocd-repo-server https-server was tricky to find out because all other services need a http-prefix.

Also the argocd-server https port needs to be removed because argocd-server already has http. Argocd can’t correctly detect the connection type with istio mtls hence the https port mixes up the setup.

Full set of required changes is here: #2784 (comment)

EDIT: Also the dex service port needs to be renamed from http to either https or tcp: #6183 (comment)

[Cajga]

Hi All, sorry but we are not using ArgoCD nor Istio anymore. I am afraid someone will have to take this PR over as I have to focus on projects that we use.

[eightseventhreethree]

This is an issue for us. I manually renamed the port, but this means that upgrades to the chart will break SSO.

[todaywasawesome]

The author of this PR is no longer working on it, so I'm going to close it but I strongly encourage someone else to pick it up and get it over the finish line.