我们尝试使用 istio 入口网关访问 ArgoCD 服务器,但没有成功。它自动重定向到 HTTPS,页面显示服务器无法访问。我们在互联网上尝试了各种建议,但尚未成功。下面是我们的设置。请帮助我们解决这个问题。
启用 istio sidecar 注入
kubectl label namespace argocd istio-injection=enabled
告诉 argocd-server 以“不安全模式”启动,请参阅链接
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
namespace: argocd
labels:
app.kubernetes.io/name: argocd-cmd-params-cm
app.kubernetes.io/part-of: argocd
data:
server.insecure: "true"
修补后的 argocd 服务器部署请参阅链接
kubectl patch deployment \
argocd-server \
--namespace argocd \
--type='json' \
-p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": [
"server",
"--auth-mode=server"
]}]'
虚拟服务
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: argocd-virtual-service
namespace: argocd
spec:
hosts:
- argocd.lumik.com
gateways:
- argocd-gateway
http:
- route:
- destination:
host: argocd-server.argocd.svc.cluster.local
port:
number: 80
Istio 网关
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: argocd-gateway
namespace: argocd
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- argocd.lumik.com
port:
name: https
number: 443
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: argocd-secret
- hosts:
- argocd.lumik.com
port:
name: http
number: 80
protocol: HTTP
tls:
httpsRedirect: true
Istio Destination 规则参考link
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: argocd-server-dtrl
namespace: istio-system
spec:
host: argocd-server.argocd.svc.cluster.local
trafficPolicy:
tls:
mode: DISABLE
根据您发布的设置指南和他们的 github 上的快速入门清单,argo-server 绑定到端口 2746。同一端口还有一个相应的服务(来自他们的快速入门清单):
---
apiVersion: v1
kind: Service
metadata:
name: argo-server
spec:
ports:
- name: web
port: 2746
targetPort: 2746
selector:
app: argo-server
所以你的
VirtualService80host:portistioctl analyze --namespace argocdVirtualServiceapiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: argocd-virtual-service
namespace: argocd
spec:
hosts:
- argocd.lumik.com
gateways:
- argocd-gateway
http:
- route:
- destination:
host: argocd-server.argocd.svc.cluster.local
port:
number: 2764 # port of the argo-service Service manifest
请尝试此链接,这是描述问题和解决方案的漂亮链接。如果您仍然遇到该问题,请告诉我。
https://pet2cattle.com/2022/03/argocd-redirect-loop
这里基本上有两个解决方案:
服务器: 额外参数:
--不安全
启用 TLS b/w 入口和 argocd nginx 服务器
服务器: 入口: 启用:真 https:正确
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/group.name: argocd
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
**alb.ingress.kubernetes.io/backend-protocol: HTTPS**
hosts:
- "argocd.pet2cattle.com"
在 helm 文件中,将 server.ingress.https 设置为 true,然后添加 alb.ingress.kubernetes.io/backend-protocol 注释以告诉 ALB 使用 https 而不是 http。
@NitinGarg。是的,我现在有工作解决方案。ArgoCD UI 可以通过 Istio-GW 和 VS 访问。没有目标规则。我认为没有必要。
步骤: 编辑 cm argocd-cmd-params-cm -n argocd 在数据部分设置 server.insecure: "true"
---
apiVersion: v1
data:
applicationsetcontroller.enable.leader.election: "false"
.
.
repo.server: argo-cd-argocd-repo-server:8081
reposerver.log.format: text
**server.insecure: "true"**
server.log.format: text
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
namespace: argocd
name: dev-argocd-vs
spec:
hosts:
- "argocd1.vyomsoft.lab.tech"
gateways:
- istio-ingress-gateway-argo
http:
- route:
- destination:
host: argo-cd-argocd-server.argocd.svc.cluster.local
port:
number: 80
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
namespace: argocd
name: istio-ingress-gateway-argo
spec:
selector:
istio: ingressgateway
app: istio-ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
tls:
httpsRedirect: true
hosts:
- "argocd1.vyomsoft.lab.tech"
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: lab-argocd-tls-ca
hosts:
- "argocd1.vyomsoft.lab.tech"