Exposing ArgoCD Using Kubernetes Ingress
ArgoCD can be exposed via Kubernetes Ingress without requiring an external Nginx or reverse proxy. This is particularly useful if you have an Ingress controller like Traefik or NGINX Ingress already installed in your cluster.
1. Keep ArgoCD Service as ClusterIP
For Ingress, the argocd-server service can remain ClusterIP. NodePort or LoadBalancer is not required.
kubectl -n argocd get svc argocd-server
2. Create an Ingress Resource
Example argocd-server-ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: argocd-server-ingress
namespace: argocd
annotations:
kubernetes.io/ingress.class: "traefik" # or "nginx" depending on your controller
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: argocd.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: argocd-server
port:
number: 80
Apply the Ingress:
kubectl -n argocd apply -f argocd-server-ingress.yaml
3. Update ArgoCD ConfigMap for Ingress
When using an Ingress controller with TLS termination, ArgoCD may redirect HTTP to HTTPS internally, causing redirect loops. Fix this by editing argocd-cmd-params-cm:
kubectl -n argocd edit configmap argocd-cmd-params-cm
Add or update:
data:
server.insecure: "true"
Then restart the server:
kubectl -n argocd rollout restart deployment argocd-server
4. Test Access
After Ingress is applied, you can access ArgoCD via the hostname configured in your Ingress rule:
http://argocd.example.com
If using TLS termination in the Ingress controller, use HTTPS:
https://argocd.example.com
5. Key Points
- ClusterIP is sufficient when using Ingress.
- NodePort or LoadBalancer is not required.
- ConfigMap
server.insecureprevents redirect loops when TLS is terminated by the Ingress controller. - Ensure the Ingress controller supports WebSocket headers for ArgoCD UI and API functionality.
This approach is fully in-cluster and eliminates the need for an external reverse proxy.