How to Permanently Expose Argo CD on OpenShift

If you're currently using the kubectl port-forward command to access your Argo CD server on OpenShift, you might be looking for a more permanent solution that doesn't require you to run this command every time you want to access the server. Port-forwarding is a quick way to expose services running within your cluster, but it is not a sustainable method for long-term access or production environments.

Here’s how you can set up a permanent, more reliable way to access your Argo CD server on OpenShift.

1. Understanding the Problem

The command you’re using:

kubectl port-forward service/argocd-server -n argocd 8080:443

is forwarding traffic from your local machine (on port 8080) to the Argo CD server’s service in the cluster (on port 443). This command is temporary and will stop once the terminal session ends or the process is interrupted. For a permanent solution, you'll need to configure a route or use an Ingress on OpenShift to expose the Argo CD service.

2. Creating a Route on OpenShift

OpenShift has a built-in routing layer that allows you to expose services to the outside world. A Route is an OpenShift-specific way of exposing a service. It is the most straightforward way to make Argo CD accessible permanently.

Here’s how you can create a Route to expose Argo CD:

  • Log in to your OpenShift cluster:

oc login --token=<token> --server=<api-server-url>

  • Create a new route for the Argo CD server:

oc expose service/argocd-server -n argocd --port=443 --name=argocd-route

This command will create a Route named argocd-route in the argocd namespace that exposes the Argo CD server service on port 443.

  • Verify the route is created:

oc get routes -n argocd

You should see output that includes the hostname of the newly created route. This hostname is the URL that you can use to access your Argo CD server from outside the cluster.

3. Configuring TLS for the Route

A route created with oc expose is unsecured: it serves plain HTTP. For a production setup, you'll want to secure it with HTTPS. You can create a secure route by specifying a TLS termination policy:

oc create route edge argocd-server --service=argocd-server --hostname=<desired-hostname> -n argocd

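Replace <desired-hostname> with a domain name that you own or control. The edge termination policy means that TLS terminates at the router, and traffic between the router and the service travels in plain text inside the cluster. Because argocd-server serves TLS itself by default, edge termination only works when the server is started with --insecure. You can change this to passthrough if you want the TLS connection to terminate at the service, which keeps the traffic encrypted all the way to Argo CD.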
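The two termination choices described above, written as Route manifests (an added example, not from the original post). The route names and the service port names http and https are assumptions; <desired-hostname> is the same placeholder as in the command.

```yaml
# Option A: edge, the manifest form of `oc create route edge`.
# TLS ends at the router; router -> pod traffic is plain HTTP, so
# argocd-server has to run with --insecure for this to work.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: argocd-server-edge          # assumed name
  namespace: argocd
spec:
  host: <desired-hostname>
  to:
    kind: Service
    name: argocd-server
  port:
    targetPort: http                # assumed service port name
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect   # send http:// requests to https://
---
# Option B: passthrough. The router forwards the TLS stream untouched
# and argocd-server presents its own certificate (self-signed unless
# you have replaced it), so nothing is decrypted before the pod.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: argocd-server-passthrough   # assumed name
  namespace: argocd
spec:
  host: <desired-hostname>
  to:
    kind: Service
    name: argocd-server
  port:
    targetPort: https               # assumed service port name
  tls:
    termination: passthrough
    insecureEdgeTerminationPolicy: Redirect
```

Apply only one of the two, since both claim the same host.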

4. Using an Ingress Controller (Optional)

Alternatively, if your OpenShift cluster is configured with an Ingress controller, you can expose your Argo CD server via an Ingress resource:

  • Create an Ingress resource:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-ingress
  namespace: argocd
spec:
  rules:
  - host: <desired-hostname>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              number: 443
  tls:
  - hosts:
    - <desired-hostname>
    secretName: argocd-tls-secret

  • Apply the Ingress resource:

kubectl apply -f argocd-ingress.yaml

This will create an Ingress resource that points to your Argo CD server. You will also need a TLS secret (argocd-tls-secret) that contains your TLS certificate and key.

5. Verifying Your Setup

After creating either a Route or an Ingress, test that you can access the Argo CD web interface via the hostname you specified. Make sure your DNS records are correctly set up if you are using a custom domain.

Conclusion

By using OpenShift’s Route or Ingress, you can expose your Argo CD server in a more permanent and manageable way than port-forwarding. This approach provides a scalable solution suitable for production environments and simplifies access management for users who need to interact with Argo CD.

Now, you can access your Argo CD server directly using the route URL or the Ingress hostname, ensuring consistent and reliable access to your deployments and CI/CD pipelines.


Imported from rifaterdemsahin.com · 2024