ArgoCD 6 - Enabling Ingress with CertManager

[ggolub]

I'm trying to move from ArgoCD 5.x to 6.0.14. (No upgrade is needed, I am able to start clean.) We are using CertManager to issue certificates using letsencrypt. Our code is deployed using terraform but, as I noted that a number of things changed w/regard to the ingress, I tried to first get things working with a "generic" helm deployment with the attached values.zip.

I've tried to configure using https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#ssl-passthrough-with-cert-manager-and-lets-encrypt and also w/o the cert-manager.io/cluster-issuer annotation since server.certificate section in values.yaml does create the certificate and corresponding secret.

I had no issues deploying the chart, I can see certificates get issued and the argocd-server-tls secret is created with what looks like good values. However, when I try to access the UI I get an error that the site isn't secure. I was able to port-forward and see the certificate but it is reporting invalid. Not sure if there are other settings I need in values.yaml to get a valid certificate. In the systems running v5 it appears to be using the tls info from argocd-secret which seems to be deprecated.

Any thoughts as to what I should look at? Any help is appreciated - I've been banging my head against this for over a day.

[pdrastil]

Hi,
I've checked your values with latest chart 6.3.1 and it your setup seems to be correct if I assume that frontend-internal ingress class is nginx controller and argocd-server-tls is getting created. Can you try to check in browser that cert is really from let's encrypt staging CA that is being used for testing (not sure if this is self-singed or it's using valid CA chain)? You can also verify your setup with helm template argocd argocd/argo-cd -f values.yaml

[ggolub]

Yes, frontend-internal is the nginx controller and argocd-server-tls is getting created. I did check the cert and it looks like what I expected. This is what I see in firefox: Certificate.pdf
Running the helm template... gives me this (also looks correct to me): template.txt

To further dig into this, I tried deploying w/o a cert, in v5.53.0, so as to use the certs from argocd-secret. Doing so gave me this self-signed cert Self-Signed-Cert.pdf, as expected, but I still get the certificate error (in multiple browsers).

I am leaning towards this not being anything with the charts, although I'm still at a loss as to what is causing this. Appreciate the help.

[pdrastil]

From what I can see in your browser (Certificate.pdf) you have correct cert from staging Let's Encrypt. If it's not trusted by your browser you might be missing CA chain on your laptop. In 5.x release users had a freedom to use whatever name for TLS secret they wanted. This could cause misconfiguration as argocd-server-tls is watched by UI server for TLS passthrough (reason behind tls: true option with hardcoded secret name. The argocd-secret is fallback / legacy location where UI server generated self-signed certs if user didn't provide it's own (this location is not supported by Helm charts) but newer location is argocd-server-tls that takes precedence.

[ggolub]

To close this out, my issue was due to some firewall blocking access to the root certs.