如何在没有TLS的情况下用istio入口网关访问ArgoCD

Question

我们试图用istio入口网关访问ArgoCD服务器，但没有命运。它将自动重定向到HTTPS，页面显示无法到达服务器。我们在互联网上尝试过各种建议，但都没有成功。下面是我们的设置。请帮我们解决这个问题。

启用istio侧面注射

kubectl label namespace argocd istio-injection=enabled

告诉argocd-server以“不安全模式”启动，请参考 链接。

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cmd-params-cm
    app.kubernetes.io/part-of: argocd
data:
  server.insecure: "true"

修补argocd-服务器部署参考 链接

kubectl patch deployment \
  argocd-server \
  --namespace argocd \
  --type='json' \
  -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": [
  "server",
  "--auth-mode=server"
]}]'

Virtualservice

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argocd-virtual-service
  namespace: argocd
spec:
  hosts:
  - argocd.lumik.com
  gateways:
  - argocd-gateway
  http:
  - route:
    - destination:
        host: argocd-server.argocd.svc.cluster.local
        port:
            number: 80

Istio网关

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: argocd-gateway
  namespace: argocd
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - argocd.lumik.com
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: argocd-secret
        
    - hosts:
        - argocd.lumik.com
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true

Istio目标规则引用链接

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: argocd-server-dtrl
  namespace: istio-system
spec:
  host: argocd-server.argocd.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE

Answer 1

根据您发布的设置指南和github上的快速启动清单，argo服务器将绑定到端口2746。对于同一个端口也有相应的服务(来自它们的快速启动清单)：

---
apiVersion: v1
kind: Service
metadata:
  name: argo-server
spec:
  ports:
  - name: web
    port: 2746
    targetPort: 2746
  selector:
    app: argo-server

所以您的VirtualService指向错误的端口(80)。您还应该看到一个关于host:port引用的错误，如果您运行istioctl analyze --namespace argocd，就找不到这个错误。您可以通过将VirtualService指向正确的端口来解决这个问题：

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argocd-virtual-service
  namespace: argocd
spec:
  hosts:
  - argocd.lumik.com
  gateways:
  - argocd-gateway
  http:
  - route:
    - destination:
        host: argocd-server.argocd.svc.cluster.local
        port:
          number: 2764 # port of the argo-service Service manifest