Skip to content

feat(foundry): add public Ingress for argocd.gauchoracing.com#120

Merged
BK1031 merged 1 commit into
mainfrom
bk1031/foundry-argocd
Jul 6, 2026
Merged

feat(foundry): add public Ingress for argocd.gauchoracing.com#120
BK1031 merged 1 commit into
mainfrom
bk1031/foundry-argocd

Conversation

@BK1031

@BK1031 BK1031 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Adds the public argocd Ingress on the foundry cluster so argocd.gauchoracing.com can flip off EKS and onto foundry. Follow-up to #119.

What's here

  • manifests-foundry/argocd-server-ingress/ingress.yaml — Traefik Ingress on argocd.gauchoracing.comargocd-server:80. external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" so external-dns writes the record orange-cloud through the tunnel.
  • apps-foundry/argocd-server-ingress.yaml — ArgoCD Application referencing the above.

Foundry's argocd-server already exposes Service port 80 → targetPort 8080; no Helm/configmap patch needed.

Cutover after merge

  1. Wait for ArgoCD to sync the new Application (auto).
  2. Verify the Ingress exists: kubectl -n argocd get ingress argocd-server-public.
  3. Verify external-dns wants to write it: kubectl -n external-dns logs deploy/external-dns | grep argocd.gauchoracing.com. Should show it can't create because the record still exists (owned by EKS external-dns).
  4. If EKS external-dns is still running: kubectl --context eks -n external-dns scale deploy external-dns --replicas=0 first.
  5. Delete argocd.gauchoracing.com CNAME via CF dashboard.
  6. Foundry external-dns writes the new record → tunnel within ~1min. Traffic flips within CF TTL.

Test plan

  • kubectl -n argocd get ingress argocd-server-public returns the Ingress with Traefik class + node IPs.
  • kubectl port-forward -n argocd svc/argocd-server 8080:80 + curl -H 'Host: argocd.gauchoracing.com' http://localhost:8080/ returns the ArgoCD UI HTML before DNS flip.
  • After DNS flip: https://argocd.gauchoracing.com loads the foundry ArgoCD UI, shows the foundry Applications (cloudflared, external-dns, sentinel, argocd-server-ingress, root-foundry).
  • Existing users' argocd CLI sessions targeting argocd.gauchoracing.com will need to log in again since it's a different ArgoCD instance now (different session tokens).

Adds argocd-server-public Ingress in the argocd namespace routing
argocd.gauchoracing.com to the foundry ArgoCD server. Foundry
argocd-server already serves HTTP on Service port 80 (targetPort 8080),
so no Helm value change is needed.

external-dns writes the CNAME to the gr-foundry tunnel target (via
--default-targets); no terraform change.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 60fd0cd2df

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

service:
name: argocd-server
port:
number: 80

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Disable Argo CD TLS before proxying to port 80

When this foundry ingress is used behind the Cloudflare Tunnel, infra/environments/prod/foundry.tf:88 sends plain HTTP to Traefik and this backend forwards that plain HTTP to argocd-server port 80. The Argo CD ingress docs describe port 80 as HTTP that redirects to HTTPS unless the API server is run with TLS disabled; the EKS install explicitly sets server.insecure in infra/modules/argocd/main.tf:71, but this foundry app says the upstream install is left unchanged, so after DNS cutover the public UI will redirect back to the same HTTPS URL instead of loading. Add a managed argocd-cmd-params-cm/Deployment patch to set server.insecure (or proxy to the HTTPS backend) along with this ingress.

Useful? React with 👍 / 👎.

@BK1031 BK1031 merged commit 6273cff into main Jul 6, 2026
@BK1031 BK1031 deleted the bk1031/foundry-argocd branch July 6, 2026 06:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant