https://github.com/programmer-network/k3s-argocd

# ArgoCD + Traefik + cert-manager (DNS-01/Cloudflare) on k3s

This repo provides a clear, production-ready setup for deploying ArgoCD on k3s with Traefik as the ingress controller and cert-manager issuing Let's Encrypt TLS certificates through the DNS-01 challenge (Cloudflare).

## Files

- `clusterissuer.yaml`: ClusterIssuer for Let's Encrypt DNS-01 (Cloudflare)
- `argocd-config-map.yaml`: ArgoCD config map to enable insecure mode (HTTP only)
- `argocd-certificate.yaml`: Certificate resource for ArgoCD domain
- `argocd-ingress.yaml`: Ingress resource for ArgoCD with Traefik and cert-manager annotations

## Prerequisites

- k3s cluster
- cert-manager installed
- Traefik ingress controller installed (default in k3s)

## Cloudflare API Token Secret

1. Create a Cloudflare API token with Zone:DNS:Edit and Zone:Zone:Read permissions for your domain.
2. Create the secret in the cert-manager namespace:

```bash
# Replace <CLOUDFLARE_API_TOKEN> with the token created in step 1; the key name `api-token` is what the ClusterIssuer references
kubectl create secret generic cloudflare-api-token-secret --from-literal=api-token=<CLOUDFLARE_API_TOKEN> -n cert-manager
```

## Why ArgoCD is Configured in Insecure Mode

ArgoCD is set to run in insecure (HTTP) mode via `argocd-config-map.yaml` (with `server.insecure: "true"`). This is intentional for the following reasons:

- **SSL/TLS Termination by Traefik:** Traefik, as the ingress controller, handles all HTTPS (SSL/TLS) traffic at the edge. It provides secure connections to clients and manages certificates via cert-manager.
- **Simplified Internal Traffic:** ArgoCD only needs to serve HTTP traffic inside the cluster, since all external traffic is already secured by Traefik. This avoids double encryption and simplifies troubleshooting.
- **Centralized Certificate Management:** Only Traefik manages certificates, reducing complexity and avoiding issues with self-signed or mismatched certificates inside the cluster.
- **Best Practice for Ingress:** This pattern is common for Kubernetes ingress setups, where the ingress controller is responsible for encryption and backend services run in HTTP mode.

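The files are listed above but their contents are not shown; as an added illustration (not the repository's own manifests), here are three of them wired together: the ClusterIssuer that reads the Cloudflare token from the secret created in the previous section, the config map that sets `server.insecure` (assumed here to be ArgoCD's `argocd-cmd-params-cm`, the config map ArgoCD reads server flags from), and an Ingress pinned to Traefik's `websecure` entrypoint so the plain-HTTP backend is only ever reached through TLS. Issuer name, e-mail, hostname and the Certificate's secret name are placeholders.

```yaml
# ClusterIssuer: Let's Encrypt via DNS-01, token read from the cert-manager secret
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com               # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
---
# Assumed location of the insecure switch: argocd-cmd-params-cm carries server flags
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  namespace: argocd
data:
  server.insecure: "true"   # argocd-server speaks plain HTTP; TLS ends at Traefik
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server
  namespace: argocd
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure   # HTTPS entrypoint only
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    - host: argocd.example.com             # placeholder hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: argocd-server
                port:
                  number: 80               # HTTP port of the argocd-server Service
  tls:
    - hosts:
        - argocd.example.com
      secretName: argo-programmer-network-tls   # created by argocd-certificate.yaml
```

Binding the router to `websecure` alone is what makes the insecure backend safe: a router on the `web` entrypoint would forward cleartext straight to argocd-server.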
## Deployment Steps

1. **Apply the ClusterIssuer:**

```bash
kubectl apply -f clusterissuer.yaml
```

2. **Apply the ArgoCD config map (insecure mode):**

```bash
kubectl apply -f argocd-config-map.yaml
```

3. **Apply the Certificate manifest:**

```bash
kubectl apply -f argocd-certificate.yaml
```

4. **Apply the Ingress manifest:**

```bash
kubectl apply -f argocd-ingress.yaml
```

5. **Restart the ArgoCD server deployment:**

```bash
kubectl rollout restart deployment argocd-server -n argocd
```

6. **Check the certificate status:**

```bash
kubectl describe certificate argo-programmer-network-tls -n argocd
```

## Notes

- Ensure the DNS record for `example.com` points to your cluster's external IP (the address exposed by your ingress).
- All SSL/TLS termination is handled by Traefik and cert-manager; ArgoCD runs in HTTP (insecure) mode internally.
- No network policy is needed for DNS-01 (Cloudflare) challenges, since ACME validates a DNS TXT record rather than making an inbound HTTP request to the cluster.