feat(argo-cd): Add AWS TargetGroupConfiguration support for Gateway API

Signed-off-by: arielev <[email protected]>

Author: ArieLevs

charts/argo-cd/README.md

@@ -330,6 +330,38 @@ server:
     wellKnownCACertificates: System
 ```
 
+#### AWS ALB Gateway API with HTTPS backend
+
+AWS Load Balancer Controller does **NOT** support the standard Gateway API `BackendTLSPolicy`. Instead, use the AWS-specific `TargetGroupConfiguration` CRD for HTTPS backend communication.
+
+> **Note:**
+> Reference: [AWS Load Balancer Controller Gateway API documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/gateway/l7gateway/)
+
+```yaml
+configs:
+  params:
+    server.insecure: false  # HTTPS backend
+
+server:
+  httproute:
+    enabled: true
+    parentRefs:
+      - name: example-gateway
+        namespace: gateway-system
+
+  aws:
+    targetGroupConfiguration:
+      enabled: true
+      defaultConfiguration:
+        protocol: HTTPS
+        protocolVersion: HTTP1
+        healthCheck:
+          protocol: HTTPS
+          path: /healthz
+          intervalSeconds: 15
+          timeoutSeconds: 5
+```
+
 ## Setting the initial admin password via Argo CD Application CR
 
 > **Note:** When deploying the `argo-cd` chart via an Argo CD `Application` CR, define your bcrypt-hashed admin password under `helm.values`—not `helm.parameters`—because Argo CD performs variable substitution on `parameters`, which will mangle any `$…` in your hash.

charts/argo-cd/templates/argocd-server/aws/targetgroupconfiguration.yaml

@@ -0,0 +1,27 @@
+{{- if and (or .Values.server.httproute.enabled .Values.server.grpcroute.enabled) .Values.server.aws.targetGroupConfiguration.enabled -}}
+{{- $fullName := include "argo-cd.server.fullname" . -}}
+apiVersion: gateway.k8s.aws/v1beta1
+kind: TargetGroupConfiguration
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "argo-cd.namespace" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
+    {{- with .Values.server.aws.targetGroupConfiguration.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.server.aws.targetGroupConfiguration.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  targetGroupARN: {{ $fullName }}
+  {{- with .Values.server.aws.targetGroupConfiguration.defaultConfiguration }}
+  defaultConfiguration:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.server.aws.targetGroupConfiguration.routeConfigurations }}
+  routeConfigurations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/argo-cd/values.yaml

@@ -2687,6 +2687,7 @@ server:
   # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
   # Required for HTTPS backends when using Gateway API
   # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
+  # NOTE: AWS ALB Gateway does NOT support BackendTLSPolicy - use server.aws.targetGroupConfiguration instead
   backendTLSPolicy:
     # -- Enable BackendTLSPolicy resource for Argo CD server (Gateway API)
     enabled: false
@@ -2711,6 +2712,36 @@ server:
       #     kind: ConfigMap
       # wellKnownCACertificates: System
 
+  ## AWS-specific Gateway API configuration
+  ## Reference: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/gateway/l7gateway/
+  aws:
+    # TargetGroupConfiguration for AWS ALB Gateway API
+    # Required for HTTPS backends when using AWS Load Balancer Controller with Gateway API
+    # NOTE: AWS ALB Gateway does NOT support BackendTLSPolicy - use this instead
+    targetGroupConfiguration:
+      # -- Enable TargetGroupConfiguration resource for Argo CD server (AWS Gateway API)
+      enabled: false
+      # -- Additional TargetGroupConfiguration labels
+      labels: {}
+      # -- Additional TargetGroupConfiguration annotations
+      annotations: {}
+      # -- Default target group configuration
+      # @default -- `{}` (See [values.yaml])
+      defaultConfiguration: {}
+        # protocol: HTTPS
+        # protocolVersion: HTTP1
+        # healthCheck:
+        #   protocol: HTTPS
+        #   path: /healthz
+        #   intervalSeconds: 15
+        #   timeoutSeconds: 5
+      # -- Route-specific configurations
+      # @default -- `[]` (See [values.yaml])
+      routeConfigurations: []
+        # - name: argocd-server-route
+        #   targetGroupConfiguration:
+        #     protocol: HTTPS
+
   ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
   ## Defaults to off
   clusterRoleRules: