Skip to content

feat(argo-cd): Add TLSRoute configuration for Argo CD server#3780

Open
xavier-re wants to merge 3 commits into
argoproj:mainfrom
xavier-re:tlsroute-template-add
Open

feat(argo-cd): Add TLSRoute configuration for Argo CD server#3780
xavier-re wants to merge 3 commits into
argoproj:mainfrom
xavier-re:tlsroute-template-add

Conversation

@xavier-re

@xavier-re xavier-re commented Mar 16, 2026
edited
Loading

Copy link
Copy Markdown

Motivation

Sometimes we want to have end-to-end tls encryption. Argocd server has already a https listener, so if we are using gateway api (recommended after ingress nginx retirement), we need a TLSRoute to route tls traffic up to the argocd endpoint.

What this PR does / why we need it:

This PR adds support for Gateway API TLSRoute resource to the Argo CD Helm chart. TLSRoute enables TLS passthrough or termination at the Gateway level, allowing traffic routing based on the hostname (= SNI = Server Name Indication) without requiring the Gateway to decrypt the traffic. This is particularly useful for scenarios where:

  • TLS termination needs to happen at the backend service (passthrough mode)
  • Gateway-based routing is required for TLS traffic
  • Integration with Gateway API-compatible ingress controllers like Envoy Gateway, Istio, or Cilium

Special notes:

  • TLSRoute support is marked as EXPERIMENTAL (like HTTPRoute and GRPCRoute)
  • Requires Gateway API CRDs to be installed in the cluster
  • The API version used is gateway.networking.k8s.io/v1 (standard for TLSRoute)
  • The implementation dynamically selects the correct service port (HTTP 80 or HTTPS 443) based on the server.insecure configuration
  • If no custom rules are specified, a sensible default rule is created that routes to the argocd-server service

Release notes:

- Add Gateway API TLSRoute support for Argo CD server with configurable parentRefs, hostnames, and routing rules

Tests:

  • Manual template rendering verification with various configurations

Checklist:

  • I have bumped the chart version according to versioning
  • I have updated the documentation according to documentation
  • I have updated the chart changelog with all the changes that come with this pull request according to changelog.
  • Any new values are backwards compatible and/or have sensible default.
  • I have signed off all my commits as required by DCO.
  • I have created a separate pull request for each chart according to pull requests
  • My build is green (troubleshooting builds).

@xavier-re xavier-re force-pushed the tlsroute-template-add branch from a1fd0cc to c7b85bf Compare April 8, 2026 17:32
@xavier-re xavier-re changed the title feat(tlsroute): Add TLSRoute configuration for Argo CD server feat(argo-cd): Add TLSRoute configuration for Argo CD server Apr 8, 2026
@xavier-re xavier-re force-pushed the tlsroute-template-add branch from beee88d to 7a00e3f Compare April 8, 2026 19:41
@xavier-re xavier-re marked this pull request as ready for review April 8, 2026 19:49
@github-actions github-actions Bot added size/L and removed size/XXL labels Apr 24, 2026
@jmeridth

jmeridth commented Apr 25, 2026

Copy link
Copy Markdown
Member

@xavier-re please fix your conflicts and sign your commits.

@jmeridth jmeridth marked this pull request as draft April 25, 2026 19:27
@xavier-re
feat(argo-cd): Add Gateway API TLSRoute support for Argo CD server
9642fe7 
Signed-off-by: Xavier Renaut <xavier.renaut@gmail.com>
@xavier-re xavier-re force-pushed the tlsroute-template-add branch 2 times, most recently from 4ae758d to 659fc32 Compare May 14, 2026 20:10
@xavier-re xavier-re marked this pull request as ready for review May 14, 2026 20:11
@xavier-re xavier-re marked this pull request as draft May 14, 2026 20:19
@xavier-re
feat(argo-cd): Add Gateway API TLSRoute tests CI and update chart ver…
16ee86c 
…sion to 9.5.13

Signed-off-by: Xavier Renaut <xavier.renaut@gmail.com>
@xavier-re xavier-re force-pushed the tlsroute-template-add branch from 659fc32 to 16ee86c Compare May 14, 2026 21:17
@xavier-re xavier-re marked this pull request as ready for review May 14, 2026 21:19
@xavier-re

xavier-re commented May 14, 2026

Copy link
Copy Markdown
Author

@jmeridth Thanks !

  • GPG-signed commits
  • sign-off on each commit
  • conflict solved

@xavier-re
Merge branch 'main' into tlsroute-template-add
db78790 
Signed-off-by: xavier renaut <xavier.renaut@gmail.com>
@xavier-re

xavier-re commented May 21, 2026 via email
edited
Loading

Copy link
Copy Markdown
Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mbevc1 mbevc1 Awaiting requested review from mbevc1 mbevc1 is a code owner

@mkilchhofer mkilchhofer Awaiting requested review from mkilchhofer mkilchhofer is a code owner

@yu-croco yu-croco Awaiting requested review from yu-croco yu-croco is a code owner

@jmeridth jmeridth Awaiting requested review from jmeridth jmeridth is a code owner

@pdrastil pdrastil Awaiting requested review from pdrastil pdrastil is a code owner

@tico24 tico24 Awaiting requested review from tico24 tico24 is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

argo-cd Mark Ready When Ready size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xavier-re @jmeridth