wip: Gateway Setup

values/argo/manifests/argo.yaml

@@ -28,6 +28,7 @@ spec:
     managedNamespaceMetadata:
       labels:
         component: sys
+        shared-gateway-access: "true"
     syncOptions:
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true

values/argo/manifests/httproute.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.clusterConfig.gatewayAPI.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: argocd-server
+  namespace: argocd
+spec:
+  parentRefs:
+  - name: shared-gateway
+    namespace: kube-system
+    sectionName: https-internal
+  hostnames:
+  - argocd.{{ .Values.clusterConfig.domain }}
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: "/"
+    backendRefs:
+    - name: argocd-server
+      port: 80
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-gateway-to-argocd
+  namespace: argocd
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server
+  ingress:
+  - fromCIDRSet:
+    {{- range .Values.clusterConfig.ingress_whitelist }}
+    - cidr: {{ . }}
+    {{- end }}
+  - fromEndpoints:
+    - matchLabels:
+        "k8s:io.kubernetes.pod.namespace": argocd
+{{- end }}

values/argo/values/argocd.yaml.gotmpl

@@ -4,13 +4,16 @@ global:
 ## Ref: https://github.com/argoproj/argo-cd
 ##
 configs:
-  {{- if .Values.argocd.anyNamespaces.enabled }}
   params:
+    {{- if .Values.clusterConfig.gatewayAPI.enabled }}
+    server.insecure: "true"
+    {{- end }}
+    {{- if .Values.argocd.anyNamespaces.enabled }}
     applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
     # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
     applicationsetcontroller.enable.scm.providers: "false"
     application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
-  {{- end }}
+    {{- end }}
   cm:
     application.resourceTrackingMethod: annotation+label
     application.instanceLabelKey: app.kubernetes.io/instance
@@ -238,6 +241,9 @@ server:
     serviceMonitor:
       enabled: true
   ingress:
+    {{- if .Values.clusterConfig.gatewayAPI.enabled }}
+    enabled: false
+    {{- else }}
     enabled: true
     ingressClassName: nginx
     annotations:
@@ -254,6 +260,7 @@ server:
       - secretName: argocd-tls
         hosts:
           - "argocd.{{ .Values.clusterConfig.domain }}"
+    {{- end }}
 applicationSet:
   metrics:
     enabled: true