diff --git a/Documentation/ARGOCD-INGRESS-FIX.md b/Documentation/ARGOCD-INGRESS-FIX.md new file mode 100644 index 0000000..ce56157 --- /dev/null +++ b/Documentation/ARGOCD-INGRESS-FIX.md 
@@ -0,0 +1,95 @@ +# ArgoCD Ingress "Progressing" State Fix + +## Problem + +The `django` Ingress resource in the `vorgabenui` namespace was stuck in "Progressing" state in ArgoCD and would not transition to "Healthy". + +### Root Cause + +ArgoCD determines Ingress health by checking if the `status.loadBalancer.ingress` field is populated with an IP address or hostname. Without this field, the Ingress is considered "Progressing" indefinitely. + +The issue occurred because **Traefik was not configured to report its IP address** in the Ingress status field. + +## Solution + +Two changes were made to fix this issue: + +### 1. Update Ingress Annotation (Applied) + +**File**: `argocd/ingress.yaml` + +**Change**: +```yaml +# Before +annotations: + argocd.argoproj.io/ignore-healthcheck: "true" + +# After +annotations: + argocd.argoproj.io/sync-wave: "1" +``` + +**Rationale**: +- The `ignore-healthcheck` annotation was causing ArgoCD to not monitor the Ingress health at all +- The `sync-wave: "1"` annotation ensures the Ingress syncs after the Deployment and Service are ready (which have default sync-wave of 0) +- This allows ArgoCD to properly assess the Ingress health status + +### 2. 
Configure Traefik to Report Ingress Status (Cluster Patch) + +**Patch Command**: +```bash +kubectl patch deployment traefik -n traefik --type='json' \ + -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik"}]' +``` + +**Configuration Flag Added**: +``` +--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik +``` + +**Rationale**: +This flag tells Traefik to: +- Watch for changes to Ingress resources in the cluster +- Monitor the Service `traefik/traefik` (the Traefik LoadBalancer service) +- Automatically populate `status.loadBalancer.ingress[].ip` with the service's external IP address +- Allow ArgoCD to detect when the Ingress has been assigned an IP and transition to "Healthy" + +## Result + +✅ **Status**: RESOLVED + +**Current State**: +- Ingress Address: `192.168.17.53` (Traefik LoadBalancer IP) +- Ingress Health: Healthy +- ArgoCD Application Health: Healthy +- Accessible at: `http://vorgabenportal.knowyoursecurity.com/` + +## Verification + +To verify the fix is working: + +```bash +# Check Ingress status +kubectl get ingress django -n vorgabenui -o jsonpath='{.status.loadBalancer.ingress[0].ip}' +# Should output: 192.168.17.53 + +# Check ArgoCD application health +kubectl get application vorgabenui -n argocd -o jsonpath='{.status.health.status}' +# Should output: Healthy + +# Check Traefik configuration +kubectl get deploy traefik -n traefik -o jsonpath='{.spec.template.spec.containers[0].args}' | jq 'map(select(. 
| contains("publishedservice")))' +# Should output the publishedservice flag +``` + +## Documentation Location + +The Traefik configuration patch is documented in: +- `argocd/traefik-middleware.yaml` - ConfigMap with patch details and rationale + +## Notes for Future Maintenance + +- If Traefik is upgraded or redeployed via Helm, ensure the `--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik` flag is preserved +- The flag must point to the correct LoadBalancer Service that has an external IP +- In this case, it's `traefik/traefik` (namespace/service-name) with external IP `192.168.17.53` +- If the Traefik service configuration changes, this flag may need adjustment diff --git a/argocd/traefik-middleware.yaml b/argocd/traefik-middleware.yaml new file mode 100644 index 0000000..5eedd5e --- /dev/null +++ b/argocd/traefik-middleware.yaml 
@@ -0,0 +1,24 @@ +--- +# Traefik configuration to enable Ingress status updates +# This patch configures Traefik to report its IP address in Ingress.status.loadBalancer +# which is required for ArgoCD to properly assess Ingress health status +apiVersion: v1 +kind: ConfigMap +metadata: + name: traefik-patch-note + namespace: traefik + annotations: + description: "Manual patch applied to traefik deployment to enable ingress status reporting" +data: + patch-command: | + kubectl patch deployment traefik -n traefik --type='json' \ + -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik"}]' + + rationale: | + The Ingress resource needs its status.loadBalancer.ingress field populated for ArgoCD to assess health. + Without this, Ingress resources remain in "Progressing" state indefinitely. + + This flag tells Traefik to: + - Monitor the specified Service (traefik/traefik - the LoadBalancer service) + - Automatically update Ingress.status.loadBalancer with the service's external IP + - Allow ArgoCD to transition the Ingress from "Progressing" to "Healthy"
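Review bot: In Documentation/ARGOCD-INGRESS-FIX.md, section "2. Configure Traefik to Report Ingress Status (Cluster Patch)", the fix is applied with an imperative `kubectl patch` against the live `traefik` Deployment, so the flag exists only in cluster state; the "Notes for Future Maintenance" section itself says a Helm upgrade or redeploy can drop it. Suggest carrying `--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik` in the Helm values or manifest that owns the Deployment and documenting that source of truth instead. If the command stays, note that the JSON-patch `add` on `/spec/template/spec/containers/0/args/-` appends on every run, so running it twice duplicates the argument, and that it assumes Traefik is container 0. In the Verification section the check reads `.status.loadBalancer.ingress[0].ip` and expects `192.168.17.53`, while the Root Cause section says the field may hold an IP address or a hostname; checking that `.status.loadBalancer.ingress` is non-empty would survive an address change.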
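Review bot: In argocd/traefik-middleware.yaml, the `traefik-patch-note` ConfigMap only stores the `kubectl patch` command and its rationale as strings under `data`, so applying this file does not configure Traefik, and the file name suggests a Traefik Middleware that the file does not contain. Suggest replacing it with the declarative change to the Traefik Deployment arguments, or dropping it and keeping the markdown document, since `patch-command` duplicates the command in Documentation/ARGOCD-INGRESS-FIX.md and the two copies can drift. The object is also created in `namespace: traefik`, while the Ingress this fix concerns is in `vorgabenui`; if the `argocd/` directory is what the application syncs, the application would need write access to the `traefik` namespace just to store a note.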