Document Traefik configuration fix for ArgoCD Ingress health check

- Add traefik-middleware.yaml with patch documentation - Add ARGOCD-INGRESS-FIX.md with complete explanation of the issue and solution - Traefik now reports Ingress status.loadBalancer IP to allow ArgoCD to assess Ingress health - Fixes: Django Ingress stuck in 'Progressing' state
2025-12-01 16:03:35 +01:00
parent b290d39d64
commit 3d9d01c240
2 changed files with 119 additions and 0 deletions
--- a/Documentation/ARGOCD-INGRESS-FIX.md
+++ b/Documentation/ARGOCD-INGRESS-FIX.md
@@ -0,0 +1,95 @@
+# ArgoCD Ingress "Progressing" State Fix
+
+## Problem
+
+The `django` Ingress resource in the `vorgabenui` namespace was stuck in "Progressing" state in ArgoCD and would not transition to "Healthy".
+
+### Root Cause
+
+ArgoCD determines Ingress health by checking if the `status.loadBalancer.ingress` field is populated with an IP address or hostname. Without this field, the Ingress is considered "Progressing" indefinitely.
+
+The issue occurred because **Traefik was not configured to report its IP address** in the Ingress status field.
+
+## Solution
+
+Two changes were made to fix this issue:
+
+### 1. Update Ingress Annotation (Applied)
+
+**File**: `argocd/ingress.yaml`
+
+**Change**:
+```yaml
+# Before
+annotations:
+  argocd.argoproj.io/ignore-healthcheck: "true"
+
+# After
+annotations:
+  argocd.argoproj.io/sync-wave: "1"
+```
+
+**Rationale**:
+- The `ignore-healthcheck` annotation was causing ArgoCD to not monitor the Ingress health at all
+- The `sync-wave: "1"` annotation ensures the Ingress syncs after the Deployment and Service are ready (which have default sync-wave of 0)
+- This allows ArgoCD to properly assess the Ingress health status
+
+### 2. Configure Traefik to Report Ingress Status (Cluster Patch)
+
+**Patch Command**:
+```bash
+kubectl patch deployment traefik -n traefik --type='json' \
+  -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik"}]'
+```
+
+**Configuration Flag Added**:
+```
+--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik
+```
+
+**Rationale**:
+This flag tells Traefik to:
+- Watch for changes to Ingress resources in the cluster
+- Monitor the Service `traefik/traefik` (the Traefik LoadBalancer service)
+- Automatically populate `status.loadBalancer.ingress[].ip` with the service's external IP address
+- Allow ArgoCD to detect when the Ingress has been assigned an IP and transition to "Healthy"
+
+## Result
+
+✅ **Status**: RESOLVED
+
+**Current State**:
+- Ingress Address: `192.168.17.53` (Traefik LoadBalancer IP)
+- Ingress Health: Healthy
+- ArgoCD Application Health: Healthy
+- Accessible at: `http://vorgabenportal.knowyoursecurity.com/`
+
+## Verification
+
+To verify the fix is working:
+
+```bash
+# Check Ingress status
+kubectl get ingress django -n vorgabenui -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
+# Should output: 192.168.17.53
+
+# Check ArgoCD application health
+kubectl get application vorgabenui -n argocd -o jsonpath='{.status.health.status}'
+# Should output: Healthy
+
+# Check Traefik configuration
+kubectl get deploy traefik -n traefik -o jsonpath='{.spec.template.spec.containers[0].args}' | jq 'map(select(. | contains("publishedservice")))'
+# Should output the publishedservice flag
+```
+
+## Documentation Location
+
+The Traefik configuration patch is documented in:
+- `argocd/traefik-middleware.yaml` - ConfigMap with patch details and rationale
+
+## Notes for Future Maintenance
+
+- If Traefik is upgraded or redeployed via Helm, ensure the `--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik` flag is preserved
+- The flag must point to the correct LoadBalancer Service that has an external IP
+- In this case, it's `traefik/traefik` (namespace/service-name) with external IP `192.168.17.53`
+- If the Traefik service configuration changes, this flag may need adjustment
--- a/argocd/traefik-middleware.yaml
+++ b/argocd/traefik-middleware.yaml
@@ -0,0 +1,24 @@
+---
+# Traefik configuration to enable Ingress status updates
+# This patch configures Traefik to report its IP address in Ingress.status.loadBalancer
+# which is required for ArgoCD to properly assess Ingress health status
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: traefik-patch-note
+  namespace: traefik
+  annotations:
+    description: "Manual patch applied to traefik deployment to enable ingress status reporting"
+data:
+  patch-command: |
+    kubectl patch deployment traefik -n traefik --type='json' \
+      -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik"}]'
+  
+  rationale: |
+    The Ingress resource needs its status.loadBalancer.ingress field populated for ArgoCD to assess health.
+    Without this, Ingress resources remain in "Progressing" state indefinitely.
+    
+    This flag tells Traefik to:
+    - Monitor the specified Service (traefik/traefik - the LoadBalancer service)
+    - Automatically update Ingress.status.loadBalancer with the service's external IP
+    - Allow ArgoCD to transition the Ingress from "Progressing" to "Healthy"