adebaumann/vgui-cicd
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3d9d01c240124554bf1525aaf13c774e83be4883
vgui-cicd/Documentation/ARGOCD-INGRESS-FIX.md
Adrian A. Baumann 3d9d01c240 Document Traefik configuration fix for ArgoCD Ingress health check 
- Add traefik-middleware.yaml with patch documentation
- Add ARGOCD-INGRESS-FIX.md with complete explanation of the issue and solution
- Traefik now reports Ingress status.loadBalancer IP to allow ArgoCD to assess Ingress health
- Fixes: Django Ingress stuck in 'Progressing' state
2025-12-01 16:03:35 +01:00

3.3 KiB
Raw Blame History

ArgoCD Ingress "Progressing" State Fix

Problem

The django Ingress resource in the vorgabenui namespace was stuck in "Progressing" state in ArgoCD and would not transition to "Healthy".

Root Cause

ArgoCD determines Ingress health by checking if the status.loadBalancer.ingress field is populated with an IP address or hostname. Without this field, the Ingress is considered "Progressing" indefinitely.

The issue occurred because Traefik was not configured to report its IP address in the Ingress status field.

Solution

Two changes were made to fix this issue:

1. Update Ingress Annotation (Applied)

File: argocd/ingress.yaml

Change:

# Before
annotations:
  argocd.argoproj.io/ignore-healthcheck: "true"

# After
annotations:
  argocd.argoproj.io/sync-wave: "1"

Rationale:

  • The ignore-healthcheck annotation was causing ArgoCD to not monitor the Ingress health at all
  • The sync-wave: "1" annotation ensures the Ingress syncs after the Deployment and Service are ready (which have default sync-wave of 0)
  • This allows ArgoCD to properly assess the Ingress health status

2. Configure Traefik to Report Ingress Status (Cluster Patch)

Patch Command:

kubectl patch deployment traefik -n traefik --type='json' \
  -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik"}]'

Configuration Flag Added:

--providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik

Rationale: This flag tells Traefik to:

  • Watch for changes to Ingress resources in the cluster
  • Monitor the Service traefik/traefik (the Traefik LoadBalancer service)
  • Automatically populate status.loadBalancer.ingress[].ip with the service's external IP address
  • Allow ArgoCD to detect when the Ingress has been assigned an IP and transition to "Healthy"

Result

Status: RESOLVED

Current State:

  • Ingress Address: 192.168.17.53 (Traefik LoadBalancer IP)
  • Ingress Health: Healthy
  • ArgoCD Application Health: Healthy
  • Accessible at: http://vorgabenportal.knowyoursecurity.com/

Verification

To verify the fix is working:

# Check Ingress status
kubectl get ingress django -n vorgabenui -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
# Should output: 192.168.17.53

# Check ArgoCD application health
kubectl get application vorgabenui -n argocd -o jsonpath='{.status.health.status}'
# Should output: Healthy

# Check Traefik configuration
kubectl get deploy traefik -n traefik -o jsonpath='{.spec.template.spec.containers[0].args}' | jq 'map(select(. | contains("publishedservice")))'
# Should output the publishedservice flag

Documentation Location

The Traefik configuration patch is documented in:

  • argocd/traefik-middleware.yaml - ConfigMap with patch details and rationale

Notes for Future Maintenance

  • If Traefik is upgraded or redeployed via Helm, ensure the --providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik flag is preserved
  • The flag must point to the correct LoadBalancer Service that has an external IP
  • In this case, it's traefik/traefik (namespace/service-name) with external IP 192.168.17.53
  • If the Traefik service configuration changes, this flag may need adjustment