argo-cd: ERR_TOO_MANY_REDIRECTS
The following configuration was performed according to the official documentation(https://argoproj.github.io/argo-cd/getting_started/):
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: argocd-server-ingress annotations: kubernetes.io/ingress.class: crs-nginx nginx.ingress.kubernetes.io/force-ssl-redirect: “true” nginx.ingress.kubernetes.io/ssl-passthrough: “true” spec: rules:
- host: argocd.gril.com
http:
paths:
- backend: serviceName: argocd-server servicePort: 443
now,encounter a redirect loop or are getting a 307 response code.So I added nginx.ingress.kubernetes.io/backend-protocol: “HTTPS” according to the official documentation to the configuration above.
The web page can be opened normally,But I got the following error during argocd login command
FATA[0008] rpc error: code = Internal desc = transport: received the unexpected content-type "text/plain; charset=utf-8"
I don’t know how to configure it to open the page normally and the argocd login command can log in normally.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 45
- Comments: 40 (1 by maintainers)
After searching for a while I found a solution that works in my case. I’m using Traefik instead of Nginx, but I believe this can be used with any ingress controller.
The problem is that by default Argo-CD handles TLS termination itself and always redirects HTTP requests to HTTPS. Combine that with an ingress controller that also handles TLS termination and always communicates with the backend service with HTTP and you get Argo-CD’s server always responding with a redirects to HTTPS.
So one of the solutions would be to disable HTTPS on Argo-CD, which you can do by using the
--insecureflag onargocd-server.This is actually documented here: https://argoproj.github.io/argo-cd/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts Its just not exactly obvious.
It would be nice if there was a page with command line flags for the server somewhere in the docs.
Using NGINX ingress, send --insecure arg for container of argocd-server Deployment. It works for me.
Help: https://argoproj.github.io/argo-cd/operator-manual/ingress/
Following configuration works without further modifications
I encountered the same error and found that when installing ArgoCD, one can either add the
--insecureflag (as written above) or you can update the ConfigMap to populate the environment variables used byargo-server(only thedataobject is new):Unfortunately you can’t apply this after running the installer since it will have no effect on the already deployed service, and applying it before the install will have the install overwrite it.
– edit: While the install yaml file will overwrite this definition, you can put this in a separate file and apply it after the install yaml and then force a restart of the argocd-server deployment, like so:
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yamlkubectl apply -n argocd -f argocd-config.yamlkubectl scale -n argocd deployment/argocd-server --replicas=0 && kubectl scale -n argocd deployment/argocd-server --replicas=1For my case, i have AWS ELB where the SSL is offloaded, then ingress controller receives on port 80, then forward to argocd-server service on insecure port (80).
I fixed the issue of too-many-redirects by implementing the above solution:
Thank you @kszpakowski
Beautiful, this worked for me too, the main lines:
nginx.ingress.kubernetes.io/backend-protocol: HTTPS name: https
Fixed via this
Nginx and other reverse proxies send the header X-Forwarded-Proto to indicate that TLS is being handled by the proxy. This could be checked in addition to checking the secure setting in the useSecure function. I have yet to venture into writing Go, so I am not sure of how that is done exactly. Maybe I will give it a shot.
Thanks for this, I wrote a little patch here and the IngressRoute CRD I use here. I wrote an article about all of this and more here.
I was struggling with this issue for ours, and finally found this thread.
@georgepaoli suggesiton worked. Adding
--insecurefixed the issue. I suggest adding this to Argo’s Traefik docs while the issue persists.Somehow I ran into the same issue with a 308 redirect. I added the --insecure arg but no change so far. Any ideas?
I believe the original issue was solved by @kszpakowski’s post #issuecomment-93219085. It’s also documented. Therefore I’m closing this issue.
Please open another issue or ping us on Slack if you are still experiencing issues.
I use passthrough mode in my Ingress, but I forget the annotation
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"and it resulted in nginx-ingress-controller generatingproxy_pass http://upstream_balancerin the nginx.conf. After I added this annotation, the server stopped responsing 307.Using Helm, I managed to set the
--insecureflag using the following values (values.yaml)its working thanks