feat(tlsroute): Add TLSRoute configuration for Argo CD server #3780

Draft
xavier-re wants to merge 3 commits into argoproj:main from xavier-re:tlsroute-template-add

@xavier-re

Motivation

Sometimes we want to have end-to-end TLS encryption. The Argo CD server already has an HTTPS listener, so if we are using Gateway API (recommended after ingress-nginx retirement), we need a TLSRoute to route TLS traffic up to the Argo CD endpoint.

What this PR does / why we need it:

This PR adds support for the Gateway API TLSRoute resource to the Argo CD Helm chart. TLSRoute enables TLS passthrough or termination at the Gateway level, allowing traffic routing based on the hostname (= SNI = Server Name Indication) without requiring the Gateway to decrypt the traffic. This is particularly useful for scenarios where:

  • TLS termination needs to happen at the backend service (passthrough mode)
  • Gateway-based routing is required for TLS traffic
  • Integration with Gateway API-compatible ingress controllers like Envoy Gateway, Istio, or Cilium

Special notes:

  • TLSRoute support is marked as EXPERIMENTAL (like HTTPRoute and GRPCRoute)
  • Requires Gateway API CRDs to be installed in the cluster
  • The API version used is gateway.networking.k8s.io/v1alpha2 (standard for TLSRoute)
  • The implementation dynamically selects the correct service port (HTTP 80 or HTTPS 443) based on the server.insecure configuration
  • If no custom rules are specified, a sensible default rule is created that routes to the argocd-server service

Release notes:

- Add Gateway API TLSRoute support for Argo CD server with configurable parentRefs, hostnames, and routing rules

Tests:

  • Manual template rendering verification with various configurations

Checklist:

  • I have bumped the chart version according to versioning
  • I have updated the documentation according to documentation
  • I have updated the chart changelog with all the changes that come with this pull request according to changelog.
  • Any new values are backwards compatible and/or have a sensible default.
  • I have signed off all my commits as required by DCO.
  • I have created a separate pull request for each chart according to pull requests
  • My build is green (troubleshooting builds).
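
The resources the description above refers to, as an added example that is not part of this pull request or the chart's templates: a Gateway listener in TLS passthrough mode and a TLSRoute that forwards by SNI to the argocd-server service. The Gateway name, gatewayClassName, namespace and hostname are constructed placeholders, and the example assumes server.insecure is not set, so the backend serves HTTPS on port 443.

```yaml
# Added example: constructed manifests, not rendered from the chart in this PR.
# example-gateway, example-gateway-class, the argocd namespace and
# argocd.example.com are placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: argocd
spec:
  gatewayClassName: example-gateway-class   # depends on the controller in use
  listeners:
    - name: tls-passthrough
      protocol: TLS
      port: 443
      hostname: argocd.example.com
      tls:
        mode: Passthrough        # Gateway routes on SNI and never holds the server key
      allowedRoutes:
        kinds:
          - kind: TLSRoute       # only TLSRoutes may attach to this listener
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: argocd-server
  namespace: argocd
spec:
  parentRefs:
    - name: example-gateway
      sectionName: tls-passthrough   # bind to the passthrough listener only
  hostnames:
    - argocd.example.com             # matched against the SNI in the ClientHello
  rules:
    - backendRefs:
        - name: argocd-server        # service named in the PR description
          port: 443                  # HTTPS port; assumes server.insecure is not set
```

In passthrough mode the certificate clients see is the one argocd-server itself presents, so that certificate has to cover the hostname listed on the route.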
