Fix ArgoCD TLS: use Ingress with Let's Encrypt

- Switch from LoadBalancer to Ingress for automatic TLS certs - Add ConfigMap patch to disable internal HTTPS redirect - Tailscale Ingress provides Let's Encrypt certificates Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-18 20:00:27 -08:00 · 2026-01-18 20:00:27 -08:00 · d510374432
commit d510374432
parent fc72021d6b
4 changed files with 29 additions and 14 deletions
--- a/argocd/manifests/argocd/README.md
+++ b/argocd/manifests/argocd/README.md
@ -30,7 +30,8 @@ kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.pas
 | File | Description |
 |------|-------------|
 | `kustomization.yaml` | References upstream install.yaml + local customizations |
-| `service-tailscale.yaml` | Tailscale LoadBalancer for external access |
+| `service-tailscale.yaml` | Tailscale Ingress for external access with Let's Encrypt TLS |
+| `argocd-cmd-params-cm.yaml` | Patch to disable HTTPS redirect (TLS terminates at Ingress) |
 | `README.md` | This file |

 ## Post-Setup
--- a/argocd/manifests/argocd/argocd-cmd-params-cm.yaml
+++ b/argocd/manifests/argocd/argocd-cmd-params-cm.yaml
@ -0,0 +1,8 @@
+# ArgoCD server parameters
+# Disables HTTPS redirect since TLS is terminated at Tailscale Ingress
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cmd-params-cm
+data:
+  server.insecure: "true"
--- a/argocd/manifests/argocd/kustomization.yaml
+++ b/argocd/manifests/argocd/kustomization.yaml
@ -6,3 +6,6 @@ namespace: argocd
 resources:
  - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
  - service-tailscale.yaml
+
+patchesStrategicMerge:
+  - argocd-cmd-params-cm.yaml
--- a/argocd/manifests/argocd/service-tailscale.yaml
+++ b/argocd/manifests/argocd/service-tailscale.yaml
@ -1,20 +1,23 @@
-# Tailscale LoadBalancer service for ArgoCD
-# Exposes ArgoCD at https://argocd.tail8d86e.ts.net
+# Tailscale Ingress for ArgoCD
+# Exposes ArgoCD at https://argocd.tail8d86e.ts.net with Let's Encrypt TLS
+#
+# Using Ingress instead of LoadBalancer to get automatic TLS certificates.
+# See: https://tailscale.com/kb/1439/kubernetes-operator-cluster-ingress
 ---
-apiVersion: v1
-kind: Service
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
  name: argocd-server-tailscale
  namespace: argocd
  annotations:
-    tailscale.com/hostname: "argocd"
    tailscale.com/proxy-class: "default"
 spec:
-  type: LoadBalancer
-  loadBalancerClass: tailscale
-  selector:
-    app.kubernetes.io/name: argocd-server
-  ports:
-    - name: https
-      port: 443
-      targetPort: 8080
+  ingressClassName: tailscale
+  defaultBackend:
+    service:
+      name: argocd-server
+      port:
+        number: 80
+  tls:
+    - hosts:
+        - argocd