Argo CD

Use Argo CD to automate the deployment and management of Gloo Gateway.

Argo Continuous Delivery (Argo CD) is a declarative, Kubernetes-native continuous deployment tool that can read and pull code from Git repositories and deploy it to your cluster. Because of that, you can integrate Argo CD into your GitOps pipeline to automate the deployment and synchronization of your apps.

Before you begin

Install the following command line tools:
- kubectl, the Kubernetes command line tool. Download the kubectl version that is within one minor version of the Kubernetes clusters you plan to use.
- argocd, the Argo CD command line tool.
Create or use an existing Kubernetes cluster.
Argo CD version 7.8 or later: Review the known issue with Argo CD version 7.8.x.

Set up Argo CD

Install the custom resources of the Kubernetes Gateway API.

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml

Example output:

customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created

Install Argo CD in your cluster.

kubectl create namespace argocd
until kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.12.3/manifests/install.yaml > /dev/null 2>&1; do sleep 2; done
# wait for deployment to complete
kubectl -n argocd rollout status deploy/argocd-applicationset-controller
kubectl -n argocd rollout status deploy/argocd-dex-server
kubectl -n argocd rollout status deploy/argocd-notifications-controller
kubectl -n argocd rollout status deploy/argocd-redis
kubectl -n argocd rollout status deploy/argocd-repo-server
kubectl -n argocd rollout status deploy/argocd-server

Update the default Argo CD password for the admin user to gateway.

# bcrypt(password)=$2y$10$f6GlB5V/8OzCduEDEgBU.ugVn4vzxgT7cq7vuCebZAKoADaNve9Ve
# password: gateway
kubectl -n argocd patch secret argocd-secret \
  -p '{"stringData": {
    "admin.password": "$2y$10$f6GlB5V/8OzCduEDEgBU.ugVn4vzxgT7cq7vuCebZAKoADaNve9Ve",
    "admin.passwordMtime": "'$(date +%FT%T%Z)'"
  }}'

Port-forward the Argo CD server on port 9999.

kubectl port-forward svc/argocd-server -n argocd 9999:443

Open the Argo CD UI.
Log in with the admin username and gateway password.

Install Gloo Gateway

Create an Argo CD application to install the Gloo Gateway Helm chart.

kubectl apply -f- <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: gloo-gateway-oss-helm
  namespace: argocd
spec:
  destination:
    namespace: gloo-system
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: gloo
    helm:
      skipCrds: false
      values: |
        kubeGateway:
          # Enable K8s Gateway integration
          enabled: true
        gatewayProxies:
          gatewayProxy:
            disabled: true
        gloo:
          disableLeaderElection: true
        discovery:
          # For demo purposes, disable discovery
          enabled: false
    repoURL: https://storage.googleapis.com/solo-public-helm
    targetRevision: 1.18.36
  syncPolicy:
    automated:
      # Prune resources during auto-syncing (default is false)
      prune: true 
      # Sync the app in part when resources are changed only in the target Kubernetes cluster
      # but not in the git source (default is false).
      selfHeal: true 
    syncOptions:
    - CreateNamespace=true 
EOF

Verify that the gloo control plane is up and running.

kubectl get pods -n gloo-system

Example output:

NAME                                  READY   STATUS      RESTARTS   AGE
gateway-certgen-wfz9z                 0/1     Completed   0          35s
gloo-78f4cc8fc6-6hmsq                 1/1     Running     0          21s
gloo-resource-migration-sx5z4         0/1     Completed   0          48s
gloo-resource-rollout-28gj6           0/1     Completed   0          21s
gloo-resource-rollout-check-tjdp7     0/1     Completed   0          2s
gloo-resource-rollout-cleanup-nj4t8   0/1     Completed   0          39s

Verify that the gloo-gateway GatewayClass is created. You can optionally take a look at how the gateway class is configured by adding the -o yaml option to your command.
```
kubectl get gatewayclass gloo-gateway
```
Open the Argo CD UI and verify that you see the Argo CD application with a Healthy and Synced status.

Use the following YAML file to create an Argo CD application and deploy the Gloo Gateway Enterprise Helm chart. Make sure to enter your license key in the license_key field.

kubectl apply -f- <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: gloo-gateway-ee-helm
  namespace: argocd
spec:
  destination:
    namespace: gloo-system
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: gloo-ee
    helm:
      skipCrds: false
      values: |
        gloo:
          discovery:
            enabled: false
          disableLeaderElection: true
          gatewayProxies:
            gatewayProxy:
              disabled: true
          kubeGateway:
            enabled: true
        gloo-fed:
          enabled: false
          glooFedApiserver:
            enable: false
        grafana:
          defaultInstallationEnabled: false
        license_key: <enterprise-license-key>
        observability:
          enabled: false
        prometheus:
          enabled: false
    repoURL: https://storage.googleapis.com/gloo-ee-helm
    targetRevision: 1.18.25
  syncPolicy:
    automated:
      # Prune resources during auto-syncing (default is false)
      prune: true 
      # Sync the app in part when resources are changed only in the target Kubernetes cluster
      # but not in the git source (default is false).
      selfHeal: true 
    syncOptions:
    - CreateNamespace=true
EOF

Verify that the gloo control plane is up and running.

kubectl get pods -n gloo-system

Example output:

NAME                                  READY   STATUS      RESTARTS   AGE
extauth-6f8db7b756-5q4rz              1/1     Running     0          110s
gloo-8bbd4bcc5-bbqs7                  1/1     Running     0          110s
gloo-resource-migration-fcrlr         0/1     Completed   0          2m17s
gloo-resource-rollout-check-88fmv     0/1     Completed   0          84s
gloo-resource-rollout-cleanup-9n2pf   0/1     Completed   0          2m7s
gloo-resource-rollout-kljnz           0/1     Completed   0          110s
rate-limit-56694f94d4-2jgwx           1/1     Running     0          110s
redis-54757c7964-k2tk2                1/1     Running     0          110s

Verify that the gloo-gateway GatewayClass is created. You can optionally take a look at how the gateway class is configured by adding the -o yaml option to your command.
```
kubectl get gatewayclass gloo-gateway
```
Open the Argo CD UI and verify that you see the Argo CD application with a Healthy and Synced status.

Set up an API gateway

Create a gateway resource and configure an HTTP listener. The following gateway can serve HTTP resources from all namespaces.

kubectl apply -n gloo-system -f- <<EOF
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http
spec:
  gatewayClassName: gloo-gateway
  listeners:
  - protocol: HTTP
    port: 8080
    name: http
    allowedRoutes:
      namespaces:
        from: All
EOF

Verify that the gateway is created successfully. You can also review the external address that is assigned to the gateway. Note that depending on your environment it might take a few minutes for the load balancer service to be assigned an external address.
```
kubectl get gateway http -n gloo-system
```
Example output:
```
NAME   CLASS          ADDRESS                                                                  PROGRAMMED   AGE
http   gloo-gateway   a3a6c06e2f4154185bf3f8af46abf22e-139567718.us-east-2.elb.amazonaws.com   True         93s
```

Deploy a sample app

Create the httpbin namespace.
```
kubectl create ns httpbin
```

Deploy the httpbin app.

kubectl -n httpbin apply -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin.yaml

Verify that the httpbin app is running.

kubectl -n httpbin get pods

Example output:

NAME                      READY   STATUS    RESTARTS   AGE
httpbin-d57c95548-nz98t   3/3     Running   0          18s

Expose the app on the gateway

Create an HTTPRoute resource to expose the httpbin app on the gateway. The following example exposes the app on the wwww.example.com domain.

kubectl apply -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin
  namespace: httpbin
  labels:
    example: httpbin-route
spec:
  parentRefs:
    - name: http
      namespace: gloo-system
  hostnames:
    - "www.example.com"
  rules:
    - backendRefs:
        - name: httpbin
          port: 8000
EOF

Setting	Description
`spec.parentRefs`	The name and namespace of the gateway resource that serves the route. In this example, you use the HTTP gateway that you created earlier.
`spec.hostnames`	A list of hostnames that the route is exposed on.
`spec.rules.backendRefs`	The Kubernetes service that serves the incoming request. In this example, requests to `www.example.com` are forwarded to the httpbin app on port 9000. Note that you must create the HTTP route in the same namespace as the service that serves that route. To create the HTTP route resource in a different namespace, you must create a ReferenceGrant resource to allow the HTTP route to forward requests to a service in a different namespace. For more information, see the Kubernetes API Gateway documentation.

Verify that the HTTPRoute is applied successfully.
```
kubectl get -n httpbin httproute/httpbin -o yaml
```

Send a request to the httpbin app.

Get the external address of the gateway and save it in an environment variable.

export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o=jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS

Send a request to the httpbin app and verify that you get back a 200 HTTP response code. Note that it might take a few minutes for the load balancer service to become fully ready and accept traffic.

curl -i http://$INGRESS_GW_ADDRESS:8080/headers -H "host: www.example.com:8080"

Example output:

HTTP/1.1 200 OK
server: envoy
date: Wed, 17 Jan 2024 17:32:21 GMT
content-type: application/json
content-length: 211
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 2

Port-forward the gloo-proxy-http pod on port 8080.

kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080

Send a request to the httpbin app and verify that you get back a 200 HTTP response code.

curl -i localhost:8080/headers -H "host: www.example.com"

Example output:

HTTP/1.1 200 OK
server: envoy
date: Wed, 17 Jan 2024 17:32:21 GMT
content-type: application/json
content-length: 211
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 2

Next steps

Now that you have Gloo Gateway set up and running, check out the following guides to expand your API gateway capabilities.

Check out this blog post to learn how you can use Argo CD to deploy an application and how to manually sync the app with your cluster. This blog post also includes other guides for how to set up request matching, apply policies, or rollout a new version of an app.
Learn more about Gloo Gateway’s features and benefits.
Add routing capabilities to your httpbin route by using the Traffic management guides.
Explore ways to make your routes more resilient by using the Resiliency guides.
Secure your routes with external authentication and rate limiting policies by using the Security guides.

Keep in mind that you can only have one installation of Gloo Gateway with the Kubernetes Gateway API at a time. Installing the product twice causes required Kubernetes resources that are cluster-scoped, such as GatewayClass, to fail. You can still create multiple Gateway resources to configure HTTP and HTTPS listeners on Gloo Gateway.

Cleanup

If you no longer need this quick-start Gloo Gateway environment, you can uninstall your setup by following these steps:

Port-forward the Argo CD server on port 9999.

kubectl port-forward svc/argocd-server -n argocd 9999:443

Open the Argo CD UI.
Log in with the admin username and gateway password.
Find the application that you want to delete and click x.
Select Foreground and click Ok.
Verify that the pods were removed from the gloo-system namespace.
```
kubectl get pods -n gloo-system
```
Example output:
```
No resources found in gloo-system namespace.
```

Port-forward the Argo CD server on port 9999.

kubectl port-forward svc/argocd-server -n argocd 9999:443

argocd login localhost:9999 --username admin --password solo.io --insecure

Delete the application.

Open source:

argocd app delete gloo-gateway-oss-helm --cascade --server localhost:9999 --insecure

Enterprise:

argocd app delete gloo-gateway-ee-helm --cascade --server localhost:9999 --insecure

Example output:

Are you sure you want to delete 'gloo-gateway-oss-helm' and all its resources? [y/n] y
application 'gloo-gateway-oss-helm' deleted

Verify that the pods were removed from the gloo-system namespace.
```
kubectl get pods -n gloo-system
```
Example output:
```
No resources found in gloo-system namespace.
```

Known issues

Settings cannot sync

The Gloo Settings resource stays in a Progressing health status, which prevents updates from syncing. This is due to the Settings resource not returning a status, which became an issue in Argo CD version 7.8.x.

As a workaround, use Argo CD version 7.7.x. or add the following status override to your Argo CD config-cm file.

resource.customizations.health.gloo.solo.io_Settings: |
   hs = {}
   hs.status = "Healthy"
   hs.message = "we are good"
   return hs

For more details, see the open gloo and argo-cd GitHub issues.

Airgap environment Amazon EKS add-on