From 3fe0472ebeff2b7dedb1e34ba1cebb52d0f0ccce Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 26 Nov 2025 18:00:54 +0000
Subject: [PATCH 1/5] Initial plan

From b904401648d429e833d6e11d1b3757a178a255f5 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 26 Nov 2025 18:04:07 +0000
Subject: [PATCH 2/5] Replace hardcoded values in Makefile ports target with configurable variables

Co-authored-by: bwalsh <47808+bwalsh@users.noreply.github.com>
---
 Makefile | 43 ++++++++++++++++++++++++++++---------------
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/Makefile b/Makefile
index 483b6ca5..c01c7d77 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,12 @@ S3_HOSTNAME ?= minio.minio-system.svc.cluster.local:9000
 # Vault configuration for local development (in-cluster deployment)
 VAULT_TOKEN ?= root
 
+# Ingress configuration - must be set for production deployments
+# ARGO_HOSTNAME: The domain name for your Argo services (e.g., argo.example.com)
+# TLS_SECRET_NAME: Name of the TLS secret for SSL certificates
+# EXTERNAL_IP: External IP address for ingress (leave empty to skip external IP assignment)
+TLS_SECRET_NAME ?= argo-tls
+EXTERNAL_IP ?=
 
 check-vars:
 @echo "🔍 Checking required environment variables..."
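Review bot: The comment block added above `TLS_SECRET_NAME ?= argo-tls` says ARGO_HOSTNAME must be set, but the hunk gives it neither a default nor a check, so the requirement exists only as documentation; [PATCH 5/5] later marks it "(REQUIRED)" in the same comment and still adds no enforcement. With the variable empty, the `ports` recipe in the next hunk expands to `sudo cp /etc/letsencrypt/live//fullchain.pem /tmp/` and fails only after the existing secret has already been deleted. Making the first line of the `ports` recipe `$(if $(strip $(ARGO_HOSTNAME)),,$(error ARGO_HOSTNAME is required for 'make ports'))` would stop before anything is touched; `check-vars`, whose body lies outside this hunk, may be another place for it. The new default `argo-tls` also differs from the previously hard-coded `calypr-demo-tls`, so anything outside this file that still refers to the old secret name would need the same change, which cannot be confirmed from the hunk.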
@@ -158,34 +164,41 @@ deploy: init argo-stack docker-install ports
 ports:
 # manual certificate
 # If the secret already exists, delete it first:
- kubectl delete secret calypr-demo-tls -n argo-stack || true
+ kubectl delete secret $(TLS_SECRET_NAME) -n argo-stack || true
 # Create the TLS secret from your certificate files
- sudo cp /etc/letsencrypt/live/calypr-demo.ddns.net/fullchain.pem /tmp/
- sudo cp /etc/letsencrypt/live/calypr-demo.ddns.net/privkey.pem /tmp/
+ # Requires: ARGO_HOSTNAME to be set (e.g., argo.example.com)
+ # Certificate location: /etc/letsencrypt/live/${ARGO_HOSTNAME}/
+ sudo cp /etc/letsencrypt/live/$(ARGO_HOSTNAME)/fullchain.pem /tmp/
+ sudo cp /etc/letsencrypt/live/$(ARGO_HOSTNAME)/privkey.pem /tmp/
 sudo chmod 644 /tmp/fullchain.pem /tmp/privkey.pem
- kubectl create secret tls calypr-demo-tls -n argo-stack --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls calypr-demo-tls -n argocd --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls calypr-demo-tls -n argo-workflows --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls calypr-demo-tls -n argo-events --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls calypr-demo-tls -n calypr-api --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls calypr-demo-tls -n calypr-tenants --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls calypr-demo-tls -n default --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls $(TLS_SECRET_NAME) -n argo-stack --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls $(TLS_SECRET_NAME) -n argocd --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls $(TLS_SECRET_NAME) -n argo-workflows --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls $(TLS_SECRET_NAME) -n argo-events --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls $(TLS_SECRET_NAME) -n calypr-api --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls $(TLS_SECRET_NAME) -n calypr-tenants --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls $(TLS_SECRET_NAME) -n default --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
 # install ingress
 helm upgrade --install ingress-authz-overlay \
 helm/argo-stack/overlays/ingress-authz-overlay \
 --namespace argo-stack \
- --set ingressAuthzOverlay.host=${ARGO_HOSTNAME}
+ --set ingressAuthzOverlay.host=$(ARGO_HOSTNAME)
 # start nginx
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm repo update
 helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
 -n ingress-nginx --create-namespace \
 --set controller.service.type=NodePort \
- --set controller.extraArgs.default-ssl-certificate=default/calypr-demo-tls
- kubectl create secret tls calypr-demo-tls -n ingress-nginx --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ --set controller.extraArgs.default-ssl-certificate=default/$(TLS_SECRET_NAME)
+ kubectl create secret tls $(TLS_SECRET_NAME) -n ingress-nginx --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
 sudo rm /tmp/fullchain.pem /tmp/privkey.pem
- # Assign external address
- kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{ "spec": { "type": "NodePort", "externalIPs": ["100.22.124.96"] } }'
+ # Assign external address (only if EXTERNAL_IP is set)
+ @if [ -n "$(EXTERNAL_IP)" ]; then \
+ echo "➡️ Assigning external IP: $(EXTERNAL_IP)"; \
+ kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{ "spec": { "type": "NodePort", "externalIPs": ["$(EXTERNAL_IP)"] } }'; \
+ else \
+ echo "⚠️ EXTERNAL_IP not set, skipping external IP assignment"; \
+ fi
 # Solution - Use NodePort instead of LoadBalancer in kind
 kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{"spec":{"type":"NodePort","ports":[{"port":80,"nodePort":30080},{"port":443,"nodePort":30443}]}}'
 

From 13af8a8753cb9c65ce999a921396897132110198 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 26 Nov 2025 18:06:45 +0000
Subject: [PATCH 3/5] Fix variable syntax consistency to use ${} throughout ports target

Co-authored-by: bwalsh <47808+bwalsh@users.noreply.github.com>
---
 Makefile | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/Makefile b/Makefile
index c01c7d77..53430a93 100644
--- a/Makefile
+++ b/Makefile
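Review bot: The rewritten `sudo cp /etc/letsencrypt/live/$(ARGO_HOSTNAME)/privkey.pem /tmp/` line still stages the certificate's private key under a fixed name in `/tmp`, and the unchanged `sudo chmod 644` after it makes the key readable by every local user until `sudo rm` runs. Make stops at the first failing recipe line, so a failed `helm upgrade` between those two steps leaves the key behind in `/tmp`. Copying the key with owner-only permissions removes the exposure, for example `sudo install -m 600 -o "$$(id -u)" /etc/letsencrypt/live/$(ARGO_HOSTNAME)/privkey.pem /tmp/privkey.pem`, with the `chmod 644` limited to `fullchain.pem`. The same lines are rewritten again in [PATCH 3/5], and the `ports` recipe continues past the end of this hunk.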
@@ -164,38 +164,38 @@ deploy: init argo-stack docker-install ports
 ports:
 # manual certificate
 # If the secret already exists, delete it first:
- kubectl delete secret $(TLS_SECRET_NAME) -n argo-stack || true
+ kubectl delete secret ${TLS_SECRET_NAME} -n argo-stack || true
 # Create the TLS secret from your certificate files
 # Requires: ARGO_HOSTNAME to be set (e.g., argo.example.com)
 # Certificate location: /etc/letsencrypt/live/${ARGO_HOSTNAME}/
- sudo cp /etc/letsencrypt/live/$(ARGO_HOSTNAME)/fullchain.pem /tmp/
- sudo cp /etc/letsencrypt/live/$(ARGO_HOSTNAME)/privkey.pem /tmp/
+ sudo cp /etc/letsencrypt/live/${ARGO_HOSTNAME}/fullchain.pem /tmp/
+ sudo cp /etc/letsencrypt/live/${ARGO_HOSTNAME}/privkey.pem /tmp/
 sudo chmod 644 /tmp/fullchain.pem /tmp/privkey.pem
- kubectl create secret tls $(TLS_SECRET_NAME) -n argo-stack --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls $(TLS_SECRET_NAME) -n argocd --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls $(TLS_SECRET_NAME) -n argo-workflows --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls $(TLS_SECRET_NAME) -n argo-events --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls $(TLS_SECRET_NAME) -n calypr-api --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls $(TLS_SECRET_NAME) -n calypr-tenants --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
- kubectl create secret tls $(TLS_SECRET_NAME) -n default --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls ${TLS_SECRET_NAME} -n argo-stack --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls ${TLS_SECRET_NAME} -n argocd --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls ${TLS_SECRET_NAME} -n argo-workflows --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls ${TLS_SECRET_NAME} -n argo-events --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls ${TLS_SECRET_NAME} -n calypr-api --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls ${TLS_SECRET_NAME} -n calypr-tenants --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ kubectl create secret tls ${TLS_SECRET_NAME} -n default --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
 # install ingress
 helm upgrade --install ingress-authz-overlay \
 helm/argo-stack/overlays/ingress-authz-overlay \
 --namespace argo-stack \
- --set ingressAuthzOverlay.host=$(ARGO_HOSTNAME)
+ --set ingressAuthzOverlay.host=${ARGO_HOSTNAME}
 # start nginx
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm repo update
 helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
 -n ingress-nginx --create-namespace \
 --set controller.service.type=NodePort \
- --set controller.extraArgs.default-ssl-certificate=default/$(TLS_SECRET_NAME)
- kubectl create secret tls $(TLS_SECRET_NAME) -n ingress-nginx --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+ --set controller.extraArgs.default-ssl-certificate=default/${TLS_SECRET_NAME}
+ kubectl create secret tls ${TLS_SECRET_NAME} -n ingress-nginx --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
 sudo rm /tmp/fullchain.pem /tmp/privkey.pem
 # Assign external address (only if EXTERNAL_IP is set)
- @if [ -n "$(EXTERNAL_IP)" ]; then \
- echo "➡️ Assigning external IP: $(EXTERNAL_IP)"; \
- kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{ "spec": { "type": "NodePort", "externalIPs": ["$(EXTERNAL_IP)"] } }'; \
+ @if [ -n "${EXTERNAL_IP}" ]; then \
+ echo "➡️ Assigning external IP: ${EXTERNAL_IP}"; \
+ kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{ "spec": { "type": "NodePort", "externalIPs": ["${EXTERNAL_IP}"] } }'; \
 else \
 echo "⚠️ EXTERNAL_IP not set, skipping external IP assignment"; \
 fi
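Review bot: Every `kubectl create secret tls ${TLS_SECRET_NAME} ... || true` line in this hunk hides the "already exists" failure, and only the `argo-stack` copy is deleted beforehand, so in the other namespaces a renewed certificate never replaces the old secret and any other error (unreadable key, missing namespace) is swallowed as well. The [PATCH 2/5] version of these lines has the same pattern. An idempotent form updates the secret in place and still reports real failures: `kubectl create secret tls ${TLS_SECRET_NAME} -n argocd --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem --dry-run=client -o yaml | kubectl apply -f -`. Separately, `${VAR}` and `$(VAR)` are the same make expansion, so this commit changes spelling only; the values still reach the shell unquoted.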
From 2f3359bcea27c022d52db0e84fef614477e7d373 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 26 Nov 2025 18:07:45 +0000
Subject: [PATCH 4/5] Fix EXTERNAL_IP variable expansion in JSON patch command

Co-authored-by: bwalsh <47808+bwalsh@users.noreply.github.com>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 53430a93..521d1fb0 100644
--- a/Makefile
+++ b/Makefile
@@ -195,7 +195,7 @@ ports:
 # Assign external address (only if EXTERNAL_IP is set)
 @if [ -n "${EXTERNAL_IP}" ]; then \
 echo "➡️ Assigning external IP: ${EXTERNAL_IP}"; \
- kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{ "spec": { "type": "NodePort", "externalIPs": ["${EXTERNAL_IP}"] } }'; \
+ kubectl patch svc ingress-nginx-controller -n ingress-nginx -p "{\"spec\": {\"type\": \"NodePort\", \"externalIPs\": [\"${EXTERNAL_IP}\"]}}"; \
 else \
 echo "⚠️ EXTERNAL_IP not set, skipping external IP assignment"; \
 fi

From d75d1b5a50070403907f0ab4c8aa9f04a7a66996 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 26 Nov 2025 18:09:25 +0000
Subject: [PATCH 5/5] Clarify ARGO_HOSTNAME as required environment variable in documentation

Co-authored-by: bwalsh <47808+bwalsh@users.noreply.github.com>
---
 Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 521d1fb0..88366788 100644
--- a/Makefile
+++ b/Makefile
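Review bot: The double-quoted JSON argument on the new `kubectl patch` line is not needed for expansion, because make substitutes `${EXTERNAL_IP}` before the shell ever sees the recipe, and it weakens the quoting: inside double quotes the shell now interprets `$`, backticks and backslashes that appear in the value. Nothing in the `if` block checks that the value looks like an address before it is written into the Service's `externalIPs`. Keeping the single-quoted form `'{ "spec": { "type": "NodePort", "externalIPs": ["${EXTERNAL_IP}"] } }'` and rejecting unexpected characters first, e.g. `case '${EXTERNAL_IP}' in *[!0-9A-Fa-f.:]*) echo "invalid EXTERNAL_IP" >&2; exit 1;; esac; \`, would be the safer shape. The `ports` recipe starts above this hunk.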
@@ -13,7 +13,8 @@ S3_HOSTNAME ?= minio.minio-system.svc.cluster.local:9000
 VAULT_TOKEN ?= root
 
 # Ingress configuration - must be set for production deployments
-# ARGO_HOSTNAME: The domain name for your Argo services (e.g., argo.example.com)
+# ARGO_HOSTNAME: (REQUIRED) The domain name for your Argo services (e.g., argo.example.com)
+# Must be set as environment variable: export ARGO_HOSTNAME=your-domain.com
 # TLS_SECRET_NAME: Name of the TLS secret for SSL certificates
 # EXTERNAL_IP: External IP address for ingress (leave empty to skip external IP assignment)
 TLS_SECRET_NAME ?= argo-tls