Fix 404 errors on ingress routes

Makefile

@@ -171,7 +171,13 @@ ports:
 	sudo cp /etc/letsencrypt/live/calypr-demo.ddns.net/fullchain.pem /tmp/
 	sudo cp /etc/letsencrypt/live/calypr-demo.ddns.net/privkey.pem /tmp/
 	sudo chmod 644 /tmp/fullchain.pem /tmp/privkey.pem
-	kubectl create secret tls ${TLS_SECRET_NAME}  -n default --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+	kubectl create secret tls ${TLS_SECRET_NAME}  -n default        --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+	kubectl create secret tls ${TLS_SECRET_NAME}  -n argocd         --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+	kubectl create secret tls ${TLS_SECRET_NAME}  -n argo-workflows --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+	kubectl create secret tls ${TLS_SECRET_NAME}  -n argo-events    --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+	kubectl create secret tls ${TLS_SECRET_NAME}  -n argo-stack     --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+	kubectl create secret tls ${TLS_SECRET_NAME}  -n calypr-api     --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
+	kubectl create secret tls ${TLS_SECRET_NAME}  -n calypr-tenants --cert=/tmp/fullchain.pem --key=/tmp/privkey.pem || true
 	sudo rm /tmp/fullchain.pem /tmp/privkey.pem
 	# install ingress
 	helm upgrade --install ingress-authz-overlay \
@@ -184,14 +190,16 @@ ports:
 	helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
   	-n ingress-nginx --create-namespace \
   	--set controller.service.type=NodePort \
-	--set controller.extraArgs.default-ssl-certificate=default/${TLS_SECRET_NAME} 
+	--set controller.extraArgs.default-ssl-certificate=default/${TLS_SECRET_NAME} \
+	--set controller.watchIngressWithoutClass=true \
+	-f helm/argo-stack/overlays/ingress-authz-overlay/values-ingress-nginx.yaml
 	# Assign external address (only if PUBLIC_IP is set)
-	@if [ -n "${PUBLIC_IP}" ]; then \
-		echo "➡️  Assigning external IP: ${PUBLIC_IP}"; \
-		kubectl patch svc ingress-nginx-controller -n ingress-nginx -p "{\"spec\": {\"type\": \"NodePort\", \"externalIPs\": [\"${PUBLIC_IP}\"]}}"; \
-	else \
-		echo "⚠️  PUBLIC_IP not set, skipping external IP assignment"; \
-	fi
+	# @if [ -n "${PUBLIC_IP}" ]; then \
+	# 	echo "➡️  Assigning external IP: ${PUBLIC_IP}"; \
+	# 	kubectl patch svc ingress-nginx-controller -n ingress-nginx -p "{\"spec\": {\"type\": \"NodePort\", \"externalIPs\": [\"${PUBLIC_IP}\"]}}"; \
+	# else \
+	# 	echo "⚠️  PUBLIC_IP not set, skipping external IP assignment"; \
+	# fi
 	# Solution - Use NodePort instead of LoadBalancer in kind
 	kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{"spec":{"type":"NodePort","ports":[{"port":80,"nodePort":30080},{"port":443,"nodePort":30443}]}}'
 

helm/argo-stack/overlays/ingress-authz-overlay/README.md

@@ -117,6 +117,40 @@ ingressAuthzOverlay:
     clusterIssuer: letsencrypt-prod
 ```
 
+### Route Configuration Options
+
+Each route supports the following options:
+
+| Option | Description | Default |
+|--------|-------------|---------|
+| `enabled` | Enable/disable this route | `true` |
+| `namespace` | Namespace where the ingress is created | Required |
+| `service` | Backend service name | Required |
+| `serviceNamespace` | Namespace of the actual service (for cross-namespace routing) | Same as `namespace` |
+| `port` | Backend service port | Required |
+| `pathPrefix` | URL path prefix for this route | Required |
+| `useRegex` | Enable regex path matching | `false` |
+| `rewriteTarget` | Path rewrite target (when `useRegex` is true) | `/$2` |
+| `backendProtocol` | Backend protocol (`HTTP`, `HTTPS`, `GRPC`, `GRPCS`) | `HTTP` |
+| `proxyConnectTimeout` | NGINX proxy connect timeout | - |
+| `proxyReadTimeout` | NGINX proxy read timeout | - |
+| `proxySendTimeout` | NGINX proxy send timeout | - |
+
+### Backend Protocol
+
+Some services use HTTPS or gRPC internally. Use the `backendProtocol` option to specify the correct protocol:
+
+```yaml
+ingressAuthzOverlay:
+  routes:
+    applications:
+      # ArgoCD server uses HTTPS by default
+      backendProtocol: HTTPS
+    grpc-service:
+      # For gRPC services
+      backendProtocol: GRPC
+```
+
 ## Documentation
 
 - [User Guide](docs/authz-ingress-user-guide.md) - Complete installation and configuration guide

helm/argo-stack/overlays/ingress-authz-overlay/docs/authz-ingress-user-guide.md

@@ -522,7 +522,39 @@ curl -I -H "Authorization: Bearer $TOKEN" https://calypr-demo.ddns.net/workflows
 
 ### Common Issues
 
-1. **502 Bad Gateway**: AuthZ adapter not reachable
+1. **404 Not Found**: Routes return 404 error
+   - Check if backend services exist in their respective namespaces:
+     ```bash
+     # For workflows
+     kubectl get svc argo-stack-argo-workflows-server -n argo-workflows
+     # For applications (ArgoCD)
+     kubectl get svc argo-stack-argocd-server -n argocd
+     # For registrations
+     kubectl get svc github-repo-registrations-eventsource-svc -n argo-events
+     ```
+   - Verify ExternalName proxy services are created for cross-namespace routing:
+     ```bash
+     kubectl get svc -n argo-stack -l app.kubernetes.io/component=externalname-proxy
+     ```
+   - Check if NGINX ingress controller is running and has ADDRESS assigned:
+     ```bash
+     kubectl get ingress -A -l app.kubernetes.io/name=ingress-authz-overlay
+     ```
+   - Verify backend protocol settings (ArgoCD requires HTTPS):
+     ```bash
+     kubectl get ingress ingress-authz-applications -n argo-stack -o yaml | grep backend-protocol
+     ```
+   - Check NGINX ingress controller logs for routing errors:
+     ```bash
+     kubectl logs -n ingress-nginx -l app.kubernetes.io/component=controller --tail=100
+     ```
+   - Test direct connectivity to backend services:
+     ```bash
+     kubectl run -it --rm debug --image=curlimages/curl --restart=Never -- \
+       curl -v http://argo-stack-argo-workflows-server.argo-workflows:2746/
+     ```
+
+2. **502 Bad Gateway**: AuthZ adapter not reachable
    - Check authz-adapter deployment is running
    - Verify service selector matches pod labels
 

helm/argo-stack/overlays/ingress-authz-overlay/templates/externalname-services.yaml

@@ -8,7 +8,8 @@ in its original namespace. This enables NGINX Ingress to route traffic correctly
 {{- $root := . }}
 {{- $config := .Values.ingressAuthzOverlay }}
 {{- range $routeName, $route := $config.routes }}
-{{- if $route.enabled }}
+{{- $routeEnabled := $route.enabled | default true }}
+{{- if $routeEnabled }}
 {{- $serviceNamespace := $route.serviceNamespace | default $route.namespace }}
 {{- if ne $route.namespace $serviceNamespace }}
 ---

helm/argo-stack/overlays/ingress-authz-overlay/templates/ingress-authz.yaml

@@ -17,7 +17,8 @@ externalname-services.yaml template.
 {{- $root := . }}
 {{- $config := .Values.ingressAuthzOverlay }}
 {{- range $routeName, $route := $config.routes }}
-{{- if $route.enabled }}
+{{- $routeEnabled := $route.enabled | default true }}
+{{- if $routeEnabled }}
 {{- $serviceNamespace := $route.serviceNamespace | default $route.namespace }}
 {{- $isCrossNamespace := ne $route.namespace $serviceNamespace }}
 {{- $serviceName := ternary (printf "%s-proxy" $route.service) $route.service $isCrossNamespace }}
@@ -45,6 +46,11 @@ metadata:
     # # Let's Encrypt / cert-manager integration (only on primary route to avoid ownership conflicts)
     # cert-manager.io/cluster-issuer: {{ $config.tls.clusterIssuer | quote }}
     # {{- end }}
+    {{- if $route.backendProtocol }}
+    # Backend protocol for services using HTTPS/GRPC internally
+    # Valid values: HTTP, HTTPS, GRPC, GRPCS, AJP, FCGI
+    nginx.ingress.kubernetes.io/backend-protocol: {{ $route.backendProtocol | quote }}
+    {{- end }}
     {{- if $route.useRegex }}
     # Path rewriting for subpath support
     nginx.ingress.kubernetes.io/use-regex: "true"
@@ -54,8 +60,17 @@ metadata:
     # Cross-namespace routing via ExternalName service
     nginx.ingress.kubernetes.io/upstream-vhost: {{ $route.service }}.{{ $serviceNamespace }}.svc.cluster.local
     {{- end }}
+    {{- if $route.proxyConnectTimeout }}
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: {{ $route.proxyConnectTimeout | quote }}
+    {{- end }}
+    {{- if $route.proxyReadTimeout }}
+    nginx.ingress.kubernetes.io/proxy-read-timeout: {{ $route.proxyReadTimeout | quote }}
+    {{- end }}
+    {{- if $route.proxySendTimeout }}
+    nginx.ingress.kubernetes.io/proxy-send-timeout: {{ $route.proxySendTimeout | quote }}
+    {{- end }}
 spec:
-  ingressClassName: {{ $config.ingressClassName | default "nginx" | quote }}
+  ingressClassName: "nginx"
   {{- if $config.tls.enabled }}
   tls:
     - hosts:

helm/argo-stack/overlays/ingress-authz-overlay/values-ingress-nginx.yaml

@@ -0,0 +1,4 @@
+controller:
+  config:
+    allow-snippet-annotations: "true"
+    annotations-risk-level: Critical   # allow Critical-risk annotations like auth-snippet    

helm/argo-stack/overlays/ingress-authz-overlay/values.yaml

@@ -10,6 +10,7 @@
 #     --set ingressAuthzOverlay.enabled=true
 # ============================================================================
 
+
 ingressAuthzOverlay:
   # Enable or disable the overlay
   enabled: true
@@ -102,7 +103,7 @@ ingressAuthzOverlay:
       # Only the primary route gets the cert-manager.io/cluster-issuer annotation
       primary: true
       # Namespace where the ingress will be created
-      namespace: argo-stack
+      namespace: argo-workflows
       # Service name to route to
       service: argo-stack-argo-workflows-server
       # Namespace where the actual service exists (for cross-namespace routing)
@@ -118,19 +119,21 @@ ingressAuthzOverlay:
     # Argo CD Applications UI
     applications:
       enabled: true
-      namespace: argo-stack
+      namespace: argocd
       service: argo-stack-argocd-server
       # ArgoCD server is in argocd namespace
       serviceNamespace: argocd
       port: 8080
       pathPrefix: /applications
       useRegex: true
       rewriteTarget: /$2
+      # ArgoCD server uses HTTPS by default
+      backendProtocol: HTTPS
 
     # GitHub Repository Registrations EventSource
     registrations:
       enabled: true
-      namespace: argo-stack
+      namespace: argo-events
       service: github-repo-registrations-eventsource-svc
       # EventSource is in argo-events namespace
       serviceNamespace: argo-events

helm/argo-stack/values.yaml

@@ -241,6 +241,8 @@ ingressAuthzOverlay:
       service: argo-stack-argocd-server
       port: 8080
       pathPrefix: /applications
+      # ArgoCD server uses HTTPS by default
+      backendProtocol: HTTPS
     registrations:
       namespace: argo-stack
       service: github-repo-registrations-eventsource-svc