Programmer-Network/k3s-argocd

ArgoCD + Traefik + cert-manager (DNS-01/Cloudflare) on k3s

This repo provides a clear, production-ready setup for deploying ArgoCD on k3s with Traefik ingress and cert-manager for Let's Encrypt SSL using DNS-01 (Cloudflare).

Files

  • clusterissuer.yaml: ClusterIssuer for Let's Encrypt DNS-01 (Cloudflare)
  • argocd-config-map.yaml: ArgoCD config map to enable insecure mode (HTTP only)
  • argocd-certificate.yaml: Certificate resource for ArgoCD domain
  • argocd-ingress.yaml: Ingress resource for ArgoCD with Traefik and cert-manager annotations

Prerequisites

  • k3s cluster
  • cert-manager installed
  • Traefik ingress controller installed (default in k3s)

Cloudflare API Token Secret

  1. Create a Cloudflare API token with Zone:DNS:Edit and Zone:Zone:Read permissions for your domain.
  2. Create the secret in the cert-manager namespace:

     kubectl create secret generic cloudflare-api-token-secret --from-literal=api-token=<YOUR_API_TOKEN> -n cert-manager
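The README's one-liner puts the token on the kubectl command line, where it is visible in the process list and shell history. The following added example (not part of this repository) instead reads the token from a file, renders the Secret manifest locally and pipes it to kubectl, then verifies that the key the ClusterIssuer's secret reference expects is present. The Secret name, key (`api-token`) and namespace match the command above; the token file path is an assumption, and the minimum-length check is a constructed sanity bound, not a Cloudflare rule.

```shell
#!/bin/sh
# Added example: create the Cloudflare API token Secret for cert-manager's
# DNS-01 solver without passing the token as a command-line argument.
# Assumed: token is stored in a file (ideally mode 0600) given as $1.
set -eu

SECRET_NAME="cloudflare-api-token-secret"
SECRET_NS="cert-manager"
SECRET_KEY="api-token"

# Render the Secret manifest on stdout. $1 is the raw token value.
# Secret .data values are base64 of the raw bytes, with no trailing newline.
render_secret_manifest() {
    token="$1"
    b64=$(printf '%s' "$token" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${SECRET_NS}
type: Opaque
data:
  ${SECRET_KEY}: ${b64}
EOF
}

# Reject empty tokens, tokens containing whitespace (a pasted newline is the
# usual cause of a ClusterIssuer stuck with an authentication error) and
# obviously truncated values. The 20-character bound is a constructed minimum.
token_looks_valid() {
    tok="$1"
    [ -n "$tok" ] || return 1
    case "$tok" in
        *[[:space:]]*) return 1 ;;
    esac
    [ "${#tok}" -ge 20 ] || return 1
    return 0
}

# Read the token from a file; $(cat ...) strips trailing newlines for us.
read_token_file() {
    printf '%s' "$(cat "$1")"
}

create_secret() {
    token_file="$1"
    tok=$(read_token_file "$token_file")
    token_looks_valid "$tok" || { echo "token in $token_file looks malformed" >&2; return 1; }
    # kubectl apply makes this idempotent: rotate the token by re-running.
    render_secret_manifest "$tok" | kubectl apply -f -
    # Confirm the key the ClusterIssuer's apiTokenSecretRef points at exists.
    if ! kubectl get secret "$SECRET_NAME" -n "$SECRET_NS" \
            -o jsonpath="{.data.${SECRET_KEY}}" | grep -q .; then
        echo "secret exists but key ${SECRET_KEY} is missing" >&2
        return 1
    fi
}

# Usage: sh create-cloudflare-secret.sh /path/to/cloudflare-token.txt
if [ "$#" -eq 1 ]; then
    create_secret "$1"
fi
```

Once the Secret exists, `kubectl describe clusterissuer <name>` should show a Ready condition; an "authentication" or "invalid token" message there almost always means the token value was pasted with a newline or the key name does not match the issuer's `apiTokenSecretRef.key`.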

Why ArgoCD is Configured in Insecure Mode

ArgoCD is set to run in insecure (HTTP) mode via argocd-config-map.yaml (with server.insecure: "true"). This is intentional for the following reasons:

  • SSL/TLS Termination by Traefik: Traefik, as the ingress controller, handles all HTTPS (SSL/TLS) traffic at the edge. It provides secure connections to clients and manages certificates via cert-manager.
  • Simplified Internal Traffic: ArgoCD only needs to serve HTTP traffic inside the cluster, since all external traffic is already secured by Traefik. This avoids double encryption and simplifies troubleshooting.
  • Centralized Certificate Management: Only Traefik manages certificates, reducing complexity and avoiding issues with self-signed or mismatched certificates inside the cluster.
  • Best Practice for Ingress: This pattern is common for Kubernetes ingress setups, where the ingress controller is responsible for encryption and backend services run in HTTP mode.

Deployment Steps

  1. Apply the ClusterIssuer:

     kubectl apply -f clusterissuer.yaml

  2. Apply the ArgoCD config map (insecure mode):

     kubectl apply -f argocd-config-map.yaml

  3. Apply the Certificate manifest:

     kubectl apply -f argocd-certificate.yaml

  4. Apply the Ingress manifest:

     kubectl apply -f argocd-ingress.yaml

  5. Restart the ArgoCD server deployment:

     kubectl rollout restart deployment argocd-server -n argocd

  6. Check the certificate status:

     kubectl describe certificate argo-programmer-network-tls -n argocd
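The six steps above, as one added example script (not part of this repository) that adds what a practitioner normally wants around them: pre-flight checks that cert-manager and the Cloudflare Secret are in place, a wait for the Certificate's Ready condition instead of a one-off describe, and a final check that the certificate served on port 443 was issued by Let's Encrypt rather than being Traefik's default self-signed fallback, which is what Traefik serves when the TLS Secret is missing. It assumes the four manifests are in the current directory, uses the Certificate name argo-programmer-network-tls in the argocd namespace from step 6, and treats ARGOCD_HOST as a placeholder hostname to replace.

```shell
#!/bin/sh
# Added example: apply the README's manifests in order, wait for the
# Certificate to become Ready, and verify the served certificate's issuer.
# Assumed: manifests in the current directory; ARGOCD_HOST is a placeholder.
set -eu

ARGOCD_HOST="${ARGOCD_HOST:-argocd.example.com}"   # placeholder hostname
CERT_NAME="argo-programmer-network-tls"
CERT_NS="argocd"
CF_SECRET="cloudflare-api-token-secret"
CF_SECRET_NS="cert-manager"

# Order matters: the ClusterIssuer must exist before the Certificate that
# references it, and the config map before the server restart picks it up.
manifest_order() {
    printf '%s\n' clusterissuer.yaml argocd-config-map.yaml \
        argocd-certificate.yaml argocd-ingress.yaml
}

# Map the Ready condition's status string (from kubectl jsonpath output)
# to a label. Takes the raw string so it can be exercised without a cluster.
ready_status() {
    case "$1" in
        True)  echo ready ;;
        False) echo not-ready ;;
        *)     echo unknown ;;
    esac
}

preflight() {
    # cert-manager CRDs installed?
    kubectl get crd certificates.cert-manager.io clusterissuers.cert-manager.io >/dev/null
    # The DNS-01 solver reads the API token from cert-manager's namespace.
    kubectl get secret "$CF_SECRET" -n "$CF_SECRET_NS" >/dev/null
    for f in $(manifest_order); do
        [ -f "$f" ] || { echo "missing manifest: $f" >&2; return 1; }
    done
}

# Poll the Certificate's Ready condition for up to 10 minutes; DNS-01 issuance
# waits for the TXT record to propagate, so a minute or two is normal.
wait_certificate_ready() {
    i=0
    while [ "$i" -lt 60 ]; do
        status=$(kubectl get certificate "$CERT_NAME" -n "$CERT_NS" \
            -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null || true)
        if [ "$(ready_status "$status")" = ready ]; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "certificate ${CERT_NAME} not Ready; inspect with:" >&2
    echo "  kubectl describe certificate ${CERT_NAME} -n ${CERT_NS}" >&2
    return 1
}

deploy() {
    for f in $(manifest_order); do
        kubectl apply -f "$f"
    done
    # Restart so argocd-server starts with server.insecure from the config map.
    kubectl rollout restart deployment argocd-server -n "$CERT_NS"
    kubectl rollout status deployment argocd-server -n "$CERT_NS" --timeout=180s
    wait_certificate_ready
}

# A successful TLS handshake alone is not proof the chain worked: Traefik
# serves its own self-signed certificate when the referenced Secret is absent.
verify_issuer() {
    issuer=$(openssl s_client -connect "${ARGOCD_HOST}:443" \
        -servername "$ARGOCD_HOST" </dev/null 2>/dev/null | openssl x509 -noout -issuer)
    case "$issuer" in
        *"Let's Encrypt"*) echo "ok: $issuer" ;;
        *) echo "unexpected issuer: $issuer" >&2; return 1 ;;
    esac
}

# Usage: ARGOCD_HOST=argocd.example.com sh deploy-argocd.sh deploy
if [ "${1:-}" = "deploy" ]; then
    preflight
    deploy
    verify_issuer
fi
```

If `verify_issuer` reports a self-signed "TRAEFIK DEFAULT CERT" issuer while the Certificate is Ready, the usual cause is the Ingress `tls.secretName` not matching the Certificate's `spec.secretName`, or the Secret living in a different namespace than the Ingress.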

Notes

  • Ensure the DNS record for your ArgoCD hostname (example.com here) points to the external IP of your cluster's Traefik ingress.
  • All SSL/TLS termination is handled by Traefik and cert-manager; ArgoCD runs in HTTP (insecure) mode internally.
  • Unlike HTTP-01, DNS-01 (Cloudflare) challenges need no inbound network policy or open port: cert-manager proves domain control by creating a TXT record through the Cloudflare API.
