feat: specify listen address from env / command line (#11846)

* feat: specify listen address from env / command line

Signed-off-by: Eldar Yusupov <eldar.yusupov@workato.com>

* Make listen addrs configurable through ConfigMap

Signed-off-by: Eldar Yusupov <eldar.yusupov@workato.com>

* Update autogenerated manifests

Signed-off-by: Eldar Yusupov <eldar.yusupov@workato.com>

---------

Signed-off-by: Eldar Yusupov <eldar.yusupov@workato.com>

cmd/argocd-repo-server/commands/argocd_repo_server.go

@@ -72,7 +72,9 @@ func NewCommand() *cobra.Command {
 	var (
 		parallelismLimit                  int64
 		listenPort                        int
+		listenHost                        string
 		metricsPort                       int
+		metricsHost                       string
 		otlpAddress                       string
 		cacheSrc                          func() (*reposervercache.Cache, error)
 		tlsConfigCustomizer               tls.ConfigCustomizer
@@ -150,7 +152,7 @@ func NewCommand() *cobra.Command {
 			}
 
 			grpc := server.CreateGRPC()
-			listener, err := net.Listen("tcp", fmt.Sprintf(":%d", listenPort))
+			listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", listenHost, listenPort))
 			errors.CheckError(err)
 
 			healthz.ServeHealthCheck(http.DefaultServeMux, func(r *http.Request) error {
@@ -176,7 +178,7 @@ func NewCommand() *cobra.Command {
 				return nil
 			})
 			http.Handle("/metrics", metricsServer.GetHandler())
-			go func() { errors.CheckError(http.ListenAndServe(fmt.Sprintf(":%d", metricsPort), nil)) }()
+			go func() { errors.CheckError(http.ListenAndServe(fmt.Sprintf("%s:%d", metricsHost, metricsPort), nil)) }()
 			go func() { errors.CheckError(askPassServer.Run(askpass.SocketPath)) }()
 
 			if gpg.IsGPGEnabled() {
@@ -207,7 +209,9 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_REPO_SERVER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
 	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_REPO_SERVER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().Int64Var(&parallelismLimit, "parallelismlimit", int64(env.ParseNumFromEnv("ARGOCD_REPO_SERVER_PARALLELISM_LIMIT", 0, 0, math.MaxInt32)), "Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.")
+	command.Flags().StringVar(&listenHost, "address", env.StringFromEnv("ARGOCD_REPO_SERVER_LISTEN_ADDRESS", common.DefaultAddressRepoServer), "Listen on given address for incoming connections")
 	command.Flags().IntVar(&listenPort, "port", common.DefaultPortRepoServer, "Listen on given port for incoming connections")
+	command.Flags().StringVar(&metricsHost, "metrics-address", env.StringFromEnv("ARGOCD_REPO_SERVER_METRICS_LISTEN_ADDRESS", common.DefaultAddressRepoServerMetrics), "Listen on given address for metrics")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortRepoServerMetrics, "Start metrics server on given port")
 	command.Flags().StringVar(&otlpAddress, "otlp-address", env.StringFromEnv("ARGOCD_REPO_SERVER_OTLP_ADDRESS", ""), "OpenTelemetry collector address to send traces to")
 	command.Flags().BoolVar(&disableTLS, "disable-tls", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_DISABLE_TLS", false), "Disable TLS on the gRPC endpoint")

cmd/argocd-server/commands/argocd_server.go

@@ -49,7 +49,9 @@ func NewCommand() *cobra.Command {
 	var (
 		redisClient              *redis.Client
 		insecure                 bool
+		listenHost               string
 		listenPort               int
+		metricsHost              string
 		metricsPort              int
 		otlpAddress              string
 		glogLevel                int
@@ -167,7 +169,9 @@ func NewCommand() *cobra.Command {
 			argoCDOpts := server.ArgoCDServerOpts{
 				Insecure:              insecure,
 				ListenPort:            listenPort,
+				ListenHost:            listenHost,
 				MetricsPort:           metricsPort,
+				MetricsHost:           metricsHost,
 				Namespace:             namespace,
 				BaseHRef:              baseHRef,
 				RootPath:              rootPath,
@@ -226,7 +230,9 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&disableAuth, "disable-auth", env.ParseBoolFromEnv("ARGOCD_SERVER_DISABLE_AUTH", false), "Disable client authentication")
 	command.Flags().BoolVar(&enableGZip, "enable-gzip", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_GZIP", false), "Enable GZIP compression")
 	command.AddCommand(cli.NewVersionCmd(cliName))
+	command.Flags().StringVar(&listenHost, "address", env.StringFromEnv("ARGOCD_SERVER_LISTEN_ADDRESS", common.DefaultAddressAPIServer), "Listen on given address")
 	command.Flags().IntVar(&listenPort, "port", common.DefaultPortAPIServer, "Listen on given port")
+	command.Flags().StringVar(&metricsHost, env.StringFromEnv("ARGOCD_SERVER_METRICS_LISTEN_ADDRESS", "metrics-address"), common.DefaultAddressAPIServerMetrics, "Listen for metrics on given address")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDAPIServerMetrics, "Start metrics on given port")
 	command.Flags().StringVar(&otlpAddress, "otlp-address", env.StringFromEnv("ARGOCD_SERVER_OTLP_ADDRESS", ""), "OpenTelemetry collector address to send traces to")
 	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")

cmd/argocd/commands/admin/dashboard.go

@@ -35,7 +35,7 @@ func NewDashboardCommand() *cobra.Command {
 	}
 	initialize.InitCommand(cmd)
 	cmd.Flags().IntVar(&port, "port", common.DefaultPortAPIServer, "Listen on given port")
-	cmd.Flags().StringVar(&address, "address", common.DefaultAddressAPIServer, "Listen on given address")
+	cmd.Flags().StringVar(&address, "address", common.DefaultAddressAdminDashboard, "Listen on given address")
 	cmd.Flags().StringVar(&compressionStr, "redis-compress", env.StringFromEnv("REDIS_COMPRESSION", string(cache.RedisCompressionGZip)), "Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none)")
 	return cmd
 }

common/common.go

@@ -53,7 +53,11 @@ const (
 
 // DefaultAddressAPIServer for ArgoCD components
 const (
-	DefaultAddressAPIServer = "localhost"
+	DefaultAddressAdminDashboard    = "localhost"
+	DefaultAddressAPIServer         = "0.0.0.0"
+	DefaultAddressAPIServerMetrics  = "0.0.0.0"
+	DefaultAddressRepoServer        = "0.0.0.0"
+	DefaultAddressRepoServerMetrics = "0.0.0.0"
 )
 
 // Default paths on the pod's file system

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -61,6 +61,10 @@ data:
   controller.kubectl.parallelism.limit: "20"
 
   ## Server properties
+  # Listen on given address for incoming connections (default "0.0.0.0")
+  server.listen.address: "0.0.0.0"
+  # Listen on given address for metrics (default "0.0.0.0")
+  server.metrics.listen.address: "0.0.0.0"
   # Run server without TLS
   server.insecure: "false"
   # Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from / (default "/")
@@ -110,6 +114,10 @@ data:
   server.enable.proxy.extension: "false"
 
   ## Repo-server properties
+  # Listen on given address for incoming connections (default "0.0.0.0")
+  reposerver.listen.address: "0.0.0.0"
+  # Listen on given address for metrics (default "0.0.0.0")
+  reposerver.metrics.listen.address: "0.0.0.0"
   # Set the logging format. One of: text|json (default "text")
   reposerver.log.format: "text"
   # Set the logging level. One of: debug|info|warn|error (default "info")

docs/operator-manual/server-commands/argocd-repo-server.md

@@ -13,13 +13,15 @@ argocd-repo-server [flags]
 ### Options
 
 ```
+      --address string                                 Listen on given address for incoming connections (default "0.0.0.0")
       --allow-oob-symlinks                             Allow out-of-bounds symlinks in repositories (not recommended)
       --default-cache-expiration duration              Cache expiration default (default 24h0m0s)
       --disable-tls                                    Disable TLS on the gRPC endpoint
   -h, --help                                           help for argocd-repo-server
       --logformat string                               Set the logging format. One of: text|json (default "text")
       --loglevel string                                Set the logging level. One of: debug|info|warn|error (default "info")
       --max-combined-directory-manifests-size string   Max combined size of manifest files in a directory-type Application (default "10M")
+      --metrics-address string                         Listen on given address for metrics (default "0.0.0.0")
       --metrics-port int                               Start metrics server on given port (default 8084)
       --otlp-address string                            OpenTelemetry collector address to send traces to
       --parallelismlimit int                           Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.

docs/operator-manual/server-commands/argocd-server.md

@@ -13,6 +13,7 @@ argocd-server [flags]
 ### Options
 
 ```
+      --address string                                Listen on given address (default "0.0.0.0")
       --app-state-cache-expiration duration           Cache expiration for app state (default 1h0m0s)
       --application-namespaces strings                List of additional namespaces where application resources can be managed in
       --as string                                     Username to impersonate for the operation
@@ -41,6 +42,7 @@ argocd-server [flags]
       --logformat string                              Set the logging format. One of: text|json (default "text")
       --login-attempts-expiration duration            Cache expiration for failed login attempts (default 24h0m0s)
       --loglevel string                               Set the logging level. One of: debug|info|warn|error (default "info")
+      --metrics-address string                        Listen for metrics on given address (default "0.0.0.0")
       --metrics-port int                              Start metrics on given port (default 8083)
   -n, --namespace string                              If present, the namespace scope for this CLI request
       --oidc-cache-expiration duration                Cache expiration for OIDC state (default 3m0s)

docs/operator-manual/tls.md

@@ -224,7 +224,10 @@ to not use TLS at all.
 In this case, you will need to:
 
 * Configure `argocd-repo-server` with TLS on the gRPC API disabled by specifying
-  the `--disable-tls` parameter to the pod container's startup arguments
+  the `--disable-tls` parameter to the pod container's startup arguments.
+  Also, consider restricting listening addresses to the loopback interface by specifying
+  `--listen 127.0.0.1` parameter, so that insecure endpoint is not exposed on
+  the pod's network interfaces, but still available to the side-car container.
 * Configure `argocd-server` and `argocd-application-controller` to not use TLS
   for connections to the `argocd-repo-server` by specifying the parameter
   `--repo-server-plaintext` to the pod container's startup arguments

manifests/base/repo-server/argocd-repo-server-deployment.yaml

@@ -48,6 +48,18 @@ spec:
                 name: argocd-cmd-params-cm
                 key: reposerver.parallelism.limit
                 optional: true
+          - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: reposerver.listen.address
+                optional: true
+          - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: reposerver.metrics.listen.address
+                optional: true
           - name: ARGOCD_REPO_SERVER_DISABLE_TLS
             valueFrom:
               configMapKeyRef:

manifests/base/server/argocd-server-deployment.yaml

@@ -197,6 +197,18 @@ spec:
                 name: argocd-cmd-params-cm
                 key: server.http.cookie.maxnumber
                 optional: true
+        - name: ARGOCD_SERVER_LISTEN_ADDRESS
+          valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: server.listen.address
+                optional: true
+        - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
+          valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: server.metrics.listen.address
+                optional: true
         - name: ARGOCD_SERVER_OTLP_ADDRESS
           valueFrom:
               configMapKeyRef:

manifests/core-install.yaml

@@ -16956,6 +16956,18 @@ spec:
               key: reposerver.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_REPO_SERVER_DISABLE_TLS
           valueFrom:
             configMapKeyRef:

manifests/ha/install.yaml

@@ -18400,6 +18400,18 @@ spec:
               key: reposerver.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_REPO_SERVER_DISABLE_TLS
           valueFrom:
             configMapKeyRef:
@@ -18818,6 +18830,18 @@ spec:
               key: server.http.cookie.maxnumber
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: server.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: server.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_SERVER_OTLP_ADDRESS
           valueFrom:
             configMapKeyRef:

manifests/ha/namespace-install.yaml

@@ -2013,6 +2013,18 @@ spec:
               key: reposerver.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_REPO_SERVER_DISABLE_TLS
           valueFrom:
             configMapKeyRef:
@@ -2431,6 +2443,18 @@ spec:
               key: server.http.cookie.maxnumber
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: server.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: server.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_SERVER_OTLP_ADDRESS
           valueFrom:
             configMapKeyRef:

manifests/install.yaml

@@ -17469,6 +17469,18 @@ spec:
               key: reposerver.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_REPO_SERVER_DISABLE_TLS
           valueFrom:
             configMapKeyRef:
@@ -17880,6 +17892,18 @@ spec:
               key: server.http.cookie.maxnumber
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: server.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: server.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_SERVER_OTLP_ADDRESS
           valueFrom:
             configMapKeyRef:

manifests/namespace-install.yaml

@@ -1082,6 +1082,18 @@ spec:
               key: reposerver.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_REPO_SERVER_DISABLE_TLS
           valueFrom:
             configMapKeyRef:
@@ -1493,6 +1505,18 @@ spec:
               key: server.http.cookie.maxnumber
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: server.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: server.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_SERVER_OTLP_ADDRESS
           valueFrom:
             configMapKeyRef:

server/server.go

@@ -202,7 +202,9 @@ type ArgoCDServerOpts struct {
 	Insecure              bool
 	StaticAssetsDir       string
 	ListenPort            int
+	ListenHost            string
 	MetricsPort           int
+	MetricsHost           string
 	Namespace             string
 	DexServerAddr         string
 	DexTLSConfig          *dex.DexTLSConfig
@@ -216,7 +218,6 @@ type ArgoCDServerOpts struct {
 	TLSConfigCustomizer   tlsutil.ConfigCustomizer
 	XFrameOptions         string
 	ContentSecurityPolicy string
-	ListenHost            string
 	ApplicationNamespaces []string
 	EnableProxyExtension  bool
 }
@@ -447,7 +448,7 @@ func (a *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) {
 		httpsS.Handler = &bug21955Workaround{handler: httpsS.Handler}
 	}
 
-	metricsServ := metrics.NewMetricsServer(a.ListenHost, a.MetricsPort)
+	metricsServ := metrics.NewMetricsServer(a.MetricsHost, a.MetricsPort)
 	if a.RedisClient != nil {
 		cacheutil.CollectMetrics(a.RedisClient, metricsServ)
 	}