Install with Argo CD

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD can be used to manage the deployment of Envoy Gateway on Kubernetes clusters.

Before you begin

Envoy Gateway is typically deployed in a Kubernetes cluster. If you don’t have one yet, you can use kind to create a local cluster for testing purposes.

Argo CD must be installed in your Kubernetes cluster, and the argocd CLI must be available on your local machine. If you haven’t set it up yet, you can follow the official installation guide to install Argo CD.

Install with Argo CD

Create a new Argo CD Application that pulls the Envoy Gateway Helm chart as its source.

cat <<EOF | kubectl apply -f -
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: envoy-gateway
  namespace: argocd
spec:
  project: default
  source:
    chart: gateway-helm
    repoURL: docker.io/envoyproxy
    targetRevision: v1.3.2
  destination:
    namespace: envoy-gateway-system
    server: https://kubernetes.default.svc
  syncPolicy:
    syncOptions:
    - CreateNamespace=true
    - ServerSideApply=true
    automated:
      prune: true
      selfHeal: true
EOF

Note:

  • Set ServerSideApply to true to enable Kubernetes server-side apply. This helps avoid the 262,144-byte annotation size limit.
  • For simplicity, we apply the Application resource directly to the cluster. In a production environment, it’s recommended to store this configuration in a Git repository and manage it using another Argo CD Application that uses Git as its source — following a GitOps workflow.

Wait for Envoy Gateway to become available:

kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available

Install the GatewayClass, Gateway, HTTPRoute and example app:

kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/v1.3.2/quickstart.yaml -n default

Note: quickstart.yaml defines that Envoy Gateway will listen for traffic on port 80 on its globally-routable IP address, to make it easy to use browsers to test Envoy Gateway. When Envoy Gateway sees that its Listener is using a privileged port (<1024), it will map this internally to an unprivileged port, so that Envoy Gateway doesn’t need additional privileges. It’s important to be aware of this mapping, since you may need to take it into consideration when debugging.

Helm chart customizations

You can customize the Envoy Gateway installation by using the Helm chart values.

Below is an example of how to customize the Envoy Gateway installation by using the valuesObject field in the Argo CD Application.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: envoy-gateway
  namespace: argocd
spec:
  project: default
  source:
    helm:
      valuesObject:
        deployment:
          envoyGateway:
            resources:
              limits:
                cpu: 700m
                memory: 256Mi
    chart: gateway-helm
    path: gateway-helm
    repoURL: docker.io/envoyproxy
    targetRevision: v1.3.2
  destination:
    namespace: envoy-gateway-system
    server: https://kubernetes.default.svc
  syncPolicy:
    syncOptions:
    - CreateNamespace=true
    - ServerSideApply=true
    automated:
      prune: true
      selfHeal: true

Argo CD supports multiple ways of specifying Helm chart values. You can find more details in the Argo CD documentation.

Open Ports

These are the ports used by Envoy Gateway and the managed Envoy Proxy.

Envoy Gateway

Envoy Gateway            Address      Port    Configurable
Xds EnvoyProxy Server    0.0.0.0      18000   No
Xds RateLimit Server     0.0.0.0      18001   No
Admin Server             127.0.0.1    19000   Yes
Metrics Server           0.0.0.0      19001   No
Health Check             127.0.0.1    8081    No

EnvoyProxy

Envoy Proxy         Address      Port
Admin Server        127.0.0.1    19000
Stats               0.0.0.0      19001
Shutdown Manager    0.0.0.0      19002
Readiness           0.0.0.0      19003
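
The port tables above can be used as a baseline check. The following is an added example, not part of the Envoy Gateway project: it compares ss -ltnH output taken from a pod against the documented bind addresses and reports loopback-only listeners that are bound elsewhere, plus listeners that are absent from the table. The sample ss output (including port 40000) and the function names are constructed for illustration.

```python
import ipaddress

# Port tables from this page: port -> (listener name, documented bind address).
ENVOY_GATEWAY = {
    18000: ("Xds EnvoyProxy Server", "0.0.0.0"),
    18001: ("Xds RateLimit Server", "0.0.0.0"),
    19000: ("Admin Server", "127.0.0.1"),
    19001: ("Metrics Server", "0.0.0.0"),
    8081: ("Health Check", "127.0.0.1"),
}
ENVOY_PROXY = {
    19000: ("Admin Server", "127.0.0.1"),
    19001: ("Stats", "0.0.0.0"),
    19002: ("Shutdown Manager", "0.0.0.0"),
    19003: ("Readiness", "0.0.0.0"),
}

# Constructed sample of `ss -ltnH` output, not captured from a real pod.
SAMPLE_SS = """\
LISTEN 0 4096          *:18000         *:*
LISTEN 0 4096          *:18001         *:*
LISTEN 0 4096    0.0.0.0:19000   0.0.0.0:*
LISTEN 0 4096          *:19001         *:*
LISTEN 0 4096  127.0.0.1:8081    0.0.0.0:*
LISTEN 0 4096          *:40000         *:*
"""

def parse_listeners(ss_output):
    """Yield (ip_address, port) per LISTEN line; column 4 is Local Address:Port."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
        # ss prints "*" for a wildcard (dual-stack) bind.
        yield ipaddress.ip_address("::" if host == "*" else host), int(port)

def audit(ss_output, table):
    """Return (kind, port, address) for each listener that deviates from the table."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in table:
            findings.append(("unlisted", port, str(addr)))
        elif ipaddress.ip_address(table[port][1]).is_loopback and not addr.is_loopback:
            findings.append(("exposed", port, str(addr)))
    return findings

if __name__ == "__main__":
    for kind, port, addr in audit(SAMPLE_SS, ENVOY_GATEWAY):
        print(f"{kind}: {addr}:{port}")
```

In an Envoy Proxy pod, the Gateway's own listener ports will show up as "unlisted", because the tables cover only the management ports.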