
Container Service for Kubernetes: Access the GitOps console through a custom domain name

Last Updated: Apr 29, 2024

To access the GitOps console of Distributed Cloud Container Platform for Kubernetes (ACK One) through a custom domain name, you can create a CNAME record to map the custom domain name to the default domain name of GitOps, and configure an SSL certificate. Then, you can use a CloudSSO account to access the GitOps console through https://${your-domain}.

Prerequisites

The kubeconfig file of the Fleet instance is obtained in the Distributed Cloud Container Platform for Kubernetes (ACK One) console and a kubectl client is connected to the Fleet instance.

Procedure

  1. Log on to Alibaba Cloud DNS and create a CNAME record to map the custom domain name to the default domain name of GitOps.

    The default domain name of GitOps is argocd.${your-fleet-id}.${region}.alicontainer.com.

    • ${your-fleet-id}: Replace with the ID of your ACK One Fleet instance.

    • ${region}: Replace with the region of your ACK One Fleet instance.

  2. Install the SSL certificate in GitOps to allow your browser to trust the domain name.

    After the certificate is downloaded, run the following command on the ACK One Fleet instance to create a Secret named argocd-server-tls:

    kubectl create -n argocd secret tls argocd-server-tls \
      --cert=/path/to/cert.pem \
      --key=/path/to/key.pem

    Note

    When the certificate is about to expire, use a new SSL certificate to renew the Secret.

  3. Replace the default SSO domain name in the argocd-cm ConfigMap with the custom domain name, then restart argocd-server for the modification to take effect.

    Replace the variables in the following commands with the actual values and run the commands.

    • ${your-fleet-id}: Replace with the ID of your ACK One Fleet instance.

    • ${region}: Replace with the region of your ACK One Fleet instance.

    • ${your-domain}: Replace with the custom domain name.

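    # Export the current argocd-cm ConfigMap to a local file.
    kubectl -n argocd get cm argocd-cm -o yaml > argocd-cm.yaml

    # Replace the default GitOps domain name with the custom domain name.
    # Example: sed -i "s|https://argocd.c9f382209eb004ec5a586************.cn-hangzhou.alicontainer.com|https://test.example.com|g" argocd-cm.yaml
    sed -i "s|https://argocd.${your-fleet-id}.${region}.alicontainer.com|https://${your-domain}|g" argocd-cm.yaml

    # Apply the modified ConfigMap.
    kubectl -n argocd apply -f argocd-cm.yaml

    # Restart argocd-server so that it picks up the change.
    kubectl -n argocd rollout restart deployment argocd-server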

  4. Add the custom domain name to the callback URL of the OAuth application in Resource Access Management (RAM).

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Integrations > OAuth Preview.

    3. On the Enterprise Applications tab, click the ackone-argo-cd-${your-fleet-id}@app.${your-uid}.onaliyun.com application. ${your-fleet-id} indicates the ID of your ACK One Fleet instance and ${your-uid} indicates the ID of your Alibaba Cloud account.

    4. In the Basic Information section, click Edit Basic Information and set Callback URL to https://${your-domain}/auth/callback. Replace ${your-domain} with the custom domain name.

  5. Enter https://${your-domain} into the address bar of the browser and use a CloudSSO account to log on to the GitOps console. Replace ${your-domain} with the custom domain name.
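
The following check is an added example, not part of the original page or of ACK One. Run between the sed edit and kubectl apply in step 3, it fails if argocd-cm.yaml still references the default GitOps domain name or never mentions the custom one, and it derives the Callback URL for step 4. The function names, the sample ConfigMap and the host name example-fleet-id are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate between the sed edit and "kubectl apply" in step 3.

# check_argocd_cm FILE DOMAIN
# Returns 0 if FILE looks safe to apply, otherwise:
#   1 = FILE cannot be read
#   2 = DOMAIN is not a bare host name (scheme, path or placeholder left in)
#   3 = FILE still references the default *.alicontainer.com GitOps domain
#   4 = FILE never mentions https://DOMAIN (the sed pattern matched nothing)
#   5 = FILE references DOMAIN over plain http
check_argocd_cm() {
  file=$1
  domain=$2
  # Reject empty values and anything outside host-name characters.
  case $domain in
    ''|*[!A-Za-z0-9.-]*) echo "invalid domain: $domain" >&2; return 2 ;;
  esac
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  # Default GitOps host: argocd.<fleet-id>.<region>.alicontainer.com
  if grep -Eq 'https?://argocd\.[^/[:space:]]*\.alicontainer\.com' "$file"; then
    echo "default GitOps domain still present in $file" >&2; return 3
  fi
  # -F: fixed-string match, so "." in the domain is not a wildcard.
  if ! grep -Fq "https://$domain" "$file"; then
    echo "https://$domain not found in $file" >&2; return 4
  fi
  if grep -Fq "http://$domain" "$file"; then
    echo "plain-http reference to $domain in $file" >&2; return 5
  fi
  return 0
}

# callback_url DOMAIN: the value to enter as Callback URL in step 4.
callback_url() {
  printf 'https://%s/auth/callback\n' "$1"
}

# write_sample_cm FILE URL: constructed sample data for trying the check;
# a real argocd-cm ConfigMap carries more keys than this.
write_sample_cm() {
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: argocd-cm\n  namespace: argocd\ndata:\n  url: %s\n' "$2" > "$1"
}
```

Return code 4 is the one to watch for: if the placeholders in the sed command are left as written, the shell expands ${your-fleet-id} inside the double quotes to the literal text fleet-id and ${region} to an empty string, so sed matches nothing and exits successfully with the file unchanged.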

References

For more information about how to use ACK One GitOps to release multi-cluster applications, see Best practice for ACK One GitOps.