Skip to main content
Ravi Singh
  1. Posts/
  2. Learning ArgoCD/
  3. Getting Started/

Local DNS via Traefik Ingress (`ravikrs.local`)

·1098 words·6 mins
Argocd Kubernetes Gitops
Ravi Singh
Author
Ravi Singh
Software engineer with 15+ years building backend systems and cloud platforms across fintech, automotive, and academia. I write about the things I build, debug, and learn — so I don’t forget them.
Table of Contents
Learning ArgoCD - This article is part of a series.
Part 1: Installing ArgoCD on Rancher Desktop (Local)
Part 1: Helm Chart Managed by ArgoCD
Part 1: Cert Manager - TLS via ArgoCD
Part 1: Gotcha: argocd-repo-server CrashLoopBackOff (copyutil "Already exists")
Part 1: eu-prod Environment: Minikube with its own ArgoCD
Part 2: Deploying a Sample App via ArgoCD
Part 2: ApplicationSet - Auto-Discover Services from Git
Part 2: Sync Waves: Cluster-Complete Bootstrap
Part 2: Stakater Reloader: Why We Added It, and Why We Removed It
Part 2: eu-staging Environment: k3d with its own ArgoCD
Part 3: This Article
Part 3: App-of-Apps Bootstrap Pattern
Part 3: Debugging: Traefik 404 on Minikube (Rancher Desktop Port Conflict)
Part 3: eu-staging Environment: Minikube with its own ArgoCD
Part 3: Gateway API: HTTPRoute + Gateway on eu-dev-rancher
Part 4: App-of-Apps vs ApplicationSet - When to Use Which
Part 4: Minikube Profile Management
Part 4: Repo Structure and Naming Conventions
Part 4: GitHub Webhook for Instant Sync
Part 5: Postmortem: Stale App Paths and Gateway Resource Conflicts

Local DNS via Traefik Ingress (ravikrs.local)
#

What We Set Up
#

A local DNS convention using /etc/hosts so all cluster services are reachable via hostname - no kubectl port-forward needed. Traefik (bundled with Rancher Desktop k3s) is the single ingress entrypoint.

URLService
http://argocd.ravikrs.localArgoCD UI
http://sample-app.ravikrs.localnginx sample app

How It Works
#

1
2

Browser → /etc/hosts resolves ravikrs.local → 127.0.0.1
       → Traefik (port 80) → routes by hostname → backend Service

Rancher Desktop binds the k3s Traefik LoadBalancer to 127.0.0.1:80 on your Mac. Any hostname you point at 127.0.0.1 in /etc/hosts will reach Traefik, which then routes to the correct Service based on the host: rule in the Ingress manifest.

Files in This Repo
#

1
2
3
4
5
6
7

argocd/
  argocd-ingress.yaml          # Ingress for ArgoCD UI (applied manually)

config/sample-app/
  base/
    ingress.yaml               # Ingress for sample-app (managed by ArgoCD)
    kustomization.yaml         # updated to include ingress.yaml

The ArgoCD ingress is applied manually (ArgoCD can’t manage its own setup). The sample-app ingress is committed into the Kustomize base - ArgoCD will deploy it automatically on the next sync.

Step-by-Step Instructions
#

1. Verify Traefik’s External IP
#

1

kubectl get svc -n kube-system traefik

Expected output - look at EXTERNAL-IP:

1
2

NAME      TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)
traefik   LoadBalancer   10.43.11.246   192.168.5.15   80:31833/TCP,443:32094/TCP

Important: The EXTERNAL-IP shown (192.168.5.15) is Rancher Desktop’s internal VM IP. Your Mac can ping it but Chrome cannot reach TCP port 80 on it - that IP is not forwarded to the Mac host. Always use 127.0.0.1 in /etc/hosts regardless of what EXTERNAL-IP shows.

2. Add /etc/hosts Entries
#

Open /etc/hosts with sudo:

1

sudo nano /etc/hosts

Add these lines at the end - always use 127.0.0.1, not the EXTERNAL-IP from step 1:

1
2
3

127.0.0.1   ravikrs.local
127.0.0.1   argocd.ravikrs.local
127.0.0.1   sample-app.ravikrs.local

Save and exit (Ctrl+X, then Y).

Verify DNS resolution works:

1
2

ping -c 1 argocd.ravikrs.local
# Should resolve to 127.0.0.1

3. Configure ArgoCD to Serve Plain HTTP
#

By default, argocd-server enforces TLS. Traefik will route HTTP (port 80) to it, so we need ArgoCD to accept plain HTTP connections. This is done via a ConfigMap flag - no deployment edits needed.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Set server.insecure=true in the ArgoCD params ConfigMap
kubectl patch configmap argocd-cmd-params-cm -n argocd \
  --type merge \
  -p '{"data":{"server.insecure":"true"}}'

# Restart argocd-server to pick up the new config
kubectl rollout restart deployment argocd-server -n argocd

# Wait for the rollout to complete
kubectl rollout status deployment argocd-server -n argocd

Why argocd-cmd-params-cm? This is the supported ArgoCD way to set server flags. It survives ArgoCD upgrades - unlike patching the Deployment’s args directly.

4. Apply the ArgoCD Ingress
#

The Ingress manifest is at argocd/argocd-ingress.yaml in this repo. Apply it manually:

1

kubectl apply -f argocd/argocd-ingress.yaml

Verify it was created:

1

kubectl get ingress -n argocd

Expected:

1
2

NAME                    CLASS     HOSTS                    ADDRESS     PORTS   AGE
argocd-server-ingress   traefik   argocd.ravikrs.local     127.0.0.1   80      10s

5. Test ArgoCD in the Browser
#

Open: http://argocd.ravikrs.local

You should see the ArgoCD login page. Login with admin and the password from the initial install.

If you see a connection refused or Traefik 404 error, check:

  • kubectl get pods -n argocd - all pods Running?
  • kubectl describe ingress argocd-server-ingress -n argocd - any events/errors?
  • kubectl logs -n kube-system -l app.kubernetes.io/name=traefik - Traefik routing logs

6. Push the sample-app Ingress to Git
#

The sample-app Ingress (config/sample-app/base/ingress.yaml) is already committed into the Kustomize base. Push to GitHub and ArgoCD will sync it automatically.

1
2
3

git add config/sample-app/base/ingress.yaml config/sample-app/base/kustomization.yaml
git commit -m "add Traefik ingress for sample-app at sample-app.ravikrs.local"
git push

After ArgoCD syncs (up to 3 minutes, or force with argocd app sync sample-app), verify:

1

kubectl get ingress -n sample-app

Then open: http://sample-app.ravikrs.local

Pattern for Future Apps
#

Whenever you add a new app, follow this pattern:

  1. Add an ingress.yaml to config/<app>/base/ (copy from config/sample-app/base/ingress.yaml, update name, host, and port)
  2. Add - ingress.yaml to the app’s kustomization.yaml
  3. Add 127.0.0.1 <app>.ravikrs.local to /etc/hosts
  4. Commit and push - ArgoCD deploys the Ingress automatically

Commands Reference
#

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

# Check Traefik service and its external IP
kubectl get svc -n kube-system traefik

# List all Ingress resources across namespaces
kubectl get ingress -A

# Describe an Ingress (see Traefik routing events)
kubectl describe ingress <name> -n <namespace>

# Check ArgoCD server logs (useful if UI is unreachable)
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-server

# Check Traefik logs (useful if routing fails)
kubectl logs -n kube-system -l app.kubernetes.io/name=traefik

# Revert ArgoCD to TLS mode (undo insecure flag)
kubectl patch configmap argocd-cmd-params-cm -n argocd \
  --type merge \
  -p '{"data":{"server.insecure":"false"}}'
kubectl rollout restart deployment argocd-server -n argocd

Gotchas
#

  • ArgoCD redirects HTTP → HTTPS by default. Without the server.insecure flag, Traefik routes to port 80 but ArgoCD immediately redirects the browser to https://argocd.ravikrs.local, which won’t work for plain HTTP ingress. The ConfigMap patch above disables this.
  • /etc/hosts is local only. Changes take effect immediately on your Mac but apply only to your machine. Other team members need to add the entries themselves.
  • Traefik ingressClassName: traefik is required. k3s ships with Traefik as the default IngressClass. Without specifying it, some k3s versions ignore the Ingress.
  • ArgoCD manages sample-app Ingress, not its own. The argocd/argocd-ingress.yaml file is intentionally outside of config/ so ArgoCD doesn’t try to manage it. Apply it manually after any fresh ArgoCD install.
  • Port 80 must be free on your Mac. Rancher Desktop binds 127.0.0.1:80 to Traefik. If something else (Apache, nginx, another dev server) is using port 80, Traefik won’t bind and all ingresses will fail.
  • EXTERNAL-IP from kubectl get svc traefik is the VM IP, not the Mac host IP. On Rancher Desktop (macOS), Traefik’s external IP (e.g. 192.168.5.15) is on the Lima VM’s private network. Your Mac can ping it (ICMP routing is set up) but TCP port 80 is not forwarded from that IP to the Mac host. Always use 127.0.0.1 in /etc/hosts.
  • This behaviour changed in Rancher Desktop since ~2022. Older Rancher Desktop versions (QEMU + older Lima networking) made the VM IP directly reachable on TCP ports - you could put 192.168.x.x in /etc/hosts and it worked in the browser. Newer versions switched to socket_vmnet + Apple Virtualization framework, which no longer forwards TCP ports from the VM IP to the Mac host. Only 127.0.0.1 is explicitly forwarded now. If you followed an older guide or blog post that used the VM IP directly, this is why it no longer works.
Learning ArgoCD - This article is part of a series.
Part 1: Installing ArgoCD on Rancher Desktop (Local)
Part 1: Helm Chart Managed by ArgoCD
Part 1: Cert Manager - TLS via ArgoCD
Part 1: Gotcha: argocd-repo-server CrashLoopBackOff (copyutil "Already exists")
Part 1: eu-prod Environment: Minikube with its own ArgoCD
Part 2: Deploying a Sample App via ArgoCD
Part 2: ApplicationSet - Auto-Discover Services from Git
Part 2: Sync Waves: Cluster-Complete Bootstrap
Part 2: Stakater Reloader: Why We Added It, and Why We Removed It
Part 2: eu-staging Environment: k3d with its own ArgoCD
Part 3: This Article
Part 3: App-of-Apps Bootstrap Pattern
Part 3: Debugging: Traefik 404 on Minikube (Rancher Desktop Port Conflict)
Part 3: eu-staging Environment: Minikube with its own ArgoCD
Part 3: Gateway API: HTTPRoute + Gateway on eu-dev-rancher
Part 4: App-of-Apps vs ApplicationSet - When to Use Which
Part 4: Minikube Profile Management
Part 4: Repo Structure and Naming Conventions
Part 4: GitHub Webhook for Instant Sync
Part 5: Postmortem: Stale App Paths and Gateway Resource Conflicts
Deploying a Sample App via ArgoCD