Skip to main content
Argo CD provides three inbound TLS endpoints that should be configured with proper certificates. By default, these endpoints use automatically generated, self-signed certificates.

Quick Reference

Certificate Configuration

ComponentSecret NameHot ReloadDefault CertRequired SAN Entries
argocd-serverargocd-server-tls✅ YesSelf-signedExternal hostname (e.g., argocd.example.com)
argocd-repo-serverargocd-repo-server-tls❌ Restart requiredSelf-signedDNS:argocd-repo-server, DNS:argocd-repo-server.argocd.svc
argocd-dex-serverargocd-dex-server-tls❌ Restart requiredSelf-signedDNS:argocd-dex-server, DNS:argocd-dex-server.argocd.svc

Inter-Component TLS

ConnectionStrict TLS ParameterPlain Text ParameterDefault Behavior
argocd-serverargocd-repo-server--repo-server-strict-tls--repo-server-plaintextNon-validating TLS
argocd-serverargocd-dex-server--dex-server-strict-tls--dex-server-plaintextNon-validating TLS
argocd-application-controllerargocd-repo-server--repo-server-strict-tls--repo-server-plaintextNon-validating TLS
argocd-applicationset-controllerargocd-repo-server--repo-server-strict-tls--repo-server-plaintextNon-validating TLS
argocd-notifications-controllerargocd-repo-server--argocd-repo-server-strict-tls--argocd-repo-server-plaintextNon-validating TLS

Configuring argocd-server TLS

Inbound TLS Options

Configure TLS parameters for the API server:
ParameterDefaultDescription
--insecurefalseDisables TLS completely
--tlsminversion1.2Minimum TLS version offered to clients
--tlsmaxversion1.3Maximum TLS version offered to clients
--tlsciphersTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_GCM_SHA384Colon-separated list of cipher suites
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-server
  namespace: argocd
spec:
  template:
    spec:
      containers:
      - name: argocd-server
        command:
        - argocd-server
        - --tlsminversion=1.2
        - --tlsmaxversion=1.3

Certificate Priority

Argo CD determines which certificate to use in this order:
1

argocd-server-tls Secret

Recommended: Dedicated TLS secret for argocd-server
kubectl create -n argocd secret tls argocd-server-tls \
  --cert=/path/to/cert.pem \
  --key=/path/to/key.pem
This secret is safe to manage via third-party tools like cert-manager or Sealed Secrets.
2

argocd-secret Secret

Deprecated: Legacy location for TLS certificateOnly used if argocd-server-tls doesn’t exist. Not recommended for new deployments.
3

Auto-generated Certificate

If neither secret contains a certificate, Argo CD generates and persists a self-signed certificate in argocd-secret.
Argo CD automatically detects changes to argocd-server-tls without requiring a restart.

Using cert-manager

Automate certificate management with cert-manager: 
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: argocd-server-tls
  namespace: argocd
spec:
  secretName: argocd-server-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - argocd.example.com
  duration: 2160h # 90 days
  renewBefore: 360h # 15 days

Configuring argocd-repo-server TLS

Inbound TLS Options

ParameterDefaultDescription
--disable-tlsfalseDisables TLS completely
--tlsminversion1.2Minimum TLS version
--tlsmaxversion1.3Maximum TLS version
--tlsciphersTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_GCM_SHA384Cipher suites

Certificate Configuration

Create the argocd-repo-server-tls secret: 
kubectl create -n argocd secret tls argocd-repo-server-tls \
  --cert=/path/to/cert.pem \
  --key=/path/to/key.pem
Important: The certificate must include the correct SAN entries:
  • DNS:argocd-repo-server
  • DNS:argocd-repo-server.argocd.svc
  • DNS:argocd-repo-server.argocd.svc.cluster.local

Self-Signed Certificates

If using a self-signed certificate, add the CA certificate: 
# Generate CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/CN=ArgoCD CA"

# Generate server certificate
openssl genrsa -out tls.key 2048
openssl req -new -key tls.key -out tls.csr \
  -subj "/CN=argocd-repo-server" \
  -addext "subjectAltName=DNS:argocd-repo-server,DNS:argocd-repo-server.argocd.svc"

openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out tls.crt -days 365 \
  -extfile <(printf "subjectAltName=DNS:argocd-repo-server,DNS:argocd-repo-server.argocd.svc")
Unlike argocd-server, argocd-repo-server requires a pod restart to pick up certificate changes.

Enable Strict TLS Validation

By default, components use non-validating TLS connections to argocd-repo-server. To enable strict validation:
1

Create Persistent Certificate

Create the argocd-repo-server-tls secret as shown above.
2

Restart repo-server

kubectl rollout restart deployment argocd-repo-server -n argocd
3

Enable Strict TLS

Add --repo-server-strict-tls parameter to connecting components:
# For argocd-server
spec:
  containers:
  - name: argocd-server
    command:
    - argocd-server
    - --repo-server-strict-tls

# For argocd-application-controller
spec:
  containers:
  - name: argocd-application-controller
    command:
    - argocd-application-controller
    - --repo-server-strict-tls

# For argocd-applicationset-controller
spec:
  containers:
  - name: argocd-applicationset-controller
    command:
    - argocd-applicationset-controller
    - --repo-server-strict-tls

# For argocd-notifications-controller
spec:
  containers:
  - name: argocd-notifications-controller
    command:
    - argocd-notifications-controller
    - --argocd-repo-server-strict-tls
Certificate Expiry: Ensure certificates have adequate lifetime. When replacing certificates, all workloads must be restarted.

Configuring argocd-dex-server TLS

Inbound TLS Options

ParameterDefaultDescription
--disable-tlsfalseDisables TLS completely

Certificate Configuration

Create the argocd-dex-server-tls secret: 
kubectl create -n argocd secret tls argocd-dex-server-tls \
  --cert=/path/to/cert.pem \
  --key=/path/to/key.pem
Similar to repo-server, include correct SAN entries:
  • DNS:argocd-dex-server
  • DNS:argocd-dex-server.argocd.svc

Enable Strict TLS Validation

1

Create Certificate

Create the argocd-dex-server-tls secret.
2

Restart dex-server

kubectl rollout restart deployment argocd-dex-server -n argocd
3

Enable Strict TLS in argocd-server

spec:
  containers:
  - name: argocd-server
    command:
    - argocd-server
    - --dex-server-strict-tls

Service Mesh / mTLS Configuration

In service mesh environments with sidecar proxies (e.g., Istio, Linkerd), you may want to disable TLS between Argo CD components and let the mesh handle encryption.

Disable TLS to repo-server

1

Configure repo-server

Disable TLS and restrict to loopback:
spec:
  containers:
  - name: argocd-repo-server
    command:
    - argocd-repo-server
    - --disable-tls
    - --listen=127.0.0.1
Listening on localhost prevents direct network access while allowing sidecar communication.
2

Configure Clients

Set plaintext mode on all clients:
# argocd-server, argocd-application-controller, argocd-applicationset-controller
- --repo-server-plaintext

# argocd-notifications-controller
- --argocd-repo-server-plaintext
3

Configure Service Address

Point to sidecar proxy instead of direct service:
- --repo-server=localhost:8081

Disable TLS to dex-server

1

Configure dex-server

spec:
  containers:
  - name: argocd-dex-server
    command:
    - argocd-dex
    - rundex
    - --disable-tls
2

Configure argocd-server

spec:
  containers:
  - name: argocd-server
    command:
    - argocd-server
    - --dex-server-plaintext
    - --dex-server=localhost:5556

Complete Configuration Examples

Production Setup with cert-manager

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

Internal PKI Setup

  1. Create internal CA 
    # Generate root CA
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 \
  -out rootCA.crt -subj "/CN=ArgoCD Internal CA"
  2. Install CA as cluster resource 
    kubectl create secret generic argocd-ca \
  --from-file=ca.crt=rootCA.crt \
  -n argocd
  3. Configure cert-manager with internal CA 
    apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: argocd-ca
  4. Request certificates Use the Certificate resources shown in previous examples.

Troubleshooting

Symptom: New certificate not being usedSolution:
  • For argocd-server: Wait up to 60 seconds (hot reload)
  • For argocd-repo-server and argocd-dex-server: Restart pods 
    kubectl rollout restart deployment argocd-repo-server -n argocd
kubectl rollout restart deployment argocd-dex-server -n argocd
Symptom: x509: certificate is valid for X, not YSolution: Ensure SAN entries match the DNS names used by clients:
# Check certificate SANs
kubectl get secret argocd-repo-server-tls -n argocd -o json | \
  jq -r '.data["tls.crt"]' | base64 -d | \
  openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
Symptom: x509: certificate signed by unknown authoritySolutions:
  1. Add ca.crt to the TLS secret
  2. Enable strict TLS validation with proper CA trust
  3. Or use --repo-server-plaintext if in service mesh
Check certificate status:
kubectl describe certificate argocd-server-tls -n argocd
kubectl get certificaterequest -n argocd
Common issues:
  • DNS not resolving for ACME challenges
  • Rate limiting from Let’s Encrypt
  • Incorrect issuer configuration

Best Practices

Use cert-manager

Automate certificate lifecycle management and rotation

Enable Strict TLS

Validate certificates for inter-component communication

Monitor Expiry

Set up alerts for certificates expiring within 30 days

Use Strong Ciphers

Configure TLS 1.2+ and modern cipher suites only
Never commit private keys to Git. Use secret management solutions like Sealed Secrets or External Secrets Operator.

Security Overview

Comprehensive security architecture and threat model

Secrets Management

Best practices for managing secrets

Signed Releases

Verify Argo CD artifacts and images

cert-manager

Kubernetes certificate management