Add GitHub Camo readme support for Status Badges when having non-public deployments

[tobiasehlert]

Summary

Add additional ingress (as for Generator-Git webhooks) to enable /api/badge calls to work for GitHub Camo service to collect Status Badges.

Motivation

When using any Status Badge pointing to an ArgoCD that is hosted behind firewalls and only accessible over for instance VPN, any badges that you place in a GitHub readme.md file are not working.

It would be really nice to have some type of endpoint supporting for /api/badge reachable but nothing else, so that the GitHub Camo (camo.githubusercontent.com) service could collect the image and present it on a readme.md file.

Proposal

I think it would be great to have some similar feature as the ingress on the applicationSet that allows webhook-calls from eg. GitHub towards /api/webhook to be delivered.

Except that the difference here would be only certain path to be delivered, in this case /api/badge.

Would be probably be something similar to this:
https://argo-cd.readthedocs.io/en/latest/operator-manual/applicationset/Generators-Git/#webhook-configuration

[crenshaw-dev]

That Ingress config would be heavily org-specific, no? Would it make sense to develop one for your environment and then add it as an example to Argo CD docs?

[agaudreault]

That is correct. In the current documentation, we do not provide any example of public ingresses for Argo CD. That depends on everyones infrastructure. People are also responsible to configure web application firewall and other security mechanism they deem necessary when exposing public endpoints for their instance.

However, the badge documentation could be improved to mention the need to use a public endpoint, and to configure statusbadge.url in the argo-cd to use that public endpoint.

[tobiasehlert]

Interesting, I wasn't aware of the statusbadge.url parameter!
Would definitely have been nice to see that there is that parameter available in the helm-chart readme or so :)

I've managed to get it to work with following config, where I use Tailscale as ingressClass using their funnel-service.

configs:
  cm:
    statusbadge.enabled: true
    statusbadge.url: https://argocd-funnel.example.ts.net/

applicationSet:
  ingress:
    enabled: true
    annotations:
      tailscale.com/funnel: "true"
    ingressClassName: tailscale
    hostname: argocd-funnel.example.ts.net
    tls: true
    extraPaths:
      - path: /api/badge
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              number: 443

[tobiasehlert]

The only "issue" with that is that there is a small thing not fully working on the application details page in the Status Badge section. When choosing Markdown for instance , the generated return is basically [image](link) where as both image and link have that statusbadge.url.

But since the statusbadge.url is only accessible on /api/badge the link doesn't work (I'd result in an 404 page not found), so I need to update the URL slightly before ingesting it into my readme.md files

[agaudreault]

@tobiasehlert are you willing to submit a doc PR to update https://argo-cd.readthedocs.io/en/stable/user-guide/status-badge/

However, the badge documentation could be improved to mention the need to use a public endpoint, and to configure statusbadge.url in the argo-cd to use that public endpoint.

[tobiasehlert]

@agaudreault, created #21529 to add a note to the docs page :)