To access the Argo CD GitOps console of ACK One through a custom domain name, point your domain to the Argo CD server's load balancer IP, install an SSL certificate, and update the single sign-on (SSO) configuration. After setup, log in with a CloudSSO account at https://${your-domain}.
Prerequisites
Before you begin, ensure that you have:
- A kubeconfig file for the Fleet instance, obtained from the ACK One console
- A kubectl client connected to the Fleet instance
- A custom domain name and a valid SSL certificate (.pem and .key files) for that domain
Configure the custom domain
Step 1: Get the Argo CD server load balancer IP
Run the following command to get the load balancer IP assigned to the Argo CD server:
kubectl get svc -nargocd argocd-server -ojsonpath='{.status.loadBalancer.ingress[0].ip}'
Step 2: Create a DNS A record
In Alibaba Cloud DNS, add a DNS A record that maps your custom domain name to the load balancer IP from Step 1.
Step 3: Install the SSL certificate
Create a Kubernetes Secret named argocd-server-tls in the argocd namespace using your certificate files:
kubectl create -n argocd secret tls argocd-server-tls \
--cert=/path/to/cert.pem \
--key=/path/to/key.pem
Replace /path/to/cert.pem and /path/to/key.pem with the actual paths to your certificate files.
When the certificate is about to expire, use a new SSL certificate to renew the Secret.
Step 4: Update the SSO domain in the Argo CD ConfigMap
Update argocd-cm with your custom domain URL, then restart the Argo CD server Deployment for the change to take effect:
kubectl patch cm -nargocd argocd-cm --type=merge -p '{"data":{"url":"https://${your-domain}"}}'
kubectl -nargocd rollout restart deployment argocd-server
Replace ${your-domain} with your custom domain name.
Step 5: Update the OAuth callback URL in RAM
The OAuth flow requires the callback URL registered in Resource Access Management (RAM) to match the domain used to access the console. If these don't match, login fails with a redirect error.
- Log in to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose Integrations > OAuth Preview.
- On the Enterprise Applications tab, click the application named ackone-argo-cd-${your-fleet-id}@app.${your-uid}.onaliyun.com.
  - ${your-fleet-id}: the ID of your ACK One Fleet instance
  - ${your-uid}: your Alibaba Cloud account ID
- In the Basic Information section, click Edit Basic Information and set Callback URL to:
  https://${your-domain}/auth/callback
  Replace ${your-domain} with your custom domain name.
Step 6: Verify access
Open https://${your-domain} in a browser and log in with a CloudSSO account.
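If login fails with a redirect error or the browser rejects the certificate, the following checks cover the settings from Steps 3 to 5. This is an added example, not part of the original procedure or the product's own tooling; the function names, the 30-day expiry threshold, and the sample domain argocd.example.com are assumptions, and check_cert requires the openssl CLI.

```shell
#!/bin/sh
# Added example: sanity checks for Steps 3-5. Function names are hypothetical.

# check_cert DOMAIN CERT_PEM KEY_PEM
# Run before Step 3: the certificate must cover DOMAIN, stay valid for at
# least 30 more days (assumed threshold), and belong to the private key.
check_cert() {
  openssl x509 -in "$2" -noout -checkhost "$1" | grep -q 'does match' ||
    { echo "certificate does not cover $1" >&2; return 1; }
  openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null ||
    { echo "certificate expires within 30 days" >&2; return 1; }
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] ||
    { echo "private key does not match certificate" >&2; return 1; }
}

# Callback URL that Step 5 expects for a given domain.
expected_callback() { printf 'https://%s/auth/callback\n' "$1"; }

# check_sso_config DOMAIN CM_URL CALLBACK_URL
# Returns 0 only if the argocd-cm url (Step 4) and the RAM callback URL
# (Step 5) both agree with DOMAIN; reports every mismatch it finds.
check_sso_config() {
  domain=$1 cm_url=$2 callback=$3 rc=0
  if [ "$cm_url" != "https://$domain" ]; then
    echo "argocd-cm url is '$cm_url', expected 'https://$domain'" >&2
    rc=1
  fi
  if [ "$callback" != "$(expected_callback "$domain")" ]; then
    echo "callback is '$callback', expected '$(expected_callback "$domain")'" >&2
    rc=1
  fi
  return $rc
}

# Live values: read the ConfigMap url with
#   kubectl get cm -n argocd argocd-cm -o jsonpath='{.data.url}'
# and copy the Callback URL from the RAM console.
# Constructed sample values, so the script runs offline:
check_sso_config argocd.example.com \
  https://argocd.example.com \
  https://argocd.example.com/auth/callback && echo "SSO settings consistent"
```

Run check_cert against the same files you pass to kubectl create secret tls, both at first install and each time you renew the Secret.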
What's next
- Best practice for ACK One GitOps: learn how to use ACK One GitOps to release multi-cluster applications.