feat(argo-cd): Support custom TLS certificates for Dex (#1477)

Signed-off-by: Petr Drastil <petr.drastil@gmail.com>

charts/argo-cd/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: v2.5.0
 kubeVersion: ">=1.22.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.10.0
+version: 5.11.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@@ -23,8 +23,5 @@ dependencies:
     condition: redis-ha.enabled
 annotations:
   artifacthub.io/changes: |
-    - "[Security]: Use recommended container security contexts by default"
+    - "[Added]: Added option to use custom TLS certs for Dex"
-    - "[Added]: Container security context for server UI extensions sidecar"
+    - "[Security]: TLS strict mode is enforced for custom Dex certificates"
-    - "[Fixed]: Redis metrics sidecar now uses correct configuration option"
-    - "[Removed]: ApplicationSet securityContext in favor of global.securityContext"
-    - "[Removed]: Notification securityContext in favor of global.securityContext"

charts/argo-cd/README.md

@@ -735,6 +735,12 @@ server:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | dex.affinity | object | `{}` | Assign custom [affinity] rules to the deployment |
+| dex.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-dex-server-tls secret |
+| dex.certificateSecret.ca | string | `""` | Certificate authority. Required for self-signed certificates. |
+| dex.certificateSecret.crt | string | `""` | Certificate data. Must contain SANs of Dex service (ie: argocd-dex-server, argocd-dex-server.argo-cd.svc) |
+| dex.certificateSecret.enabled | bool | `false` | Create argocd-dex-server-tls secret |
+| dex.certificateSecret.key | string | `""` | Certificate private key |
+| dex.certificateSecret.labels | object | `{}` | Labels to be added to argocd-dex-server-tls secret |
 | dex.containerPortGrpc | int | `5557` | Container port for gRPC access |
 | dex.containerPortHttp | int | `5556` | Container port for HTTP access |
 | dex.containerPortMetrics | int | `5558` | Container port for metrics access |

charts/argo-cd/templates/_helpers.tpl

@@ -198,7 +198,8 @@ repo.server: "{{ include "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServe
 redis.server: {{ . | quote }}
 {{- end }}
 {{- if .Values.dex.enabled }}
-server.dex.server: {{ include "argo-cd.dex.server" . }}
+server.dex.server: {{ include "argo-cd.dex.server" . | quote }}
+server.dex.server.strict.tls: {{ .Values.dex.certificateSecret.enabled | toString }}
 {{- end }}
 {{- range $component := tuple "controller" "server" "reposerver" }}
 {{ $component }}.log.format: {{ $.Values.global.logging.format | quote }}

charts/argo-cd/templates/argocd-configs/argocd-dex-server-tls-secret.yaml

@@ -0,0 +1,24 @@
+{{- if and .Values.dex.enabled .Values.dex.certificateSecret.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-dex-server-tls
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" "dex-server-tls") | nindent 4 }}
+    {{- with .Values.dex.certificateSecret.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.dex.certificateSecret.annotations }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  {{- with .Values.dex.certificateSecret.ca }}
+  ca.crt: {{ . | b64enc | quote }}
+  {{- end }}
+  tls.crt: {{ .Values.dex.certificateSecret.crt | b64enc | quote }}
+  tls.key: {{ .Values.dex.certificateSecret.key | b64enc | quote }}
+{{- end }}

charts/argo-cd/templates/dex/deployment.yaml

@@ -13,6 +13,9 @@ spec:
     metadata:
       annotations:
         checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
+        {{- if .Values.dex.certificateSecret.enabled }}
+        checksum/dex-server-tls: {{ include (print $.Template.BasePath "/argocd-configs/argocd-dex-server-tls.yaml") . | sha256sum }}
+        {{- end }}
         {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.dex.podAnnotations) }}
         {{- range $key, $value := . }}
         {{ $key }}: {{ $value | quote }}

charts/argo-cd/values.yaml

@@ -840,6 +840,23 @@ dex:
   # - secretRef:
   #     name: secret-name
 
+  # TLS certificate configuration via Secret
+  ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-dex-server
+  ## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart Dex automatically without extra controllers.
+  certificateSecret:
+    # -- Create argocd-dex-server-tls secret
+    enabled: false
+    # -- Labels to be added to argocd-dex-server-tls secret
+    labels: {}
+    # -- Annotations to be added to argocd-dex-server-tls secret
+    annotations: {}
+    # -- Certificate authority. Required for self-signed certificates.
+    ca: ''
+    # -- Certificate private key
+    key: ''
+    # -- Certificate data. Must contain SANs of Dex service (ie: argocd-dex-server, argocd-dex-server.argo-cd.svc)
+    crt: ''
+
   # -- Annotations to be added to the Dex server pods
   podAnnotations: {}