From c93550224b4381be59cc5448f5871757de5dad3c Mon Sep 17 00:00:00 2001 From: Karl Parry <88431088+karlparry@users.noreply.github.com> Date: Tue, 29 Nov 2022 21:14:17 +0000 Subject: [PATCH] feat(argo-cd): Add Repo Server strict TLS cert support (#1673) Signed-off-by: Karl Parry --- charts/argo-cd/Chart.yaml | 4 ++-- charts/argo-cd/README.md | 6 +++++ charts/argo-cd/templates/_helpers.tpl | 1 + .../argocd-repo-server-tls.yaml | 24 +++++++++++++++++++ charts/argo-cd/values.yaml | 17 +++++++++++++ 5 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls.yaml diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 7152bd9f..719090f6 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.5.3 kubeVersion: ">=1.22.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 5.14.3 +version: 5.15.0 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: @@ -23,4 +23,4 @@ dependencies: condition: redis-ha.enabled annotations: artifacthub.io/changes: | - - "[Changed]: Update to app version 2.5.3" + - "[Added]: Ability to deploy argocd-repo-server-server-tls secret and configure Strict TLS for Repo Server" diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index a1e4a6aa..d592025e 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md @@ -522,6 +522,12 @@ NAME: my-release | repoServer.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the repo server [HPA] | | repoServer.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the repo server [HPA] | | repoServer.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the repo server [HPA] | +| repoServer.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-repo-server-tls secret | +| repoServer.certificateSecret.ca | string | `""` | Certificate authority. Required for self-signed certificates. | +| repoServer.certificateSecret.crt | string | `""` | Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc) | +| repoServer.certificateSecret.enabled | bool | `false` | Create argocd-repo-server-tls secret | +| repoServer.certificateSecret.key | string | `""` | Certificate private key | +| repoServer.certificateSecret.labels | object | `{}` | Labels to be added to argocd-repo-server-tls secret | | repoServer.clusterAdminAccess.enabled | bool | `false` | Enable RBAC for local cluster deployments | | repoServer.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the Repo server's Cluster Role resource | | repoServer.clusterRoleRules.rules | list | `[]` | List of custom rules for the Repo server's Cluster Role resource | diff --git a/charts/argo-cd/templates/_helpers.tpl b/charts/argo-cd/templates/_helpers.tpl index 5bdbd871..bdfa010b 100644 --- a/charts/argo-cd/templates/_helpers.tpl +++ b/charts/argo-cd/templates/_helpers.tpl @@ -194,6 +194,7 @@ Argo Params Default Configuration Presets */}} {{- define "argo-cd.config.params.presets" -}} repo.server: "{{ include "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}" +server.repo.server.strict.tls: {{ .Values.repoServer.certificateSecret.enabled | toString }} {{- with include "argo-cd.redis.server" . }} redis.server: {{ . | quote }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls.yaml b/charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls.yaml new file mode 100644 index 00000000..7efa2051 --- /dev/null +++ b/charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.repoServer.enabled .Values.repoServer.certificateSecret.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: argocd-repo-server-tls + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "repo-server-tls") | nindent 4 }} + {{- with .Values.repoServer.certificateSecret.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.repoServer.certificateSecret.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +type: kubernetes.io/tls +data: + {{- with .Values.repoServer.certificateSecret.ca }} + ca.crt: {{ . | b64enc | quote }} + {{- end }} + tls.crt: {{ .Values.repoServer.certificateSecret.crt | b64enc | quote }} + tls.key: {{ .Values.repoServer.certificateSecret.key | b64enc | quote }} +{{- end }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 641caa2f..63da9ea1 100755 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -1982,6 +1982,23 @@ repoServer: # cpu: 10m # memory: 64Mi + # TLS certificate configuration via Secret + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-repo-server + ## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart repo server automatically without extra controllers. + certificateSecret: + # -- Create argocd-repo-server-tls secret + enabled: false + # -- Annotations to be added to argocd-repo-server-tls secret + annotations: {} + # -- Labels to be added to argocd-repo-server-tls secret + labels: {} + # -- Certificate authority. Required for self-signed certificates. + ca: '' + # -- Certificate private key + key: '' + # -- Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc) + crt: '' + ## Repo server service configuration service: # -- Repo server service annotations