Simplify TLS configuration

Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
This commit is contained in:
Petr Drastil 2024-01-21 21:49:45 +01:00
parent 5dd79c9962
commit f26e3f0d44
No known key found for this signature in database
GPG key ID: B147517F4051E6ED
6 changed files with 73 additions and 25 deletions


@ -125,7 +125,9 @@ Please review your setup and adjust to new configuration options:
* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
* ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `<hostname>-tls` secret when `tls: true`
* additional hostnames and routing can be provided via `extraHosts` configuration section
* additional TLS secrets can be provided via `extraTls` configuration section
### 5.53.0
@ -767,29 +769,31 @@ NAME: my-release
| server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| server.ingress.annotations | object | `{}` | Additional ingress annotations |
| server.ingress.enabled | bool | `true` | Enable an ingress resource for the Argo CD server |
| server.ingress.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record |
| server.ingress.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
| server.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
| server.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| server.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional TLS configuration |
| server.ingress.hostname | string | `"argocd.server.local"` | Argo CD server hostname |
| server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource |
| server.ingress.labels | object | `{}` | Additional ingress labels |
| server.ingress.path | string | `"/"` | The path to Argo CD server |
| server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| server.ingress.tls | list | `[]` | Ingress TLS configuration |
| server.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingress.hostname` |
| server.ingressGrpc.annotations | object | `{}` | Additional ingress annotations for dedicated [gRPC-ingress] |
| server.ingressGrpc.awsALB.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service |
| server.ingressGrpc.awsALB.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service |
| server.ingressGrpc.enabled | bool | `false` | Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] |
| server.ingressGrpc.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record |
| server.ingressGrpc.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
| server.ingressGrpc.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths for dedicated [gRPC-ingress] |
| server.ingressGrpc.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| server.ingressGrpc.extraTls | list | `[]` (See [values.yaml]) | Additional TLS configuration for dedicated [gRPC-ingress] |
| server.ingressGrpc.hostname | string | `""` | Argo CD server hostname for dedicated [gRPC-ingress] |
| server.ingressGrpc.ingressClassName | string | `""` | Defines which ingress controller will implement the resource [gRPC-ingress] |
| server.ingressGrpc.isAWSALB | bool | `false` | Setup up gRPC ingress to work with an AWS ALB |
| server.ingressGrpc.labels | object | `{}` | Additional ingress labels for dedicated [gRPC-ingress] |
| server.ingressGrpc.path | string | `"/"` | Argo CD server ingress path for dedicated [gRPC-ingress] |
| server.ingressGrpc.pathType | string | `"Prefix"` | Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| server.ingressGrpc.tls | list | `[]` | Ingress TLS configuration for dedicated [gRPC-ingress] |
| server.ingressGrpc.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingressGrpc.hostname` |
| server.initContainers | list | `[]` | Init containers to add to the server pod |
| server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for your argo-cd-server container |
| server.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
@ -1194,12 +1198,13 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.webhook.ingress.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record |
| applicationSet.webhook.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
| applicationSet.webhook.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| applicationSet.webhook.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional ingress TLS configuration |
| applicationSet.webhook.ingress.hostname | string | `""` | Argo CD ApplicationSet hostname |
| applicationSet.webhook.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource |
| applicationSet.webhook.ingress.labels | object | `{}` | Additional ingress labels |
| applicationSet.webhook.ingress.path | string | `"/api/webhook"` | List of ingress paths |
| applicationSet.webhook.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| applicationSet.webhook.ingress.tls | list | `[]` | Ingress TLS configuration |
| applicationSet.webhook.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname` |
## Notifications


@ -124,7 +124,10 @@ Please review your setup and adjust to new configuration options:
* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
* ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `<hostname>-tls` secret when `tls: true`
* additional hostnames and routing can be provided via `extraHosts` configuration section
* additional TLS secrets can be provided via `extraTls` configuration section
### 5.53.0


@ -50,8 +50,15 @@ spec:
{{- with .Values.applicationSet.webhook.ingress.extraRules }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.applicationSet.webhook.ingress.tls }}
{{- if or .Values.applicationSet.webhook.ingress.tls .Values.applicationSet.webhook.ingress.extraTls }}
tls:
{{- toYaml . | nindent 4 }}
{{- end -}}
{{- end -}}
{{- if .Values.applicationSet.webhook.ingress.tls }}
- hosts:
- {{ .Values.applicationSet.webhook.ingress.hostname }}
secretName: {{ printf "%s-tls" .Values.applicationSet.webhook.ingress.hostname }}
{{- end }}
{{- with .Values.applicationSet.webhook.ingress.extraTls }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
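Review bot: With the default `hostname: ""` shown in this commit's README row, `tls: true` renders a `hosts:` entry that is empty and `secretName: -tls`, which is not a valid Secret name; the template should fail at render time instead, e.g. `{{- $host := required "applicationSet.webhook.ingress.hostname must be set when tls is enabled" .Values.applicationSet.webhook.ingress.hostname }}` placed before the `- hosts:` line, and the same derived `<hostname>-tls` name is used by the gRPC ingress template in this commit. Separately, because `tls` was a list before this change, an unmigrated `tls: [{secretName: ...}]` value is still truthy for `if`, so a user's own secretName is silently replaced by the derived one here and in the gRPC and server ingress templates, with no error. A guard such as `{{- if kindIs "slice" .Values.applicationSet.webhook.ingress.tls }}{{ fail "ingress.tls is now a boolean; move custom secrets to extraTls" }}{{- end }}` would surface that during `helm template` rather than as a certificate mismatch in production.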


@ -51,8 +51,15 @@ spec:
{{- with .Values.server.ingressGrpc.extraRules }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.server.ingressGrpc.tls }}
{{- if or .Values.server.ingressGrpc.tls .Values.server.ingressGrpc.extraTls }}
tls:
{{- toYaml . | nindent 4 }}
{{- if .Values.server.ingressGrpc.tls }}
- hosts:
- {{ $hostname }}
secretName: {{ printf "%s-tls" $hostname }}
{{- end }}
{{- with .Values.server.ingressGrpc.tls }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
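Review bot: The `with` block that follows the derived entry reads `.Values.server.ingressGrpc.tls` rather than `.Values.server.ingressGrpc.extraTls`, unlike the server and applicationSet ingress templates in this commit; because `tls` is now a boolean, `toYaml` emits a bare `true` inside the `tls:` sequence whenever `tls: true`, which is an invalid manifest, and `extraTls` is never rendered for the gRPC ingress at all. The line should read `{{- with .Values.server.ingressGrpc.extraTls }}`. This assumes the rendered page shows the new side faithfully; `$hostname` is defined above the hunk.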


@ -63,8 +63,15 @@ spec:
{{- with .Values.server.ingress.extraRules }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.server.ingress.tls }}
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
tls:
{{- toYaml . | nindent 4 }}
{{- if .Values.server.ingress.tls }}
- hosts:
- {{ .Values.server.ingress.hostname }}
secretName: argocd-server-tls
{{- end }}
{{- with .Values.server.ingress.extraTls }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
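Review bot: `secretName: argocd-server-tls` is emitted whenever `tls: true`, but nothing in the template checks that a Secret of that name exists or is created by the chart; values.yaml in this commit points to the `certificate` and `certificateSecret` options for creating it, and most ingress controllers silently serve their default certificate when the referenced Secret is missing, so a misconfiguration appears as an untrusted certificate on the hostname rather than as a render error. A comment above the line would make the dependency explicit, e.g. `{{- /* argocd-server-tls must be provided via server.certificate, server.certificateSecret, or out of band */ -}}`; a `fail` when `tls` is true and neither option is enabled would be stronger, if the chart exposes those flags to this template.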


@ -1900,6 +1900,7 @@ server:
# -- Automount API credentials for the Service Account
automountServiceAccountToken: true
# Argo CD server ingress configuration
ingress:
# -- Enable an ingress resource for the Argo CD server
enabled: true #false
@ -1915,7 +1916,7 @@ server:
ingressClassName: ""
# -- Argo CD server hostname
## Hostname must be provided if Ingress is enabled
## NOTE: Hostname must be provided if Ingress is enabled
hostname: argocd.server.local
# -- The path to Argo CD server
@ -1925,7 +1926,13 @@ server:
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
pathType: Prefix
# -- Enable TLS configuration for the hostname defined at `server.ingress.hostname`
## TLS certificate will be retrieved from a TLS secret `argocd-server-tls`
## You can create this secret via `certificate` or `certificateSecret` option
tls: false
# -- The list of additional hostnames to be covered by ingress record
# @default -- `[]` (See [values.yaml])
extraHosts: []
# - name: argocd.server.local
# path: /
@ -1953,14 +1960,15 @@ server:
# port:
# name: http
# -- Ingress TLS configuration
tls: []
# - secretName: your-certificate-name
# hosts:
# - argocd.example.com
# -- Additional TLS configuration
# @default -- `[]` (See [values.yaml])
extraTls: []
# - hosts:
# - argocd.example.com
# secretName: your-certificate-name
# dedicated ingress for gRPC as documented at
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
# Dedicated ingress for gRPC as documented at
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
ingressGrpc:
# -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress]
enabled: false
@ -1994,7 +2002,12 @@ server:
# -- Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific`
pathType: Prefix
# -- Enable TLS configuration for the hostname defined at `server.ingressGrpc.hostname`
## TLS certificate will be retrieved from a TLS secret with name: `<hostname>-tls`
tls: false
# -- The list of additional hostnames to be covered by ingress record
# @default -- `[]` (See [values.yaml])
extraHosts: []
# - name: grpc.argocd.server.local
# path: /
@ -2022,8 +2035,9 @@ server:
# port:
# name: http
# -- Ingress TLS configuration for dedicated [gRPC-ingress]
tls: []
# -- Additional TLS configuration for dedicated [gRPC-ingress]
# @default -- `[]` (See [values.yaml])
extraTls: []
# - secretName: your-certificate-name
# hosts:
# - argocd.example.com
@ -2723,6 +2737,10 @@ applicationSet:
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
pathType: Prefix
# -- Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname`
## TLS certificate will be retrieved from a TLS secret with name: `<hostname>-tls`
tls: false
# -- The list of additional hostnames to be covered by ingress record
extraHosts: []
# - name: argocd.server.local
@ -2751,8 +2769,9 @@ applicationSet:
# port:
# name: http
# -- Ingress TLS configuration
tls: []
# -- Additional ingress TLS configuration
# @default -- `[]` (See [values.yaml])
extraTls: []
# - secretName: argocd-applicationset-tls
# hosts:
# - argocd-applicationset.example.com
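Review bot: The comment above the new `tls: false` in the `server.ingress` hunk says the certificate "will be retrieved from" `argocd-server-tls` but does not say what happens when that Secret is absent, which is the usual failure mode of this toggle. Suggest extending the `##` note with one line: `## If this secret does not exist, the ingress controller falls back to its default certificate`. The `ingressGrpc` and `applicationSet.webhook.ingress` comments about `<hostname>-tls` in this file would benefit from the same line.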