From f26e3f0d4453da1e47626cdfd2ef40039ed0c1d0 Mon Sep 17 00:00:00 2001
From: Petr Drastil
Date: Sun, 21 Jan 2024 21:49:45 +0100
Subject: [PATCH] Simplify TLS configuration
Signed-off-by: Petr Drastil
---
 charts/argo-cd/README.md | 15 ++++---
 charts/argo-cd/README.md.gotmpl | 3 ++
 .../webhook-ingress.yaml | 15 +++++--
 .../templates/argocd-server/ingress-grpc.yaml | 11 ++++-
 .../templates/argocd-server/ingress.yaml | 11 ++++-
 charts/argo-cd/values.yaml | 43 +++++++++++++------
 6 files changed, 73 insertions(+), 25 deletions(-)
diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index d89fe457..b39890c5 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@@ -125,7 +125,9 @@ Please review your setup and adjust to new configuration options:
 * catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
 * ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
 * ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
+* ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `-tls` secret when `tls: true`
 * additional hostnames and routing can be provided via `extraHosts` configuration section
+* additional TLS secrets can be provided via `extraTls` configuration section
 ### 5.53.0
@@ -767,29 +769,31 @@ NAME: my-release
 | server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
 | server.ingress.annotations | object | `{}` | Additional ingress annotations |
 | server.ingress.enabled | bool | `true` | Enable an ingress resource for the Argo CD server |
-| server.ingress.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record |
+| server.ingress.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
 | server.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
 | server.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
+| server.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional TLS configuration |
 | server.ingress.hostname | string | `"argocd.server.local"` | Argo CD server hostname |
 | server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource |
 | server.ingress.labels | object | `{}` | Additional ingress labels |
 | server.ingress.path | string | `"/"` | The path to Argo CD server |
 | server.ingress.pathType | string | `"Prefix"` | Ingress path type.
One of `Exact`, `Prefix` or `ImplementationSpecific` |
-| server.ingress.tls | list | `[]` | Ingress TLS configuration |
+| server.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingress.hostname` |
 | server.ingressGrpc.annotations | object | `{}` | Additional ingress annotations for dedicated [gRPC-ingress] |
 | server.ingressGrpc.awsALB.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service |
 | server.ingressGrpc.awsALB.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service |
 | server.ingressGrpc.enabled | bool | `false` | Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] |
-| server.ingressGrpc.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record |
+| server.ingressGrpc.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
 | server.ingressGrpc.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths for dedicated [gRPC-ingress] |
 | server.ingressGrpc.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
+| server.ingressGrpc.extraTls | list | `[]` (See [values.yaml]) | Additional TLS configuration for dedicated [gRPC-ingress] |
 | server.ingressGrpc.hostname | string | `""` | Argo CD server hostname for dedicated [gRPC-ingress] |
 | server.ingressGrpc.ingressClassName | string | `""` | Defines which ingress controller will implement the resource [gRPC-ingress] |
 | server.ingressGrpc.isAWSALB | bool | `false` | Setup up gRPC ingress to work with an AWS ALB |
 | server.ingressGrpc.labels | object | `{}` | Additional ingress labels for dedicated [gRPC-ingress] |
 | server.ingressGrpc.path | string | `"/"` | Argo CD server ingress path for dedicated [gRPC-ingress] |
 | server.ingressGrpc.pathType | string | `"Prefix"` | Ingress path type for dedicated [gRPC-ingress].
One of `Exact`, `Prefix` or `ImplementationSpecific` |
-| server.ingressGrpc.tls | list | `[]` | Ingress TLS configuration for dedicated [gRPC-ingress] |
+| server.ingressGrpc.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingressGrpc.hostname` |
 | server.initContainers | list | `[]` | Init containers to add to the server pod |
 | server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for your argo-cd-server container |
 | server.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
@@ -1194,12 +1198,13 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | applicationSet.webhook.ingress.extraHosts | list | `[]` | The list of additional hostnames to be covered by ingress record |
 | applicationSet.webhook.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
 | applicationSet.webhook.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
+| applicationSet.webhook.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional ingress TLS configuration |
 | applicationSet.webhook.ingress.hostname | string | `""` | Argo CD ApplicationSet hostname |
 | applicationSet.webhook.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource |
 | applicationSet.webhook.ingress.labels | object | `{}` | Additional ingress labels |
 | applicationSet.webhook.ingress.path | string | `"/api/webhook"` | List of ingress paths |
 | applicationSet.webhook.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
-| applicationSet.webhook.ingress.tls | list | `[]` | Ingress TLS configuration |
+| applicationSet.webhook.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname` |
 ## Notifications
diff --git a/charts/argo-cd/README.md.gotmpl b/charts/argo-cd/README.md.gotmpl
index 4a0361d1..fd21acbe 100644
--- a/charts/argo-cd/README.md.gotmpl
+++ b/charts/argo-cd/README.md.gotmpl
@@ -124,7 +124,10 @@ Please review your setup and adjust to new configuration options:
 * catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
 * ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
 * ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
+* ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `-tls` secret when `tls: true`
 * additional hostnames and routing can be provided via `extraHosts` configuration section
+* additional TLS secrets can be provided via `extraTls` configuration section
+
 ### 5.53.0
diff --git a/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml b/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml
index 04951d3d..628f63b5 100644
--- a/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml
+++ b/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml
@@ -50,8 +50,15 @@ spec:
 {{- with .Values.applicationSet.webhook.ingress.extraRules }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .Values.applicationSet.webhook.ingress.tls }}
+ {{- if or .Values.applicationSet.webhook.ingress.tls .Values.applicationSet.webhook.ingress.extraTls }}
 tls:
- {{- toYaml . | nindent 4 }}
- {{- end -}}
-{{- end -}}
+ {{- if .Values.applicationSet.webhook.ingress.tls }}
+ - hosts:
+ - {{ .Values.applicationSet.webhook.ingress.hostname }}
+ secretName: {{ printf "%s-tls" .Values.applicationSet.webhook.ingress.hostname }}
+ {{- end }}
+ {{- with .Values.applicationSet.webhook.ingress.extraTls }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml b/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml
index 3d72d7ff..2a98def4 100644
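Review bot: The TLS host added in webhook-ingress.yaml is emitted as a plain scalar, `- {{ .Values.applicationSet.webhook.ingress.hostname }}`, so a wildcard hostname such as `*.example.com` (valid for an Ingress TLS host) starts with the YAML alias sigil and breaks the render; the same shape is used in the ingress-grpc.yaml and ingress.yaml hunks of this commit. Quote both derived values: `- {{ .Values.applicationSet.webhook.ingress.hostname | quote }}` and `secretName: {{ printf "%s-tls" .Values.applicationSet.webhook.ingress.hostname | quote }}`. With the chart default `hostname: ""`, `tls: true` would also render an empty host entry and `secretName: -tls`; unless the hostname is already enforced earlier in this template (outside the hunk), a `required` check on it is worth adding here. The enclosing condition that opens this ingress spec begins outside the hunk.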
--- a/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml
+++ b/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml
@@ -51,8 +51,15 @@ spec:
 {{- with .Values.server.ingressGrpc.extraRules }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .Values.server.ingressGrpc.tls }}
+ {{- if or .Values.server.ingressGrpc.tls .Values.server.ingressGrpc.extraTls }}
 tls:
- {{- toYaml . | nindent 4 }}
+ {{- if .Values.server.ingressGrpc.tls }}
+ - hosts:
+ - {{ $hostname }}
+ secretName: {{ printf "%s-tls" $hostname }}
+ {{- end }}
+ {{- with .Values.server.ingressGrpc.tls }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/argo-cd/templates/argocd-server/ingress.yaml b/charts/argo-cd/templates/argocd-server/ingress.yaml
index 5b195644..64bb3fe6 100644
--- a/charts/argo-cd/templates/argocd-server/ingress.yaml
+++ b/charts/argo-cd/templates/argocd-server/ingress.yaml
@@ -63,8 +63,15 @@ spec:
 {{- with .Values.server.ingress.extraRules }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .Values.server.ingress.tls }}
+ {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
 tls:
- {{- toYaml . | nindent 4 }}
+ {{- if .Values.server.ingress.tls }}
+ - hosts:
+ - {{ .Values.server.ingress.hostname }}
+ secretName: argocd-server-tls
+ {{- end }}
+ {{- with .Values.server.ingress.extraTls }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index d7bab3e6..7553f3ff 100644
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@@ -1900,6 +1900,7 @@ server:
 # -- Automount API credentials for the Service Account
 automountServiceAccountToken: true
+ # Argo CD server ingress configuration
 ingress:
 # -- Enable an ingress resource for the Argo CD server
 enabled: true #false
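Review bot: The second branch in the ingress-grpc.yaml hunk ranges over `.Values.server.ingressGrpc.tls` instead of `.Values.server.ingressGrpc.extraTls`, unlike the webhook and server ingress templates in this commit, so `extraTls` is never rendered for the gRPC ingress and, because `tls: true` is truthy, `toYaml` emits a bare `true` item under `tls:` and produces an invalid Ingress. Change it to `{{- with .Values.server.ingressGrpc.extraTls }}`. `$hostname` is assigned outside the hunk, so the rendered host and derived secret name also depend on how it is computed there.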
@@ -1915,7 +1916,7 @@ server:
 ingressClassName: ""
 # -- Argo CD server hostname
- ## Hostname must be provided if Ingress is enabled
+ ## NOTE: Hostname must be provided if Ingress is enabled
 hostname: argocd.server.local
 # -- The path to Argo CD server
@@ -1925,7 +1926,13 @@ server:
 # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
 pathType: Prefix
+ # -- Enable TLS configuration for the hostname defined at `server.ingress.hostname`
+ ## TLS certificate will be retrieved from a TLS secret `argocd-server-tls`
+ ## You can create this secret via `certificate` or `certificateSecret` option
+ tls: false
+
 # -- The list of additional hostnames to be covered by ingress record
+ # @default -- `[]` (See [values.yaml])
 extraHosts: []
 # - name: argocd.server.local
 # path: /
@@ -1953,14 +1960,15 @@ server:
 # port:
 # name: http
- # -- Ingress TLS configuration
- tls: []
- # - secretName: your-certificate-name
- # hosts:
- # - argocd.example.com
+ # -- Additional TLS configuration
+ # @default -- `[]` (See [values.yaml])
+ extraTls: []
+ # - hosts:
+ # - argocd.example.com
+ # secretName: your-certificate-name
- # dedicated ingress for gRPC as documented at
- # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
+ # Dedicated ingress for gRPC as documented at
+ # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
 ingressGrpc:
 # -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress]
 enabled: false
@@ -1994,7 +2002,12 @@ server:
 # -- Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific`
 pathType: Prefix
+ # -- Enable TLS configuration for the hostname defined at `server.ingressGrpc.hostname`
+ ## TLS certificate will be retrieved from a TLS secret with name: `-tls`
+ tls: false
+
 # -- The list of additional hostnames to be covered by ingress record
+ # @default -- `[]` (See [values.yaml])
 extraHosts: []
 # - name: grpc.argocd.server.local
 # path: /
@@ -2022,8 +2035,9 @@ server:
 # port:
 # name: http
- # -- Ingress TLS configuration for dedicated [gRPC-ingress]
- tls: []
+ # -- Additional TLS configuration for dedicated [gRPC-ingress]
+ # @default -- `[]` (See [values.yaml])
+ extraTls: []
 # - secretName: your-certificate-name
 # hosts:
 # - argocd.example.com
@@ -2723,6 +2737,10 @@ applicationSet:
 # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
 pathType: Prefix
+ # -- Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname`
+ ## TLS certificate will be retrieved from a TLS secret with name: `-tls`
+ tls: false
+
 # -- The list of additional hostnames to be covered by ingress record
 extraHosts: []
 # - name: argocd.server.local
@@ -2751,8 +2769,9 @@ applicationSet:
 # port:
 # name: http
- # -- Ingress TLS configuration
- tls: []
+ # -- Additional ingress TLS configuration
+ # @default -- `[]` (See [values.yaml])
+ extraTls: []
 # - secretName: argocd-applicationset-tls
 # hosts:
 # - argocd-applicationset.example.com
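Review bot: The comment added above `tls: false` in the `server.ingressGrpc` hunk says the certificate comes from "a TLS secret with name: `-tls`", which reads as if a hostname placeholder was dropped before `-tls`; as written, an operator cannot tell which secret to create. The templates in this commit derive the name with `printf "%s-tls"` from the hostname, so state that directly, e.g. `## TLS certificate will be retrieved from a TLS secret named after the hostname with a -tls suffix (hostname-tls)`. The same wording appears in the `applicationSet.webhook.ingress` hunk at 2723 and in the README bullet, and should be corrected in all three places.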