DevFW-CICD/argocd-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Security - Redis authentication - cherry pick from https://github.com/argoproj/argo-helm-ghsa-4j3q-9h77-jq5x (#74)

Browse source
This commit is contained in:
ilia-medvedev-codefresh 2024-05-15 12:26:37 +03:00 committed by GitHub
parent aee4c58124
commit f98f2f4d4a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
17 changed files with 288 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
charts/argo-cd/Chart.yaml
View file

@ -1,9 +1,9 @@
apiVersion: v2 apiVersion: v2
appVersion: v2.10-2024.3.29-1dcc54e29 appVersion: v2.10-2024.5.14-9315e75e1
kubeVersion: ">=1.23.0-0" kubeVersion: ">=1.23.0-0"
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd name: argo-cd
version: 6.7.18-2-cap-2.10-2024.3.29-1dcc54e29 version: 6.7.18-3-cap-2.10-2024.5.14-9315e75e1
home: https://github.com/argoproj/argo-helm home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
sources: sources:
@ -27,4 +27,6 @@ annotations:
url: https://argoproj.github.io/argo-helm/pgp_keys.asc url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: changed - kind: changed
description: Upgrade argo-cd to v2.10-2024.3.29-1dcc54e29 description: Upgrade argo-cd to v2.10-2024.5.14-9315e75e1
- kind: changed
description: Fix for security vulnerability GHSA-9766-5277-j5hr - Redis authentication

25
charts/argo-cd/README.md
View file

@ -1342,8 +1342,10 @@ The main options are listed here:
|-----|------|---------|-------------| |-----|------|---------|-------------|
| redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. | | redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. |
| redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. | | redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. |
| redis-ha.auth | bool | `true` | Configures redis-ha with AUTH |
| redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context | | redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context |
| redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment | | redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment |
| redis-ha.existingSecret | string | `"argocd-redis"` | Existing Secret to use for redis-ha authentication. By default the redis-secret-init Job is generating this Secret. |
| redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar | | redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar |
| redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter | | redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter |
| redis-ha.exporter.tag | string | `"1.58.0"` | Tag to use for the redis-exporter | | redis-ha.exporter.tag | string | `"1.58.0"` | Tag to use for the redis-exporter |
@ -1387,6 +1389,29 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| externalRedis.secretAnnotations | object | `{}` | External Redis Secret annotations | | externalRedis.secretAnnotations | object | `{}` | External Redis Secret annotations |
| externalRedis.username | string | `""` | External Redis username | | externalRedis.username | string | `""` | External Redis username |
### Redis secret-init
The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
If you use an External Redis (See Option 3 above), this Job is not deployed.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| redisSecretInit.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context |
| redisSecretInit.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the Redis secret-init Job |
| redisSecretInit.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the Redis secret-init Job |
| redisSecretInit.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Redis secret-init Job |
| redisSecretInit.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| redisSecretInit.jobAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job |
| redisSecretInit.name | string | `"redis-secret-init"` | Redis secret-init name |
| redisSecretInit.podAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job |
| redisSecretInit.podLabels | object | `{}` | Labels to be added to the Redis secret-init Job |
| redisSecretInit.resources | object | `{}` | Resource limits and requests for Redis secret-init Job |
| redisSecretInit.securityContext | object | `{}` | Redis secret-init Job pod-level security context |
| redisSecretInit.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| redisSecretInit.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| redisSecretInit.serviceAccount.create | bool | `true` | Create a service account for the redis pod |
| redisSecretInit.serviceAccount.name | string | `""` | Service account name for redis pod |
## ApplicationSet ## ApplicationSet
| Key | Type | Default | Description | | Key | Type | Default | Description |

13
charts/argo-cd/README.md.gotmpl
View file

@ -719,6 +719,19 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
{{- end }} {{- end }}
{{- end }} {{- end }}
### Redis secret-init
The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
If you use an External Redis (See Option 3 above), this Job is not deployed.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if hasPrefix "redisSecretInit" .Key }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
## ApplicationSet ## ApplicationSet
| Key | Type | Default | Description | | Key | Type | Default | Description |

19
charts/argo-cd/templates/_helpers.tpl
View file

@ -86,6 +86,25 @@ Create the name of the redis service account to use
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Create Redis secret-init name
*/}}
{{- define "argo-cd.redisSecretInit.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.redisSecretInit.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the Redis secret-init service account to use
*/}}
{{- define "argo-cd.redisSecretInit.serviceAccountName" -}}
{{- if .Values.redisSecretInit.serviceAccount.create -}}
{{ default (include "argo-cd.redisSecretInit.fullname" .) .Values.redis.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.redisSecretInit.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/* {{/*
Create argocd server name and version as used by the chart label. Create argocd server name and version as used by the chart label.
*/}} */}}

8
charts/argo-cd/templates/argocd-application-controller/deployment.yaml
View file

@ -199,15 +199,19 @@ spec:
- name: REDIS_USERNAME - name: REDIS_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username key: redis-username
optional: true optional: true
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password key: redis-password
optional: true optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:

8
charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
View file

@ -198,15 +198,19 @@ spec:
- name: REDIS_USERNAME - name: REDIS_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username key: redis-username
optional: true optional: true
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password key: redis-password
optional: true optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:

2
charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml
View file

@ -2,7 +2,7 @@
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ include "argo-cd.redis.fullname" . }} name: argocd-redis
namespace: {{ .Release.Namespace | quote }} namespace: {{ .Release.Namespace | quote }}
labels: labels:
{{- include "argo-cd.labels" (dict "context" $) | nindent 4 }} {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}

8
charts/argo-cd/templates/argocd-repo-server/deployment.yaml
View file

@ -179,15 +179,19 @@ spec:
- name: REDIS_USERNAME - name: REDIS_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username key: redis-username
optional: true optional: true
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password key: redis-password
optional: true optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:

8
charts/argo-cd/templates/argocd-server/deployment.yaml
View file

@ -243,15 +243,19 @@ spec:
- name: REDIS_USERNAME - name: REDIS_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username key: redis-username
optional: true optional: true
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password key: redis-password
optional: true optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:

8
charts/argo-cd/templates/event-reporter/statefulset.yaml
View file

@ -159,15 +159,19 @@ spec:
- name: REDIS_USERNAME - name: REDIS_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username key: redis-username
optional: true optional: true
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password key: redis-password
optional: true optional: true
{{- else }}
key: auth
{{- end }}
- name: EVENT_REPORTER_SHARDING_ALGORITHM - name: EVENT_REPORTER_SHARDING_ALGORITHM
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:

55
charts/argo-cd/templates/redis-secret-init/job.yaml Normal file
View file

@ -0,0 +1,55 @@
{{- if not .Values.externalRedis.host }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "argo-cd.redisSecretInit.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
{{- range $key, $value := .Values.redisSecretInit.jobAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }}
spec:
template:
metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.redisSecretInit.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.redisSecretInit.podAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{ toYaml . | nindent 8 }}
{{- end }}
containers:
- command:
- argocd
- admin
- redis-initial-password
image: {{ default .Values.global.image.repository .Values.redisSecretInit.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.redisSecretInit.image.tag }}
#image: argocd:GHSA-9766-5277-j5hr
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redisSecretInit.image.imagePullPolicy }}
name: secret-init
resources:
{{- toYaml .Values.redisSecretInit.resources | nindent 10 }}
{{- with .Values.redisSecretInit.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.redisSecretInit.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }}
{{- end }}

27
charts/argo-cd/templates/redis-secret-init/role.yaml Normal file
View file

@ -0,0 +1,27 @@
{{- if not .Values.externalRedis.host }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }}
name: {{ include "argo-cd.redisSecretInit.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- argocd-redis
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
{{- end }}

19
charts/argo-cd/templates/redis-secret-init/rolebinding.yaml Normal file
View file

@ -0,0 +1,19 @@
{{- if not .Values.externalRedis.host }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }}
name: {{ include "argo-cd.redisSecretInit.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "argo-cd.redisSecretInit.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }}
{{- end }}

16
charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml Normal file
View file

@ -0,0 +1,16 @@
{{- if not .Values.externalRedis.host }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.redisSecretInit.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
{{- range $key, $value := .Values.redisSecretInit.serviceAccount.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }}
{{- end }}

8
charts/argo-cd/templates/redis/deployment.yaml
View file

@ -65,8 +65,14 @@ spec:
- "" - ""
- --appendonly - --appendonly
- "no" - "no"
{{- with (concat .Values.global.env .Values.redis.env) }} - --requirepass $(REDIS_PASSWORD)
env: env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: argocd-redis
key: auth
{{- with (concat .Values.global.env .Values.redis.env) }}
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- with .Values.redis.envFrom }} {{- with .Values.redis.envFrom }}

2
charts/argo-cd/templates/redis/health-configmap.yaml
View file

@ -11,6 +11,7 @@ data:
redis_liveness.sh: | redis_liveness.sh: |
response=$( response=$(
redis-cli \ redis-cli \
-a "${REDIS_PASSWORD}" --no-auth-warning \
-h localhost \ -h localhost \
-p {{ .Values.redis.containerPorts.redis }} \ -p {{ .Values.redis.containerPorts.redis }} \
ping ping
@ -23,6 +24,7 @@ data:
redis_readiness.sh: | redis_readiness.sh: |
response=$( response=$(
redis-cli \ redis-cli \
-a "${REDIS_PASSWORD}" --no-auth-warning \
-h localhost \ -h localhost \
-p {{ .Values.redis.containerPorts.redis }} \ -p {{ .Values.redis.containerPorts.redis }} \
ping ping

69
charts/argo-cd/values.yaml
View file

@ -1554,6 +1554,12 @@ redis-ha:
containerSecurityContext: containerSecurityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
# -- Configures redis-ha with AUTH
auth: true
# -- Existing Secret to use for redis-ha authentication.
# By default the redis-secret-init Job is generating this Secret.
existingSecret: argocd-redis
# -- Whether the Redis server pods should be forced to run on separate nodes. # -- Whether the Redis server pods should be forced to run on separate nodes.
hardAntiAffinity: true hardAntiAffinity: true
@ -1601,6 +1607,69 @@ externalRedis:
# -- External Redis Secret annotations # -- External Redis Secret annotations
secretAnnotations: {} secretAnnotations: {}
redisSecretInit:
# -- Redis secret-init name
name: redis-secret-init
image:
# -- Repository to use for the Redis secret-init Job
# @default -- `""` (defaults to global.image.repository)
repository: "" # defaults to global.image.repository
# -- Tag to use for the Redis secret-init Job
# @default -- `""` (defaults to global.image.tag)
tag: "" # defaults to global.image.tag
# -- Image pull policy for the Redis secret-init Job
# @default -- `""` (defaults to global.image.imagePullPolicy)
imagePullPolicy: "" # IfNotPresent
# -- Secrets with credentials to pull images from a private registry
# @default -- `[]` (defaults to global.imagePullSecrets)
imagePullSecrets: []
# -- Annotations to be added to the Redis secret-init Job
jobAnnotations: {}
# -- Annotations to be added to the Redis secret-init Job
podAnnotations: {}
# -- Labels to be added to the Redis secret-init Job
podLabels: {}
# -- Resource limits and requests for Redis secret-init Job
resources: {}
# limits:
# cpu: 200m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 64Mi
# -- Application controller container-level security context
# @default -- See [values.yaml]
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# -- Redis secret-init Job pod-level security context
securityContext: {}
serviceAccount:
# -- Create a service account for the redis pod
create: true
# -- Service account name for redis pod
name: ""
# -- Annotations applied to created service account
annotations: {}
# -- Automount API credentials for the Service Account
automountServiceAccountToken: true
## Server ## Server
server: server:
# -- Argo CD server name # -- Argo CD server name