
ArgoCD object should use argocd-server-tls secret in openshift-gitops namespace for TLS cert #629

Open
upr-kmd opened this issue Dec 14, 2023 · 1 comment


upr-kmd commented Dec 14, 2023

Is your feature request related to a problem? Please describe.
ArgoCD object doesn't use argocd-server-tls secret in openshift-gitops namespace for the openshift-gitops-server route.
Currently the TLS certificate has to be embedded inside the ArgoCD CR to make it deploy a TLS cert for the openshift-gitops-server route. This is counterproductive. The OpenShift GitOps operator should always use secrets instead of embedded certificates.

Describe the solution you'd like
The current setup according to the openshift-gitops documentation is:

$ oc edit argocd/openshift-gitops

  server:
    [...]
    route:
      enabled: true
      tls:
        certificate: |
          -----BEGIN CERTIFICATE-----
          ---                         <======= Add the custom-cert here
          -----END CERTIFICATE-----
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          ---                        <======= Add the key here
          -----END RSA PRIVATE KEY-----
        insecureEdgeTerminationPolicy: Redirect
        termination: reencrypt
  [...]

Instead, it should be:

$ oc edit argocd/openshift-gitops

  server:
    [...]
    route:
      enabled: true
      tls:
        secret: <secret-name>
        insecureEdgeTerminationPolicy: Redirect
        termination: reencrypt
  [...]

Describe alternatives you've considered
N/A

Additional context
N/A

@ctrought

OCP 4.16 is supposed to have a new field added to the Route API, "externalCertificate". I don't know the exact design details, but I assume the intention is to allow referencing a secret natively. Again, assuming this is implemented, ArgoCD should be able to easily expose the field in spec.server.route.tls.externalCertificate.

https://docs.openshift.com/container-platform/4.16/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls-externalcertificate

For now we've been overcoming this by leveraging either cert-manager combined with cert-manager routes and configuring the cert via annotations.
https://github.com/cert-manager/openshift-routes

The other option, and probably more stable, would be simply using the ingress in the ArgoCD CR as a means of configuring the route, which does let you specify the TLS secret; OCP will generate the route and embed the certificate automatically.
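The ingress-based workaround from the comment above, written out as an added example that is not part of the issue, the operator's documentation or the cert-manager project. The point of it is the one the issue is making: a CR field is plain text that anyone with `get` on `argocds` can read and that typically ends up committed to git, whereas a `kubernetes.io/tls` Secret is scoped by RBAC and can be rotated without touching the CR. Everything named here is an assumption: the namespace `openshift-gitops`, the Secret `argocd-server-custom-tls` (created beforehand with `oc create secret tls`), the host `argocd.apps.example.com`, and `argoproj.io/v1beta1` as the API version served by the installed operator.

```yaml
# Added example, not the operator's own documentation. Replaces the operator-
# managed Route (which needs the cert and key inline in the CR) with an
# Ingress that points at a TLS Secret; OpenShift's ingress-to-route controller
# then creates the Route and copies the certificate from the Secret itself.
# Assumed: namespace, Secret name, host and apiVersion below.
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  server:
    # Stop the operator from managing its own Route, so the only external
    # entry point is the Route generated from the Ingress below.
    route:
      enabled: false
    # Host used for the generated Ingress rule (assumed value).
    host: argocd.apps.example.com
    ingress:
      enabled: true
      annotations:
        # Read by the ingress-to-route controller; keeps the same reencrypt
        # termination the operator's own Route uses toward argocd-server.
        route.openshift.io/termination: reencrypt
      tls:
        - hosts:
            - argocd.apps.example.com
          # kubernetes.io/tls Secret in the same namespace as this CR
          # (assumed name). The private key lives only here, never in the CR.
          secretName: argocd-server-custom-tls
```

After applying it, confirm that a Route was generated from the Ingress with `oc get route -n openshift-gitops -o yaml` and that its `spec.tls.termination` is `reencrypt` and its `spec.tls.certificate` matches `tls.crt` in the Secret; then check what is actually served with `openssl s_client -connect argocd.apps.example.com:443 -servername argocd.apps.example.com`. Because the operator reconciles the CR continuously, re-run the same check after the next operator upgrade to make sure the generated Route is not replaced by an operator-managed one.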
