
Additional self-signed certificate for gRPC should be configured in a yaml file.

Open Tibor17 opened this issue 3 years ago • 0 comments

Description

I got the following error because the Argocd server uses a self-signed TLS certificate and the Argocd Image Updater has no configuration ability to include the same certificate when argocd.insecure: "false" is set by default.

Please try to find a way for us to add the certificate. The certificate is necessary due to the gRPC protocol. If we generate our own self-signed certificate, we would anyway need to add our own certificate without ignoring certificate verification.

time="2022-09-17T23:15:51Z" level=error msg="error while communicating with ArgoCD" argocd_server=argocd-server grpc_web=true grpc_webroot= insecure=false plaintext=false
time="2022-09-17T23:15:51Z" level=error msg="Error: rpc error: code = Unknown desc = Post \"https://argocd-server:443/application.ApplicationService/List\": x509: certificate signed by unknown authority"

Although setting argocd.insecure: "true" in argocd-image-updater-config.yaml finally works for me, it is still a bad workaround. I could not find any configuration field to attach a self-signed certificate.

To Reproduce

argocd-image-updater-config.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-image-updater-config
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater-config
  namespace: argocd
data:
  applications_api: "argocd"
  argocd.server_addr: "argocd-server"
  argocd.grpc_web: "true"
  argocd.insecure: "true"

argocd-rbac-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    p, role:image-updater, applications, get, */*, allow
    p, role:image-updater, applications, update, */*, allow
    g, image-updater, role:image-updater
    g, system:cluster-admins, role:admin
    g, cluster-admins, role:admin

argocd-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  accounts.image-updater: apiKey
  accounts.admin: apiKey

argocd-cmd-params-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cmd-params-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cmd-params-cm
  namespace: argocd
data:
  server.insecure: "false"
  server.log.level: "debug"
  server.disable.auth: "false"
  controller.repo.server.timeout.seconds: "60"
  controller.repo.server.plaintext: "false"
  reposerver.log.level: "debug"

Expected behavior

I would like you to introduce a new data field in argocd-image-updater-secret.yaml in order to support the certificate. After container rollout, the container should update the register of certificates.

Version

argocd image updater version: v0.12.0+aee153d

argocd-server version: v2.4.11+3d9e9f2

Logs

already available

Related issue with the workaround.

Tibor17, Sep 19 '22 23:09
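
The trust behaviour the issue describes, as an added Go example that is not part of the original issue and not Argo CD Image Updater's own code: a client with verification enabled rejects a self-signed server with the x509 error from the log, and accepts it once that certificate is loaded from PEM into its root pool, with no need to disable verification. The local test server stands in for argocd-server, and the helper names `startSelfSignedServer`, `probe` and `isUnknownAuthority` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startSelfSignedServer runs a local HTTPS server (constructed stand-in for argocd-server).
func startSelfSignedServer() (url string, certPEM []byte, stop func()) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv.URL, certPEM, srv.Close
}

// probe sends one verified request, trusting only the certificates in extraPEM (hypothetical helper).
func probe(url string, extraPEM []byte) error {
	pool := x509.NewCertPool()
	if len(extraPEM) > 0 && !pool.AppendCertsFromPEM(extraPEM) {
		return errors.New("no certificate found in PEM input")
	}
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Post(url, "application/grpc-web+proto", nil)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the x509 failure shown in the log above.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	url, certPEM, stop := startSelfSignedServer()
	defer stop()
	fmt.Println("empty trust store:", probe(url, nil))
	fmt.Println("certificate added:", probe(url, certPEM))
}
```

The pool here starts empty so the result does not depend on the host's system roots; a real client would normally append the extra certificate to a copy of the system pool instead.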