argo-workflows icon indicating copy to clipboard operation
argo-workflows copied to clipboard
verified publisher icon argoproj

Add --tls-certificate-secret-name parameter to server command. Fixes #5582

Open chtcvl opened this issue 3 years ago • 5 comments

Signed-off-by: vladimir ivanov [email protected]

Fixes #5582

Add --tls-certificate-secret-name parameter to server command. Since server runs on localhost:2746, get an error in the UI "certificate is valid for ... not for localhost". Therefore the merge request set InsecureSkipVerify on TLSconfig for grpc client on the gateway.

Tested to to work with secret provided by cert-manager (added to manifests).

chtcvl avatar Aug 24 '22 16:08 chtcvl

Interesting. Thanks for the addition. Just wondering if we should support the case in which somebody doesn't want the InsecureSkipVerify? (Don't want to add more unnecessary work but not sure what others think)

This InsecureSkipVerify is for communication within the same instance of argo-server application - between grpc client and server goroutines, so don't expect this requirement.

chtcvl avatar Sep 01 '22 02:09 chtcvl

Interesting. Thanks for the addition. Just wondering if we should support the case in which somebody doesn't want the InsecureSkipVerify? (Don't want to add more unnecessary work but not sure what others think)

This InsecureSkipVerify is for communication within the same instance of argo-server application - between grpc client and server goroutines, so don't expect this requirement.

Oh, I see…

juliev0 avatar Sep 01 '22 05:09 juliev0

Details

Great. As far as I can tell, that will propagate into all of the various manifests. You'll need to run "make codegen -B STATIC_FILES=false" and "git diff" and check in whatever changed (which you can see here).

juliev0 avatar Sep 01 '22 05:09 juliev0

@sarabala1979 @terrytangyuan Are either of you able to review and merge this PR?

juliev0 avatar Sep 13 '22 15:09 juliev0

I am not familiar with this. Maybe @alexec @sarabala1979?

terrytangyuan avatar Sep 13 '22 15:09 terrytangyuan

Hi, This PR enforces users of the manifests to have the cert-manger CRD's installed. Is this the intention?

To use the new manifests (while happy with a self signed cert). Had to add the following to kustomize:

patchesStrategicMerge:
  - |-
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: argo-workflows-issuer
    $patch: delete
  - |-
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: argo-server-cert
    $patch: delete

Piroddi avatar Oct 02 '22 08:10 Piroddi

patchesStrategicMerge:

  • |- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: argo-workflows-issuer $patch: delete
  • |- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: argo-server-cert $patch: delete

This was a huge issue for me as well.

allemp avatar Oct 03 '22 08:10 allemp