
Change default TLS termination for cluster ArgoCD instance to reencrypt

Open. kincl opened this issue 2 years ago • 1 comment

Is your feature request related to a problem? Please describe.

When the gitops-operator is installed, by default the cluster ArgoCD instance uses self-signed certificates, which can be an unexpected user experience if the default ingress router certificates are signed by a trusted CA. In the past I think this was necessary because the gitops-operator did not support the other kinds of ingress TLS termination (edge, reencrypt), but now that it does we should look at changing this default behavior.

Describe the solution you'd like

The gitops-operator's gitopsservice controller should reconcile the default cluster ArgoCD instance to set the route TLS termination to reencrypt:

spec:
  server:
    route:
      enabled: true
      tls:
        termination: reencrypt

Describe alternatives you've considered

It is possible to manually change the ArgoCD spec after installation and set this, but since the operator "owns" the ArgoCD instance, ideally it should be done there.

kincl, Mar 29 '22 13:03

Can this be looked at? Still experiencing this in 4.13. Seems like a simple fix for an issue that is over a year old.

EDIT: actually, I think our issue may be relevant though slightly different. In our ArgoCD spec we have defined reencrypt for tls termination, but the managed route uses passthrough for some reason.

Alveel, Jun 29 '23 12:06
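The mismatch described above (CR asks for reencrypt, managed Route still passthrough) is easy to miss because the CR alone looks correct. As an added example, not code from the thread or from gitops-operator, the check below compares the termination requested in an ArgoCD CR with the termination on the Route the operator reconciled; the two objects are constructed to mimic `oc get ... -o json` output and the resource names are placeholders.

```python
"""Drift check: does the Route an Argo CD CR manages use the TLS termination
the CR asks for? Sample objects are constructed (placeholder names)."""

# Constructed sample: Argo CD CR requesting reencrypt, as in the issue.
ARGOCD_CR = {
    "kind": "ArgoCD",
    "metadata": {"name": "openshift-gitops", "namespace": "openshift-gitops"},
    "spec": {"server": {"route": {"enabled": True,
                                  "tls": {"termination": "reencrypt"}}}},
}

# Constructed sample: the managed Route still on passthrough (the mismatch
# reported in the thread), with an ownerReference back to the CR above.
ROUTE_PASSTHROUGH = {
    "kind": "Route",
    "metadata": {"name": "openshift-gitops-server", "namespace": "openshift-gitops",
                 "ownerReferences": [{"kind": "ArgoCD", "name": "openshift-gitops"}]},
    "spec": {"to": {"name": "openshift-gitops-server"},
             "tls": {"termination": "passthrough"}},
}


def requested_termination(argocd):
    """Termination the CR asks for, or None when the route is disabled or the
    field is unset (the operator's own default then applies)."""
    route = argocd.get("spec", {}).get("server", {}).get("route", {})
    if not route.get("enabled"):
        return None
    return route.get("tls", {}).get("termination")


def check_route_tls(argocd, route):
    """Return findings; an empty list means the Route is owned by the CR and
    terminates TLS exactly as the CR requests."""
    findings = []
    owners = route.get("metadata", {}).get("ownerReferences", [])
    if not any(o.get("kind") == "ArgoCD" and o.get("name") == argocd["metadata"]["name"]
               for o in owners):
        findings.append("route is not owned by this ArgoCD CR; wrong object compared")
    wanted = requested_termination(argocd)
    actual = route.get("spec", {}).get("tls", {}).get("termination")
    if wanted is None:
        findings.append("CR leaves route TLS termination unset; operator default applies")
    elif actual != wanted:
        findings.append(f"drift: CR requests {wanted}, route uses {actual}")
    if actual == "passthrough":
        findings.append("passthrough: clients get Argo CD's self-signed certificate, "
                        "not the cluster ingress certificate")
    return findings
```

Run it against the live objects by loading the two `oc get ... -o json` results into `ARGOCD_CR` and `ROUTE_PASSTHROUGH` in place of the constructed samples.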

The RFE in Jira is at: https://issues.redhat.com/browse/RFE-4045 and this feature was announced as done for the next release of OpenShift GitOps 1.13.0 🎉

kincl, Jul 08 '24 15:07

OpenShift GitOps 1.13.0 was GAed yesterday and the feature is now available to users.

From GitOps docs:

With this update, the route TLS termination is set as default to the reencrypt mode for both the default and user-defined Argo CD instances. TLS connections to the Argo CD instances now receive the default ingress certificate that is set in OpenShift Container Platform, instead of the self-signed Argo CD certificate generated by the Red Hat OpenShift GitOps Operator. You can modify the route TLS termination policy by configuring the .spec.server.route.tls field of the Argo CD CR. GITOPS-3918

svghadi, Jul 09 '24 06:07