
ArgoCD object should use argocd-server-tls secret in openshift-gitops namespace for TLS cert

Open upr-kmd opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.
ArgoCD object doesn't use argocd-server-tls secret in openshift-gitops namespace for the openshift-gitops-server route. Currently the TLS certificate has to be embedded inside the ArgoCD CR to make it deploy a TLS cert for the openshift-gitops-server route. This is counterproductive. Openshift-gitops operator should always use secrets instead of embedded certificates.

Describe the solution you'd like
The current setup according to the openshift-gitops documentation is:

$ oc edit argocd/openshift-gitops

  server:
    [...]
    route:
      enabled: true
      tls:
        certificate: |
          -----BEGIN CERTIFICATE-----
          ---                         <======= Add the custom-cert here
          -----END CERTIFICATE-----
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          ---                         <======= Add the key here
          -----END RSA PRIVATE KEY-----
        insecureEdgeTerminationPolicy: Redirect
        termination: reencrypt
  [...]

Instead, it should be:

$ oc edit argocd/openshift-gitops

  server:
    [...]
    route:
      enabled: true
      tls:
        secret: <secret-name>
        insecureEdgeTerminationPolicy: Redirect
        termination: reencrypt
  [...]

Describe alternatives you've considered
N/A

Additional context
N/A

upr-kmd, Dec 14 '23 17:12

OCP 4.16 is supposed to have a new field added to the Route API, "externalCertificate". I don't know the exact design details, but I assume the intention is to allow referencing a secret natively. Again assuming this is implemented, ArgoCD should be able to easily expose the field in spec.server.route.tls.externalCertificate.

https://docs.openshift.com/container-platform/4.16/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls-externalcertificate

For now we've been overcoming this by leveraging either cert-manager combined with cert-manager routes and configuring the cert via annotations. https://github.com/cert-manager/openshift-routes

The other option, and probably more stable, would be simply using the ingress in the ArgoCD CR as a means for configuring the route, which does let you specify the TLS secret, and OCP will generate the route and embed the certificate automatically.

ctrought, May 17 '24 19:05
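The ingress-based workaround described in the comment above, written out as an added example (it is not from the issue, the OpenShift GitOps documentation or the argocd-operator project). The point it demonstrates is the one the issue is about: the private key lives only in a kubernetes.io/tls Secret that is protected by namespace RBAC and etcd encryption, rather than being pasted into the ArgoCD CR, where anyone who can read the CR (or the git repository that manages it) can read the key. The field names under spec.server.ingress follow the argocd-operator ArgoCD CRD as I understand it, the apiVersion, the hostname, the PEM payloads and the route.openshift.io/termination annotation are assumptions, and the annotation's effect on the generated Route should be verified on your cluster.

```yaml
# Added example, not part of the issue or the operator project.
# Assumed field names; check them with: oc explain argocd.spec.server.ingress
---
apiVersion: v1
kind: Secret
metadata:
  name: argocd-server-tls           # referenced by name below, never embedded in the CR
  namespace: openshift-gitops
type: kubernetes.io/tls              # this type requires exactly the keys tls.crt and tls.key
data:
  tls.crt: <base64-encoded PEM certificate chain>   # placeholder
  tls.key: <base64-encoded PEM private key>         # placeholder
---
apiVersion: argoproj.io/v1beta1      # assumption: v1beta1 is the current ArgoCD CRD version
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  server:
    route:
      enabled: false                 # let the ingress-to-route controller create the Route instead
    ingress:
      enabled: true
      annotations:
        # Assumption: OpenShift's ingress-to-route controller honours this annotation.
        # Without it the generated Route uses edge termination, while argocd-server
        # in OpenShift GitOps serves TLS itself and the documented Route uses reencrypt.
        route.openshift.io/termination: reencrypt
      tls:
        - hosts:
            - argocd.apps.example.com        # placeholder hostname
          secretName: argocd-server-tls      # the Secret above; resolved in the same namespace
```

The Secret is easiest to create from existing PEM files with `oc create secret tls argocd-server-tls -n openshift-gitops --cert=tls.crt --key=tls.key`, which sets the kubernetes.io/tls type and key names for you. After applying the CR, `oc get route -n openshift-gitops` should show a Route generated from the Ingress whose TLS material comes from the Secret, and the ArgoCD CR itself contains no key material, so it can be committed to git without leaking the private key.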

ArgoCD operator should work with older versions of OCP as well. So it may not be a good idea to depend on the latest OCP 4.16 feature for the implementation.

anandf, Sep 25 '24 06:09