redhat-developer / gitops-operator

An operator that gets you an ArgoCD for cluster configuration out-of-the-box on OpenShift along with the UI for visualizing environments.
Apache License 2.0
144 stars, 272 forks

ArgoCD object should use argocd-server-tls secret in openshift-gitops namespace for TLS cert #629

Open upr-kmd opened 8 months ago

upr-kmd commented 8 months ago

Is your feature request related to a problem? Please describe.
ArgoCD object doesn't use argocd-server-tls secret in openshift-gitops namespace for the openshift-gitops-server route. Currently the TLS certificate has to be embedded inside the ArgoCD CR to make it deploy a TLS cert for the openshift-gitops-server route. This is counterproductive. Openshift-gitops operator should always use secrets instead of embedded certificates.

Describe the solution you'd like
The current setup according to the openshift-gitops documentation is:

$ oc edit argocd/openshift-gitops

  server:
    [...]
    route:
      enabled: true
      tls:
        certificate: |
          -----BEGIN CERTIFICATE-----
          ---                         <======= Add the custom-cert here
          -----END CERTIFICATE-----
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          ---                        <======= Add the key here
          -----END RSA PRIVATE KEY-----
        insecureEdgeTerminationPolicy: Redirect
        termination: reencrypt
  [...]

Instead, it should be:

$ oc edit argocd/openshift-gitops

  server:
    [...]
    route:
      enabled: true
      tls:
        secret: <secret-name>
        insecureEdgeTerminationPolicy: Redirect
        termination: reencrypt
  [...]

Describe alternatives you've considered
N/A

Additional context
N/A

ctrought commented 3 months ago

OCP 4.16 is supposed to have a new field added to the Route API, "externalCertificate". I don't know the exact design details, but I assume the intention is to allow referencing a secret natively. Again assuming this is implemented, ArgoCD should be able to easily expose the field in spec.server.route.tls.externalCertificate.

https://docs.openshift.com/container-platform/4.16/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls-externalcertificate

For now we've been overcoming this by leveraging either cert-manager combined with cert-manager routes and configuring the cert via annotations. https://github.com/cert-manager/openshift-routes

The other option, and probably more stable, would be simply using the ingress in the ArgoCD CR as a means for configuring the route, which does let you specify the TLS secret; OCP will generate the route and embed the certificate automatically.
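As an added example (not code from the issue or the operator), the check below walks parsed manifests and reports where a PEM private key is pasted into a non-Secret object, which is exactly what the documented `spec.server.route.tls.key` form does, while the ingress-based form from the comment above and a `kubernetes.io/tls` Secret pass. The manifests are constructed for the example, the key bodies are placeholders, and the hostname and Secret name are assumptions.

```python
import re

# Matches any PEM private-key header (RSA, EC, PKCS#8 "PRIVATE KEY", ...).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_embedded_keys(obj, path="$"):
    """Walk a parsed manifest (dict/list/str tree) and return the JSON
    paths of every string that carries a PEM private key. A Secret is
    the intended home for key material, so Secret objects are skipped;
    anything else (a CR, a ConfigMap, a Route) is reported."""
    if isinstance(obj, dict):
        if obj.get("kind") == "Secret":
            return []
        return [p for k, v in obj.items()
                for p in find_embedded_keys(v, f"{path}.{k}")]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj)
                for p in find_embedded_keys(v, f"{path}[{i}]")]
    if isinstance(obj, str) and PEM_PRIVATE_KEY.search(obj):
        return [path]
    return []


# Constructed sample: the documented form, key pasted into the ArgoCD CR.
# Key and certificate bodies are placeholders, not real material.
EMBEDDED_CR = {
    "apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
    "metadata": {"name": "openshift-gitops", "namespace": "openshift-gitops"},
    "spec": {"server": {"route": {"enabled": True, "tls": {
        "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
        "key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----",
        "insecureEdgeTerminationPolicy": "Redirect", "termination": "reencrypt"}}}},
}

# Constructed sample: ingress-based form, the key lives in a Secret by name.
# Hostname and Secret name are assumed values.
INGRESS_CR = {
    "apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
    "metadata": {"name": "openshift-gitops", "namespace": "openshift-gitops"},
    "spec": {"server": {"host": "argocd.apps.example.com",
                        "route": {"enabled": False},
                        "ingress": {"enabled": True,
                                    "tls": [{"hosts": ["argocd.apps.example.com"],
                                             "secretName": "argocd-server-tls"}]}}},
}

# The Secret itself holds the key and is deliberately not flagged.
TLS_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "argocd-server-tls", "namespace": "openshift-gitops"},
    "stringData": {"tls.key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----"},
}

if __name__ == "__main__":
    for name, doc in [("embedded", EMBEDDED_CR), ("ingress", INGRESS_CR), ("secret", TLS_SECRET)]:
        print(name, find_embedded_keys(doc))  # embedded -> ['$.spec.server.route.tls.key']
```

Run it over `oc get argocd -A -o json` output (each item in turn) to find instances that still carry the embedded form.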