Revert the edge termination policy back to Redirect

Signed-off-by: Chetan Banavikalmutt <chetanrns1997@gmail.com>
argoproj-labs · May 20, 2024 · 7509196 · 7509196
1 parent 26be68b
commit 7509196
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 12 deletions.
diff --git a/api/v1alpha1/argocd_types.go b/api/v1alpha1/argocd_types.go
@@ -960,10 +960,12 @@ func (argocd *ArgoCD) IsDeletionFinalizerPresent() bool {
 	return false
 }
 
-// WantsAutoTLS returns true if user configured a route with reencryption
-// termination policy.
+// WantsAutoTLS returns true if:
+// 1. user has configured a route with reencrypt.
+// 2. user has not configured TLS and we default to reencrypt.
 func (s *ArgoCDServerSpec) WantsAutoTLS() bool {
-	return s.Route.TLS != nil && s.Route.TLS.Termination == routev1.TLSTerminationReencrypt
+	return s.Route.TLS == nil ||
+		(s.Route.TLS != nil && s.Route.TLS.Termination == routev1.TLSTerminationReencrypt)
 }
 
 // WantsAutoTLS returns true if the repository server configuration has set

diff --git a/api/v1beta1/argocd_types.go b/api/v1beta1/argocd_types.go
@@ -991,10 +991,10 @@ func (argocd *ArgoCD) IsDeletionFinalizerPresent() bool {
 	return false
 }
 
-// WantsAutoTLS returns true if user configured a route with reencryption
-// termination policy.
+// WantsAutoTLS returns true if the user has configured a route with reencrypt or we default to reencrypt.
 func (s *ArgoCDServerSpec) WantsAutoTLS() bool {
-	return s.Route.TLS != nil && s.Route.TLS.Termination == routev1.TLSTerminationReencrypt
+	return s.Route.TLS == nil ||
+		(s.Route.TLS != nil && s.Route.TLS.Termination == routev1.TLSTerminationReencrypt)
 }
 
 // WantsAutoTLS returns true if the repository server configuration has set

diff --git a/controllers/argocd/route.go b/controllers/argocd/route.go
@@ -236,7 +236,7 @@ func (r *ReconcileArgoCD) reconcileServerRoute(cr *argoproj.ArgoCD) error {
 			TargetPort: intstr.FromString("https"),
 		}
 		route.Spec.TLS = &routev1.TLSConfig{
-			InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyNone,
+			InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
 			Termination:                   routev1.TLSTerminationReencrypt,
 		}
 	}

diff --git a/controllers/argocd/route_test.go b/controllers/argocd/route_test.go
@@ -98,7 +98,7 @@ func TestReconcileRouteSetsInsecure(t *testing.T) {
 
 	wantTLSConfig := &routev1.TLSConfig{
 		Termination:                   routev1.TLSTerminationReencrypt,
-		InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyNone,
+		InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
 	}
 	if diff := cmp.Diff(wantTLSConfig, loaded.Spec.TLS); diff != "" {
 		t.Fatalf("failed to reconcile route:\n%s", diff)
@@ -203,7 +203,7 @@ func TestReconcileRouteUnsetsInsecure(t *testing.T) {
 
 	wantTLSConfig = &routev1.TLSConfig{
 		Termination:                   routev1.TLSTerminationReencrypt,
-		InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyNone,
+		InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
 	}
 	if diff := cmp.Diff(wantTLSConfig, loaded.Spec.TLS); diff != "" {
 		t.Fatalf("failed to reconcile route:\n%s", diff)
@@ -281,7 +281,7 @@ func TestReconcileRouteApplicationSetTlsTermination(t *testing.T) {
 					Enabled: true,
 					TLS: &routev1.TLSConfig{
 						Termination:                   routev1.TLSTerminationPassthrough,
-						InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyNone,
+						InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
 					},
 				},
 			},
@@ -312,7 +312,7 @@ func TestReconcileRouteApplicationSetTlsTermination(t *testing.T) {
 	fatalIfError(t, err, "failed to load route %q: %s", testArgoCDName+"-server", err)
 
 	wantTLSConfig := &routev1.TLSConfig{
-		InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyNone,
+		InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
 		Termination:                   routev1.TLSTerminationPassthrough,
 	}
 	if diff := cmp.Diff(wantTLSConfig, loaded.Spec.TLS); diff != "" {

diff --git a/docs/usage/routes.md b/docs/usage/routes.md
@@ -48,7 +48,7 @@ $ kubectl get secret argocd-cluster -n argocd -ojsonpath='{.data.admin\.password
 
 ## Setting TLS modes for routes
 
-You can parameterize the route's TLS configuration by setting appropriate values in the `.spec.server.route.tls` field of the `ArgoCD` CR.
+By default, the operator creates the Argo CD server route with `reencrypt` termination policy. You can parameterize the route's TLS configuration by setting appropriate values in the `.spec.server.route.tls` field of the `ArgoCD` CR.
 
 ### TLS edge termination mode