Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Support use of secrets for Route tls data #1547

Merged
merged 6 commits into from
Oct 3, 2024
Merged

feat: Support use of secrets for Route tls data #1547

merged 6 commits into from
Oct 3, 2024

Conversation

svghadi
Copy link
Collaborator

@svghadi svghadi commented Sep 25, 2024
edited
Loading

What type of PR is this?

/kind enhancement

What does this PR do / why we need it:

Operator supports providing custom certificates for the routes using the .spec.<component>.route.tls field in ArgoCD CR. However, tls data needs to embedded directly into ArgoCD CR as plain text using .tls.key & .tls.certificate fields, which is not a good practice from a security point of view.
This PR introduces a new field externalCertificate which can used to reference a tls type secret for Route. The operator will read the data from the secret and populate it into route. In case of conflict where data is embedded in ArgoCD CR and also provided via secret, data from from secret will be used.
Example usage:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
spec:
  server:
    route:
      enabled: true
      tls:
        externalCertificate: 
          name: tls-data-secret
        termination: reencrypt
---
apiVersion: v1
kind: Secret
metadata:
  name: tls-data-secret
type: kubernetes.io/tls
data:
  tls.crt: <certifcate>
  tls.key: <key>

Changes:

  • Update Openshift API dep to use tls.externalCertificate field avaiable in latest versions
  • Add custom logic to map data from the secret referenced in .tls.externalCertificate to the Route object's tls.key and tls.certificate fields.
  • Modify existing tls secret watch handler to trigger reconciliation if the event generated is for a Secret referenced in ArgoCD CR.
  • Add unit and kuttl e2e test.

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

How to test changes / Special notes to the reviewer:

  1. Install the operator in Openshift env using
ARGOCD_REDIS_IMAGE=public.ecr.aws/docker/library/redis:6 make install run

Automated test

kubectl kuttl test ./tests/ocp/ --config ./tests/kuttl-tests.yaml --test 1-005_validate_route_tls

Manual test

  1. Create a tls type secret
apiVersion: v1
kind: Secret
metadata:
  name: tls-data-secret
type: kubernetes.io/tls
stringData:
  tls.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIFrjCCA5agAwIBAgIUbM9O0W6IdumLQodDCDqyckYDr2IwDQYJKoZIhvcNAQEL
    BQAwTTELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFRlc3QxDTALBgNVBAoMBFRlc3Qx
    DTALBgNVBAsMBFRlc3QxETAPBgNVBAMMCHRlc3QuY29tMCAXDTIzMTEyNjIyMTg0
    N1oYDzIxMjMxMTI3MjIxODQ3WjBNMQswCQYDVQQGEwJVUzENMAsGA1UECAwEVGVz
    dDENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDERMA8GA1UEAwwIdGVzdC5j
    b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDbgAmnUjFux9u2Xzhi
    mno5zjA/YsoXr3eFtK9XtByQMLLyT0hbXoa9gpTeafOs3IkCotPdN+omxm2tN9UA
    ebAq+EamWyIF28EA3UbCWWULghveezrmAKSMcqQqby3knbcbGng+ZZjRdC3xc0uz
    /sd4FqaLt0UHBDMlpxRskj/S3CDetfyIrKYQcZ5NQjx75aRN8At5OPC1NiWTmlsv
    ppa4LLV0HR6AJzq+C6RAmJTcHQOFAq33wZEHHIpoQoGWHHPpT0ut54KIiVTRJ2o4
    MEV4KlBBgL3ux4+v7R0RfVmzgaMEDG1fC9tX8pIofv7wP7WX/5XHTjyAiv8gbpUW
    nLiU8FoTDZWxZN+MiCkUvZl8KqotbcUPjhnRdnq4anFwywY1lKILnCIayqzI7mPW
    12h39fNwprFz9YFYbLLoQHekir2nLw8ZH83nNyD82YQ3EFm7UnOld6zw/8aURRuQ
    C0oOEHyAXsvIyaWAb6lWvplDdCUGQWWr7MVp5YPPhWdtAv7B4QLDUNHGQMU/1Qrq
    VBH22lcU7XrCh6GXrRVm+gF7kAuJzkuae0txvk9mHc+8Y0C4/i9C3xU2qHjWcElw
    etcHbqOZjDtC8+n8mDD4hDYEMGV54VhXCKwoFLneT2no27S3SVPvNbMfyyNuUa2i
    5azKnIf439Cmfww7ImxIpOR5nQIDAQABo4GDMIGAMB0GA1UdDgQWBBQfe95iWKlT
    K6BGFov9JFXQTQN0ZjAfBgNVHSMEGDAWgBQfe95iWKlTK6BGFov9JFXQTQN0ZjAP
    BgNVHRMBAf8EBTADAQH/MC0GA1UdEQQmMCSCB3dlYmhvb2uCDndlYmhvb2stc2Vy
    dmVygglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggIBAH7Vv+Iar1UbF41c9I88
    oIu8iWfLVnAfe/64tULy77x4nfEQiukBJDoZ9m19KEVdPqsFzT6lFB7Fu1oc9A28
    5b1+PEynHcopNK41zF4n4FnIy9h8zJfaPYYCPPMT0v9LzuT5zyF5sXCz0o4KwQJ6
    zrggZme8udl9sWyDxZyFoFPLWtnQFY7vJ9LSM2Gt+XUIuYNwDkvGFs6RfBYJGarX
    qq7YHYj0H2x/us3KQCXGX5GzSmM9ewHvaScRpFcCdVwszKwWF0vMvdnh+3P72/Yy
    dQvZXyfNiwqaIdznJn/AjzR9K4dHfbY7wMm83WHwWyjzV6CybHbtWpoUIlZtW3TT
    gz6MP2z+BhOdMiQA33aO38J2TX/CMkEvkagEiZdS9t3xtpF2LOb5bRIdlENtZU0i
    LnhgWEpJmswxBtuJ0d/zcyUlvK7FYoJZB7pT3YX/321HXZVCKyw+xrinwQoI3RnX
    7u0TZ3MqtSKEwCyDWYRJDbs6XUX1G0q7jXBf1+3cd+lBdOZ4Kl5B4YSU9hcFxAuO
    4a1eFXBdmT8PnwoTizFvag3IgBXkf8PqcKNvSMU6UKcD5LYTwRGK3JVl1L79gkrb
    LmWEfOXFHgSlMIZkEs41TiopXy8p/LSera8NR86Q3mTZ7rRdEveOb6ZLJksRqaqr
    UVwpFuaKz5vTCD36Gmmy/u8y
    -----END CERTIFICATE-----
  tls.key: |-
    -----BEGIN PRIVATE KEY-----
    MIIJQAIBADANBgkqhkiG9w0BAQEFAASCCSowggkmAgEAAoICAQDbgAmnUjFux9u2
    Xzhimno5zjA/YsoXr3eFtK9XtByQMLLyT0hbXoa9gpTeafOs3IkCotPdN+omxm2t
    N9UAebAq+EamWyIF28EA3UbCWWULghveezrmAKSMcqQqby3knbcbGng+ZZjRdC3x
    c0uz/sd4FqaLt0UHBDMlpxRskj/S3CDetfyIrKYQcZ5NQjx75aRN8At5OPC1NiWT
    mlsvppa4LLV0HR6AJzq+C6RAmJTcHQOFAq33wZEHHIpoQoGWHHPpT0ut54KIiVTR
    J2o4MEV4KlBBgL3ux4+v7R0RfVmzgaMEDG1fC9tX8pIofv7wP7WX/5XHTjyAiv8g
    bpUWnLiU8FoTDZWxZN+MiCkUvZl8KqotbcUPjhnRdnq4anFwywY1lKILnCIayqzI
    7mPW12h39fNwprFz9YFYbLLoQHekir2nLw8ZH83nNyD82YQ3EFm7UnOld6zw/8aU
    RRuQC0oOEHyAXsvIyaWAb6lWvplDdCUGQWWr7MVp5YPPhWdtAv7B4QLDUNHGQMU/
    1QrqVBH22lcU7XrCh6GXrRVm+gF7kAuJzkuae0txvk9mHc+8Y0C4/i9C3xU2qHjW
    cElwetcHbqOZjDtC8+n8mDD4hDYEMGV54VhXCKwoFLneT2no27S3SVPvNbMfyyNu
    Ua2i5azKnIf439Cmfww7ImxIpOR5nQIDAQABAoIB/2wImLfBvJLJy1n3g8kEPyQ0
    V4rbFJyTwEAOrj58Z5KQZYLdgr91xtt/acYOX+C0qrqhaaV338c14sVetXeGbS65
    BAzczeIURuol/q2pUhJX91+JR3Ps3RBDXImGLxBWj8jHPmd3mb99bx9nn9r3izWP
    8GjTyyWo64OcuHC3irI9pe/3olOiphlx0ng0IZDZdgTmIL+JRu/ptpTvY/IQDB6Z
    4rVDn79zj3X6RN2GO74aiaDtsLJAkyDs6zJliWJYnrQ2UwlE6PpKnXRT8fO1zntW
    WCnlM5ZSomX0TlpNV9kB9ToI48vkChE/UrCb0N5ufPJS2WU/HIgn4WoVA0wd1rqO
    OYfJB1IMY2RoWR9CXO0U51tCji+M83ATq+Fl0Xbxl8grn/q0PWlhmUvS9/Fe8aPA
    yVTkEjT2j7MQGtqAO7L+xTUfVfGpFkDUn+QkM8BgNcygagN5ViOfWDFgMgjaFLrd
    RZMh9kBi3Qjigj0NP4RaK4/ixURMT/FfwiRwEaH/1O1KXB3a0vanVuiXj5+oCrSE
    gRBXdRt2+5FOtli8asre7NLk9unTDY1iEiIsVY8nIV+zmWhf2mR5MB34EoTEIunb
    OaP9kbiJI6MctKoCsfsWNHfUDPsvriQevG65WETZ1/JKxxjxYlv/Xg702Cnk91Qv
    DPrdZCbunMTP3pk5KMECggEBAO0W6hWye+r6e8aBX431Vhv78FDE/suE4iWeCCbA
    to7gTnwWZfAB9ynp61bJDS7jXon7Vk0ExkB6nxNTIEj+Yn86M3+UjjuoadCL6hhL
    h6xpkc1h1mj5A4IR/yi7RQgHmjKGHURgKyFIwAMYPXNVYD1Ozn9DyGmhG4LcGVQS
    zfqclJu5oBCegAkf8EjIaDqMZGJZefxp8UYQy9FjAH1zzG/DXiEWgSPuwoeAu8Ep
    SCKsc8EbmxLl9HvJCwvrVaqfuUygLESc/hZZoUFN6fAOQst2B5FS/ZklUECCGiiW
    7/8nnL7wbILV+AcGYVQrUBij9CtUzBZpcMMkHREkmZeN6wkCggEBAO0B+C+kAoat
    UCfFG5I2Ds4Cro71AEpuWvEl6wtp5WKiZYuHR4ssGDUOshD4uLb44y4mqTphTiU+
    REV0RLQ/9mgFEmErK2glqkRKdskophbPTGQgwxgmfdQWe0Q42yuo47ljNZVEO201
    SxgpOrHlRYzOQ9XGJmuduKxnrarOYfEXJu1WiGbsiEtY/mrMOov6rcbNsZqsWYqG
    kmE5Msg1PsuFvlQ9ndVmE+pd3rEIhYxicD8pyFvonvi2uMmR8HmNShWKi1FZxq8e
    OlIgdsY4BuqnNUrnQprhm0hG5cGwcl5auL2+Jc5Uagm/egvtwxPhx+pVYcimKOL9
    CutpY7BeuvUCggEAC6UrfENXCNSizb4/Bkb9osQ+KolyhmaRgQ2BEv42OVBVKo0j
    FqXSERH3SDz508rBMv/QXloUrsgXFijoFg3AosUmEGcokU+VWvP0XJshH9vTmIXs
    tR0+Cd5+bO691kYhUcf6mggrNihPnhdLtWWFI53CUMfwiRertULAT7vYuC2Gsxtr
    /ET8vvX9pGWLkQyiRZ5lenttqWZbzH4TYRYV/YtYDUIAt9YbYfJ1xmgTrfhQezSy
    6ju3RXk7fKtjesz7mgLoCbq4VDq0y/NawTrCFyJF/uJXqHUHuxNo24OGaD722P4Q
    JmECHL44e5zhA0TSUmqI17T4H+2fK99jV+lVmQKCAQB2nTi3pw54ln56GOSOjS1l
    nuP7udQWbBppe7+ha7MYZQwLA34jwcKvsxYc9k2DjRYtf73L8OzqKLqERAcqaqSI
    NJmZNcC4k7keCmJelFBjNAYYSmk5SfJJVaMFZqsRs6mcm3Eyrf5LzpMxmVi9tW/U
    Y1qBv3R1AW9uIUlCJZ3QyfR6bYdAc3pWs0hI7MMUUTXtO/552W3KrUTPEZA/sJ4n
    v1yczmWSak7nSWltEkW8F3vzsJaMoOQGt3PNtZMzUinUlAzbfuG3vJoVhhfLZjjX
    8Szzur+Twfsz9f+Aqyzh2eeBVouXMpoLHOAY3jp2VdX2ihqxD6+AwoFXhdwVZaON
    AoIBAF0/qvwsFThhB9a1wnXuGx1OBY+9owIoinIF2qNcHuqeontxfLWBg1izelJg
    gxaATIMvpXgt7y5cBx6fLnylpLgl+TNXCrsrcLnXwJz0Neg/gcSZfcnqwhAhTio9
    iYLVJiK8wnh0pXONutGSasgq3tJLyrzT2+1L5jYKUaFkojIR16sHjo3/MJMPTHvL
    fF1DX7y6acz3JXrGJYQsqcrVodSfcGZK/RJQkdvrSdBRZYgWq+CBYViOxkN7cscr
    ruQ/DZH/ZCIxVckbuVsAMqdCqAO0gX83eEp7elfAVlnLhvxPluxISuXaJmhJNafr
    Xq+NinfrqOLJkIZ/u/PJu4KqN3M=
    -----END PRIVATE KEY-----
  1. Create ArgoCD CR reference the tls secret. Ensure the secret and CR are in same namespace
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
spec:
  server:
    route:
      enabled: true
      tls:
        externalCertificate: 
          name: tls-data-secret
        termination: reencrypt
  1. Check the tls.key & tls.certificate in server route. Values should be same as from the secret.
oc get route example-server  -o yaml

@svghadi
Use secret for route tls
8dcab68 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Add e2e test
a71edfb 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Fix lint and add gitleak ignore file
57b524b 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Update openshift api library to latest of 4.14
3b2817d 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Implement custom logic for externalCertificate from latest Route API …
9e9daf4 
…schema

Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Update comment
c1ccc60 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
anandf
anandf reviewed Sep 27, 2024
View reviewed changes
go.mod Show resolved Hide resolved
iam-veeramalla
iam-veeramalla approved these changes Oct 1, 2024
View reviewed changes
Copy link
Collaborator

@iam-veeramalla iam-veeramalla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified the changes locally, LGTM. Thanks @svghadi

@anandf
Copy link
Collaborator

anandf commented Oct 1, 2024

LGTM

anandf
anandf approved these changes Oct 1, 2024
View reviewed changes
Copy link
Collaborator

@anandf anandf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@svghadi svghadi merged commit af45780 into argoproj-labs:master Oct 3, 2024
7 checks passed
@svghadi svghadi deleted the route-tls-secret branch October 3, 2024 03:20
This was referenced Oct 28, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iam-veeramalla iam-veeramalla iam-veeramalla approved these changes

@anandf anandf anandf approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@svghadi @anandf @iam-veeramalla