
Commit c935502

authored
feat(argo-cd): Add Repo Server strict TLS cert support (argoproj#1673)
Signed-off-by: Karl Parry <[email protected]>
1 parent a918b83 commit c935502


5 files changed

+50
-2
lines changed


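--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v2.5.3
 kubeVersion: ">=1.22.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.14.3
+version: 5.15.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@@ -23,4 +23,4 @@ dependencies:
 condition: redis-ha.enabled
 annotations:
 artifacthub.io/changes: |
-- "[Changed]: Update to app version 2.5.3"
+- "[Added]: Ability to deploy argocd-repo-server-server-tls secret and configure Strict TLS for Repo Server"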

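--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@@ -522,6 +522,12 @@ NAME: my-release
 | repoServer.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the repo server [HPA] |
 | repoServer.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the repo server [HPA] |
 | repoServer.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the repo server [HPA] |
+| repoServer.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-repo-server-tls secret |
+| repoServer.certificateSecret.ca | string | `""` | Certificate authority. Required for self-signed certificates. |
+| repoServer.certificateSecret.crt | string | `""` | Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc) |
+| repoServer.certificateSecret.enabled | bool | `false` | Create argocd-repo-server-tls secret |
+| repoServer.certificateSecret.key | string | `""` | Certificate private key |
+| repoServer.certificateSecret.labels | object | `{}` | Labels to be added to argocd-repo-server-tls secret |
 | repoServer.clusterAdminAccess.enabled | bool | `false` | Enable RBAC for local cluster deployments |
 | repoServer.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the Repo server's Cluster Role resource |
 | repoServer.clusterRoleRules.rules | list | `[]` | List of custom rules for the Repo server's Cluster Role resource |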

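--- a/charts/argo-cd/templates/_helpers.tpl
+++ b/charts/argo-cd/templates/_helpers.tpl
@@ -194,6 +194,7 @@ Argo Params Default Configuration Presets
 */}}
 {{- define "argo-cd.config.params.presets" -}}
 repo.server: "{{ include "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}"
+server.repo.server.strict.tls: {{ .Values.repoServer.certificateSecret.enabled | toString }}
 {{- with include "argo-cd.redis.server" . }}
 redis.server: {{ . | quote }}
 {{- end }}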
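Review bot: The added preset line turns on strict TLS only for the API server's connection to the repo server; the application controller has its own `controller.repo.server.strict.tls` parameter, which this hunk leaves unset, so that client would presumably keep connecting without verifying the certificate. If the intent is to verify the repo server certificate from every client, add `controller.repo.server.strict.tls: {{ .Values.repoServer.certificateSecret.enabled | quote }}` next to it. The new value is also emitted unquoted via `toString`, unlike the quoted `repo.server` and `redis.server` entries around it; `| quote` would keep it a string however the preset is parsed later. The `define` block ends outside the hunk.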
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
{{- if and .Values.repoServer.enabled .Values.repoServer.certificateSecret.enabled }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: argocd-repo-server-tls
6+
labels:
7+
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "repo-server-tls") | nindent 4 }}
8+
{{- with .Values.repoServer.certificateSecret.labels }}
9+
{{- toYaml . | nindent 4 }}
10+
{{- end }}
11+
{{- with .Values.repoServer.certificateSecret.annotations }}
12+
annotations:
13+
{{- range $key, $value := . }}
14+
{{ $key }}: {{ $value | quote }}
15+
{{- end }}
16+
{{- end }}
17+
type: kubernetes.io/tls
18+
data:
19+
{{- with .Values.repoServer.certificateSecret.ca }}
20+
ca.crt: {{ . | b64enc | quote }}
21+
{{- end }}
22+
tls.crt: {{ .Values.repoServer.certificateSecret.crt | b64enc | quote }}
23+
tls.key: {{ .Values.repoServer.certificateSecret.key | b64enc | quote }}
24+
{{- end }}
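Review bot: `tls.crt` and `tls.key` are rendered unconditionally, so `certificateSecret.enabled: true` with the default empty `crt`/`key` produces a `kubernetes.io/tls` Secret with empty data while the helper preset switches strict TLS on at the same time. Failing at render time is safer than deploying a repo server whose certificate its clients cannot verify: `tls.crt: {{ required "repoServer.certificateSecret.crt is required" .Values.repoServer.certificateSecret.crt | b64enc | quote }}`, and the same guard for `tls.key`. For consistency with the labels block, the annotations loop could use `toYaml . | nindent 4` instead of the hand-written `range`.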

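--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@@ -1982,6 +1982,23 @@ repoServer:
 # cpu: 10m
 # memory: 64Mi
 
+# TLS certificate configuration via Secret
+## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-repo-server
+## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart repo server automatically without extra controllers.
+certificateSecret:
+# -- Create argocd-repo-server-tls secret
+enabled: false
+# -- Annotations to be added to argocd-repo-server-tls secret
+annotations: {}
+# -- Labels to be added to argocd-repo-server-tls secret
+labels: {}
+# -- Certificate authority. Required for self-signed certificates.
+ca: ''
+# -- Certificate private key
+key: ''
+# -- Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc)
+crt: ''
+
 ## Repo server service configuration
 service:
 # -- Repo server service annotations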
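Review bot: The comment on `key` does not say that the private key becomes a plain chart value, which Helm keeps in the release record and which often ends up in a committed values file. I would extend it to `# -- Certificate private key. Treat as a secret: pass with --set-file or an encrypted values file, do not commit it`. The cert-manager note above it has a typo (`in not supported` should read `is not supported`), and it would help to state there that the same `enabled` flag also switches strict TLS on. The `repoServer:` block starts before and continues past this hunk.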
