Skip to content

Commit

Permalink
feat: add TLS config option to HTTP template. Fixes #7390 (#7929)
Browse files Browse the repository at this point in the history
Signed-off-by: Rohan Kumar <[email protected]>
  • Loading branch information
rohankmr414 authored Mar 16, 2022
1 parent 013fa25 commit 057c334
Show file tree
Hide file tree
Showing 5 changed files with 127 additions and 22 deletions.
14 changes: 7 additions & 7 deletions test/e2e/agent_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,19 +37,19 @@ spec:
- - name: one
template: http
arguments:
parameters: [{name: url, value: "http://httpstat.us/200?sleep=5000"}]
parameters: [{name: url, value: "https://httpstat.us/200?sleep=5000"}]
- name: two
template: http
arguments:
parameters: [{name: url, value: "http://httpstat.us/200?sleep=5000"}]
parameters: [{name: url, value: "https://httpstat.us/200?sleep=5000"}]
- name: three
template: http
arguments:
parameters: [{name: url, value: "http://httpstat.us/200?sleep=5000"}]
parameters: [{name: url, value: "https://httpstat.us/200?sleep=5000"}]
- name: four
template: http
arguments:
parameters: [{name: url, value: "http://httpstat.us/200?sleep=5000"}]
parameters: [{name: url, value: "https://httpstat.us/200?sleep=5000"}]
- name: http
inputs:
parameters:
Expand Down Expand Up @@ -102,15 +102,15 @@ spec:
- - name: http-status-is-201-fails
template: http-status-is-201
arguments:
parameters: [{name: url, value: "http://httpstat.us/200"}]
parameters: [{name: url, value: "https://httpstat.us/200"}]
- name: http-status-is-201-succeeds
template: http-status-is-201
arguments:
parameters: [{name: url, value: "http://httpstat.us/201"}]
parameters: [{name: url, value: "https://httpstat.us/201"}]
- name: http-body-contains-google-fails
template: http-body-contains-google
arguments:
parameters: [{name: url, value: "http://httpstat.us/200"}]
parameters: [{name: url, value: "https://httpstat.us/200"}]
- name: http-body-contains-google-succeeds
template: http-body-contains-google
arguments:
Expand Down
1 change: 1 addition & 0 deletions test/e2e/manifests/minimal/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ resources:
- https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/base/crds/argoproj.io_eventbus.yaml
- https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/base/crds/argoproj.io_eventsources.yaml
- https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/base/crds/argoproj.io_sensors.yaml
- ../mixins/argo-workflows-agent-ca-certificates.yaml

patchesStrategicMerge:
- ../mixins/argo-server-deployment.yaml
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# You can use the following command to generate a self-signed certificate:
# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
# also see: https://stackoverflow.com/a/10176685
apiVersion: v1
kind: Secret
metadata:
name: argo-workflows-agent-ca-certificates
stringData:
customcert.pem: >
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
3 changes: 3 additions & 0 deletions workflow/common/common.go
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,9 @@ const (
ServiceAccountTokenVolumeName = "exec-sa-token" //nolint:gosec
SecretVolMountPath = "/argo/secret"

// CACertificatesVolumeMountName is the name of the secret that contains the CA certificates.
CACertificatesVolumeMountName = "argo-workflows-agent-ca-certificates"

// ArgoProgressPath defines the path to a file used for self reporting progress
ArgoProgressPath = "/var/run/argo/progress"

Expand Down
100 changes: 85 additions & 15 deletions workflow/controller/agent.go
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,42 @@ func assessAgentPodStatus(pod *apiv1.Pod) (wfv1.WorkflowPhase, string) {
return newPhase, message
}

func (woc *wfOperationCtx) secretExists(ctx context.Context, name string) (bool, error) {
_, err := woc.controller.kubeclientset.CoreV1().Secrets(woc.wf.Namespace).Get(ctx, name, metav1.GetOptions{})
if err != nil {
if apierr.IsNotFound(err) {
return false, nil
}
return false, err
}
return true, nil
}

func (woc *wfOperationCtx) getCertVolumeMount(ctx context.Context, name string) (*apiv1.Volume, *apiv1.VolumeMount, error) {
exists, err := woc.secretExists(ctx, name)
if err != nil {
return nil, nil, fmt.Errorf("failed to check if secret %s exists: %v", name, err)
}
if exists {
certVolume := &apiv1.Volume{
Name: name,
VolumeSource: apiv1.VolumeSource{
Secret: &apiv1.SecretVolumeSource{
SecretName: name,
},
}}

certVolumeMount := &apiv1.VolumeMount{
Name: name,
MountPath: "/etc/ssl/certs/ca-certificates/",
ReadOnly: true,
}

return certVolume, certVolumeMount, nil
}
return nil, nil, nil
}

func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, error) {
podName := woc.getAgentPodName()
log := woc.log.WithField("podName", podName)
Expand All @@ -88,6 +124,11 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
}
}

certVolume, certVolumeMount, err := woc.getCertVolumeMount(ctx, common.CACertificatesVolumeMountName)
if err != nil {
return nil, err
}

pluginSidecars := woc.getExecutorPlugins()
envVars := []apiv1.EnvVar{
{Name: common.EnvVarWorkflowName, Value: woc.wf.Name},
Expand All @@ -111,6 +152,46 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
// Intentionally randomize the name so that plugins cannot determine it.
tokenVolumeName := fmt.Sprintf("kube-api-access-%s", rand.String(5))

var podVolumes []apiv1.Volume
var podVolumeMounts []apiv1.VolumeMount
if certVolume != nil && certVolumeMount != nil {
podVolumes = []apiv1.Volume{
{
Name: tokenVolumeName,
VolumeSource: apiv1.VolumeSource{
Secret: &apiv1.SecretVolumeSource{SecretName: secretName},
},
},
*certVolume,
}

podVolumeMounts = []apiv1.VolumeMount{
{
Name: tokenVolumeName,
MountPath: common.ServiceAccountTokenMountPath,
ReadOnly: true,
},
*certVolumeMount,
}
} else {
podVolumes = []apiv1.Volume{
{
Name: tokenVolumeName,
VolumeSource: apiv1.VolumeSource{
Secret: &apiv1.SecretVolumeSource{SecretName: secretName},
},
},
}

podVolumeMounts = []apiv1.VolumeMount{
{
Name: tokenVolumeName,
MountPath: common.ServiceAccountTokenMountPath,
ReadOnly: true,
},
}
}

pod := &apiv1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: podName,
Expand All @@ -136,14 +217,8 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
},
ServiceAccountName: serviceAccountName,
AutomountServiceAccountToken: pointer.BoolPtr(false),
Volumes: []apiv1.Volume{
{
Name: tokenVolumeName,
VolumeSource: apiv1.VolumeSource{
Secret: &apiv1.SecretVolumeSource{SecretName: secretName},
},
},
},
Volumes: podVolumes,

Containers: append(
pluginSidecars,
apiv1.Container{
Expand All @@ -153,6 +228,7 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
Image: woc.controller.executorImage(),
ImagePullPolicy: woc.controller.executorImagePullPolicy(),
Env: envVars,

SecurityContext: &apiv1.SecurityContext{
Capabilities: &apiv1.Capabilities{
Drop: []apiv1.Capability{"ALL"},
Expand All @@ -172,13 +248,7 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
"memory": resource.MustParse(env.LookupEnvStringOr("ARGO_AGENT_MEMORY_LIMIT", "256M")),
},
},
VolumeMounts: []apiv1.VolumeMount{
{
Name: tokenVolumeName,
MountPath: common.ServiceAccountTokenMountPath,
ReadOnly: true,
},
},
VolumeMounts: podVolumeMounts,
},
),
},
Expand Down

0 comments on commit 057c334

Please sign in to comment.