use self-signed cert for argocd server (#352)
Signed-off-by: Manabu McCloskey <[email protected]>
nabuskey authored Aug 5, 2024
1 parent f82ac2c commit 71fefc7
Showing 5 changed files with 46 additions and 28 deletions.
3 changes: 2 additions & 1 deletion globals/project.go
Expand Up @@ -5,7 +5,8 @@ import "fmt"
const (
ProjectName string = "idpbuilder"

NginxNamespace string = "ingress-nginx"
NginxNamespace string = "ingress-nginx"
ArgoCDNamespace string = "argocd"

SelfSignedCertSecretName = "idpbuilder-cert"
SelfSignedCertCMName = "idpbuilder-cert"
55 changes: 37 additions & 18 deletions pkg/build/tls.go
Expand Up @@ -25,12 +25,32 @@ import (
)

const (
certificateOrgName = "cnoe.io"
certificateOrgName = "cnoe.io"
certificateValidLength = time.Hour * 8766
argocdTLSSecretName = "argocd-server-tls"
)

var (
certificateValidLength = time.Hour * 8766 // one year
)
func createCertificateAndKeySecret(ctx context.Context, kubeClient client.Client, name, namespace string, cert, key []byte) error {
secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
},
Type: corev1.SecretTypeTLS,
Data: map[string][]byte{
corev1.TLSCertKey: cert,
corev1.TLSPrivateKeyKey: key,
},
}
err := kubeClient.Create(ctx, secret)
if err != nil {
if k8serrors.IsAlreadyExists(err) {
return nil
}
return err
}
return nil
}

func createIngressCertificateSecret(ctx context.Context, kubeClient client.Client, cert []byte) error {
secret := &corev1.Secret{
Expand Down Expand Up @@ -86,20 +106,9 @@ func getOrCreateIngressCertificateAndKey(ctx context.Context, kubeClient client.
return nil, nil, cErr
}

secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
},
Type: corev1.SecretTypeTLS,
StringData: map[string]string{
corev1.TLSPrivateKeyKey: string(privateKey),
corev1.TLSCertKey: string(cert),
},
}
cErr = kubeClient.Create(ctx, secret)
cErr = createCertificateAndKeySecret(ctx, kubeClient, name, namespace, cert, privateKey)
if cErr != nil {
return nil, nil, fmt.Errorf("creating secret %s: %w", secret.Name, err)
return nil, nil, fmt.Errorf("creating secret %s: %w", name, err)
}
return cert, privateKey, nil
} else {
Expand Down Expand Up @@ -178,6 +187,10 @@ func setupSelfSignedCertificate(ctx context.Context, logger logr.Logger, kubecli
return nil, err
}

if err := k8s.EnsureNamespace(ctx, kubeclient, globals.ArgoCDNamespace); err != nil {
return nil, err
}

sans := []string{
globals.DefaultHostName,
globals.DefaultSANWildcard,
Expand All @@ -190,7 +203,7 @@ func setupSelfSignedCertificate(ctx context.Context, logger logr.Logger, kubecli
}

logger.V(1).Info("Creating/getting certificate", "host", config.Host, "sans", sans)
cert, _, err := getOrCreateIngressCertificateAndKey(ctx, kubeclient, globals.SelfSignedCertSecretName, globals.NginxNamespace, sans)
cert, privateKey, err := getOrCreateIngressCertificateAndKey(ctx, kubeclient, globals.SelfSignedCertSecretName, globals.NginxNamespace, sans)
if err != nil {
return nil, err
}
Expand All @@ -200,5 +213,11 @@ func setupSelfSignedCertificate(ctx context.Context, logger logr.Logger, kubecli
if err != nil {
return nil, err
}

logger.V(1).Info("Creating secret for ArgoCD server", "host", config.Host)
err = createCertificateAndKeySecret(ctx, kubeclient, argocdTLSSecretName, globals.ArgoCDNamespace, cert, privateKey)
if err != nil {
return nil, err
}
return cert, nil
}
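Review bot: The wrapped error at `return nil, nil, fmt.Errorf("creating secret %s: %w", name, err)` wraps `err` although the Create result on the line above is assigned to `cErr`, so the returned error does not carry the actual create failure; the commit rewrote this line but kept the wrong variable, and it should read `return nil, nil, fmt.Errorf("creating secret %s: %w", name, cErr)`. getOrCreateIngressCertificateAndKey starts and ends outside the hunk. Separately, createCertificateAndKeySecret returns nil on IsAlreadyExists without looking at the existing data, so once the ingress secret in globals.NginxNamespace is regenerated, the argocd-server-tls secret written by setupSelfSignedCertificate keeps the old certificate and key and Argo CD would present a certificate that no longer matches the one nginx serves; a Get followed by Update when the data differs, or a comment on createCertificateAndKeySecret stating that an existing secret is intentionally left untouched, would make that behaviour explicit. Note also that the private key now lives in two namespaces, so read access to secrets in the argocd namespace is enough to obtain the ingress key, which is worth a comment on the new call site.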
7 changes: 2 additions & 5 deletions pkg/controllers/localbuild/argo.go
Expand Up @@ -5,6 +5,7 @@ import (
"embed"

"github.com/cnoe-io/idpbuilder/api/v1alpha1"
"github.com/cnoe-io/idpbuilder/globals"
"github.com/cnoe-io/idpbuilder/pkg/k8s"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
Expand All @@ -14,10 +15,6 @@ import (
//go:embed resources/argo/*
var installArgoFS embed.FS

const (
argocdNamespace string = "argocd"
)

func RawArgocdInstallResources(templateData any, config v1alpha1.PackageCustomization, scheme *runtime.Scheme) ([][]byte, error) {
return k8s.BuildCustomizedManifests(config.FilePath, "resources/argo", installArgoFS, scheme, templateData)
}
Expand All @@ -27,7 +24,7 @@ func (r *LocalbuildReconciler) ReconcileArgo(ctx context.Context, req ctrl.Reque
name: "Argo CD",
resourcePath: "resources/argo",
resourceFS: installArgoFS,
namespace: argocdNamespace,
namespace: globals.ArgoCDNamespace,
monitoredResources: map[string]schema.GroupVersionKind{
"argocd-server": {
Group: "apps",
3 changes: 2 additions & 1 deletion pkg/controllers/localbuild/argo_test.go
Expand Up @@ -6,6 +6,7 @@ import (

argov1alpha1 "github.com/cnoe-io/argocd-api/api/argo/application/v1alpha1"
"github.com/cnoe-io/idpbuilder/api/v1alpha1"
"github.com/cnoe-io/idpbuilder/globals"
"github.com/cnoe-io/idpbuilder/pkg/k8s"
"github.com/cnoe-io/idpbuilder/pkg/util"
"github.com/stretchr/testify/assert"
Expand Down Expand Up @@ -137,7 +138,7 @@ func TestArgoCDAppAnnotation(t *testing.T) {
for i := range cases {
c := cases[i]
fClient := new(fakeKubeClient)
fClient.On("List", ctx, mock.Anything, []client.ListOption{client.InNamespace(argocdNamespace)}).
fClient.On("List", ctx, mock.Anything, []client.ListOption{client.InNamespace(globals.ArgoCDNamespace)}).
Run(func(args mock.Arguments) {
apps := args.Get(1).(*argov1alpha1.ApplicationList)
apps.Items = c.listApps
6 changes: 3 additions & 3 deletions pkg/controllers/localbuild/controller.go
Expand Up @@ -230,7 +230,7 @@ func (r *LocalbuildReconciler) reconcileEmbeddedApp(ctx context.Context, appName
app := &argov1alpha1.Application{
ObjectMeta: metav1.ObjectMeta{
Name: appName,
Namespace: argocdNamespace,
Namespace: globals.ArgoCDNamespace,
},
}

Expand Down Expand Up @@ -542,7 +542,7 @@ func (r *LocalbuildReconciler) reconcileGitRepo(ctx context.Context, resource *v

func (r *LocalbuildReconciler) requestArgoCDAppRefresh(ctx context.Context) error {
apps := &argov1alpha1.ApplicationList{}
err := r.Client.List(ctx, apps, client.InNamespace(argocdNamespace))
err := r.Client.List(ctx, apps, client.InNamespace(globals.ArgoCDNamespace))
if err != nil {
return fmt.Errorf("listing argocd apps for refresh: %w", err)
}
Expand All @@ -559,7 +559,7 @@ func (r *LocalbuildReconciler) requestArgoCDAppRefresh(ctx context.Context) erro

func (r *LocalbuildReconciler) requestArgoCDAppSetRefresh(ctx context.Context) error {
appsets := &argov1alpha1.ApplicationSetList{}
err := r.Client.List(ctx, appsets, client.InNamespace(argocdNamespace))
err := r.Client.List(ctx, appsets, client.InNamespace(globals.ArgoCDNamespace))
if err != nil {
return fmt.Errorf("listing argocd apps for refresh: %w", err)
}
