From 71fefc7e458b4a41886a60cff4ae12eee60e1538 Mon Sep 17 00:00:00 2001
From: Manabu McCloskey
Date: Mon, 5 Aug 2024 10:19:24 -0700
Subject: [PATCH] use self-signed cert for argocd server (#352)
Signed-off-by: Manabu McCloskey
---
 globals/project.go | 3 +-
 pkg/build/tls.go | 55 ++++++++++++++++--------
 pkg/controllers/localbuild/argo.go | 7 +--
 pkg/controllers/localbuild/argo_test.go | 3 +-
 pkg/controllers/localbuild/controller.go | 6 +--
 5 files changed, 46 insertions(+), 28 deletions(-)
diff --git a/globals/project.go b/globals/project.go
index 38d385b0..f19e8096 100644
--- a/globals/project.go
+++ b/globals/project.go
@@ -5,7 +5,8 @@ import "fmt"
 const (
 ProjectName string = "idpbuilder"
- NginxNamespace string = "ingress-nginx"
+ NginxNamespace string = "ingress-nginx"
+ ArgoCDNamespace string = "argocd"
 SelfSignedCertSecretName = "idpbuilder-cert"
 SelfSignedCertCMName = "idpbuilder-cert"
diff --git a/pkg/build/tls.go b/pkg/build/tls.go
index 84751023..b19a504b 100644
--- a/pkg/build/tls.go
+++ b/pkg/build/tls.go
@@ -25,12 +25,32 @@ import (
 )
 const (
- certificateOrgName = "cnoe.io"
+ certificateOrgName = "cnoe.io"
+ certificateValidLength = time.Hour * 8766
+ argocdTLSSecretName = "argocd-server-tls"
 )
-var (
- certificateValidLength = time.Hour * 8766 // one year
-)
+func createCertificateAndKeySecret(ctx context.Context, kubeClient client.Client, name, namespace string, cert, key []byte) error {
+ secret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: namespace,
+ },
+ Type: corev1.SecretTypeTLS,
+ Data: map[string][]byte{
+ corev1.TLSCertKey: cert,
+ corev1.TLSPrivateKeyKey: key,
+ },
+ }
+ err := kubeClient.Create(ctx, secret)
+ if err != nil {
+ if k8serrors.IsAlreadyExists(err) {
+ return nil
+ }
+ return err
+ }
+ return nil
+}
 func createIngressCertificateSecret(ctx context.Context, kubeClient client.Client, cert []byte) error {
 secret := &corev1.Secret{
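Review bot: `createCertificateAndKeySecret` treats `IsAlreadyExists` as success without checking that the existing secret carries the same `cert`/`key`, so if the ingress key pair is ever regenerated while an older `argocd-server-tls` secret remains (the caller in the later `setupSelfSignedCertificate` hunk relies on this helper), the Argo CD server silently keeps stale material and the two endpoints present different certificates. Consider fetching the existing secret on that branch and calling `Update` when `Data` differs, or at minimum add a doc comment stating the contract: `// createCertificateAndKeySecret creates a kubernetes.io/tls secret holding cert and key. An existing secret with the same name is left untouched, even if its contents differ.` The `// one year` rationale was dropped when `certificateValidLength` moved into the const block; `certificateValidLength = time.Hour * 8766 // one year` keeps the reason for the magic number visible.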
@@ -86,20 +106,9 @@ func getOrCreateIngressCertificateAndKey(ctx context.Context, kubeClient client.
 return nil, nil, cErr
 }
- secret := &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: name,
- Namespace: namespace,
- },
- Type: corev1.SecretTypeTLS,
- StringData: map[string]string{
- corev1.TLSPrivateKeyKey: string(privateKey),
- corev1.TLSCertKey: string(cert),
- },
- }
- cErr = kubeClient.Create(ctx, secret)
+ cErr = createCertificateAndKeySecret(ctx, kubeClient, name, namespace, cert, privateKey)
 if cErr != nil {
- return nil, nil, fmt.Errorf("creating secret %s: %w", secret.Name, err)
+ return nil, nil, fmt.Errorf("creating secret %s: %w", name, err)
 }
 return cert, privateKey, nil
 } else {
@@ -178,6 +187,10 @@ func setupSelfSignedCertificate(ctx context.Context, logger logr.Logger, kubecli
 return nil, err
 }
+ if err := k8s.EnsureNamespace(ctx, kubeclient, globals.ArgoCDNamespace); err != nil {
+ return nil, err
+ }
+
 sans := []string{
 globals.DefaultHostName,
 globals.DefaultSANWildcard,
@@ -190,7 +203,7 @@ func setupSelfSignedCertificate(ctx context.Context, logger logr.Logger, kubecli
 }
 logger.V(1).Info("Creating/getting certificate", "host", config.Host, "sans", sans)
- cert, _, err := getOrCreateIngressCertificateAndKey(ctx, kubeclient, globals.SelfSignedCertSecretName, globals.NginxNamespace, sans)
+ cert, privateKey, err := getOrCreateIngressCertificateAndKey(ctx, kubeclient, globals.SelfSignedCertSecretName, globals.NginxNamespace, sans)
 if err != nil {
 return nil, err
 }
@@ -200,5 +213,11 @@ func setupSelfSignedCertificate(ctx context.Context, logger logr.Logger, kubecli
 if err != nil {
 return nil, err
 }
+
+ logger.V(1).Info("Creating secret for ArgoCD server", "host", config.Host)
+ err = createCertificateAndKeySecret(ctx, kubeclient, argocdTLSSecretName, globals.ArgoCDNamespace, cert, privateKey)
+ if err != nil {
+ return nil, err
+ }
 return cert, nil
 }
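Review bot: The rewritten error line in the `getOrCreateIngressCertificateAndKey` hunk wraps `err` while the condition it sits under tests `cErr`, so the actual create failure is discarded and whatever `err` holds at that point (declared outside this hunk, possibly nil or unrelated) is reported instead. The line should read `return nil, nil, fmt.Errorf("creating secret %s: %w", name, cErr)`. This mismatch predates the commit, but the commit rewrites the line and is the natural place to correct it; the enclosing function begins and ends outside the hunk.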
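Review bot: In the last `setupSelfSignedCertificate` hunk the new `createCertificateAndKeySecret` call returns its error bare, whereas the sibling create path in `getOrCreateIngressCertificateAndKey` wraps it with the secret name; `return nil, fmt.Errorf("creating secret %s: %w", argocdTLSSecretName, err)` keeps the chain consistent and tells the operator which secret failed. The copy also places the ingress private key in a second namespace, which the surrounding code does not spell out; a comment above the call such as `// The Argo CD server presents the same self-signed cert and key as the ingress, so the key is readable from both namespaces.` records that trust decision for whoever scopes secret access later. The enclosing function begins outside this hunk.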
diff --git a/pkg/controllers/localbuild/argo.go b/pkg/controllers/localbuild/argo.go
index 10e11f0d..bf21aa1d 100644
--- a/pkg/controllers/localbuild/argo.go
+++ b/pkg/controllers/localbuild/argo.go
@@ -5,6 +5,7 @@ import (
 "embed"
 "github.com/cnoe-io/idpbuilder/api/v1alpha1"
+ "github.com/cnoe-io/idpbuilder/globals"
 "github.com/cnoe-io/idpbuilder/pkg/k8s"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
@@ -14,10 +15,6 @@ import (
 //go:embed resources/argo/*
 var installArgoFS embed.FS
-const (
- argocdNamespace string = "argocd"
-)
-
 func RawArgocdInstallResources(templateData any, config v1alpha1.PackageCustomization, scheme *runtime.Scheme) ([][]byte, error) {
 return k8s.BuildCustomizedManifests(config.FilePath, "resources/argo", installArgoFS, scheme, templateData)
 }
@@ -27,7 +24,7 @@ func (r *LocalbuildReconciler) ReconcileArgo(ctx context.Context, req ctrl.Reque
 name: "Argo CD",
 resourcePath: "resources/argo",
 resourceFS: installArgoFS,
- namespace: argocdNamespace,
+ namespace: globals.ArgoCDNamespace,
 monitoredResources: map[string]schema.GroupVersionKind{
 "argocd-server": {
 Group: "apps",
diff --git a/pkg/controllers/localbuild/argo_test.go b/pkg/controllers/localbuild/argo_test.go
index 99f787eb..98c800a4 100644
--- a/pkg/controllers/localbuild/argo_test.go
+++ b/pkg/controllers/localbuild/argo_test.go
@@ -6,6 +6,7 @@ import (
 argov1alpha1 "github.com/cnoe-io/argocd-api/api/argo/application/v1alpha1"
 "github.com/cnoe-io/idpbuilder/api/v1alpha1"
+ "github.com/cnoe-io/idpbuilder/globals"
 "github.com/cnoe-io/idpbuilder/pkg/k8s"
 "github.com/cnoe-io/idpbuilder/pkg/util"
 "github.com/stretchr/testify/assert"
@@ -137,7 +138,7 @@ func TestArgoCDAppAnnotation(t *testing.T) {
 for i := range cases {
 c := cases[i]
 fClient := new(fakeKubeClient)
- fClient.On("List", ctx, mock.Anything, []client.ListOption{client.InNamespace(argocdNamespace)}).
+ fClient.On("List", ctx, mock.Anything, []client.ListOption{client.InNamespace(globals.ArgoCDNamespace)}).
 Run(func(args mock.Arguments) {
 apps := args.Get(1).(*argov1alpha1.ApplicationList)
 apps.Items = c.listApps
diff --git a/pkg/controllers/localbuild/controller.go b/pkg/controllers/localbuild/controller.go
index 046fa78e..97091bea 100644
--- a/pkg/controllers/localbuild/controller.go
+++ b/pkg/controllers/localbuild/controller.go
@@ -230,7 +230,7 @@ func (r *LocalbuildReconciler) reconcileEmbeddedApp(ctx context.Context, appName
 app := &argov1alpha1.Application{
 ObjectMeta: metav1.ObjectMeta{
 Name: appName,
- Namespace: argocdNamespace,
+ Namespace: globals.ArgoCDNamespace,
 },
 }
@@ -542,7 +542,7 @@ func (r *LocalbuildReconciler) reconcileGitRepo(ctx context.Context, resource *v
 func (r *LocalbuildReconciler) requestArgoCDAppRefresh(ctx context.Context) error {
 apps := &argov1alpha1.ApplicationList{}
- err := r.Client.List(ctx, apps, client.InNamespace(argocdNamespace))
+ err := r.Client.List(ctx, apps, client.InNamespace(globals.ArgoCDNamespace))
 if err != nil {
 return fmt.Errorf("listing argocd apps for refresh: %w", err)
 }
@@ -559,7 +559,7 @@ func (r *LocalbuildReconciler) requestArgoCDAppSetRefresh(ctx context.Context) erro
 func (r *LocalbuildReconciler) requestArgoCDAppSetRefresh(ctx context.Context) error {
 appsets := &argov1alpha1.ApplicationSetList{}
- err := r.Client.List(ctx, appsets, client.InNamespace(argocdNamespace))
+ err := r.Client.List(ctx, appsets, client.InNamespace(globals.ArgoCDNamespace))
 if err != nil {
 return fmt.Errorf("listing argocd apps for refresh: %w", err)
 }