
Server ignores initial TLS cert #995

Open
mgoodness opened this issue Jan 9, 2019 · 5 comments

Contributor

@mgoodness mgoodness commented Jan 9, 2019

When I deploy Argo CD for the first time I create argocd-secret with the following manifest (sensitive data redacted):

apiVersion: v1
kind: Secret
metadata:
  annotations:
    certmanager.k8s.io/alt-names: argocd.sandbox113.us-east-1.tktm.io
    certmanager.k8s.io/common-name: argocd.sandbox113.us-east-1.tktm.io
    certmanager.k8s.io/issuer-kind: ClusterIssuer
    certmanager.k8s.io/issuer-name: tktm.io
  labels:
    app: argo-cd
    certmanager.k8s.io/certificate-name: argocd-server
    component: server
  name: argocd-secret
data:
  dex.ldap.bindPW: <base64>
  repo.password: <base64>
  repo.username: <base64>
  tls.crt: <base64>
  tls.key: <base64>
type: Opaque

All pods start correctly and I'm able to authenticate with LDAP. Argo CD also connects to my repos using the provided credentials. But when I open the dashboard I get a self-signed TLS cert instead of the one I just provided. Running kubectl get secrets argocd-secret -o json | jq -r '.data."tls.crt"' | base64 -D | openssl x509 -noout -text shows that my cert has in fact been overwritten with a self-signed one.

I then have to re-apply my manifest, after which Argo CD will use my cert. (Note: before rc5 I had to delete the argocd-server pod for the cert to be used.)

I know the self-signed cert isn't supposed to be generated unless tls.cert and tls.key are empty, but it seems like it's being created regardless. Happy to provide logs & help troubleshoot.

@mgoodness mgoodness changed the title Server ignores initial TLS certs Server ignores initial TLS cert Jan 9, 2019

@jessesuen jessesuen commented Jan 9, 2019

I took a closer look. It seems we consider the settings as “incomplete” when other fields like admin password are missing, and blindly clobber the tls.key/tls.crt. I am working on the fix.
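As an added illustration (not Argo CD's own code; the Settings type and function names are assumptions), the all-or-nothing initialization described in the comment above is shown beside a per-field version that only generates a self-signed pair when tls.crt/tls.key are actually empty:

```go
package main

import "fmt"

// Settings is a constructed stand-in for the fields read from argocd-secret.
type Settings struct {
	AdminPassword string
	TLSCert       string
	TLSKey        string
}

// generateSelfSigned stands in for the real certificate generator.
func generateSelfSigned() (string, string) {
	return "SELF-SIGNED-CERT", "SELF-SIGNED-KEY"
}

// initializeBuggy reproduces the reported behaviour: if any field is
// missing, the whole block is treated as "incomplete" and the TLS pair is
// regenerated, clobbering a user-supplied tls.crt/tls.key.
func initializeBuggy(s Settings) Settings {
	incomplete := s.AdminPassword == "" || s.TLSCert == "" || s.TLSKey == ""
	if incomplete {
		if s.AdminPassword == "" {
			s.AdminPassword = "generated-password"
		}
		s.TLSCert, s.TLSKey = generateSelfSigned()
	}
	return s
}

// initializeFixed fills in each missing field independently, so a provided
// TLS pair survives even when other fields (e.g. admin password) are absent.
// A half-present pair (cert without key, or vice versa) is still replaced,
// since a mismatched pair cannot serve TLS.
func initializeFixed(s Settings) Settings {
	if s.AdminPassword == "" {
		s.AdminPassword = "generated-password"
	}
	if s.TLSCert == "" || s.TLSKey == "" {
		s.TLSCert, s.TLSKey = generateSelfSigned()
	}
	return s
}

func main() {
	// Constructed input: user supplied a cert and key but no admin password.
	user := Settings{TLSCert: "USER-CERT", TLSKey: "USER-KEY"}
	fmt.Println("buggy keeps user cert:", initializeBuggy(user).TLSCert == "USER-CERT")
	fmt.Println("fixed keeps user cert:", initializeFixed(user).TLSCert == "USER-CERT")
}
```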

@wreed4 wreed4 commented Apr 25, 2019

This is still happening for me. Even if the cert exists before argo server is started, I need to kill the pod at least once for it not to initialize its own tls.

@jd0x jd0x commented Jul 10, 2019

+1

Same issue mentioned above. The self-signed cert embedded below will overwrite my existing certificate requiring me to recreate my Ingress or patch the argocd-secret with my TLS crt and key.

Subject Alternative Names: localhost, argocd-server, argocd-server.argocd, argocd-server.argocd.svc, argocd-server.argocd.svc.cluster.local
Organization: Argo CD
Valid From: June 9, 2019
Valid To: June 8, 2020
Issuer: Argo CD
Serial Number: 
@alexec alexec reopened this Jul 10, 2019
@alexec alexec added the bug label Jul 10, 2019
Contributor

@alexec alexec commented Jul 10, 2019

It would be really useful to have repro steps.

@alexec alexec added the security label Jul 10, 2019
@stale stale bot commented Sep 8, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Sep 8, 2019
@alexmt alexmt closed this Sep 8, 2019
@alexmt alexmt reopened this Sep 8, 2019
@stale stale bot removed the wontfix label Sep 8, 2019
@alexec alexec added this to the v1.4 milestone Oct 4, 2019
@alexec alexec added the M label Oct 4, 2019