Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support custom CA with s3 repository. Fixes #10560 #11161

Merged
merged 1 commit into from
Aug 16, 2023
Merged

feat: support custom CA with s3 repository. Fixes #10560 #11161

merged 1 commit into from
Aug 16, 2023

Conversation

nsimons
Copy link
Contributor

@nsimons nsimons commented Jun 2, 2023
edited
Loading

Fixes #10560

Motivation

Similarly to the linked issue, we are securing a local s3 repository with an internal CA and would need to get the TLS chain verification working.

Modifications

This PR introduces a new SecretKeySelector parameter to the artifact configuration, caSecret. This secret is automatically mounted to the workflow pod, then the init and wait (executor) containers are configuring their respective s3 clients to use this secret in the TLS connection with the s3 repository.

Documentation added to docs/configure-artifact-repository.md

Depends on a change in argoproj/pkg. We need to allow the caller to set/access HTTP Transport -related functionality in the s3 client. PR: argoproj/pkg#417

Verification

I didn't find a good place to put automatic tests, but I've been verifying with the following setup: https://gist.github.com/nsimons/d0b688dd99f15283af0136515a4aa149

Then running some sample workflows involving artifacts.

@nsimons nsimons mentioned this pull request Jun 2, 2023
Merged
@nsimons
Copy link
Contributor Author

nsimons commented Jun 2, 2023
edited
Loading

This PR will not build correctly without the argoproj/pkg changes in place. I'll update go.mod and set this ready when the other PR gets merged.

Any feedback is more than welcome!

@stale

This comment was marked as resolved.

Sign in to view
@stale stale bot added the problem/stale This has not had a response in some time label Jun 18, 2023
@stale

This comment was marked as resolved.

Sign in to view
@stale stale bot closed this Aug 13, 2023
@terrytangyuan terrytangyuan reopened this Aug 14, 2023
@terrytangyuan
Copy link
Member

Can you rebase and update argoproj/pkg?

@stale stale bot removed the problem/stale This has not had a response in some time label Aug 15, 2023
@tsaarni
feat: support custom CA with s3 repository
1a15c9c 
Signed-off-by: Niklas Simons <niklas.simons@est.tech>
@nsimons nsimons marked this pull request as ready for review August 15, 2023 10:20
@terrytangyuan terrytangyuan enabled auto-merge (squash) August 16, 2023 18:42
@terrytangyuan terrytangyuan merged commit 7b80ce1 into argoproj:master Aug 16, 2023
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@terrytangyuan terrytangyuan terrytangyuan approved these changes

@jessesuen jessesuen Awaiting requested review from jessesuen

@alexec alexec Awaiting requested review from alexec

@sarabala1979 sarabala1979 Awaiting requested review from sarabala1979

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enable TLS communication with ArtifactRepository using Custom CAs
2 participants
@nsimons @terrytangyuan