@simu simu commented Oct 30, 2024

Unfortunately, the argocd-operator currently doesn't refresh the certificate stored in secret syn-argocd-tls even when the certificate is expired or expires soon (cf. https://github.com/argoproj-labs/argocd-operator/blob/17e355a31b8e2bb7c2ad9a349818e2940bf22fd8/controllers/argocd/secret.go#L224-L257).

To circumvent the certificate expiring (the lifetime is hardcoded to 1 year), we deploy a CronJob which deletes the syn-argocd-tls secret every 4 months to force the operator to recreate it with a new certificate.

Checklist

  • The PR has a meaningful title. It will be used to auto-generate the
    changelog.
  • The PR has a meaningful description that sums up the change. It will be
    linked in the changelog.
  • PR contains a single logical change (to build a better changelog).
  • Categorize the PR by adding one of the labels:
    bug, enhancement, documentation, change, breaking, dependency
    as they show up in the changelog.

@simu simu added bug Something isn't working bump:patch labels Oct 30, 2024
@simu simu requested a review from a team October 30, 2024 15:57
github-actions bot commented Oct 30, 2024

🚀 This PR has been released as v8.5.21

Triggering workflows Release

🛠️ Auto tagging enabled with label bump:patch

@github-actions

🚀 Merging this PR will release v8.5.21

Merging will trigger workflows Release

🛠️ Auto tagging enabled with label bump:patch

@haasad haasad left a comment

Afaict the CA secrets also needs to be renewed manually

Co-authored-by: Adrian Haas <11636405+haasad@users.noreply.github.com>
@simu simu force-pushed the fix/refresh-tls-secret branch from 8b673d4 to 3e39695 Compare October 30, 2024 16:20
@simu simu requested a review from haasad October 30, 2024 16:21
@simu simu merged commit 68da149 into master Oct 30, 2024
13 checks passed
@simu simu deleted the fix/refresh-tls-secret branch October 30, 2024 16:31