diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet
index e321f51c..1a569abb 100644
--- a/component/argocd.jsonnet
+++ b/component/argocd.jsonnet
@@ -405,6 +405,85 @@ local webhook_certs = [
 },
 ];
+// Manually trigger refresh of ArgoCD TLS certificate. Currently the operator
+// will not do anything if it sees that the secret `syn-argocd-tls` exists
+// even if the certificate stored in the secret expired or is expiring soon.
+local tls_sa = kube.ServiceAccount('syn-argocd-tls-refresher') {
+ metadata+: {
+ namespace: params.namespace,
+ },
+};
+local tls_role = kube.Role('syn-argocd-tls-refresher') {
+ metadata+: {
+ namespace: params.namespace,
+ },
+ rules: [ {
+ apiGroups: [ '' ],
+ resources: [ 'secrets' ],
+ verbs: [ 'delete' ],
+ resourceNames: [
+ 'syn-argocd-tls',
+ 'syn-argocd-ca',
+ ],
+ } ],
+};
+local tls_rolebinding = kube.RoleBinding('syn-argocd-tls-refresher') {
+ metadata+: {
+ namespace: params.namespace,
+ },
+ subjects_: [ tls_sa ],
+ roleRef_: tls_role,
+};
+local tls_cronjob =
+ local homedir = '/home/refresh';
+ kube.CronJob('syn-argocd-tls-refresher') {
+ metadata+: {
+ namespace: params.namespace,
+ },
+ spec+: {
+ failedJobsHistoryLimit: 3,
+ // At 09:00 on the first day of the month every 4th month.
+ schedule: '0 9 1 */4 *',
+ jobTemplate+: {
+ spec+: {
+ template+: {
+ spec+: {
+ containers_: {
+ refresh: kube.Container('refresh') {
+ image: common.render_image('kubectl'),
+ command: [
+ 'kubectl',
+ 'delete',
+ 'secret',
+ 'syn-argocd-tls',
+ 'syn-argocd-ca',
+ ],
+ env_: {
+ HOME: homedir,
+ },
+ volumeMounts_+: {
+ home: { mountPath: homedir },
+ },
+ },
+ },
+ serviceAccountName: tls_sa.metadata.name,
+ volumes_+: {
+ home: { emptyDir: {} },
+ },
+ },
+ },
+ },
+ },
+ },
+ };
+
+local tls_refresh = [
+ tls_sa,
+ tls_role,
+ tls_rolebinding,
+ tls_cronjob,
+];
+
 {
 '00_vault_agent_config': vault_agent_config,
 '00_kapitan_plugin_config': kapitan_plugin_config,
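Review bot: The `command` list of the `refresh` container is not idempotent: `kubectl delete secret syn-argocd-tls syn-argocd-ca` exits non-zero as soon as either secret is already absent (for example when a run is retried after the operator has re-created only one of them, or on a cluster where the CA secret was never created), and with the `restartPolicy: OnFailure` that the rendered golden output shows, a harmless no-op becomes a retrying, failing job; inserting `'--ignore-not-found',` after `'secret',` makes the run safe to repeat. The header comment only justifies deleting `syn-argocd-tls`, while both the Role's `resourceNames` and the command also remove `syn-argocd-ca`; a line such as `// The CA secret is deleted together with the TLS secret so that both are re-issued as a pair; confirm every consumer of syn-argocd-ca picks up the new CA.` would record the intent, since the reason is not visible here. The deletion also runs unconditionally on the schedule and depends on the operator re-creating both secrets, so the ArgoCD TLS endpoint is unavailable between the delete and the re-issue, and the refresher has no check that the operator is actually present; that window deserves a sentence in the comment. Finally, the golden output renders `image: docker.io/bitnami/kubectl` without a tag or digest, so if `common.render_image` (outside this hunk) does not pin one, a CronJob holding delete rights on the CA secret runs a floating image; pinning a tag or digest in the image parameters would close that.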
@@ -415,4 +494,5 @@ local webhook_certs = [
 // as the upstream kustomize is broken.
 // 2023/02/19 sfe
 [if params.operator.conversion_webhook then '../10_operator_webhook_certs']: webhook_certs,
+ '10_refresh_argocd_tls': tls_refresh,
 }
diff --git a/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml
new file mode 100644
index 00000000..3ff2188c
--- /dev/null
+++ b/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml
@@ -0,0 +1,95 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +rules: + - apiGroups: + - '' + resourceNames: + - syn-argocd-tls + - syn-argocd-ca + resources: + - secrets + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: syn-argocd-tls-refresher +subjects: + - kind: ServiceAccount + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: syn-argocd-tls-refresher + spec: + containers: + - args: [] + command: + - kubectl + - delete + - secret + - syn-argocd-tls + - syn-argocd-ca + env: + - name: HOME + value: /home/refresh + image: docker.io/bitnami/kubectl + imagePullPolicy: IfNotPresent + name: refresh + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /home/refresh + name: home + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: syn-argocd-tls-refresher + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: home + schedule: 0 9 1 */4 * + successfulJobsHistoryLimit: 10 
diff --git a/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml
new file mode 100644
index 00000000..3ff2188c
--- /dev/null
+++ b/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml
@@ -0,0 +1,95 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +rules: + - apiGroups: + - '' + resourceNames: + - syn-argocd-tls + - syn-argocd-ca + resources: + - secrets + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: syn-argocd-tls-refresher +subjects: + - kind: ServiceAccount + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: syn-argocd-tls-refresher + spec: + containers: + - args: [] + command: + - kubectl + - delete + - secret + - syn-argocd-tls + - syn-argocd-ca + env: + - name: HOME + value: /home/refresh + image: docker.io/bitnami/kubectl + imagePullPolicy: IfNotPresent + name: refresh + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /home/refresh + name: home + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: syn-argocd-tls-refresher + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: home + schedule: 0 9 1 */4 * + successfulJobsHistoryLimit: 10 
diff --git a/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml
new file mode 100644
index 00000000..3ff2188c
--- /dev/null
+++ b/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml
@@ -0,0 +1,95 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +rules: + - apiGroups: + - '' + resourceNames: + - syn-argocd-tls + - syn-argocd-ca + resources: + - secrets + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: syn-argocd-tls-refresher +subjects: + - kind: ServiceAccount + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: syn-argocd-tls-refresher + spec: + containers: + - args: [] + command: + - kubectl + - delete + - secret + - syn-argocd-tls + - syn-argocd-ca + env: + - name: HOME + value: /home/refresh + image: docker.io/bitnami/kubectl + imagePullPolicy: IfNotPresent + name: refresh + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /home/refresh + name: home + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: syn-argocd-tls-refresher + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: home + schedule: 0 9 1 */4 * + successfulJobsHistoryLimit: 10 
diff --git a/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml
new file mode 100644
index 00000000..3ff2188c
--- /dev/null
+++ b/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml
@@ -0,0 +1,95 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +rules: + - apiGroups: + - '' + resourceNames: + - syn-argocd-tls + - syn-argocd-ca + resources: + - secrets + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: syn-argocd-tls-refresher +subjects: + - kind: ServiceAccount + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: syn-argocd-tls-refresher + spec: + containers: + - args: [] + command: + - kubectl + - delete + - secret + - syn-argocd-tls + - syn-argocd-ca + env: + - name: HOME + value: /home/refresh + image: docker.io/bitnami/kubectl + imagePullPolicy: IfNotPresent + name: refresh + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /home/refresh + name: home + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: syn-argocd-tls-refresher + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: home + schedule: 0 9 1 */4 * + successfulJobsHistoryLimit: 10