From b05cffd5bcfa719811c5ce2a8d3b90d34fa74e53 Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Wed, 30 Oct 2024 16:55:15 +0100 Subject: [PATCH 1/2] Deploy cronjob which periodically refreshes the `syn-argocd-tls` secret Unfortunately, the argocd-operator currently doesn't refresh the certificate stored in secret `syn-argocd-tls` even when the certificate is expired or expires soon. To circumvent the certificate expiring (the lifetime is hardcoded to 1 year), we deploy a CronJob which deletes the `syn-argocd-tls` secret every 4 months to force the operator to recreate it with a new certificate. --- component/argocd.jsonnet | 76 +++++++++++++++ .../30_argocd/10_refresh_argocd_tls.yaml | 93 +++++++++++++++++++ .../30_argocd/10_refresh_argocd_tls.yaml | 93 +++++++++++++++++++ .../30_argocd/10_refresh_argocd_tls.yaml | 93 +++++++++++++++++++ .../30_argocd/10_refresh_argocd_tls.yaml | 93 +++++++++++++++++++ 5 files changed, 448 insertions(+) create mode 100644 tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml create mode 100644 tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml create mode 100644 tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml create mode 100644 tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet index e321f51c..6e4bfcca 100644 --- a/component/argocd.jsonnet +++ b/component/argocd.jsonnet 
@@ -405,6 +405,81 @@ local webhook_certs = [ }, ]; +// Manually trigger refresh of ArgoCD TLS certificate. Currently the operator +// will not do anything if it sees that the secret `syn-argocd-tls` exists +// even if the certificate stored in the secret expired or is expiring soon. +local tls_sa = kube.ServiceAccount('syn-argocd-tls-refresher') { + metadata+: { + namespace: params.namespace, + }, +}; +local tls_role = kube.Role('syn-argocd-tls-refresher') { + metadata+: { + namespace: params.namespace, + }, + rules: [ { + apiGroups: [ '' ], + resources: [ 'secrets' ], + verbs: [ 'delete' ], + resourceNames: [ 'syn-argocd-tls' ], + } ], +}; +local tls_rolebinding = kube.RoleBinding('syn-argocd-tls-refresher') { + metadata+: { + namespace: params.namespace, + }, + subjects_: [ tls_sa ], + roleRef_: tls_role, +}; +local tls_cronjob = + local homedir = '/home/refresh'; + kube.CronJob('syn-argocd-tls-refresher') { + metadata+: { + namespace: params.namespace, + }, + spec+: { + failedJobsHistoryLimit: 3, + // At 09:00 on the first day of the month every 4th month. + schedule: '0 9 1 */4 *', + jobTemplate+: { + spec+: { + template+: { + spec+: { + containers_: { + refresh: kube.Container('refresh') { + image: common.render_image('kubectl'), + command: [ + 'kubectl', + 'delete', + 'secret', + 'syn-argocd-tls', + ], + env_: { + HOME: homedir, + }, + volumeMounts_+: { + home: { mountPath: homedir }, + }, + }, + }, + serviceAccountName: tls_sa.metadata.name, + volumes_+: { + home: { emptyDir: {} }, + }, + }, + }, + }, + }, + }, + }; + +local tls_refresh = [ + tls_sa, + tls_role, + tls_rolebinding, + tls_cronjob, +]; + { '00_vault_agent_config': vault_agent_config, '00_kapitan_plugin_config': kapitan_plugin_config, @@ -415,4 +490,5 @@ local webhook_certs = [ // as the upstream kustomize is broken. // 2023/02/19 sfe [if params.operator.conversion_webhook then '../10_operator_webhook_certs']: webhook_certs, + '10_refresh_argocd_tls': tls_refresh, } 
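Review bot: The `kubectl delete secret syn-argocd-tls` command in `tls_cronjob` is not idempotent: when the secret is absent at the time the job fires (operator not yet reconciled, or an earlier attempt already removed it), kubectl exits non-zero and, with the `restartPolicy: OnFailure` visible in the rendered golden output, the pod is retried up to the job's backoff limit and lands in the failed-jobs history for no benefit. Adding `'--ignore-not-found=true',` to the command list makes the deletion a no-op in that case; the same applies to the second patch's extension of this command to two secrets, where a partial state (one present, one missing) would otherwise fail the job after the first secret was already removed. The rendered output also shows the container without any `securityContext` and with the image `docker.io/bitnami/kubectl` carrying no tag (presumably the component's default `images` parameter, which is not on this page); since this ServiceAccount holds a delete right on secrets, I would drop capabilities, forbid privilege escalation and run as non-root (assuming the image's default user is non-root — please confirm), and pin the image by tag or digest. The container block below shows the two changes; `env_` and `volumeMounts_` are unchanged.
```jsonnet
refresh: kube.Container('refresh') {
  image: common.render_image('kubectl'),
  command: [
    'kubectl',
    'delete',
    'secret',
    // Absent secret is not an error: the job only needs the secret gone.
    '--ignore-not-found=true',
    'syn-argocd-tls',
  ],
  securityContext: {
    runAsNonRoot: true,
    allowPrivilegeEscalation: false,
    capabilities: { drop: [ 'ALL' ] },
  },
  // … unchanged: env_, volumeMounts_ …
},
```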
diff --git a/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml new file mode 100644 index 00000000..d9dfe71c --- /dev/null +++ b/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml 
@@ -0,0 +1,93 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +rules: + - apiGroups: + - '' + resourceNames: + - syn-argocd-tls + resources: + - secrets + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: syn-argocd-tls-refresher +subjects: + - kind: ServiceAccount + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: syn-argocd-tls-refresher + spec: + containers: + - args: [] + command: + - kubectl + - delete + - secret + - syn-argocd-tls + env: + - name: HOME + value: /home/refresh + image: docker.io/bitnami/kubectl + imagePullPolicy: IfNotPresent + name: refresh + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /home/refresh + name: home + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: syn-argocd-tls-refresher + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: home + schedule: 0 9 1 */4 * + successfulJobsHistoryLimit: 10 diff --git a/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml new file mode 100644 index 00000000..d9dfe71c --- /dev/null 
+++ b/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml @@ -0,0 +1,93 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +rules: + - apiGroups: + - '' + resourceNames: + - syn-argocd-tls + resources: + - secrets + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: syn-argocd-tls-refresher +subjects: + - kind: ServiceAccount + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: syn-argocd-tls-refresher + spec: + containers: + - args: [] + command: + - kubectl + - delete + - secret + - syn-argocd-tls + env: + - name: HOME + value: /home/refresh + image: docker.io/bitnami/kubectl + imagePullPolicy: IfNotPresent + name: refresh + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /home/refresh + name: home + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: syn-argocd-tls-refresher + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: home + schedule: 0 9 1 */4 * + successfulJobsHistoryLimit: 10 
diff --git a/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml new file mode 100644 index 00000000..d9dfe71c --- /dev/null +++ b/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml 
@@ -0,0 +1,93 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +rules: + - apiGroups: + - '' + resourceNames: + - syn-argocd-tls + resources: + - secrets + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: syn-argocd-tls-refresher +subjects: + - kind: ServiceAccount + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: syn-argocd-tls-refresher + spec: + containers: + - args: [] + command: + - kubectl + - delete + - secret + - syn-argocd-tls + env: + - name: HOME + value: /home/refresh + image: docker.io/bitnami/kubectl + imagePullPolicy: IfNotPresent + name: refresh + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /home/refresh + name: home + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: syn-argocd-tls-refresher + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: home + schedule: 0 9 1 */4 * + successfulJobsHistoryLimit: 10 diff --git a/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml new file mode 100644 index 00000000..d9dfe71c --- /dev/null 
+++ b/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml @@ -0,0 +1,93 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +rules: + - apiGroups: + - '' + resourceNames: + - syn-argocd-tls + resources: + - secrets + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: syn-argocd-tls-refresher +subjects: + - kind: ServiceAccount + name: syn-argocd-tls-refresher + namespace: syn +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: syn-argocd-tls-refresher + name: syn-argocd-tls-refresher + namespace: syn +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: syn-argocd-tls-refresher + spec: + containers: + - args: [] + command: + - kubectl + - delete + - secret + - syn-argocd-tls + env: + - name: HOME + value: /home/refresh + image: docker.io/bitnami/kubectl + imagePullPolicy: IfNotPresent + name: refresh + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /home/refresh + name: home + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: syn-argocd-tls-refresher + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: home + schedule: 0 9 1 */4 * + successfulJobsHistoryLimit: 10 From 3e396954549a93818c0472170f3c2f9f7b2a039e Mon Sep 17 00:00:00 2001 
From: Simon Gerber Date: Wed, 30 Oct 2024 17:15:37 +0100 Subject: [PATCH 2/2] Also refresh syn-argocd-ca secret Co-authored-by: Adrian Haas <11636405+haasad@users.noreply.github.com> --- component/argocd.jsonnet | 6 +++++- .../argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml | 2 ++ .../argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml | 2 ++ .../argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml | 2 ++ .../argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml | 2 ++ 5 files changed, 13 insertions(+), 1 deletion(-) diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet index 6e4bfcca..1a569abb 100644 --- a/component/argocd.jsonnet +++ b/component/argocd.jsonnet @@ -421,7 +421,10 @@ local tls_role = kube.Role('syn-argocd-tls-refresher') { apiGroups: [ '' ], resources: [ 'secrets' ], verbs: [ 'delete' ], - resourceNames: [ 'syn-argocd-tls' ], + resourceNames: [ + 'syn-argocd-tls', + 'syn-argocd-ca', + ], } ], }; local tls_rolebinding = kube.RoleBinding('syn-argocd-tls-refresher') { @@ -453,6 +456,7 @@ local tls_cronjob = 'delete', 'secret', 'syn-argocd-tls', + 'syn-argocd-ca', ], env_: { HOME: homedir, diff --git a/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml index d9dfe71c..3ff2188c 100644 --- a/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml +++ b/tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml @@ -20,6 +20,7 @@ rules: - '' resourceNames: - syn-argocd-tls + - syn-argocd-ca resources: - secrets verbs: @@ -69,6 +70,7 @@ spec: - delete - secret - syn-argocd-tls + - syn-argocd-ca env: - name: HOME value: /home/refresh diff --git a/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml index d9dfe71c..3ff2188c 100644 --- a/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml 
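Review bot: The explanatory comment above this block (outside the hunk, starting `// Manually trigger refresh of ArgoCD TLS certificate.`) still describes deleting only `syn-argocd-tls`, while the `resourceNames` list in this hunk and the command in the next one now also remove `syn-argocd-ca`; neither the hunk nor the commit message says why the CA secret must be rotated together with the server certificate. I would extend that comment with the reason, e.g. `// The CA secret syn-argocd-ca is deleted as well so the operator re-issues the whole chain; TODO(review): state which consumers hold a copy of the old CA and how they pick up the new one.` Replacing the CA changes the trust anchor, so if anything outside the operator's reconcile loop keeps the previous CA bundle (not visible on this page), it stops trusting the new certificate until it is refreshed; worth confirming before the first scheduled run.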
+++ b/tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml @@ -20,6 +20,7 @@ rules: - '' resourceNames: - syn-argocd-tls + - syn-argocd-ca resources: - secrets verbs: @@ -69,6 +70,7 @@ spec: - delete - secret - syn-argocd-tls + - syn-argocd-ca env: - name: HOME value: /home/refresh diff --git a/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml index d9dfe71c..3ff2188c 100644 --- a/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml +++ b/tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml @@ -20,6 +20,7 @@ rules: - '' resourceNames: - syn-argocd-tls + - syn-argocd-ca resources: - secrets verbs: @@ -69,6 +70,7 @@ spec: - delete - secret - syn-argocd-tls + - syn-argocd-ca env: - name: HOME value: /home/refresh diff --git a/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml b/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml index d9dfe71c..3ff2188c 100644 --- a/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml +++ b/tests/golden/prometheus/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml @@ -20,6 +20,7 @@ rules: - '' resourceNames: - syn-argocd-tls + - syn-argocd-ca resources: - secrets verbs: @@ -69,6 +70,7 @@ spec: - delete - secret - syn-argocd-tls + - syn-argocd-ca env: - name: HOME value: /home/refresh