80 changes: 80 additions & 0 deletions component/argocd.jsonnet
Expand Up @@ -405,6 +405,85 @@ local webhook_certs = [
},
];

// Manually trigger refresh of ArgoCD TLS certificate. Currently the operator
// will not do anything if it sees that the secret `syn-argocd-tls` exists
// even if the certificate stored in the secret expired or is expiring soon.
local tls_sa = kube.ServiceAccount('syn-argocd-tls-refresher') {
metadata+: {
namespace: params.namespace,
},
};
local tls_role = kube.Role('syn-argocd-tls-refresher') {
metadata+: {
namespace: params.namespace,
},
rules: [ {
apiGroups: [ '' ],
resources: [ 'secrets' ],
verbs: [ 'delete' ],
resourceNames: [
'syn-argocd-tls',
'syn-argocd-ca',
],
} ],
};
local tls_rolebinding = kube.RoleBinding('syn-argocd-tls-refresher') {
metadata+: {
namespace: params.namespace,
},
subjects_: [ tls_sa ],
roleRef_: tls_role,
};
local tls_cronjob =
local homedir = '/home/refresh';
kube.CronJob('syn-argocd-tls-refresher') {
metadata+: {
namespace: params.namespace,
},
spec+: {
failedJobsHistoryLimit: 3,
// At 09:00 on the first day of the month every 4th month.
schedule: '0 9 1 */4 *',
jobTemplate+: {
spec+: {
template+: {
spec+: {
containers_: {
refresh: kube.Container('refresh') {
image: common.render_image('kubectl'),
command: [
'kubectl',
'delete',
'secret',
'syn-argocd-tls',
'syn-argocd-ca',
],
env_: {
HOME: homedir,
},
volumeMounts_+: {
home: { mountPath: homedir },
},
},
},
serviceAccountName: tls_sa.metadata.name,
volumes_+: {
home: { emptyDir: {} },
},
},
},
},
},
},
};

local tls_refresh = [
tls_sa,
tls_role,
tls_rolebinding,
tls_cronjob,
];

{
'00_vault_agent_config': vault_agent_config,
'00_kapitan_plugin_config': kapitan_plugin_config,
Expand All @@ -415,4 +494,5 @@ local webhook_certs = [
// as the upstream kustomize is broken.
// 2023/02/19 sfe
[if params.operator.conversion_webhook then '../10_operator_webhook_certs']: webhook_certs,
'10_refresh_argocd_tls': tls_refresh,
}
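Review bot: The `command` in `tls_cronjob` (`kubectl delete secret syn-argocd-tls syn-argocd-ca`) exits non-zero when either secret is absent, so a run that finds only one of them — e.g. after a manual cleanup, or before the operator has created the CA secret at all — is reported as a failed Job and retried under the rendered `restartPolicy: OnFailure` even though there is nothing left to refresh; appending `'--ignore-not-found',` to the `command` list makes the run idempotent. The Role is scoped to `delete` on exactly the two named secrets, which is the right least-privilege shape for a cron-driven rotation, but the comment above `tls_sa` should also say that a run removes the CA secret, so any client that pinned the previous CA must pick up the regenerated one, and that if the operator does not recreate both secrets ArgoCD is left without TLS until it does. The golden output renders the container image as `docker.io/bitnami/kubectl` with no tag; that value comes from `common.render_image` outside this hunk, but if the image parameter is not pinned to a tag or digest this job — which holds delete rights on credentials — runs whatever `latest` resolves to at the time.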
@@ -0,0 +1,95 @@
apiVersion: v1
kind: ServiceAccount
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
rules:
- apiGroups:
- ''
resourceNames:
- syn-argocd-tls
- syn-argocd-ca
resources:
- secrets
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: syn-argocd-tls-refresher
subjects:
- kind: ServiceAccount
name: syn-argocd-tls-refresher
namespace: syn
---
apiVersion: batch/v1
kind: CronJob
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 3
jobTemplate:
spec:
completions: 1
parallelism: 1
template:
metadata:
labels:
name: syn-argocd-tls-refresher
spec:
containers:
- args: []
command:
- kubectl
- delete
- secret
- syn-argocd-tls
- syn-argocd-ca
env:
- name: HOME
value: /home/refresh
image: docker.io/bitnami/kubectl
imagePullPolicy: IfNotPresent
name: refresh
ports: []
stdin: false
tty: false
volumeMounts:
- mountPath: /home/refresh
name: home
imagePullSecrets: []
initContainers: []
restartPolicy: OnFailure
serviceAccountName: syn-argocd-tls-refresher
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: home
schedule: 0 9 1 */4 *
successfulJobsHistoryLimit: 10
@@ -0,0 +1,95 @@
apiVersion: v1
kind: ServiceAccount
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
rules:
- apiGroups:
- ''
resourceNames:
- syn-argocd-tls
- syn-argocd-ca
resources:
- secrets
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: syn-argocd-tls-refresher
subjects:
- kind: ServiceAccount
name: syn-argocd-tls-refresher
namespace: syn
---
apiVersion: batch/v1
kind: CronJob
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 3
jobTemplate:
spec:
completions: 1
parallelism: 1
template:
metadata:
labels:
name: syn-argocd-tls-refresher
spec:
containers:
- args: []
command:
- kubectl
- delete
- secret
- syn-argocd-tls
- syn-argocd-ca
env:
- name: HOME
value: /home/refresh
image: docker.io/bitnami/kubectl
imagePullPolicy: IfNotPresent
name: refresh
ports: []
stdin: false
tty: false
volumeMounts:
- mountPath: /home/refresh
name: home
imagePullSecrets: []
initContainers: []
restartPolicy: OnFailure
serviceAccountName: syn-argocd-tls-refresher
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: home
schedule: 0 9 1 */4 *
successfulJobsHistoryLimit: 10
@@ -0,0 +1,95 @@
apiVersion: v1
kind: ServiceAccount
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
rules:
- apiGroups:
- ''
resourceNames:
- syn-argocd-tls
- syn-argocd-ca
resources:
- secrets
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: syn-argocd-tls-refresher
subjects:
- kind: ServiceAccount
name: syn-argocd-tls-refresher
namespace: syn
---
apiVersion: batch/v1
kind: CronJob
metadata:
annotations: {}
labels:
name: syn-argocd-tls-refresher
name: syn-argocd-tls-refresher
namespace: syn
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 3
jobTemplate:
spec:
completions: 1
parallelism: 1
template:
metadata:
labels:
name: syn-argocd-tls-refresher
spec:
containers:
- args: []
command:
- kubectl
- delete
- secret
- syn-argocd-tls
- syn-argocd-ca
env:
- name: HOME
value: /home/refresh
image: docker.io/bitnami/kubectl
imagePullPolicy: IfNotPresent
name: refresh
ports: []
stdin: false
tty: false
volumeMounts:
- mountPath: /home/refresh
name: home
imagePullSecrets: []
initContainers: []
restartPolicy: OnFailure
serviceAccountName: syn-argocd-tls-refresher
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: home
schedule: 0 9 1 */4 *
successfulJobsHistoryLimit: 10