Take the latest changes from master branch (argoproj-labs#1406)
* fix: don't change the default policy to reencrypt if the TLS secret is present (argoproj-labs#1401)

Signed-off-by: Chetan Banavikalmutt <[email protected]>
Signed-off-by: Anand Francis Joseph <[email protected]>

* Add SeccompProfile for PodSecurityStandards "restricted" to avoid Pod Security Violations on restricted namespaces (argoproj-labs#1288)

* Add SeccompProfile for PSA restricted

It is necessary to set the seccompProfile to RuntimeDefault to meet the
PodSecurityStandards of restricted, which will be a common default in
clusters.
Otherwise the workloads will be evaluated as baseline and rejected, if
not set otherwise in the namespace metadata.

* fix: failing test

Signed-off-by: iam-veeramalla <[email protected]>

---------

Signed-off-by: iam-veeramalla <[email protected]>
Co-authored-by: iam-veeramalla <[email protected]>
Signed-off-by: Anand Francis Joseph <[email protected]>

* Rebase master with 0.10.0 and 0.9.1 releases (argoproj-labs#1403)

* argocd-operator v0.10.0 release (argoproj-labs#1343)

* fix typo in metadata (argoproj-labs#1354)

* update replaces version number for 0.10.0 to 0.9.1 (argoproj-labs#1365)

* update make deploy manifests

* rebase with 0.9.1

* fix bundle manifest control plane

* make bundle

Signed-off-by: Anand Francis Joseph <[email protected]>

---------

Signed-off-by: Chetan Banavikalmutt <[email protected]>
Signed-off-by: Anand Francis Joseph <[email protected]>
Signed-off-by: iam-veeramalla <[email protected]>
Co-authored-by: Chetan Banavikalmutt <[email protected]>
Co-authored-by: Krzysztof Ostrowski <[email protected]>
Co-authored-by: iam-veeramalla <[email protected]>
Co-authored-by: Regina Scott <[email protected]>
Signed-off-by: Anand Francis Joseph <[email protected]>
5 people committed Jun 7, 2024
1 parent cdf3832 commit 74e1e59
Showing 34 changed files with 73,583 additions and 32 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -3,7 +3,7 @@
# To re-generate a bundle for another specific version without changing the standard setup, you can:
# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
# - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
VERSION ?= 0.9.0
VERSION ?= 0.10.0

# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
8 changes: 4 additions & 4 deletions bundle/manifests/argocd-operator.clusterserviceversion.yaml
Expand Up @@ -252,7 +252,7 @@ metadata:
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
repository: https://github.com/argoproj-labs/argocd-operator
support: Argo CD
name: argocd-operator.v0.9.0
name: argocd-operator.v0.10.0
namespace: placeholder
spec:
apiservicedefinitions: {}
Expand Down Expand Up @@ -1889,7 +1889,7 @@ spec:
fieldPath: metadata.annotations['olm.targetNamespaces']
- name: ENABLE_CONVERSION_WEBHOOK
value: "true"
image: quay.io/argoprojlabs/argocd-operator:v0.9.0
image: quay.io/argoprojlabs/argocd-operator:v0.10.0
livenessProbe:
httpGet:
path: /healthz
Expand Down Expand Up @@ -1979,8 +1979,8 @@ spec:
maturity: alpha
provider:
name: Argo CD Community
replaces: argocd-operator.v0.7.0
version: 0.9.0
replaces: argocd-operator.v0.9.1
version: 0.10.0
webhookdefinitions:
- admissionReviewVersions:
- v1alpha1
2 changes: 1 addition & 1 deletion common/defaults.go
Expand Up @@ -122,7 +122,7 @@ const (
ArgoCDDefaultExportJobImage = "quay.io/argoprojlabs/argocd-operator-util"

// ArgoCDDefaultExportJobVersion is the export job container image tag to use when not specified.
ArgoCDDefaultExportJobVersion = "sha256:6f80965a2bef1c80875be0995b18d9be5a6ad4af841cbc170ed3c60101a7deb2" // 0.5.0
ArgoCDDefaultExportJobVersion = "sha256:823c307ea39de913e2bca0e2a7139fb3ea5b4a7462e82ad7450fd4c38b68e7e4" // 0.10.0

// ArgoCDDefaultExportLocalCapicity is the default capacity to use for local export.
ArgoCDDefaultExportLocalCapicity = "2Gi"
2 changes: 1 addition & 1 deletion config/manager/kustomization.yaml
Expand Up @@ -13,4 +13,4 @@ kind: Kustomization
images:
- name: controller
newName: quay.io/argoprojlabs/argocd-operator
newTag: v0.9.0
newTag: v0.10.0
Expand Up @@ -1419,5 +1419,5 @@ spec:
maturity: alpha
provider:
name: Argo CD Community
replaces: argocd-operator.v0.7.0
version: 0.8.0
replaces: argocd-operator.v0.9.1
version: 0.10.0
22 changes: 22 additions & 0 deletions controllers/argocd/deployment.go
Expand Up @@ -497,6 +497,9 @@ func (r *ReconcileArgoCD) reconcileRedisDeployment(cr *argoproj.ArgoCD, useTLS b
},
RunAsNonRoot: boolPtr(true),
RunAsUser: int64Ptr(999),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
VolumeMounts: []corev1.VolumeMount{
{
Expand Down Expand Up @@ -659,6 +662,9 @@ func (r *ReconcileArgoCD) reconcileRedisHAProxyDeployment(cr *argoproj.ArgoCD) e
},
},
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
VolumeMounts: []corev1.VolumeMount{
{
Expand Down Expand Up @@ -695,6 +701,10 @@ func (r *ReconcileArgoCD) reconcileRedisHAProxyDeployment(cr *argoproj.ArgoCD) e
"ALL",
},
},
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
VolumeMounts: []corev1.VolumeMount{
{
Expand Down Expand Up @@ -760,6 +770,9 @@ func (r *ReconcileArgoCD) reconcileRedisHAProxyDeployment(cr *argoproj.ArgoCD) e
RunAsNonRoot: boolPtr(true),
RunAsUser: int64Ptr(1000),
FSGroup: int64Ptr(1000),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
}
AddSeccompProfileForOpenShift(r.Client, &deploy.Spec.Template.Spec)

Expand Down Expand Up @@ -866,6 +879,9 @@ func (r *ReconcileArgoCD) reconcileRepoDeployment(cr *argoproj.ArgoCD, useTLSFor
},
},
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
VolumeMounts: []corev1.VolumeMount{
{
Expand Down Expand Up @@ -960,6 +976,9 @@ func (r *ReconcileArgoCD) reconcileRepoDeployment(cr *argoproj.ArgoCD, useTLSFor
},
},
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
VolumeMounts: repoServerVolumeMounts,
}}
Expand Down Expand Up @@ -1201,6 +1220,9 @@ func (r *ReconcileArgoCD) reconcileServerDeployment(cr *argoproj.ArgoCD, useTLSF
},
},
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
VolumeMounts: []corev1.VolumeMount{
{
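Review bot: Every added `SeccompProfile` block spells the type as the raw string `"RuntimeDefault"`; `corev1.SeccompProfileTypeRuntimeDefault` is the typed constant for this value and avoids a silent typo producing a profile that admission would reject, e.g. `Type: corev1.SeccompProfileTypeRuntimeDefault,`. In the hunk at `@@ -760,6 +770,9 @@` the pod-level `SeccompProfile` is set immediately before `AddSeccompProfileForOpenShift(r.Client, &deploy.Spec.Template.Spec)` runs on the same spec; whether that helper overwrites or respects an already-set profile is not visible here and decides which value wins on OpenShift, so it is worth confirming. The same typed-constant point applies to the three blocks added in deployment_test.go. Each enclosing reconcile function starts and ends outside its hunk.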
9 changes: 9 additions & 0 deletions controllers/argocd/deployment_test.go
Expand Up @@ -1125,6 +1125,9 @@ func TestReconcileArgoCD_reconcileServerDeployment(t *testing.T) {
},
},
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
VolumeMounts: serverDefaultVolumeMounts(),
},
Expand Down Expand Up @@ -1364,6 +1367,9 @@ func TestReconcileArgoCD_reconcileServerDeploymentWithInsecure(t *testing.T) {
},
},
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
VolumeMounts: serverDefaultVolumeMounts(),
},
Expand Down Expand Up @@ -1468,6 +1474,9 @@ func TestReconcileArgoCD_reconcileServerDeploymentChangedToInsecure(t *testing.T
},
},
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: "RuntimeDefault",
},
},
VolumeMounts: serverDefaultVolumeMounts(),
},
19 changes: 15 additions & 4 deletions controllers/argocd/route.go
Expand Up @@ -20,6 +20,7 @@ import (
"strings"

routev1 "github.com/openshift/api/route/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
Expand Down Expand Up @@ -231,13 +232,23 @@ func (r *ReconcileArgoCD) reconcileServerRoute(cr *argoproj.ArgoCD) error {
Termination: routev1.TLSTerminationEdge,
}
} else {
// Server is using TLS configure reencrypt.
route.Spec.Port = &routev1.RoutePort{
TargetPort: intstr.FromString("https"),
}
route.Spec.TLS = &routev1.TLSConfig{
InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
Termination: routev1.TLSTerminationReencrypt,

isTLSSecretFound := argoutil.IsObjectFound(r.Client, cr.Namespace, common.ArgoCDServerTLSSecretName, &corev1.Secret{})
// Since Passthrough was the default policy in the previous versions of the operator, we don't want to
// break users who have already configured a TLS secret for Passthrough.
if cr.Spec.Server.Route.TLS == nil && isTLSSecretFound && route.Spec.TLS != nil && route.Spec.TLS.Termination == routev1.TLSTerminationPassthrough {
route.Spec.TLS = &routev1.TLSConfig{
InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
Termination: routev1.TLSTerminationPassthrough,
}
} else {
route.Spec.TLS = &routev1.TLSConfig{
InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
Termination: routev1.TLSTerminationReencrypt,
}
}
}

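Review bot: The passthrough-retention condition on the new `if` line keys off `argoutil.IsObjectFound`, which yields only a bool; if that helper folds any lookup error (forbidden, timeout) into "not found", a transient API error would flip an existing passthrough route to reencrypt and back on the next reconcile, so how the helper reports errors is worth confirming, and the same applies to the new lookup in `ensureAutoTLSAnnotation` in service.go. The comment `// Server is using TLS configure reencrypt.` left above the new block is now inaccurate since the branch may keep passthrough; suggest `// Server is using TLS: keep an existing passthrough route (the previous default) when the TLS secret is present, otherwise configure reencrypt.` The `route.Spec.TLS != nil` guard is needed here, since a freshly built route carries no TLS config. reconcileServerRoute starts and ends outside this hunk.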
37 changes: 34 additions & 3 deletions controllers/argocd/route_test.go
Expand Up @@ -497,16 +497,18 @@ func TestReconcileRouteTLSConfig(t *testing.T) {
logf.SetLogger(ZapLogger(true))

tt := []struct {
name string
want routev1.TLSTerminationType
updateArgoCD func(cr *argoproj.ArgoCD)
name string
want routev1.TLSTerminationType
updateArgoCD func(cr *argoproj.ArgoCD)
createResources func(k8sClient client.Client, cr *argoproj.ArgoCD)
}{
{
name: "should set the default termination policy to renencrypt",
want: routev1.TLSTerminationReencrypt,
updateArgoCD: func(cr *argoproj.ArgoCD) {
cr.Spec.Server.Route.Enabled = true
},
createResources: func(k8sClient client.Client, cr *argoproj.ArgoCD) {},
},
{
name: "shouldn't overwrite the TLS config if it's already configured",
Expand All @@ -517,6 +519,34 @@ func TestReconcileRouteTLSConfig(t *testing.T) {
Termination: routev1.TLSTerminationEdge,
}
},
createResources: func(k8sClient client.Client, cr *argoproj.ArgoCD) {},
},
{
// We don't want to change the default value to reencrypt if the user has already
// configured a TLS secret for passthrough (previous default value).
name: "shouldn't overwrite if the Route was previously configured with passthrough",
want: routev1.TLSTerminationPassthrough,
updateArgoCD: func(cr *argoproj.ArgoCD) {
cr.Spec.Server.Route.Enabled = true
},
createResources: func(k8sClient client.Client, cr *argoproj.ArgoCD) {
secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: common.ArgoCDServerTLSSecretName,
Namespace: cr.Namespace,
},
}
err := k8sClient.Create(context.Background(), secret)
assert.NoError(t, err)

// create a Route with passthrough policy.
route := newRouteWithSuffix("server", cr)
route.Spec.TLS = &routev1.TLSConfig{
Termination: routev1.TLSTerminationPassthrough,
}
err = k8sClient.Create(context.Background(), route)
assert.NoError(t, err)
},
},
}

Expand All @@ -531,6 +561,7 @@ func TestReconcileRouteTLSConfig(t *testing.T) {
fakeClient := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs)
reconciler := makeTestReconciler(fakeClient, sch)

test.createResources(fakeClient, argoCD)
req := reconcile.Request{
NamespacedName: testNamespacedName(testArgoCDName),
}
25 changes: 16 additions & 9 deletions controllers/argocd/service.go
Expand Up @@ -21,6 +21,7 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

argoproj "github.com/argoproj-labs/argocd-operator/api/v1beta1"
Expand Down Expand Up @@ -210,7 +211,7 @@ func (r *ReconcileArgoCD) reconcileRedisHAProxyService(cr *argoproj.ArgoCD) erro
return r.Client.Delete(context.TODO(), svc)
}

if ensureAutoTLSAnnotation(svc, common.ArgoCDRedisServerTLSSecretName, cr.Spec.Redis.WantsAutoTLS()) {
if ensureAutoTLSAnnotation(r.Client, svc, common.ArgoCDRedisServerTLSSecretName, cr.Spec.Redis.WantsAutoTLS()) {
return r.Client.Update(context.TODO(), svc)
}
return nil // Service found, do nothing
Expand All @@ -220,7 +221,7 @@ func (r *ReconcileArgoCD) reconcileRedisHAProxyService(cr *argoproj.ArgoCD) erro
return nil //return as Ha is not enabled do nothing
}

ensureAutoTLSAnnotation(svc, common.ArgoCDRedisServerTLSSecretName, cr.Spec.Redis.WantsAutoTLS())
ensureAutoTLSAnnotation(r.Client, svc, common.ArgoCDRedisServerTLSSecretName, cr.Spec.Redis.WantsAutoTLS())

svc.Spec.Selector = map[string]string{
common.ArgoCDKeyName: nameWithSuffix("redis-ha-haproxy", cr),
Expand Down Expand Up @@ -266,7 +267,7 @@ func (r *ReconcileArgoCD) reconcileRedisService(cr *argoproj.ArgoCD) error {
if !cr.Spec.Redis.IsEnabled() {
return r.Client.Delete(context.TODO(), svc)
}
if ensureAutoTLSAnnotation(svc, common.ArgoCDRedisServerTLSSecretName, cr.Spec.Redis.WantsAutoTLS()) {
if ensureAutoTLSAnnotation(r.Client, svc, common.ArgoCDRedisServerTLSSecretName, cr.Spec.Redis.WantsAutoTLS()) {
return r.Client.Update(context.TODO(), svc)
}
if cr.Spec.HA.Enabled {
Expand All @@ -279,7 +280,7 @@ func (r *ReconcileArgoCD) reconcileRedisService(cr *argoproj.ArgoCD) error {
return nil //return as Ha is enabled do nothing
}

ensureAutoTLSAnnotation(svc, common.ArgoCDRedisServerTLSSecretName, cr.Spec.Redis.WantsAutoTLS())
ensureAutoTLSAnnotation(r.Client, svc, common.ArgoCDRedisServerTLSSecretName, cr.Spec.Redis.WantsAutoTLS())

svc.Spec.Selector = map[string]string{
common.ArgoCDKeyName: nameWithSuffix("redis", cr),
Expand Down Expand Up @@ -308,7 +309,7 @@ func (r *ReconcileArgoCD) reconcileRedisService(cr *argoproj.ArgoCD) error {
//
// When this method returns true, the svc resource will need to be updated on
// the cluster.
func ensureAutoTLSAnnotation(svc *corev1.Service, secretName string, enabled bool) bool {
func ensureAutoTLSAnnotation(k8sClient client.Client, svc *corev1.Service, secretName string, enabled bool) bool {
var autoTLSAnnotationName, autoTLSAnnotationValue string

// We currently only support OpenShift for automatic TLS
Expand All @@ -323,6 +324,12 @@ func ensureAutoTLSAnnotation(svc *corev1.Service, secretName string, enabled boo
if autoTLSAnnotationName != "" {
val, ok := svc.Annotations[autoTLSAnnotationName]
if enabled {
// Don't request a TLS certificate from the OpenShift Service CA if the secret already exists.
isTLSSecretFound := argoutil.IsObjectFound(k8sClient, svc.Namespace, secretName, &corev1.Secret{})
if !ok && isTLSSecretFound {
log.Info(fmt.Sprintf("skipping AutoTLS on service %s since the TLS secret is already present", svc.Name))
return false
}
if !ok || val != secretName {
log.Info(fmt.Sprintf("requesting AutoTLS on service %s", svc.ObjectMeta.Name))
svc.Annotations[autoTLSAnnotationName] = autoTLSAnnotationValue
Expand All @@ -348,7 +355,7 @@ func (r *ReconcileArgoCD) reconcileRepoService(cr *argoproj.ArgoCD) error {
if !cr.Spec.Repo.IsEnabled() {
return r.Client.Delete(context.TODO(), svc)
}
if ensureAutoTLSAnnotation(svc, common.ArgoCDRepoServerTLSSecretName, cr.Spec.Repo.WantsAutoTLS()) {
if ensureAutoTLSAnnotation(r.Client, svc, common.ArgoCDRepoServerTLSSecretName, cr.Spec.Repo.WantsAutoTLS()) {
return r.Client.Update(context.TODO(), svc)
}
return nil // Service found, do nothing
Expand All @@ -358,7 +365,7 @@ func (r *ReconcileArgoCD) reconcileRepoService(cr *argoproj.ArgoCD) error {
return nil
}

ensureAutoTLSAnnotation(svc, common.ArgoCDRepoServerTLSSecretName, cr.Spec.Repo.WantsAutoTLS())
ensureAutoTLSAnnotation(r.Client, svc, common.ArgoCDRepoServerTLSSecretName, cr.Spec.Repo.WantsAutoTLS())

svc.Spec.Selector = map[string]string{
common.ArgoCDKeyName: nameWithSuffix("repo-server", cr),
Expand Down Expand Up @@ -417,7 +424,7 @@ func (r *ReconcileArgoCD) reconcileServerService(cr *argoproj.ArgoCD) error {
if !cr.Spec.Server.IsEnabled() {
return r.Client.Delete(context.TODO(), svc)
}
if ensureAutoTLSAnnotation(svc, common.ArgoCDServerTLSSecretName, cr.Spec.Server.WantsAutoTLS()) {
if ensureAutoTLSAnnotation(r.Client, svc, common.ArgoCDServerTLSSecretName, cr.Spec.Server.WantsAutoTLS()) {
return r.Client.Update(context.TODO(), svc)
}
return nil // Service found, do nothing
Expand All @@ -427,7 +434,7 @@ func (r *ReconcileArgoCD) reconcileServerService(cr *argoproj.ArgoCD) error {
return nil
}

ensureAutoTLSAnnotation(svc, common.ArgoCDServerTLSSecretName, cr.Spec.Server.WantsAutoTLS())
ensureAutoTLSAnnotation(r.Client, svc, common.ArgoCDServerTLSSecretName, cr.Spec.Server.WantsAutoTLS())

svc.Spec.Ports = []corev1.ServicePort{
{
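Review bot: The doc comment above `ensureAutoTLSAnnotation` (its opening sentences sit outside this hunk) still describes the old contract; the new `k8sClient` parameter and the early `return false` in the `@@ -323,6 +324,12 @@` hunk are undocumented. Suggest adding to it: `k8sClient is used to look up secretName in the service's namespace; when the annotation is absent but that secret already exists, the service is left untouched and false is returned so an existing certificate is not replaced by a Service CA request.` Note the skip only fires when the annotation is absent (`!ok`); an annotation that names a different secret still re-requests AutoTLS even if the target secret exists, which may be intended but deserves a one-line comment. The two adjacent log lines name the service as `svc.Name` and `svc.ObjectMeta.Name`; pick one.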