fix(argo-cd): Enable Redis authentication in the default installation (#2705)
This commit is contained in:
parent
f9eb0b394c
commit
fcee9a6046
16 changed files with 352 additions and 14 deletions
@ -278,6 +278,39 @@ For full list of changes please check ArtifactHub [changelog].

Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.

### 6.10.0

This version introduces authentication for Redis to mitigate GHSA-9766-5277-j5hr.

#### How to rotate Redis secret?

Upstream steps in the [FAQ] are not enough, since we chose a different approach.
(We use a Kubernetes Job with [Chart Hooks] to create the auth secret `argocd-redis`.)

Steps to roteate the secret when using the helm chart (bold step is additional to upstream):
* Delete `argocd-redis` secret in the namespace where Argo CD is installed.
```bash
kubectl delete secret argocd-redis -n <argocd namesapce>
```
* **Perform a helm upgrade**
```bash
helm upgrade argocd argo/argo-cd --reuse-values --wait
```
* If you are running Redis in HA mode, restart Redis in HA.
```bash
kubectl rollout restart deployment argocd-redis-ha-haproxy
kubectl rollout restart statefulset argocd-redis-ha-server
```
* If you are running Redis in non-HA mode, restart Redis.
```bash
kubectl rollout restart deployment argocd-redis
```
* Restart other components.
```bash
kubectl rollout restart deployment argocd-server argocd-repo-server
kubectl rollout restart statefulset argocd-application-controller
```

### 6.9.0
ApplicationSet controller is always created to follow [upstream's manifest](https://github.com/argoproj/argo-cd/blob/v2.11.0/manifests/core-install/kustomization.yaml#L9).

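Review bot: two typos in the rotation steps: "roteate" in "Steps to roteate the secret" should read "rotate", and the placeholder in `kubectl delete secret argocd-redis -n <argocd namesapce>` should read `<argocd namespace>`. The `kubectl rollout restart` commands that follow also omit the `-n` flag the delete command uses; either add `-n <argocd namespace>` to each of them or state once that the commands assume the current kubeconfig context already points at the Argo CD namespace, otherwise a user pasting the steps verbatim restarts workloads in the wrong namespace (or none). The `helm upgrade argocd argo/argo-cd` line likewise assumes the release name `argocd` and the repo alias `argo`; a short "adjust to your release name" remark would avoid surprises. It is worth saying explicitly that the order of the steps matters: Redis is restarted before the server, repo-server and application-controller so that those components come back up against a Redis that already holds the password from the regenerated `argocd-redis` secret.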
@ -1271,8 +1304,10 @@ The main options are listed here:
|-----|------|---------|-------------|
| redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. |
| redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. |
| redis-ha.auth | bool | `true` | Configures redis-ha with AUTH |
| redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context |
| redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment |
| redis-ha.existingSecret | string | `"argocd-redis"` | Existing Secret to use for redis-ha authentication. By default the redis-secret-init Job is generating this Secret. |
| redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar |
| redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter |
| redis-ha.exporter.tag | string | `"1.58.0"` | Tag to use for the redis-exporter |

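Review bot: the `redis-ha.existingSecret` row should name the key the Secret must carry; the "Redis secret-init" section added in this same change says the password is stored under key `auth`, and a user who supplies their own Secret needs that detail here to build it correctly. The same description reads better as "By default the redis-secret-init Job generates this Secret." For `redis-ha.auth`, "Configures redis-ha with AUTH" could add that setting it to `false` returns the HA deployment to the unauthenticated Redis that GHSA-9766-5277-j5hr (cited in the upgrade notes) is about, so the security consequence of flipping the new default is visible right in the values table rather than only in the changelog.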
@ -1316,6 +1351,29 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| externalRedis.secretAnnotations | object | `{}` | External Redis Secret annotations |
| externalRedis.username | string | `""` | External Redis username |

### Redis secret-init

The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
If you use an External Redis (See Option 3 above), this Job is not deployed.

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| redisSecretInit.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context |
| redisSecretInit.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the Redis secret-init Job |
| redisSecretInit.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the Redis secret-init Job |
| redisSecretInit.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Redis secret-init Job |
| redisSecretInit.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| redisSecretInit.jobAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job |
| redisSecretInit.name | string | `"redis-secret-init"` | Redis secret-init name |
| redisSecretInit.podAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job |
| redisSecretInit.podLabels | object | `{}` | Labels to be added to the Redis secret-init Job |
| redisSecretInit.resources | object | `{}` | Resource limits and requests for Redis secret-init Job |
| redisSecretInit.securityContext | object | `{}` | Redis secret-init Job pod-level security context |
| redisSecretInit.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| redisSecretInit.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| redisSecretInit.serviceAccount.create | bool | `true` | Create a service account for the redis pod |
| redisSecretInit.serviceAccount.name | string | `""` | Service account name for redis pod |

## ApplicationSet

| Key | Type | Default | Description |

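Review bot: several descriptions in the new `redisSecretInit.*` table are copy-paste leftovers and should be corrected before merge: `redisSecretInit.containerSecurityContext` is described as "Application controller container-level security context" and should read "Redis secret-init Job container-level security context"; `redisSecretInit.serviceAccount.create` and `redisSecretInit.serviceAccount.name` say "for the redis pod" but the service account belongs to the secret-init Job; and `redisSecretInit.podAnnotations` / `redisSecretInit.podLabels` land on the Job's pods, not on the Job itself (that is what `redisSecretInit.jobAnnotations` is for), so "Annotations to be added to the Redis secret-init Job pods" and "Labels to be added to the Redis secret-init Job pods" would be accurate. In the section text, "to setup a random password which is used to secure the Redis" reads better as "to set up a random password used to secure Redis", and "(See Option 3 above)" should use lowercase "see". Because this Job writes the Secret through the Kubernetes API (which is why `automountServiceAccountToken` defaults to `true` here), the section would benefit from one sentence naming the RBAC granted to the Job's service account, so a reviewer can confirm it is scoped to the single `argocd-redis` Secret rather than to Secrets namespace-wide.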
@ -1507,8 +1565,10 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/
[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
[CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/
[changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog
[Chart Hooks]: https://helm.sh/docs/topics/charts_hooks/
[DNS configuration]: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
[external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters
[FAQ]: https://argo-cd.readthedocs.io/en/stable/faq/
[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
[declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
[gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
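Review bot: the new `[FAQ]` reference links to the top of the upstream FAQ, yet the 6.10.0 upgrade note cites it specifically for the Redis secret rotation steps; if the upstream page exposes a stable anchor for that section, pointing the reference at it would spare readers a search through the whole FAQ. Both new entries (`[Chart Hooks]`, `[FAQ]`) respect the list's existing case-insensitive alphabetical order, so nothing else needs changing in this hunk.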