DevFW-CICD/argocd-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(argo-cd): Enable Redis authentication in the default installation (#2705)

Browse source
This commit is contained in:
Marco Maurer (-Kilchhofer) 2024-05-21 18:36:32 +02:00 committed by GitHub
parent f9eb0b394c
commit fcee9a6046
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 352 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

48
charts/argo-cd/README.md.gotmpl
View file

@ -278,6 +278,39 @@ For full list of changes please check ArtifactHub [changelog].
Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
### 6.10.0
This version introduces authentication for Redis to mitigate GHSA-9766-5277-j5hr.
#### How to rotate Redis secret?
Upstream steps in the [FAQ] are not enough, since we chose a different approach.
(We use a Kubernetes Job with [Chart Hooks] to create the auth secret `argocd-redis`.)
Steps to roteate the secret when using the helm chart (bold step is additional to upstream):
* Delete `argocd-redis` secret in the namespace where Argo CD is installed.
```bash
kubectl delete secret argocd-redis -n <argocd namesapce>
```
* **Perform a helm upgrade**
```bash
helm upgrade argocd argo/argo-cd --reuse-values --wait
```
* If you are running Redis in HA mode, restart Redis in HA.
```bash
kubectl rollout restart deployment argocd-redis-ha-haproxy
kubectl rollout restart statefulset argocd-redis-ha-server
```
* If you are running Redis in non-HA mode, restart Redis.
```bash
kubectl rollout restart deployment argocd-redis
```
* Restart other components.
```bash
kubectl rollout restart deployment argocd-server argocd-repo-server
kubectl rollout restart statefulset argocd-application-controller
```
### 6.9.0
ApplicationSet controller is always created to follow [upstream's manifest](https://github.com/argoproj/argo-cd/blob/v2.11.0/manifests/core-install/kustomization.yaml#L9).
@ -722,6 +755,19 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
{{- end }}
{{- end }}
### Redis secret-init
The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
If you use an External Redis (See Option 3 above), this Job is not deployed.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if hasPrefix "redisSecretInit" .Key }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
## ApplicationSet
| Key | Type | Default | Description |
@ -750,8 +796,10 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/
[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
[CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/
[changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog
[Chart Hooks]: https://helm.sh/docs/topics/charts_hooks/
[DNS configuration]: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
[external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters
[FAQ]: https://argo-cd.readthedocs.io/en/stable/faq/
[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
[declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
[gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/