DevFW-CICD/argocd-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(argo-cd): Enable Redis authentication in the default installation (#2705)

Browse source
This commit is contained in:
Marco Maurer (-Kilchhofer) 2024-05-21 18:36:32 +02:00 committed by GitHub
parent f9eb0b394c
commit fcee9a6046
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 352 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

19
charts/argo-cd/templates/_helpers.tpl
View file

@ -86,6 +86,25 @@ Create the name of the redis service account to use
{{- end -}}
{{- end -}}
{{/*
Create Redis secret-init name
*/}}
{{- define "argo-cd.redisSecretInit.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.redisSecretInit.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the Redis secret-init service account to use
*/}}
{{- define "argo-cd.redisSecretInit.serviceAccountName" -}}
{{- if .Values.redisSecretInit.serviceAccount.create -}}
{{ default (include "argo-cd.redisSecretInit.fullname" .) .Values.redis.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.redisSecretInit.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create argocd server name and version as used by the chart label.
*/}}

8
charts/argo-cd/templates/argocd-application-controller/deployment.yaml
View file

@ -199,15 +199,19 @@ spec:
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:

8
charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
View file

@ -198,15 +198,19 @@ spec:
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:

2
charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml
View file

@ -2,7 +2,7 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "argo-cd.redis.fullname" . }}
name: argocd-redis
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}

8
charts/argo-cd/templates/argocd-repo-server/deployment.yaml
View file

@ -175,15 +175,19 @@ spec:
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:

8
charts/argo-cd/templates/argocd-server/deployment.yaml
View file

@ -243,15 +243,19 @@ spec:
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:

54
charts/argo-cd/templates/redis-secret-init/job.yaml Normal file
View file

@ -0,0 +1,54 @@
{{- if not .Values.externalRedis.host }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "argo-cd.redisSecretInit.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
{{- range $key, $value := .Values.redisSecretInit.jobAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }}
spec:
template:
metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.redisSecretInit.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.redisSecretInit.podAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{ toYaml . | nindent 8 }}
{{- end }}
containers:
- command:
- argocd
- admin
- redis-initial-password
image: {{ default .Values.global.image.repository .Values.redisSecretInit.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.redisSecretInit.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redisSecretInit.image.imagePullPolicy }}
name: secret-init
resources:
{{- toYaml .Values.redisSecretInit.resources | nindent 10 }}
{{- with .Values.redisSecretInit.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.redisSecretInit.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }}
{{- end }}

27
charts/argo-cd/templates/redis-secret-init/role.yaml Normal file
View file

@ -0,0 +1,27 @@
{{- if not .Values.externalRedis.host }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }}
name: {{ include "argo-cd.redisSecretInit.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- argocd-redis
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
{{- end }}

19
charts/argo-cd/templates/redis-secret-init/rolebinding.yaml Normal file
View file

@ -0,0 +1,19 @@
{{- if not .Values.externalRedis.host }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }}
name: {{ include "argo-cd.redisSecretInit.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "argo-cd.redisSecretInit.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }}
{{- end }}

16
charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml Normal file
View file

@ -0,0 +1,16 @@
{{- if not .Values.externalRedis.host }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.redisSecretInit.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
{{- range $key, $value := .Values.redisSecretInit.serviceAccount.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }}
{{- end }}

8
charts/argo-cd/templates/redis/deployment.yaml
View file

@ -65,8 +65,14 @@ spec:
- ""
- --appendonly
- "no"
{{- with (concat .Values.global.env .Values.redis.env) }}
- --requirepass $(REDIS_PASSWORD)
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: argocd-redis
key: auth
{{- with (concat .Values.global.env .Values.redis.env) }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.redis.envFrom }}

2
charts/argo-cd/templates/redis/health-configmap.yaml
View file

@ -11,6 +11,7 @@ data:
redis_liveness.sh: |
response=$(
redis-cli \
-a "${REDIS_PASSWORD}" --no-auth-warning \
-h localhost \
-p {{ .Values.redis.containerPorts.redis }} \
ping
@ -23,6 +24,7 @@ data:
redis_readiness.sh: |
response=$(
redis-cli \
-a "${REDIS_PASSWORD}" --no-auth-warning \
-h localhost \
-p {{ .Values.redis.containerPorts.redis }} \
ping