From abd4dadb5e68b6e32e80b73659d1bbd6c37422d3 Mon Sep 17 00:00:00 2001 From: Yuan Tang Date: Thu, 6 Oct 2022 13:12:18 -0400 Subject: [PATCH] Revert "Add --tls-certificate-secret-name parameter to server command. Fixes #5582 (#9423)" This reverts commit ff6aab34ecbb5c0de26e36108cd1201c1e1ae2f5. --- Makefile | 3 --- README.md | 1 - cmd/argo/commands/server.go | 7 +++---- docs/cli/argo_server.md | 1 - .../argo-server/argo-server-certificate.yaml | 20 ------------------ .../argo-server/argo-server-deployment.yaml | 4 +--- manifests/base/argo-server/kustomization.yaml | 1 - manifests/quick-start-minimal.yaml | 21 ------------------- manifests/quick-start-mysql.yaml | 21 ------------------- manifests/quick-start-postgres.yaml | 21 ------------------- server/apiserver/argoserver.go | 5 +---- 11 files changed, 5 insertions(+), 100 deletions(-) delete mode 100644 manifests/base/argo-server/argo-server-certificate.yaml
diff --git a/Makefile b/Makefile
index 6fe84e903c91..daa3824da53c 100644
--- a/Makefile
+++ b/Makefile
@@ -423,9 +423,6 @@ test: server/static/files.go
 .PHONY: install
 install: githooks
 kubectl get ns $(KUBE_NAMESPACE) || kubectl create ns $(KUBE_NAMESPACE)
- # install cert-manager if Certificate CRD is not available
- kubectl get ns cert-manager || kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml
- kubectl wait --for=condition=Ready pods --all --namespace cert-manager
 kubectl config set-context --current --namespace=$(KUBE_NAMESPACE)
 @echo "installing PROFILE=$(PROFILE)"
 kubectl kustomize --load-restrictor=LoadRestrictionsNone test/e2e/manifests/$(PROFILE) | sed 's|quay.io/argoproj/|$(IMAGE_NAMESPACE)/|' | sed 's/namespace: argo/namespace: $(KUBE_NAMESPACE)/' | kubectl -n $(KUBE_NAMESPACE) apply --prune -l app.kubernetes.io/part-of=argo -f -
diff --git a/README.md b/README.md
index bfce3dd34f72..3034c42f9c04 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,6 @@ The following commands install Argo Workflows as well as some commmonly used com ```bash kubectl create ns argo -kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml kubectl apply -n argo -f https://raw.githubusercontent.com/argoproj/argo-workflows/master/manifests/quick-start-postgres.yaml ```
diff --git a/cmd/argo/commands/server.go b/cmd/argo/commands/server.go
index 65b9a4b21197..bb91edc767d9 100644
--- a/cmd/argo/commands/server.go
+++ b/cmd/argo/commands/server.go
@@ -46,7 +46,7 @@ func NewServerCommand() *cobra.Command {
 baseHRef string
 secure bool
 tlsCertificateSecretName string
- hsts bool
+ htst bool
 namespaced bool // --namespaced
 managedNamespace string // --managed-namespace
 enableOpenBrowser bool
@@ -153,7 +153,7 @@ See %s`, help.ArgoServer),
 opts := apiserver.ArgoServerOpts{
 BaseHRef: baseHRef,
 TLSConfig: tlsConfig,
- HSTS: hsts,
+ HSTS: htst,
 Namespaced: namespaced,
 Namespace: namespace,
 Clients: clients,
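Review bot: The `--hsts` option is backed by a local spelled `htst` in the new code, at the declaration in the hunk at -46 and again in the hunks at -153 (`HSTS: htst,`) and -217 (`BoolVar(&htst, "hsts", ...)`), so the identifier no longer matches the flag or the `HSTS` field it feeds. This variable decides whether the transport-security header is enabled, and a name that does not grep as `hsts` makes that setting harder to audit. I would keep `hsts bool`, `HSTS: hsts,` and `command.Flags().BoolVar(&hsts, "hsts", true, ...)` even though the rest of the commit is being reverted. `NewServerCommand` starts and ends outside these hunks.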
@@ -217,8 +217,7 @@ See %s`, help.ArgoServer),
 command.Flags().StringVar(&baseHRef, "basehref", defaultBaseHRef, "Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. Defaults to the environment variable BASE_HREF.")
 // "-e" for encrypt, like zip
 command.Flags().BoolVarP(&secure, "secure", "e", true, "Whether or not we should listen on TLS.")
- command.Flags().StringVar(&tlsCertificateSecretName, "tls-certificate-secret-name", "", "The name of a Kubernetes secret that contains the server certificates")
- command.Flags().BoolVar(&hsts, "hsts", true, "Whether or not we should add a HTTP Secure Transport Security header. This only has effect if secure is enabled.")
+ command.Flags().BoolVar(&htst, "hsts", true, "Whether or not we should add a HTTP Secure Transport Security header. This only has effect if secure is enabled.")
 command.Flags().StringArrayVar(&authModes, "auth-mode", []string{"client"}, "API server authentication mode. Any 1 or more length permutation of: client,server,sso")
 command.Flags().StringVar(&configMap, "configmap", common.ConfigMapName, "Name of K8s configmap to retrieve workflow controller configuration")
 command.Flags().BoolVar(&namespaced, "namespaced", false, "run as namespaced mode")
diff --git a/docs/cli/argo_server.md b/docs/cli/argo_server.md
index 38d8af1ec80d..562133e1e66d 100644
--- a/docs/cli/argo_server.md
+++ b/docs/cli/argo_server.md
@@ -32,7 +32,6 @@ See https://argoproj.github.io/argo-workflows/argo-server/ --managed-namespace string namespace that watches, default to the installation namespace --namespaced run as namespaced mode -p, --port int Port to listen on (default 2746) - --tls-certificate-secret-name string The name of a Kubernetes secret that contains the server certificates --x-frame-options string Set X-Frame-Options header in HTTP responses. (default "DENY") ```
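Review bot: Removing the `StringVar(&tlsCertificateSecretName, "tls-certificate-secret-name", ...)` binding in the hunk at -217 leaves `tlsCertificateSecretName string` still declared in the hunk at -46, where it is a context line rather than a removal. If code between the hunks still reads it (not visible here), that code can now only see the empty string, so the secret-based certificate path becomes unreachable without any message to the operator; if nothing reads it, the declaration should be removed as well. I would either drop the declaration in this commit or annotate it with `// never set: the --tls-certificate-secret-name flag was reverted`. Separately, the help text on the added `--hsts` line says "HTTP Secure Transport Security", while the header is HTTP Strict Transport Security. The flag registration block continues outside the hunk.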
diff --git a/manifests/base/argo-server/argo-server-certificate.yaml b/manifests/base/argo-server/argo-server-certificate.yaml
deleted file mode 100644
index 489e57bdf883..000000000000
--- a/manifests/base/argo-server/argo-server-certificate.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: argo-workflows-issuer
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: argo-server-cert
-spec:
- dnsNames:
- - argo-server.argo.svc.cluster.local
- - argo-server.argo.svc
- - argo-server
- issuerRef:
- kind: Issuer
- name: argo-workflows-issuer
- secretName: argo-server-tls
diff --git a/manifests/base/argo-server/argo-server-deployment.yaml b/manifests/base/argo-server/argo-server-deployment.yaml
index 52687d4d1ecd..e3672fbe16a2 100644
--- a/manifests/base/argo-server/argo-server-deployment.yaml
+++ b/manifests/base/argo-server/argo-server-deployment.yaml
@@ -22,9 +22,7 @@ spec:
 capabilities:
 drop:
 - ALL
- args:
- - server
- - --tls-certificate-secret-name=argo-server-tls
+ args: [ server ]
 env: []
 ports:
 - name: web
diff --git a/manifests/base/argo-server/kustomization.yaml b/manifests/base/argo-server/kustomization.yaml
index 3a7ed2e7d2b7..3817bd729b12 100644
--- a/manifests/base/argo-server/kustomization.yaml
+++ b/manifests/base/argo-server/kustomization.yaml
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- argo-server-certificate.yaml - argo-server-deployment.yaml - argo-server-sa.yaml - argo-server-service.yaml
diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml
index 459165e5a3ea..5fe8a45864e5 100644
--- a/manifests/quick-start-minimal.yaml
+++ b/manifests/quick-start-minimal.yaml
@@ -1809,24 +1809,3 @@ spec: securityContext: runAsNonRoot: true serviceAccountName: argo ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: argo-server-cert -spec: - dnsNames: - - argo-server.argo.svc.cluster.local - - argo-server.argo.svc - - argo-server - issuerRef: - kind: Issuer - name: argo-workflows-issuer - secretName: argo-server-tls ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: argo-workflows-issuer -spec: - selfSigned: {} diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index bbf2466ac368..37f7d52299b1 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml @@ -1898,24 +1898,3 @@ spec: securityContext: runAsNonRoot: true serviceAccountName: argo ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: argo-server-cert -spec: - dnsNames: - - argo-server.argo.svc.cluster.local - - argo-server.argo.svc - - argo-server - issuerRef: - kind: Issuer - name: argo-workflows-issuer - secretName: argo-server-tls ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: argo-workflows-issuer -spec: - selfSigned: {} diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index 5790197e15de..97ac6c6ff1de 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml @@ -1890,24 +1890,3 @@ spec: securityContext: runAsNonRoot: true serviceAccountName: argo ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: argo-server-cert -spec: - dnsNames: - - argo-server.argo.svc.cluster.local - - argo-server.argo.svc - - argo-server - issuerRef: - kind: Issuer - name: argo-workflows-issuer - secretName: argo-server-tls ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: argo-workflows-issuer -spec: - selfSigned: {} diff --git a/server/apiserver/argoserver.go b/server/apiserver/argoserver.go index c7d90a021eb6..4d79ac50a6ae 100644 
--- a/server/apiserver/argoserver.go
+++ b/server/apiserver/argoserver.go
@@ -334,10 +334,7 @@ func (as *argoServer) newHTTPServer(ctx context.Context, port int, artifactServe
 grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(MaxGRPCMessageSize)),
 }
 if as.tlsConfig != nil {
- tlsConfig := as.tlsConfig
- tlsConfig.InsecureSkipVerify = true
- dCreds := credentials.NewTLS(tlsConfig)
- dialOpts = append(dialOpts, grpc.WithTransportCredentials(dCreds))
+ dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(as.tlsConfig)))
 } else {
 dialOpts = append(dialOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
 }
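Review bot: The client credentials for the gateway's dial in the `if as.tlsConfig != nil` branch are now taken straight from the server's own `as.tlsConfig`, so whether that connection verifies the peer certificate is decided by fields (`InsecureSkipVerify`, `RootCAs`, `ServerName`) set wherever the config is built, which is outside this hunk. If verification is on and the certificate is self-signed or carries no SAN for the dial address, the handshake fails; if it is off, nothing at this call site says so. I would state the intent in a comment above the append, for example `// loopback dial to our own listener; peer verification follows as.tlsConfig as built by the caller`, and cover the TLS-enabled gateway path with a test. `newHTTPServer` starts and ends outside the hunk.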