Add --tls-certificate-secret-name parameter to server command. Fixes #5582
#9423
Conversation
chtcvl
force-pushed
the
add-tls-certificate-secret-name-key
branch
3 times, most recently
from
d2e0dd4 to
8bae7c5
Compare
| issuerRef: | ||
| kind: Issuer | ||
| name: argo-workflows-issuer | ||
| secretName: argo-server-tls |
There was a problem hiding this comment.
Did you intend for this to be deployed as part of installing our manifests? I see manifests/base/argo-server/kustomization.yaml calls out the yaml files in this directory. Should we add it to that?
There was a problem hiding this comment.
Thanks, added to manifests/base/argo-server/kustomization.yaml.
Yes, intend to install as part manifests, since certificate from Certificate resource is persistent compared to one argo-server generates itself. This way user will only need to set up trust once.
This |
chtcvl
force-pushed
the
add-tls-certificate-secret-name-key
branch
from
8bae7c5 to
dbbc822
Compare
Oh, I see… |
Great. As far as I can tell, that will propagate into all of the various manifests. You'll need to run "make codegen -B STATIC_FILES=false" and "git diff" and check in whatever changed (which you can see here). |
chtcvl
force-pushed
the
add-tls-certificate-secret-name-key
branch
from
dbbc822 to
2858919
Compare
chtcvl
force-pushed
the
add-tls-certificate-secret-name-key
branch
from
fe9c125 to
c065a95
Compare
chtcvl
force-pushed
the
add-tls-certificate-secret-name-key
branch
2 times, most recently
from
5132b89 to
c5b73e1
Compare
|
@sarabala1979 @terrytangyuan Are either of you able to review and merge this PR? |
|
I am not familiar with this. Maybe @alexec @sarabala1979? |
| @@ -334,7 +334,10 @@ func (as *argoServer) newHTTPServer(ctx context.Context, port int, artifactServe | |||
| grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(MaxGRPCMessageSize)), | |||
| } | |||
| if as.tlsConfig != nil { | |||
| dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(as.tlsConfig))) | |||
| tlsConfig := as.tlsConfig | |||
| tlsConfig.InsecureSkipVerify = true | |||
There was a problem hiding this comment.
@chtcvl Do you need to make InsecureSkipVerify=true for all cases? Can you make as command line arg and configure in tsConfig?
There was a problem hiding this comment.
Right now gRPC server explicitly runs on localhost (
argo-workflows/server/apiserver/argoserver.go
Line 260 in 769896e
https://localhost. For grpc-gateway to access gRPC server it has some options:1 . set
InsecureSkipVerify=true (not really a concern as this is communication between two goroutines in the same app) - let grpc-gateway trust gRPC server running on localhost.2. have certificate Subject Alternate Name include
localhost - this is not supported by publicly trusted certificates.3. serve on https://realdomain... for which certificate is issued instead of localhost.
This being said, adding new option for InsecureSkipVerify=false can lead to confusion as option will only be usable in pt.3 which is not supported by current code.
There was a problem hiding this comment.
Thanks for your response. LGTM @alexec Can you quickly take a look? if I am missing anything.
chtcvl
force-pushed
the
add-tls-certificate-secret-name-key
branch
from
c5b73e1 to
69f759c
Compare
Signed-off-by: vladimir.ivanov <[email protected]>
chtcvl
force-pushed
the
add-tls-certificate-secret-name-key
branch
from
69f759c to
c642000
Compare
…rgoproj#5582 (argoproj#9423) fix: Add --tls-certificate-secret-name parameter to server command Signed-off-by: vladimir.ivanov <[email protected]> Signed-off-by: vladimir.ivanov <[email protected]> Signed-off-by: yangxue.chen <[email protected]>
|
Hi, This PR enforces users of the manifests to have the cert-manger CRD's installed. Is this the intention? To use the new manifests (while happy with a self signed cert). Had to add the following to kustomize: patchesStrategicMerge:
- |-
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: argo-workflows-issuer
$patch: delete
- |-
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: argo-server-cert
$patch: delete |
This was a huge issue for me as well. |
…rgoproj#5582 (argoproj#9423) fix: Add --tls-certificate-secret-name parameter to server command Signed-off-by: vladimir.ivanov <[email protected]> Signed-off-by: vladimir.ivanov <[email protected]> Signed-off-by: juchao <[email protected]>
agilgur5
changed the title
--tls-certificate-secret-name parameter to server command. Fixes #5582
Signed-off-by: vladimir ivanov [email protected]
Fixes #5582
Add
--tls-certificate-secret-nameparameter to server command.Since server runs on
localhost:2746, get an error in the UI "certificate is valid for ... not for localhost". Therefore the merge request setInsecureSkipVerifyonTLSconfigfor grpc client on the gateway.Tested to to work with secret provided by cert-manager (added to manifests).