From 72f78009e384afc05485b047fff3d2b77cd59c35 Mon Sep 17 00:00:00 2001 From: Marco Maurer Date: Tue, 30 Apr 2024 23:00:29 +0200 Subject: [PATCH 01/10] fix: Initial implementation for non-HA redis Signed-off-by: Marco Maurer --- .../deployment.yaml | 9 +++-- .../statefulset.yaml | 9 +++-- .../argocd-configs/externalredis-secret.yaml | 2 +- .../argocd-repo-server/deployment.yaml | 9 +++-- .../templates/argocd-server/deployment.yaml | 9 +++-- .../argo-cd/templates/redis/deployment.yaml | 37 ++++++++++++++++++- charts/argo-cd/templates/redis/role.yaml | 21 +++++++++++ .../argo-cd/templates/redis/rolebinding.yaml | 13 +++++++ 8 files changed, 94 insertions(+), 15 deletions(-) create mode 100644 charts/argo-cd/templates/redis/role.yaml create mode 100644 charts/argo-cd/templates/redis/rolebinding.yaml diff --git a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml index dc26a8dbe..4308d5caf 100644 --- a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml @@ -199,15 +199,18 @@ spec: - name: REDIS_USERNAME valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} key: redis-username optional: true - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} + {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }} key: redis-password - optional: true + {{- else }} + key: auth + {{- end }} - name: ARGOCD_DEFAULT_CACHE_EXPIRATION valueFrom: configMapKeyRef: 
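Review bot: The Secret name at both `secretKeyRef` blocks becomes the literal `"argocd-redis"` instead of `include "argo-cd.redis.fullname"`, so it no longer follows the release/fullname and only works because the secret-init step introduced by this series writes a Secret of exactly that name; a comment on the `name:` line such as `# "argocd-redis" is the fixed name written by 'argocd admin redis-initial-password'` would stop a later refactor from re-templating it. The same literal is repeated in the statefulset, repo-server and server hunks and in externalredis-secret.yaml; a single helper or value referenced from all five templates keeps them in sync. Dropping `optional: true` on the `redis-password` branch makes the pods fail closed when the Secret is absent, which is the right direction, but an external Redis configured with `host` only (no `password`, no `existingSecret`) now renders key `auth`, which such a Secret will not carry. The enclosing container spec starts and ends outside the hunk.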
diff --git a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml index 208f358fe..3c50f7c7c 100644 --- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml @@ -198,15 +198,18 @@ spec: - name: REDIS_USERNAME valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} key: redis-username optional: true - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} + {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }} key: redis-password - optional: true + {{- else }} + key: auth + {{- end }} - name: ARGOCD_DEFAULT_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml b/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml index 9bfcd9836..23891b157 100644 --- a/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml +++ b/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: - name: {{ include "argo-cd.redis.fullname" . }} + name: argocd-redis namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }} diff --git a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml index cb1dbf85c..46ef3817c 100755 --- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml 
@@ -179,15 +179,18 @@ spec: - name: REDIS_USERNAME valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} key: redis-username optional: true - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} + {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }} key: redis-password - optional: true + {{- else }} + key: auth + {{- end }} - name: ARGOCD_DEFAULT_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/charts/argo-cd/templates/argocd-server/deployment.yaml b/charts/argo-cd/templates/argocd-server/deployment.yaml index dee9cf43f..408c461fe 100755 --- a/charts/argo-cd/templates/argocd-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-server/deployment.yaml @@ -243,15 +243,18 @@ spec: - name: REDIS_USERNAME valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} key: redis-username optional: true - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} + {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }} key: redis-password - optional: true + {{- else }} + key: auth + {{- end }} - name: ARGOCD_DEFAULT_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml index 56ceae93f..3a7be5310 100755 --- a/charts/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo-cd/templates/redis/deployment.yaml 
@@ -65,8 +65,18 @@ spec: - "" - --appendonly - "no" - {{- with (concat .Values.global.env .Values.redis.env) }} + - --requirepass $(REDIS_PASSWORD) env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: argocd-redis + {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }} + key: redis-password + {{- else }} + key: auth + {{- end }} + {{- with (concat .Values.global.env .Values.redis.env) }} {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.redis.envFrom }} @@ -163,9 +173,32 @@ spec: {{- with .Values.redis.extraContainers }} {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} - {{- with .Values.redis.initContainers }} + {{- if or .Values.redis.initContainers (not .Values.externalRedis.password) (not .Values.externalRedis.existingSecret) }} initContainers: + {{- if or (not .Values.externalRedis.password) (not .Values.externalRedis.existingSecret) }} + - command: + - argocd + - admin + - redis-initial-password + # image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.server.image.tag }} + image: argocd:GHSA-9766-5277-j5hr + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redis.image.imagePullPolicy }} + name: secret-init + resources: + {{- toYaml .Values.redis.resources | nindent 10 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- with .Values.redis.initContainers }} {{- tpl (toYaml .) $ | nindent 6 }} + {{- end }} {{- end }} {{- with .Values.redis.nodeSelector | default .Values.global.nodeSelector }} nodeSelector: diff --git a/charts/argo-cd/templates/redis/role.yaml b/charts/argo-cd/templates/redis/role.yaml new file mode 100644 index 000000000..35ef6a5cd --- /dev/null +++ b/charts/argo-cd/templates/redis/role.yaml 
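Review bot: Once `--requirepass $(REDIS_PASSWORD)` is in effect, the liveness and readiness scripts in redis/health-configmap.yaml still run `redis-cli ... ping` without AUTH (their context lines are visible in patch 03 further down this page), so Redis answers NOAUTH instead of PONG and the pod never becomes ready; the probe change belongs in the same commit as this one. Expanding the password into argv also makes it readable from the process list inside the container; upstream manifests accept that trade-off, but a one-line comment above the flag, `# password is expanded into argv by the kubelet; visible to any process in the container`, should record it. Making `env:` unconditional is correct, since the previous `with` wrapper omitted the key entirely when no extra env was set. The Redis container spec starts before the hunk.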
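Review bot: The guard `or .Values.redis.initContainers (not .Values.externalRedis.password) (not .Values.externalRedis.existingSecret)` and the inner `or (not ...password) (not ...existingSecret)` are true unless both values are set, so the secret-init container also runs when a user supplies only `externalRedis.password` or only `existingSecret`; the intended condition is `not (or .Values.externalRedis.password .Values.externalRedis.existingSecret)`. `image: argocd:GHSA-9766-5277-j5hr` with the real image line commented out is a development placeholder that must not be merged, and it recurs in the job.yaml hunks of patches 02 and 04 on this page. Reusing `.Values.redis.resources` and `.Values.redis.image.imagePullPolicy` for this container ties its limits to the Redis server's; a dedicated values stanza would be clearer. The initContainers block sits inside the Redis Deployment, whose pod spec starts before the hunk.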
@@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} + name: {{ include "argo-cd.redis.fullname" . }} +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - argocd-redis + verbs: + - get + - apiGroups: + - "" + resources: + - secrets + verbs: + - create diff --git a/charts/argo-cd/templates/redis/rolebinding.yaml b/charts/argo-cd/templates/redis/rolebinding.yaml new file mode 100644 index 000000000..ee2923418 --- /dev/null +++ b/charts/argo-cd/templates/redis/rolebinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} + name: {{ include "argo-cd.redis.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "argo-cd.redis.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "argo-cd.redis.serviceAccountName" . }} From edaad735ef0b0c2a9b3c0a31ec5b14aaf8561671 Mon Sep 17 00:00:00 2001 From: Marco Maurer Date: Wed, 1 May 2024 17:39:15 +0200 Subject: [PATCH 02/10] chore: Rework as a Kubernetes Job (use ingress-nginx/cert-manager approach) 
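Review bot: The RoleBinding in the second new file grants this Role to the Redis server's own ServiceAccount (`argo-cd.redis.serviceAccountName`), so the long-running, network-reachable Redis pod permanently holds a token able to create Secrets; `resourceNames` cannot constrain `create`, so the second rule is effectively namespace-wide. Binding the Role to a dedicated identity that exists only for the init step, and keeping `automountServiceAccountToken: false` on the Redis pod, limits the blast radius. A comment on the second rule, `# create cannot be scoped by resourceNames; keep this binding off the redis server SA`, would document the limitation. Neither new object sets `namespace:`, unlike externalredis-secret.yaml in this same patch which uses `{{ .Release.Namespace | quote }}`.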
Signed-off-by: Marco Maurer --- .../templates/redis-secret-init/job.yaml | 44 +++++++++++++++++++ .../{redis => redis-secret-init}/role.yaml | 6 +++ .../rolebinding.yaml | 6 +++ .../redis-secret-init/serviceaccount.yaml | 16 +++++++ .../argo-cd/templates/redis/deployment.yaml | 25 +---------- charts/argo-cd/values.yaml | 15 +++++++ 6 files changed, 88 insertions(+), 24 deletions(-) create mode 100644 charts/argo-cd/templates/redis-secret-init/job.yaml rename charts/argo-cd/templates/{redis => redis-secret-init}/role.yaml (68%) rename charts/argo-cd/templates/{redis => redis-secret-init}/rolebinding.yaml (68%) create mode 100644 charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml diff --git a/charts/argo-cd/templates/redis-secret-init/job.yaml b/charts/argo-cd/templates/redis-secret-init/job.yaml new file mode 100644 index 000000000..623481a4a --- /dev/null +++ b/charts/argo-cd/templates/redis-secret-init/job.yaml 
@@ -0,0 +1,44 @@ +{{- if .Values.redisSecretInit.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "argo-cd.redis.fullname" . }}-secretgen + namespace: {{ .Release.Namespace | quote }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} +spec: + template: + metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - command: + - argocd + - admin + - redis-initial-password + # image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.server.image.tag }} + image: argocd:GHSA-9766-5277-j5hr + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redis.image.imagePullPolicy }} + name: secret-init + resources: + {{- toYaml .Values.redis.resources | nindent 10 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + restartPolicy: OnFailure + serviceAccountName: {{ include "argo-cd.redis.serviceAccountName" . }} +{{- end }} diff --git a/charts/argo-cd/templates/redis/role.yaml b/charts/argo-cd/templates/redis-secret-init/role.yaml similarity index 68% rename from charts/argo-cd/templates/redis/role.yaml rename to charts/argo-cd/templates/redis-secret-init/role.yaml index 35ef6a5cd..1abfd060e 100644 --- a/charts/argo-cd/templates/redis/role.yaml +++ b/charts/argo-cd/templates/redis-secret-init/role.yaml 
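Review bot: The Job's pod spec does not set `automountServiceAccountToken`, so whether `argocd admin redis-initial-password` receives an API token depends on the ServiceAccount's setting, which this commit's values.yaml defaults to `false` (values hunk later on this page); add `automountServiceAccountToken: true` next to `serviceAccountName:` so the Job does not depend on the SA default. There is no `backoffLimit` or `activeDeadlineSeconds`, so a failing container retries until Helm's hook timeout; `backoffLimit: 3` is a reasonable bound. `{{ toYaml . | nindent 8 }}` under `imagePullSecrets:` lacks the leading dash used elsewhere in the chart (`{{- toYaml . | nindent 8 }}`) and leaves a whitespace-only line in the rendered output. The placeholder `image: argocd:GHSA-9766-5277-j5hr` is carried over unchanged.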
@@ -1,9 +1,14 @@ +{{- if .Values.redisSecretInit.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} name: {{ include "argo-cd.redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} rules: - apiGroups: - "" @@ -19,3 +24,4 @@ rules: - secrets verbs: - create +{{- end }} diff --git a/charts/argo-cd/templates/redis/rolebinding.yaml b/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml similarity index 68% rename from charts/argo-cd/templates/redis/rolebinding.yaml rename to charts/argo-cd/templates/redis-secret-init/rolebinding.yaml index ee2923418..2f4a6e7b3 100644 --- a/charts/argo-cd/templates/redis/rolebinding.yaml +++ b/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml @@ -1,9 +1,14 @@ +{{- if .Values.redisSecretInit.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} name: {{ include "argo-cd.redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,3 +16,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "argo-cd.redis.serviceAccountName" . }} +{{- end }} diff --git a/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml b/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml new file mode 100644 index 000000000..26d9bf95d --- /dev/null +++ b/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml 
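Review bot: `"helm.sh/hook-delete-policy": before-hook-creation` on the Role, on the RoleBinding in the next hunk and on the ServiceAccount in serviceaccount.yaml keeps a `secrets:create`-capable identity in the namespace from one upgrade to the next, although it is only needed while the Job runs; `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` removes them once the hook phase completes, which I believe is also what the ingress-nginx job-patch templates cited in the commit subject do. Helm applies hook-succeeded deletion only after every hook in the phase has succeeded, so the Job still holds its permissions while it runs. None of the four hook objects has a `helm.sh/hook-weight`, so their ordering rests on Helm's kind-based sort; an explicit weight (for instance `"helm.sh/hook-weight": "-5"` on the SA, Role and RoleBinding) makes the dependency on the Job visible.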
@@ -0,0 +1,16 @@ +{{- if and .Values.redisSecretInit.enabled .Values.redisSecretInit.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.redisSecretInit.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ include "argo-cd.redis.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation + {{- range $key, $value := .Values.redisSecretInit.serviceAccount.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} +{{- end }} diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml index 3a7be5310..a3fc24045 100755 --- a/charts/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo-cd/templates/redis/deployment.yaml 
@@ -173,32 +173,9 @@ spec: {{- with .Values.redis.extraContainers }} {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} - {{- if or .Values.redis.initContainers (not .Values.externalRedis.password) (not .Values.externalRedis.existingSecret) }} + {{- with .Values.redis.initContainers }} initContainers: - {{- if or (not .Values.externalRedis.password) (not .Values.externalRedis.existingSecret) }} - - command: - - argocd - - admin - - redis-initial-password - # image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.server.image.tag }} - image: argocd:GHSA-9766-5277-j5hr - imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redis.image.imagePullPolicy }} - name: secret-init - resources: - {{- toYaml .Values.redis.resources | nindent 10 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - {{- end }} - {{- with .Values.redis.initContainers }} {{- tpl (toYaml .) $ | nindent 6 }} - {{- end }} {{- end }} {{- with .Values.redis.nodeSelector | default .Values.global.nodeSelector }} nodeSelector: diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index e675db4eb..f18c128bd 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -1601,6 +1601,21 @@ externalRedis: # -- External Redis Secret annotations secretAnnotations: {} +redisSecretInit: + # -- Enable redis secret generator/init Job + enabled: true + + serviceAccount: + # -- Create a service account for the redis pod + create: false + # -- Service account name for redis pod + name: "" + # -- Annotations applied to created service account + annotations: {} + # -- Automount API credentials for the Service Account + automountServiceAccountToken: false + + ## Server server: # -- Argo CD server name 
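Review bot: `redisSecretInit.enabled: true` is the only gate on the Job, Role, RoleBinding and ServiceAccount in this commit, so with an external Redis configured the Job still runs and creates `argocd-redis` while the chart's own externalredis-secret.yaml (renamed to `argocd-redis` in patch 01) is rendered under the same name; either derive the gate from the externalRedis values or document that `enabled` must be switched off for external Redis. The defaults `serviceAccount.create: false` together with `automountServiceAccountToken: false` mean the Job, as templated in job.yaml on this page, has no API token and cannot create the Secret; the defaults should match what the Job needs. The descriptions `# -- Create a service account for the redis pod` and `# -- Service account name for redis pod` are copied from the redis stanza and should say "secret-init Job".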
From 3dd0e19dad53efd14ded9e02d53f9bd3267ff448 Mon Sep 17 00:00:00 2001 From: Marco Maurer Date: Wed, 1 May 2024 18:49:10 +0200 Subject: [PATCH 03/10] fix: Implement redis probes (add auth) Signed-off-by: Marco Maurer --- charts/argo-cd/templates/redis/health-configmap.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/argo-cd/templates/redis/health-configmap.yaml b/charts/argo-cd/templates/redis/health-configmap.yaml index fd0ecff7d..d5bb1707e 100644 --- a/charts/argo-cd/templates/redis/health-configmap.yaml +++ b/charts/argo-cd/templates/redis/health-configmap.yaml @@ -11,6 +11,7 @@ data: redis_liveness.sh: | response=$( redis-cli \ + -a "${REDIS_PASSWORD}" --no-auth-warning \ -h localhost \ -p {{ .Values.redis.containerPorts.redis }} \ ping @@ -23,6 +24,7 @@ data: redis_readiness.sh: | response=$( redis-cli \ + -a "${REDIS_PASSWORD}" --no-auth-warning \ -h localhost \ -p {{ .Values.redis.containerPorts.redis }} \ ping From d6643b270fc084f25a64ce55603cc63288d52b88 Mon Sep 17 00:00:00 2001 From: Marco Maurer Date: Wed, 1 May 2024 18:58:07 +0200 Subject: [PATCH 04/10] feat: Add some standardization on the newly added resources Signed-off-by: Marco Maurer --- charts/argo-cd/README.md | 25 ++++++++ charts/argo-cd/README.md.gotmpl | 13 ++++ charts/argo-cd/templates/_helpers.tpl | 19 ++++++ .../templates/redis-secret-init/job.yaml | 39 +++++++----- .../templates/redis-secret-init/role.yaml | 6 +- .../redis-secret-init/rolebinding.yaml | 10 +-- .../redis-secret-init/serviceaccount.yaml | 6 +- charts/argo-cd/values.yaml | 62 +++++++++++++++++-- 8 files changed, 151 insertions(+), 29 deletions(-) diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index db6238eda..5015ad0ec 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md 
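Review bot: `-a "${REDIS_PASSWORD}"` puts the password on the redis-cli command line, where it is visible in the container's process list for the duration of every probe, and `--no-auth-warning` only silences redis-cli's warning about exactly that; redis-cli also reads the password from the `REDISCLI_AUTH` environment variable, so `REDISCLI_AUTH="${REDIS_PASSWORD}" redis-cli \` with both flags dropped keeps it out of argv. The same applies to the readiness hunk below. Both scripts now depend on `REDIS_PASSWORD` being present in the Redis container, which patch 01 injects from the `argocd-redis` Secret; a comment at the top of each script, `# REDIS_PASSWORD is injected from the argocd-redis Secret by redis/deployment.yaml`, would make that coupling explicit.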
@@ -1347,8 +1347,10 @@ The main options are listed here: |-----|------|---------|-------------| | redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. | | redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. | +| redis-ha.auth | bool | `true` | Configures redis-ha with AUTH | | redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context | | redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment | +| redis-ha.existingSecret | string | `"argocd-redis"` | Existing Secret to use for redis-ha authentication. By default the redis-secret-init Job is generating this Secret. | | redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar | | redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter | | redis-ha.exporter.tag | string | `"1.58.0"` | Tag to use for the redis-exporter | 
@@ -1392,6 +1394,29 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | externalRedis.secretAnnotations | object | `{}` | External Redis Secret annotations | | externalRedis.username | string | `""` | External Redis username | +### Redis secret-init + +The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed. +If you use an External Redis (See Option 3 above), this Job is not deployed. + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| redisSecretInit.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context | +| redisSecretInit.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the Redis secret-init Job | +| redisSecretInit.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the Redis secret-init Job | +| redisSecretInit.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Redis secret-init Job | +| redisSecretInit.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | +| redisSecretInit.jobAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job | +| redisSecretInit.name | string | `"redis-secret-init"` | Redis secret-init name | +| redisSecretInit.podAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job | +| redisSecretInit.podLabels | object | `{}` | Labels to be added to the Redis secret-init Job | +| redisSecretInit.resources | object | `{}` | Resource limits and requests for Redis secret-init Job | +| redisSecretInit.securityContext | object | `{}` | Redis secret-init Job pod-level security context | +| 
redisSecretInit.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | +| redisSecretInit.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | +| redisSecretInit.serviceAccount.create | bool | `true` | Create a service account for the redis pod | +| redisSecretInit.serviceAccount.name | string | `""` | Service account name for redis pod | + ## ApplicationSet | Key | Type | Default | Description | diff --git a/charts/argo-cd/README.md.gotmpl b/charts/argo-cd/README.md.gotmpl index fbae40c4b..8166ed1ab 100644 --- a/charts/argo-cd/README.md.gotmpl +++ b/charts/argo-cd/README.md.gotmpl @@ -719,6 +719,19 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide {{- end }} {{- end }} +### Redis secret-init + +The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed. +If you use an External Redis (See Option 3 above), this Job is not deployed. + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if hasPrefix "redisSecretInit" .Key }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + ## ApplicationSet | Key | Type | Default | Description | diff --git a/charts/argo-cd/templates/_helpers.tpl b/charts/argo-cd/templates/_helpers.tpl index 516668db6..1df8d7023 100644 --- a/charts/argo-cd/templates/_helpers.tpl +++ b/charts/argo-cd/templates/_helpers.tpl 
@@ -86,6 +86,25 @@ Create the name of the redis service account to use {{- end -}} {{- end -}} + +{{/* +Create Redis secret-init name +*/}} +{{- define "argo-cd.redisSecretInit.fullname" -}} +{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.redisSecretInit.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the Redis secret-init service account to use +*/}} +{{- define "argo-cd.redisSecretInit.serviceAccountName" -}} +{{- if .Values.redisSecretInit.serviceAccount.create -}} + {{ default (include "argo-cd.redisSecretInit.fullname" .) .Values.redis.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.redisSecretInit.serviceAccount.name }} +{{- end -}} +{{- end -}} + {{/* Create argocd server name and version as used by the chart label. */}} diff --git a/charts/argo-cd/templates/redis-secret-init/job.yaml b/charts/argo-cd/templates/redis-secret-init/job.yaml index 623481a4a..68f320578 100644 --- a/charts/argo-cd/templates/redis-secret-init/job.yaml +++ b/charts/argo-cd/templates/redis-secret-init/job.yaml 
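Review bot: `argo-cd.redisSecretInit.serviceAccountName` reads `.Values.redis.serviceAccount.name` in its `create` branch, so a custom name for the Redis ServiceAccount silently renames the secret-init ServiceAccount too, and because the hook SA carries `before-hook-creation` deletion it could then delete and recreate the Redis SA on upgrade; the line should be `{{ default (include "argo-cd.redisSecretInit.fullname" .) .Values.redisSecretInit.serviceAccount.name }}`. The `else` branch already uses the redisSecretInit value, which makes the mismatch look like a copy-paste slip.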
@@ -1,19 +1,31 @@ -{{- if .Values.redisSecretInit.enabled }} +{{- if not (or .Values.externalRedis.password .Values.externalRedis.existingSecret) }} apiVersion: batch/v1 kind: Job metadata: - name: {{ include "argo-cd.redis.fullname" . }}-secretgen + name: {{ include "argo-cd.redisSecretInit.fullname" . }} namespace: {{ .Release.Namespace | quote }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation + {{- range $key, $value := .Values.redisSecretInit.jobAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }} spec: template: metadata: labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 8 }} + {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.redisSecretInit.podLabels) }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.redisSecretInit.podAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} spec: {{- with .Values.global.imagePullSecrets }} imagePullSecrets: 
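Review bot: The pod template still labels the Job pod with `"component" .Values.redis.name "name" .Values.redis.name` while the Job's own metadata now uses `.Values.redisSecretInit.name`, so the pod carries the Redis server's selector labels; if the Redis Service or NetworkPolicy select on those labels (outside this diff), the secret-init pod would show up as a Redis endpoint and fall under the Redis network rules while it runs. Use `(dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name)` for the pod template labels as well. The `imagePullSecrets` block still reads only `.Values.global.imagePullSecrets` although this commit adds `redisSecretInit.imagePullSecrets` to values.yaml; `{{- with (default .Values.global.imagePullSecrets .Values.redisSecretInit.imagePullSecrets) }}` would honour the new value. The pod spec continues past the hunk.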
@@ -24,21 +36,20 @@ spec: - argocd - admin - redis-initial-password - # image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.server.image.tag }} + # image: {{ default .Values.global.image.repository .Values.redisSecretInit.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.redisSecretInit.image.tag }} image: argocd:GHSA-9766-5277-j5hr - imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redis.image.imagePullPolicy }} + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redisSecretInit.image.imagePullPolicy }} name: secret-init resources: - {{- toYaml .Values.redis.resources | nindent 10 }} + {{- toYaml .Values.redisSecretInit.resources | nindent 10 }} + {{- with .Values.redisSecretInit.containerSecurityContext }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.redisSecretInit.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} restartPolicy: OnFailure serviceAccountName: {{ include "argo-cd.redis.serviceAccountName" . }} {{- end }} diff --git a/charts/argo-cd/templates/redis-secret-init/role.yaml b/charts/argo-cd/templates/redis-secret-init/role.yaml index 1abfd060e..565d94708 100644 --- a/charts/argo-cd/templates/redis-secret-init/role.yaml +++ b/charts/argo-cd/templates/redis-secret-init/role.yaml @@ -1,4 +1,4 @@ -{{- if .Values.redisSecretInit.enabled }} +{{- if not (or .Values.externalRedis.password .Values.externalRedis.existingSecret) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
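Review bot: `serviceAccountName: {{ include "argo-cd.redis.serviceAccountName" . }}` is left pointing at the Redis server's ServiceAccount while the rolebinding.yaml hunk below now binds `argo-cd.redisSecretInit.serviceAccountName`, so the Job runs under an identity that is no longer bound to the Role and its `create` of `argocd-redis` will be forbidden; change it to `serviceAccountName: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }}`. The placeholder `image: argocd:GHSA-9766-5277-j5hr` survives this rework with only its comment updated.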
@@ -6,8 +6,8 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} - name: {{ include "argo-cd.redis.fullname" . }} + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }} + name: {{ include "argo-cd.redisSecretInit.fullname" . }} namespace: {{ .Release.Namespace | quote }} rules: - apiGroups: diff --git a/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml b/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml index 2f4a6e7b3..e19f40bd6 100644 --- a/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml +++ b/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.redisSecretInit.enabled }} +{{- if not (or .Values.externalRedis.password .Values.externalRedis.existingSecret) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -6,14 +6,14 @@ metadata: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} - name: {{ include "argo-cd.redis.fullname" . }} + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }} + name: {{ include "argo-cd.redisSecretInit.fullname" . }} namespace: {{ .Release.Namespace | quote }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ include "argo-cd.redis.fullname" . }} + name: {{ include "argo-cd.redisSecretInit.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "argo-cd.redis.serviceAccountName" . }} + name: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }} {{- end }} 
diff --git a/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml b/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml index 26d9bf95d..733c09274 100644 --- a/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml +++ b/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml @@ -1,9 +1,9 @@ -{{- if and .Values.redisSecretInit.enabled .Values.redisSecretInit.serviceAccount.create }} +{{- if not (or .Values.externalRedis.password .Values.externalRedis.existingSecret) }} apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.redisSecretInit.serviceAccount.automountServiceAccountToken }} metadata: - name: {{ include "argo-cd.redis.serviceAccountName" . }} + name: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} annotations: "helm.sh/hook": pre-install,pre-upgrade @@ -12,5 +12,5 @@ metadata: {{ $key }}: {{ $value | quote }} {{- end }} labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 4 }} {{- end }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index f18c128bd..80880662a 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -1554,6 +1554,12 @@ redis-ha: containerSecurityContext: readOnlyRootFilesystem: true + # -- Configures redis-ha with AUTH + auth: true + # -- Existing Secret to use for redis-ha authentication. + # By default the redis-secret-init Job is generating this Secret. + existingSecret: argocd-redis + # -- Whether the Redis server pods should be forced to run on separate nodes. hardAntiAffinity: true 
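Review bot: The new guard drops `.Values.redisSecretInit.serviceAccount.create`, so the ServiceAccount is rendered even when `create: false`; the helper then yields `default` (or the user-supplied name), and because the object carries `helm.sh/hook-delete-policy: before-hook-creation` the chart would delete and recreate the namespace's existing `default` ServiceAccount on every install and upgrade. Restore the guard: `{{- if and (not (or .Values.externalRedis.password .Values.externalRedis.existingSecret)) .Values.redisSecretInit.serviceAccount.create }}`. The second serviceaccount.yaml hunk only changes the label source and is fine.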
@@ -1602,18 +1608,66 @@ externalRedis: secretAnnotations: {} redisSecretInit: - # -- Enable redis secret generator/init Job - enabled: true + # -- Redis secret-init name + name: redis-secret-init + + image: + # -- Repository to use for the Redis secret-init Job + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use for the Redis secret-init Job + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Image pull policy for the Redis secret-init Job + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" # IfNotPresent + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Annotations to be added to the Redis secret-init Job + jobAnnotations: {} + + # -- Annotations to be added to the Redis secret-init Job + podAnnotations: {} + + # -- Labels to be added to the Redis secret-init Job + podLabels: {} + + # -- Resource limits and requests for Redis secret-init Job + resources: {} + # limits: + # cpu: 200m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 64Mi + + # -- Application controller container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + # -- Redis secret-init Job pod-level security context + securityContext: {} serviceAccount: # -- Create a service account for the redis pod - create: false + create: true # -- Service account name for redis pod name: "" # -- Annotations applied to created service account annotations: {} # -- Automount API credentials for the Service Account - automountServiceAccountToken: false + automountServiceAccountToken: true ## Server 
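Review bot: The `containerSecurityContext` description reads `# -- Application controller container-level security context`, copied from another component; it should be `# -- Redis secret-init Job container-level security context` so the generated README does not mislabel it. The same hunk drops `redisSecretInit.enabled` with no deprecation note, so users who had `enabled: false` (for instance because `argocd-redis` is provisioned by an external secrets operator) now get the hook Job, a ServiceAccount with `automountServiceAccountToken: true` and Secret-writing RBAC rendered unconditionally; either keep the flag and AND it into the template gates, or state the removal in the changelog. The hardened defaults themselves (drop ALL, `runAsNonRoot`, `RuntimeDefault` seccomp, read-only root) are the right shape for a one-shot job.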
From e3ff9793339c7dc4f01cbe72fbb79b7bf741b911 Mon Sep 17 00:00:00 2001 From: Marco Maurer Date: Wed, 1 May 2024 19:35:08 +0200 Subject: [PATCH 05/10] fix: Ensure externalRedis is still working properly Signed-off-by: Marco Maurer --- .../templates/argocd-application-controller/deployment.yaml | 3 ++- .../templates/argocd-application-controller/statefulset.yaml | 3 ++- charts/argo-cd/templates/argocd-repo-server/deployment.yaml | 3 ++- charts/argo-cd/templates/argocd-server/deployment.yaml | 3 ++- charts/argo-cd/templates/redis-secret-init/job.yaml | 2 +- charts/argo-cd/templates/redis-secret-init/role.yaml | 2 +- charts/argo-cd/templates/redis-secret-init/rolebinding.yaml | 2 +- .../argo-cd/templates/redis-secret-init/serviceaccount.yaml | 2 +- charts/argo-cd/templates/redis/deployment.yaml | 4 ---- 9 files changed, 12 insertions(+), 12 deletions(-) diff --git a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml index 4308d5caf..23cac6018 100644 --- a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml @@ -206,8 +206,9 @@ spec: valueFrom: secretKeyRef: name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} - {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }} + {{- if .Values.externalRedis.host }} key: redis-password + optional: true {{- else }} key: auth {{- end }} diff --git a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml index 3c50f7c7c..cd6acc43b 100644 --- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml 
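Review bot: The `secretKeyRef.name` still resolves to `{{ default "argocd-redis" .Values.externalRedis.existingSecret }}` while the key choice now switches on `externalRedis.host`, so `externalRedis.existingSecret` set without `host` makes the controller look for key `auth` in the user's Secret while the bundled redis (redis/deployment.yaml in this series) unconditionally reads `argocd-redis`/`auth`; the two sides can silently disagree. Gate the name the same way, e.g. `name: {{ if .Values.externalRedis.host }}{{ default "argocd-redis" .Values.externalRedis.existingSecret }}{{ else }}argocd-redis{{ end }}`, and mirror it in the statefulset, repo-server, server and event-reporter hunks. The `optional: true` on the external branch deliberately permits an unauthenticated external Redis; a NOTES.txt warning when `host` is set and neither `password` nor `existingSecret` is would make that choice visible to operators. The surrounding container env block starts and ends outside this hunk.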
@@ -205,8 +205,9 @@ spec: valueFrom: secretKeyRef: name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} - {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }} + {{- if .Values.externalRedis.host }} key: redis-password + optional: true {{- else }} key: auth {{- end }} diff --git a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml index 46ef3817c..d4c0b6fd6 100755 --- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml @@ -186,8 +186,9 @@ spec: valueFrom: secretKeyRef: name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} - {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }} + {{- if .Values.externalRedis.host }} key: redis-password + optional: true {{- else }} key: auth {{- end }} diff --git a/charts/argo-cd/templates/argocd-server/deployment.yaml b/charts/argo-cd/templates/argocd-server/deployment.yaml index 408c461fe..04ea8742c 100755 --- a/charts/argo-cd/templates/argocd-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-server/deployment.yaml @@ -250,8 +250,9 @@ spec: valueFrom: secretKeyRef: name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} - {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }} + {{- if .Values.externalRedis.host }} key: redis-password + optional: true {{- else }} key: auth {{- end }} diff --git a/charts/argo-cd/templates/redis-secret-init/job.yaml b/charts/argo-cd/templates/redis-secret-init/job.yaml index 68f320578..467477fe2 100644 --- a/charts/argo-cd/templates/redis-secret-init/job.yaml +++ b/charts/argo-cd/templates/redis-secret-init/job.yaml @@ -1,4 +1,4 @@ -{{- if not (or .Values.externalRedis.password .Values.externalRedis.existingSecret) }} +{{- if not .Values.externalRedis.host }} apiVersion: batch/v1 kind: Job metadata: 
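Review bot: `{{- if not .Values.externalRedis.host }}` is now the only switch for the secret-init Job, so there is no supported way to opt out when the `argocd-redis` Secret is supplied by other means (sealed secrets, an external secrets operator, a shared Redis reached via a Service rather than `externalRedis.host`); patch 01 removed `redisSecretInit.enabled` from values. Reinstate it and gate on both, `{{- if and .Values.redisSecretInit.enabled (not .Values.externalRedis.host) }}`, with the same gate on the Role, RoleBinding and ServiceAccount so Secret-writing RBAC is not granted when the Job is not wanted. Whether `argocd admin redis-initial-password` leaves an already existing Secret untouched is not visible here and should be confirmed before relying on a pre-created one. The Job spec continues outside this hunk.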
diff --git a/charts/argo-cd/templates/redis-secret-init/role.yaml b/charts/argo-cd/templates/redis-secret-init/role.yaml index 565d94708..52bdf0a39 100644 --- a/charts/argo-cd/templates/redis-secret-init/role.yaml +++ b/charts/argo-cd/templates/redis-secret-init/role.yaml @@ -1,4 +1,4 @@ -{{- if not (or .Values.externalRedis.password .Values.externalRedis.existingSecret) }} +{{- if not .Values.externalRedis.host }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml b/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml index e19f40bd6..536c847d0 100644 --- a/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml +++ b/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if not (or .Values.externalRedis.password .Values.externalRedis.existingSecret) }} +{{- if not .Values.externalRedis.host }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml b/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml index 733c09274..0dc9979a6 100644 --- a/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml +++ b/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if not (or .Values.externalRedis.password .Values.externalRedis.existingSecret) }} +{{- if not .Values.externalRedis.host }} apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.redisSecretInit.serviceAccount.automountServiceAccountToken }} diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml index a3fc24045..3230bb57b 100755 --- a/charts/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo-cd/templates/redis/deployment.yaml 
@@ -71,11 +71,7 @@ spec:
valueFrom:
secretKeyRef:
name: argocd-redis
- {{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret }}
- key: redis-password
- {{- else }}
key: auth
- {{- end }}
{{- with (concat .Values.global.env .Values.redis.env) }}
{{- toYaml . | nindent 8 }}
{{- end }}
From f4080b5f6fc2940c4c7b5464c465c2cbe2285da1 Mon Sep 17 00:00:00 2001
From: Marco Maurer
Date: Wed, 1 May 2024 19:53:03 +0200
Subject: [PATCH 06/10] fix: Use correct ServiceAccount in Job
Signed-off-by: Marco Maurer
---
charts/argo-cd/templates/redis-secret-init/job.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/argo-cd/templates/redis-secret-init/job.yaml b/charts/argo-cd/templates/redis-secret-init/job.yaml
index 467477fe2..fc9988bf9 100644
--- a/charts/argo-cd/templates/redis-secret-init/job.yaml
+++ b/charts/argo-cd/templates/redis-secret-init/job.yaml
@@ -16,7 +16,7 @@ spec:
template:
metadata:
labels:
- {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 8 }}
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.redisSecretInit.name "name" .Values.redisSecretInit.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.redisSecretInit.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
@@ -51,5 +51,5 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
- serviceAccountName: {{ include "argo-cd.redis.serviceAccountName" . }}
+ serviceAccountName: {{ include "argo-cd.redisSecretInit.serviceAccountName" . }}
{{- end }}
From 2f5ec8b0322c2e0577377c807644a16d40d928be Mon Sep 17 00:00:00 2001
From: Ilia Medvedev
Date: Tue, 14 May 2024 10:57:44 +0300
Subject: [PATCH 07/10] update chart version
---
charts/argo-cd/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml
index 7b3e97530..de5f8ee1d 100644
--- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.10-2024.3.29-1dcc54e29 kubeVersion: ">=1.23.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 6.7.18-1-cap-2.10-2024.3.29-1dcc54e29 +version: 6.7.18-2-cap-2.10-2024.3.29-1dcc54e29 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: From 741469f8000dde2d382f192cded81e0aeda20b53 Mon Sep 17 00:00:00 2001 From: pashakostohrys Date: Tue, 14 May 2024 14:21:21 +0300 Subject: [PATCH 08/10] feat: update argocd version and add event reporter support --- charts/argo-cd/Chart.yaml | 6 +++--- charts/argo-cd/templates/event-reporter/statefulset.yaml | 8 ++++++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index de5f8ee1d..82ef849d8 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: v2.10-2024.3.29-1dcc54e29 +appVersion: v2.10-2024.5.14-9315e75e1 kubeVersion: ">=1.23.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 6.7.18-2-cap-2.10-2024.3.29-1dcc54e29 +version: 6.7.18-3-cap-2.10-2024.5.14-9315e75e1 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: @@ -27,4 +27,4 @@ annotations: url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - kind: changed - description: Upgrade argo-cd to v2.10-2024.3.29-1dcc54e29 + description: Upgrade argo-cd to v2.10-2024.5.14-9315e75e1 diff --git a/charts/argo-cd/templates/event-reporter/statefulset.yaml b/charts/argo-cd/templates/event-reporter/statefulset.yaml index 7bf7f5b6a..811446c09 100644 --- a/charts/argo-cd/templates/event-reporter/statefulset.yaml 
+++ b/charts/argo-cd/templates/event-reporter/statefulset.yaml @@ -159,15 +159,19 @@ spec: - name: REDIS_USERNAME valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} key: redis-username optional: true - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }} + {{- if .Values.externalRedis.host }} key: redis-password optional: true + {{- else }} + key: auth + {{- end }} - name: EVENT_REPORTER_SHARDING_ALGORITHM valueFrom: configMapKeyRef: From 76e2e5d9b08d78f0c17115248c78a21e2f19ccc3 Mon Sep 17 00:00:00 2001 From: ilia-medvedev-codefresh Date: Tue, 14 May 2024 14:57:58 +0300 Subject: [PATCH 09/10] Use ArgoCD image for Redis secret init Signed-off-by: ilia-medvedev-codefresh --- charts/argo-cd/templates/redis-secret-init/job.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/argo-cd/templates/redis-secret-init/job.yaml b/charts/argo-cd/templates/redis-secret-init/job.yaml index fc9988bf9..51e0c1047 100644 --- a/charts/argo-cd/templates/redis-secret-init/job.yaml +++ b/charts/argo-cd/templates/redis-secret-init/job.yaml 
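Review bot: Same inconsistency as the other client templates: `secretKeyRef.name` is derived from `externalRedis.existingSecret` but the key now switches on `externalRedis.host`, so with `existingSecret` set and `host` empty the reporter reads key `auth` from a user Secret while the bundled redis reads `argocd-redis`. Use `name: {{ if .Values.externalRedis.host }}{{ default "argocd-redis" .Values.externalRedis.existingSecret }}{{ else }}argocd-redis{{ end }}` here as well and keep this file in lock-step with the controller, repo-server and server templates, since a divergence here silently takes out only the event reporter while the rest of Argo CD keeps working. The env block continues outside the hunk.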
@@ -36,8 +36,8 @@ spec: - argocd - admin - redis-initial-password - # image: {{ default .Values.global.image.repository .Values.redisSecretInit.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.redisSecretInit.image.tag }} - image: argocd:GHSA-9766-5277-j5hr + image: {{ default .Values.global.image.repository .Values.redisSecretInit.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.redisSecretInit.image.tag }} + #image: argocd:GHSA-9766-5277-j5hr imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redisSecretInit.image.imagePullPolicy }} name: secret-init resources: From ced41e137aa6c6ace57801a774dc9e077724cab0 Mon Sep 17 00:00:00 2001 From: Ilia Medvedev Date: Wed, 15 May 2024 12:25:46 +0300 Subject: [PATCH 10/10] update artifacthub changes --- charts/argo-cd/Chart.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 82ef849d8..129c1e207 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -28,3 +28,5 @@ annotations: artifacthub.io/changes: | - kind: changed description: Upgrade argo-cd to v2.10-2024.5.14-9315e75e1 + - kind: changed + description: Fix for security vulnerability GHSA-9766-5277-j5hr - Redis authentication
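Review bot: The new side leaves `#image: argocd:GHSA-9766-5277-j5hr` behind, a dead reference to a locally built test image named after the advisory; drop that comment line so nobody re-enables an untagged, unsigned local image in a released chart (the advisory is already recorded in Chart.yaml's changelog in the last hunk). Templating the image from `global.image.repository` and `argo-cd.defaultTag` means the Job runs the same Argo CD image as the rest of the release, which is the right supply-chain posture; if `global.image` can be pinned by digest elsewhere in values, `redisSecretInit.image.tag` should accept the same form (the `argo-cd.defaultTag` helper is outside this diff).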