-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(argo-cd): add authentication for builtin Redis #2616
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: André Frimberger <[email protected]>
@@ -0,0 +1,60 @@ | |||
# lookup existing secret | |||
{{- $secretName := include "argo-cd.redis.fullname" . -}} | |||
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using lookup inside the Argo ecosystem is IMHO a bad idea. Argo CD uses helm only as a template engine (argocd only executes helm template ...
).
And helm template
does not support looking up values for security reasons.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @mkilchhofer, Thanks for bringing up this topic! If we're talking about ArgoCD in general, I fully agree. However, in this particular case the Helm Chart is meant for bootstrapping ArgoCD. Basically, this can be achieved in two ways:
- Install directly via Helm -> Lookup works
- ArgoCD manages ArgoCD ->
ignoreDifferences
for the password fields needs to be specified
I would really love to see a more secure default installation of ArgoCD. Especially, because not all clusters support NetworkPolicies
out of the box (e.g. Flannel doesn't).
I suggest to add an example for ignoreDifferences
and some explanation to the README to address the questions arising by using lookup. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean changing the default installation without being in-line with with upstrean kustomize manifests is not what we want.
Upstream is our reference for the default installation as mentioned in the charts README.
I appreciate a more secure default installation but it has to be promoted first as a PR in the upstream repo (https://github.com/argoproj/argo-cd).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to the Chart's README:
Hence, it makes sense to try to achieve a similar output of rendered .yaml resources when calling helm template using the default settings in values.yaml
According to this, the default should be redis.auth.enabled=false
(as it is in the current implementation). Additionally, a user can easily enable a more secure installation by setting redis.auth.enabled
to true
.
Sounds reasonable to me.
Signed-off-by: André Frimberger <[email protected]>
Hi @afrimberger sorry to get back to you soo late. We were working intensively on the recent release to address exactly this Authentication issue. See:
We are now open for further improvement on this section, can you check which parts of your PR will work with the new setup? |
Hi @mkilchhofer, a security advisory can sometimes speed up things. Well played :-).
According to the least privileges principle the ArgoCD user should not have admin rights. The Redis ACLs could look like this (non HA):
To allow an admin user to connect to Redis for debugging purposes, at least two passwords need to be generated. One option would be to only restrict the default user. Though, this would restrict the debug capabilities. |
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
@github-actions: Not stale @afrimberger Maybe you can file an issue upstream (https://github.com/argoproj/argo-cd/issues) to enhance the redis access even more? |
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
@github-actions: Not stale |
This PR introduces authentication for the builtin Redis. It can be enabled by setting
redis.auth.enabled=true
. The secrets are auto-generated and stored in a secret.Checklist: