  1. OpenShift GitOps
  2. GITOPS-3918

Use reencrypt on the default Argo CD instance


Details

    • Reencrypt TLS on default instance
    • False
    • None
    • False
    • To Do
    • 16
    • 16%

    Description

      Epic Goal

      Be specific about TLS termination for the default Argo CD instance that we ship with the GitOps operator.

      The default instance currently uses passthrough when you don’t set a value, and we would like to start setting `reencrypt` for customers on the default instance.

      Why is this important?

      • Good security practice
      • The current behaviour surprises users who have set up OCP to use their own custom CA for signing: they end up with a self-signed cert on their default Argo CD instance that they were not expecting.

      Scenarios

      1. See customer description of issue on the original RFE: https://issues.redhat.com/browse/RFE-4045

      Acceptance Criteria (Mandatory)

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement:
      • Let CEE folks know that this change is happening
      • The default Argo CD instance that we ship with the GitOps operator sets the route TLS termination to `reencrypt`
      • When the default OCP ingress router cert has been changed, TLS connections to the default Argo CD instance should receive the set OCP ingress router cert instead of the self-signed Argo CD cert
      • Documentation covering the default Argo CD instance mentions that we set the TLS termination to `reencrypt` from whichever version this is released in
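
The setting this epic asks for, written out as an added example (not taken from the issue or from the operator's source): an Argo CD custom resource with the server route termination set explicitly, followed by an excerpt of the Route field that the acceptance criteria refer to. The resource names, namespace and apiVersion are assumptions.

```yaml
# Added example; names, namespace and apiVersion are assumptions, not from the issue.
# Argo CD custom resource for the operator-managed default instance.
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops          # assumed name of the default instance
  namespace: openshift-gitops     # assumed namespace
spec:
  server:
    route:
      enabled: true
      tls:
        # Leaving the termination unset is the case the issue describes: the
        # route is passthrough, so the router forwards the TLS stream untouched
        # and clients are handed Argo CD's own self-signed certificate.
        # With reencrypt the ingress router terminates TLS, presents its own
        # certificate (the custom-CA-signed one, if the router cert has been
        # changed), and opens a new TLS connection to the Argo CD server.
        termination: reencrypt
---
# Excerpt of the generated Route (not a manifest to apply): the field that
# changes when the default moves from passthrough to reencrypt.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: openshift-gitops-server   # assumed route name
  namespace: openshift-gitops     # assumed namespace
spec:
  tls:
    termination: reencrypt        # before this change: passthrough
```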

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

            People

              cbanavik Chetan Banavikalmutt
              halawren@redhat.com Harriet Lawrence