Details
- Epic
- Resolution: Unresolved
- Major
- None
Description
Epic Goal
Be specific about TLS termination for the default Argo CD instance that we ship with the GitOps operator.
The default instance currently uses passthrough when you don’t set a value, and we would like to start setting `reencrypt` for customers on the default instance.
Why is this important?
- Good security practice
- The current behaviour is a surprise to users who have set up OCP to use their own custom CA for signing - they end up with a self-signed cert on their default Argo CD instance that they were not expecting.
Scenarios
- See customer description of issue on the original RFE: https://issues.redhat.com/browse/RFE-4045
Acceptance Criteria (Mandatory)
- CI - MUST be running successfully with tests automated
- Release Technical Enablement:
  - Let CEE folks know that this change is happening
- The default Argo CD instance that we ship with the GitOps operator sets the route TLS termination to `reencrypt`
- When the default OCP ingress router cert has been changed, TLS connections to the default Argo CD instance should receive the set OCP ingress router cert instead of the self-signed Argo CD cert
- Documentation covering the default Argo CD instance mentions that we set the TLS termination to `reencrypt` from whichever version this is released in
Done Checklist
- Acceptance criteria are met
- Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
- User Journey automation is delivered
- Support and SRE teams are provided with enough skills to support the feature in production environment
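An added example, not part of the original issue or the operator's code: a Python check of the two route-related acceptance criteria against Route JSON, such as `oc get route -o json` prints. The route name, namespace and sample objects are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample Routes (not from a real cluster); name and namespace are assumed.
META = {"name": "openshift-gitops-server", "namespace": "openshift-gitops"}
PASSTHROUGH_ROUTE = {"kind": "Route", "metadata": META,
                     "spec": {"tls": {"termination": "passthrough"}}}
REENCRYPT_ROUTE = {"kind": "Route", "metadata": META,
                   "spec": {"tls": {"termination": "reencrypt"}}}

ROUTER_DEFAULT = "ingress router default certificate"


def client_facing_cert(route):
    """Return which certificate a TLS client connecting to this Route is served."""
    tls = (route.get("spec") or {}).get("tls")
    if not tls:
        return "none (plain HTTP route)"
    termination = tls.get("termination")
    if termination == "passthrough":
        # The router forwards the TLS stream untouched, so the backend pod's
        # own certificate (self-signed in the case this epic describes) is served.
        return "backend certificate"
    if termination in ("edge", "reencrypt"):
        # The router terminates TLS: a per-route certificate wins if one is set,
        # otherwise the router's default (possibly customer-replaced) certificate.
        return "route-specific certificate" if tls.get("certificate") else ROUTER_DEFAULT
    return "unknown termination %r" % termination


def audit(route):
    """List deviations from the epic's acceptance criteria; empty list means pass."""
    findings = []
    tls = (route.get("spec") or {}).get("tls") or {}
    if tls.get("termination") != "reencrypt":
        findings.append("termination is %r, expected 'reencrypt'" % tls.get("termination"))
    served = client_facing_cert(route)
    if served != ROUTER_DEFAULT:
        findings.append("clients are served: " + served)
    return findings


if __name__ == "__main__":
    # Usage: oc get route <name> -n <namespace> -o json | python3 check_route.py
    problems = audit(json.load(sys.stdin))
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```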
Issue Links
- is documented by
  - RHDEVDOCS-6010 [Recurring task]: GitOps 1.13.0 release notes (Open)
- relates to
  - RFE-4045 Change default TLS termination for cluster ArgoCD instance to reencrypt (Accepted)