Skip to content

Commit

Permalink
Add tls secret for route doc
Browse files Browse the repository at this point in the history
Signed-off-by: Siddhesh Ghadi <[email protected]>
  • Loading branch information
svghadi committed Oct 28, 2024
1 parent 1f676d0 commit b0b01f1
Showing 1 changed file with 40 additions and 1 deletion.
41 changes: 40 additions & 1 deletion docs/usage/routes.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
The Argo CD Operator offers support for managing OpenShift Routes to access the Argo CD resources.

Once the operator is deployed and running, create a new ArgoCD custom resource.
The following example shows the minimal required to create a new ArgoCD
The following [example](https://github.com/argoproj-labs/argocd-operator/blob/master/examples/argocd-route.yaml) shows the minimal required to create a new ArgoCD
environment with the default configuration.

``` bash
Expand Down Expand Up @@ -50,6 +50,9 @@ $ kubectl get secret argocd-cluster -n argocd -ojsonpath='{.data.admin\.password

By default, the operator creates the Argo CD server route with `reencrypt` termination policy. You can parameterize the route's TLS configuration by setting appropriate values in the `.spec.server.route.tls` field of the `ArgoCD` CR.

!!! warning
It is not recommended to use `.tls.key` & `.tls.certificate` fields to configure custom certificates for Argo CD routes. Use `.tls.externalCertificate` field instead. Refer [Custom TLS certificates](#custom-tls-certificates) section for more information.

### TLS edge termination mode

In `edge` termination mode, the route controller terminates the TLS connection and proxies the requests
Expand Down Expand Up @@ -120,6 +123,42 @@ spec:
termination: reencrypt
insecureEdgeTerminationPolicy: Redirect
```

### Custom TLS certificates

Custom TLS certificates can be configured for Argo CD Server Route using `.tls.externalCertificate.Name` field in ArgoCD CR. Use this field to reference a Kubernetes secret of type `kubernetes.io/tls`. Any modifications to the referenced secret will automatically reflect on the route without the need for manual intervention.

!!! warning
It is not recommended to use `.tls.key` & `.tls.certificate` fields to configure custom certificates for Argo CD routes, as the sensitive TLS data will be stored as plain text in ArgoCD CR. Use `.tls.externalCertificate.Name` field instead to reference a Kubernetes secret of type `kubernetes.io/tls`.

To provide custom certificate for route, you can use the following configuration:

```yaml
spec:
server:
route:
enabled: true
tls:
externalCertificate:
name: <your-tls-type-secret>
```

!!! note
The secret referenced in `.tls.externalCertificate.Name` should be of type `kubernetes.io/tls`.

Example TLS secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: <example-tls-type-secret>
namespace: <argocd-namespace>
type: kubernetes.io/tls
data:
tls.crt: <certifcate>
tls.key: <key>
```

### Host for Route in Argo CD Status

When setting up access to Argo CD via a Route, one can easily retrieve the hostname used for accessing the Argo CD installation through the ArgoCD Operand's `status` field. To expose the `host` field, run `kubectl edit argocd argocd` and then edit the Argo CD instance server to have route enabled as `true`, like so:
Expand Down

0 comments on commit b0b01f1

Please sign in to comment.