diff --git a/docs/usage/routes.md b/docs/usage/routes.md index c0aaaeab6..3763e27ae 100644 --- a/docs/usage/routes.md +++ b/docs/usage/routes.md @@ -3,7 +3,7 @@ The Argo CD Operator offers support for managing OpenShift Routes to access the Argo CD resources. Once the operator is deployed and running, create a new ArgoCD custom resource. -The following example shows the minimal required to create a new ArgoCD +The following [example](https://github.com/argoproj-labs/argocd-operator/blob/master/examples/argocd-route.yaml) shows the minimal required to create a new ArgoCD environment with the default configuration. ``` bash @@ -50,6 +50,9 @@ $ kubectl get secret argocd-cluster -n argocd -ojsonpath='{.data.admin\.password By default, the operator creates the Argo CD server route with `reencrypt` termination policy. You can parameterize the route's TLS configuration by setting appropriate values in the `.spec.server.route.tls` field of the `ArgoCD` CR. +!!! warning + It is not recommended to use `.route.tls.key` & `.route.tls.certificate` fields to configure custom certificates for Argo CD routes. Use `.route.tls.externalCertificate` field instead. Refer [Custom TLS certificates](#custom-tls-certificates) section for more information. + ### TLS edge termination mode In `edge` termination mode, the route controller terminates the TLS connection and proxies the requests 
@@ -120,6 +123,42 @@ spec: termination: reencrypt insecureEdgeTerminationPolicy: Redirect ``` + +### Custom TLS certificates + +Custom TLS certificates can be configured for Argo CD Server Route using `.route.tls.externalCertificate.Name` field in ArgoCD CR. Use this field to reference a Kubernetes secret of type `kubernetes.io/tls`. Any modifications to the referenced secret will automatically reflect on the route without the need for manual intervention. + +!!! warning + It is not recommended to use `.route.tls.key` & `.route.tls.certificate` fields to configure custom certificates for Argo CD routes, as the sensitive TLS data will be stored as plain text in ArgoCD CR. Use `.route.tls.externalCertificate.Name` field instead to reference a Kubernetes secret of type `kubernetes.io/tls`. + +To provide custom certificate for route, you can use the following configuration: + +```yaml +spec: + server: + route: + enabled: true + tls: + externalCertificate: + name: +``` + +!!! note + The secret referenced in `.tls.externalCertificate.Name` should be of type `kubernetes.io/tls`. + +Example TLS secret: +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: + namespace: +type: kubernetes.io/tls +data: + tls.crt: + tls.key: +``` + ### Host for Route in Argo CD Status When setting up access to Argo CD via a Route, one can easily retrieve the hostname used for accessing the Argo CD installation through the ArgoCD Operand's `status` field. To expose the `host` field, run `kubectl edit argocd argocd` and then edit the Argo CD instance server to have route enabled as `true`, like so:
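
Review bot: In the first hunk (`@@ -3,7 +3,7 @@`), the new link on "example" is an absolute GitHub URL pinned to `master`, so a reader of older or versioned docs lands on whatever `examples/argocd-route.yaml` looks like today, which may differ from the snippet shown directly below the sentence. Consider a relative link, or a link to a tagged revision. While this line is being touched, "shows the minimal required to create" is missing a noun; "the minimal configuration required" would read correctly.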
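
Review bot: In the second hunk (`@@ -50,6 +50,9 @@`), the warning tells users to avoid `.route.tls.key` and `.route.tls.certificate` without saying why; the reason (the TLS data ends up as plain text in the ArgoCD CR) only appears in the later "Custom TLS certificates" section. Since this is the first place a reader meets the advice, add the reason here in a short clause, or drop this copy and keep only the fuller warning in the new section. The field paths also omit the `.spec.server` prefix that the preceding paragraph uses (`.spec.server.route.tls`), and this warning names `.route.tls.externalCertificate` while the later one names `.route.tls.externalCertificate.Name`; pick one form. Minor: "Refer [Custom TLS certificates]" should be "Refer to the [Custom TLS certificates]".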
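
Review bot: In the third hunk (`@@ -120,6 +123,42 @@`), the prose, the warning and the note all call the field `.route.tls.externalCertificate.Name` with a capital N, but the YAML example directly below uses the key `name:`; a user copying the path from the text will write a key that does not match the example. Use the lowercase key and the full `.spec.server.route.tls.externalCertificate.name` path throughout. Both YAML examples also show `name:`, `namespace:`, `tls.crt:` and `tls.key:` with no value, so add visible placeholders and state that the values under `data:` are base64-encoded. The section should also say which namespace the secret must be in relative to the ArgoCD instance, since the example has a `namespace:` key but the text never mentions it. Finally, the warning here repeats the one added earlier in the file almost word for word; keeping one copy and linking to it avoids the two drifting apart.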