feat(argo-cd): add authentication for builtin Redis #2616
Conversation
Signed-off-by: André Frimberger <[email protected]>
afrimberger
requested review from
mbevc1,
mkilchhofer,
yu-croco,
jmeridth,
pdrastil and
tico24
as code owners
| @@ -0,0 +1,60 @@ | |||
| # lookup existing secret | |||
| {{- $secretName := include "argo-cd.redis.fullname" . -}} | |||
| {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }} | |||
There was a problem hiding this comment.
Using lookup inside the Argo ecosystem is IMHO a bad idea. Argo CD uses helm only as a template engine (argocd only executes helm template ...).
And helm template does not support looking up values for security reasons.
There was a problem hiding this comment.
Hi @mkilchhofer, Thanks for bringing up this topic! If we're talking about ArgoCD in general, I fully agree. However, in this particular case the Helm Chart is meant for bootstrapping ArgoCD. Basically, this can be achieved in two ways:
- Install directly via Helm -> Lookup works
- ArgoCD manages ArgoCD ->
ignoreDifferencesfor the password fields needs to be specified
I would really love to see a more secure default installation of ArgoCD. Especially, because not all clusters support NetworkPolicies out of the box (e.g. Flannel doesn't).
I suggest to add an example for ignoreDifferences and some explanation to the README to address the questions arising by using lookup. WDYT?
There was a problem hiding this comment.
I mean changing the default installation without being in-line with with upstrean kustomize manifests is not what we want.
Upstream is our reference for the default installation as mentioned in the charts README.
I appreciate a more secure default installation but it has to be promoted first as a PR in the upstream repo (https://github.com/argoproj/argo-cd).
There was a problem hiding this comment.
According to the Chart's README:
Hence, it makes sense to try to achieve a similar output of rendered .yaml resources when calling helm template using the default settings in values.yaml
According to this, the default should be redis.auth.enabled=false (as it is in the current implementation). Additionally, a user can easily enable a more secure installation by setting redis.auth.enabled to true.
Sounds reasonable to me.
Signed-off-by: André Frimberger <[email protected]>
|
Hi @afrimberger sorry to get back to you soo late. We were working intensively on the recent release to address exactly this Authentication issue. See:
We are now open for further improvement on this section, can you check which parts of your PR will work with the new setup? |
|
Hi @mkilchhofer, a security advisory can sometimes speed up things. Well played :-).
According to the least privileges principle the ArgoCD user should not have admin rights. The Redis ACLs could look like this (non HA): To allow an admin user to connect to Redis for debugging purposes, at least two passwords need to be generated. One option would be to only restrict the default user. Though, this would restrict the debug capabilities. |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
@github-actions: Not stale @afrimberger Maybe you can file an issue upstream (https://github.com/argoproj/argo-cd/issues) to enhance the redis access even more? |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This PR introduces authentication for the builtin Redis. It can be enabled by setting
redis.auth.enabled=true. The secrets are auto-generated and stored in a secret.Checklist: