Merge pull request #200 from projectsyn/fix/refresh-tls-secret

Deploy cronjob which periodically refreshes the `syn-argocd-tls` secret

Author: simu

component/argocd.jsonnet

@@ -405,6 +405,85 @@ local webhook_certs = [
   },
 ];
 
+// Manually trigger refresh of ArgoCD TLS certificate. Currently the operator
+// will not do anything if it sees that the secret `syn-argocd-tls` exists
+// even if the certificate stored in the secret expired or is expiring soon.
+local tls_sa = kube.ServiceAccount('syn-argocd-tls-refresher') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+};
+local tls_role = kube.Role('syn-argocd-tls-refresher') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+  rules: [ {
+    apiGroups: [ '' ],
+    resources: [ 'secrets' ],
+    verbs: [ 'delete' ],
+    resourceNames: [
+      'syn-argocd-tls',
+      'syn-argocd-ca',
+    ],
+  } ],
+};
+local tls_rolebinding = kube.RoleBinding('syn-argocd-tls-refresher') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+  subjects_: [ tls_sa ],
+  roleRef_: tls_role,
+};
+local tls_cronjob =
+  local homedir = '/home/refresh';
+  kube.CronJob('syn-argocd-tls-refresher') {
+    metadata+: {
+      namespace: params.namespace,
+    },
+    spec+: {
+      failedJobsHistoryLimit: 3,
+      // At 09:00 on the first day of the month every 4th month.
+      schedule: '0 9 1 */4 *',
+      jobTemplate+: {
+        spec+: {
+          template+: {
+            spec+: {
+              containers_: {
+                refresh: kube.Container('refresh') {
+                  image: common.render_image('kubectl'),
+                  command: [
+                    'kubectl',
+                    'delete',
+                    'secret',
+                    'syn-argocd-tls',
+                    'syn-argocd-ca',
+                  ],
+                  env_: {
+                    HOME: homedir,
+                  },
+                  volumeMounts_+: {
+                    home: { mountPath: homedir },
+                  },
+                },
+              },
+              serviceAccountName: tls_sa.metadata.name,
+              volumes_+: {
+                home: { emptyDir: {} },
+              },
+            },
+          },
+        },
+      },
+    },
+  };
+
+local tls_refresh = [
+  tls_sa,
+  tls_role,
+  tls_rolebinding,
+  tls_cronjob,
+];
+
 {
   '00_vault_agent_config': vault_agent_config,
   '00_kapitan_plugin_config': kapitan_plugin_config,
@@ -415,4 +494,5 @@ local webhook_certs = [
   // as the upstream kustomize is broken.
   // 2023/02/19 sfe
   [if params.operator.conversion_webhook then '../10_operator_webhook_certs']: webhook_certs,
+  '10_refresh_argocd_tls': tls_refresh,
 }

tests/golden/defaults/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml

@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+rules:
+  - apiGroups:
+      - ''
+    resourceNames:
+      - syn-argocd-tls
+      - syn-argocd-ca
+    resources:
+      - secrets
+    verbs:
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: syn-argocd-tls-refresher
+subjects:
+  - kind: ServiceAccount
+    name: syn-argocd-tls-refresher
+    namespace: syn
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      completions: 1
+      parallelism: 1
+      template:
+        metadata:
+          labels:
+            name: syn-argocd-tls-refresher
+        spec:
+          containers:
+            - args: []
+              command:
+                - kubectl
+                - delete
+                - secret
+                - syn-argocd-tls
+                - syn-argocd-ca
+              env:
+                - name: HOME
+                  value: /home/refresh
+              image: docker.io/bitnami/kubectl
+              imagePullPolicy: IfNotPresent
+              name: refresh
+              ports: []
+              stdin: false
+              tty: false
+              volumeMounts:
+                - mountPath: /home/refresh
+                  name: home
+          imagePullSecrets: []
+          initContainers: []
+          restartPolicy: OnFailure
+          serviceAccountName: syn-argocd-tls-refresher
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - emptyDir: {}
+              name: home
+  schedule: 0 9 1 */4 *
+  successfulJobsHistoryLimit: 10

tests/golden/openshift/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml

@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+rules:
+  - apiGroups:
+      - ''
+    resourceNames:
+      - syn-argocd-tls
+      - syn-argocd-ca
+    resources:
+      - secrets
+    verbs:
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: syn-argocd-tls-refresher
+subjects:
+  - kind: ServiceAccount
+    name: syn-argocd-tls-refresher
+    namespace: syn
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      completions: 1
+      parallelism: 1
+      template:
+        metadata:
+          labels:
+            name: syn-argocd-tls-refresher
+        spec:
+          containers:
+            - args: []
+              command:
+                - kubectl
+                - delete
+                - secret
+                - syn-argocd-tls
+                - syn-argocd-ca
+              env:
+                - name: HOME
+                  value: /home/refresh
+              image: docker.io/bitnami/kubectl
+              imagePullPolicy: IfNotPresent
+              name: refresh
+              ports: []
+              stdin: false
+              tty: false
+              volumeMounts:
+                - mountPath: /home/refresh
+                  name: home
+          imagePullSecrets: []
+          initContainers: []
+          restartPolicy: OnFailure
+          serviceAccountName: syn-argocd-tls-refresher
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - emptyDir: {}
+              name: home
+  schedule: 0 9 1 */4 *
+  successfulJobsHistoryLimit: 10

tests/golden/params/argocd/argocd/30_argocd/10_refresh_argocd_tls.yaml

@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+rules:
+  - apiGroups:
+      - ''
+    resourceNames:
+      - syn-argocd-tls
+      - syn-argocd-ca
+    resources:
+      - secrets
+    verbs:
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: syn-argocd-tls-refresher
+subjects:
+  - kind: ServiceAccount
+    name: syn-argocd-tls-refresher
+    namespace: syn
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  annotations: {}
+  labels:
+    name: syn-argocd-tls-refresher
+  name: syn-argocd-tls-refresher
+  namespace: syn
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      completions: 1
+      parallelism: 1
+      template:
+        metadata:
+          labels:
+            name: syn-argocd-tls-refresher
+        spec:
+          containers:
+            - args: []
+              command:
+                - kubectl
+                - delete
+                - secret
+                - syn-argocd-tls
+                - syn-argocd-ca
+              env:
+                - name: HOME
+                  value: /home/refresh
+              image: docker.io/bitnami/kubectl
+              imagePullPolicy: IfNotPresent
+              name: refresh
+              ports: []
+              stdin: false
+              tty: false
+              volumeMounts:
+                - mountPath: /home/refresh
+                  name: home
+          imagePullSecrets: []
+          initContainers: []
+          restartPolicy: OnFailure
+          serviceAccountName: syn-argocd-tls-refresher
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - emptyDir: {}
+              name: home
+  schedule: 0 9 1 */4 *
+  successfulJobsHistoryLimit: 10