
Conversation

@olivergondza (Contributor) commented Sep 18, 2025

What type of PR is this?

/kind enhancement

What does this PR do / why we need it:

Permit users to trust CAs on a repo-server system level

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #1830

How to test changes / Special notes to the reviewer:

Can be tested against:

k3d cluster create localtest \
  --k3s-arg "--kube-apiserver-arg=feature-gates=ClusterTrustBundle=true,ClusterTrustBundleProjection=true@server:*" \
  --k3s-arg "--kube-apiserver-arg=runtime-config=certificates.k8s.io/v1beta1/clustertrustbundles=true@server:*" \
  --k3s-arg "--kubelet-arg=feature-gates=ClusterTrustBundle=true,ClusterTrustBundleProjection=true@agent:*" \
  --image rancher/k3s:v1.33.0-k3s1

@olivergondza olivergondza changed the title feat(repo-server): Declare custom trust anchors to use by repo-server or plugins feat(repo-server): Declare custom trust anchors to used by repo-server or plugins Sep 18, 2025
@olivergondza (Contributor, Author):

Compared to the proposal in #1876, it turned out 1 init container is enough. Also, this implements DropImageAnchors to suppress whatever CAs were in the image originally.

@olivergondza (Contributor, Author):

/ok-to-test

@olivergondza olivergondza changed the title feat(repo-server): Declare custom trust anchors to used by repo-server or plugins feat(repo-server): Declare custom trust certs for repo-server and plugins Sep 22, 2025
@olivergondza (Contributor, Author):

The "Code scans / Run golangci-lint and gosec (pull_request)" failure to be addressed by #1880

@olivergondza (Contributor, Author):

The test failures are related to the fact that the code depends on tech-preview features. Any advice on how to handle such functionality?

https://github.com/argoproj-labs/argocd-operator/actions/runs/17917840047/job/50944661583?pr=1876#step:11:45

@olivergondza olivergondza force-pushed the ClusterTrustBundle branch 6 times, most recently from 93a8f75 to 2e5afb6 Compare September 24, 2025 13:58
// ClusterTrustBundles is a list of projected ClusterTrustBundle volume definitions from where to take the trust certs.
ClusterTrustBundles []corev1.ClusterTrustBundleProjection `json:"clusterTrustBundles,omitempty"`
// Secrets is a list of projected Secret volume definitions from where to take the trust certs.
Secrets []corev1.SecretProjection `json:"secrets,omitempty"`
Collaborator:

Can it be SecretRefs instead of SecretProjection? What is the advantage we get by using SecretProjection instead of referring to a Secret directly, which can be read directly by the operator code?

@olivergondza (Contributor, Author):

Good question; projections are the only way (I know of) to create a single volume from multiple sources. So this can combine all three kinds of sources in any quantity, and the entries will be merged in a single directory, making the init container completely agnostic of the files' origin.

If customers are to create the Secret or CM manually, using only one resource might not be that much to ask. But the ability to merge them permits seamless integration with signed ClusterTrustBundles that are likely to have more than one resource.
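The exchange above describes the consumer side of that merged projected volume: an init container that reads one directory and does not care whether a file came from a ClusterTrustBundle, a Secret or a ConfigMap. The following Go program is an added example, not code from this PR or from argocd-operator, showing what such a merge step has to get right: walk the mount point, keep only CERTIFICATE PEM blocks (so a tls.key that happens to share a Secret with tls.crt never lands in the bundle), collapse anchors delivered by more than one source by fingerprint, and fail loudly on a block that does not parse. The function names (MergeTrustDir, NewSelfSignedCA), the bundles/, secrets/ and configmaps/ layout and the two constructed CAs are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// MergeTrustDir walks root, the mount point of one projected volume fed by
// ClusterTrustBundle, Secret and ConfigMap sources, and returns one PEM bundle
// with every CERTIFICATE block found, deduplicated by the SHA-256 of its DER
// bytes, plus the count of distinct certificates. Other block types are skipped;
// an unparseable CERTIFICATE block fails the merge so a broken source is noticed.
func MergeTrustDir(root string) ([]byte, int, error) {
	seen := map[[32]byte]bool{}
	var bundle bytes.Buffer
	walk := func(p string, _ os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		// os.Stat follows symlinks: the kubelet lays projected volumes out as a
		// ..data symlink tree, so skip whatever resolves to a directory here.
		if info, err := os.Stat(p); err != nil || info.IsDir() {
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
			if block.Type != "CERTIFICATE" {
				continue
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return fmt.Errorf("%s: unparseable certificate block: %w", p, err)
			}
			if sum := sha256.Sum256(cert.Raw); !seen[sum] {
				seen[sum] = true
				pem.Encode(&bundle, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
			}
		}
		return nil
	}
	if err := filepath.Walk(root, walk); err != nil {
		return nil, 0, err
	}
	return bundle.Bytes(), len(seen), nil
}

// NewSelfSignedCA returns a PEM-encoded self-signed CA for cn (fixture use only).
func NewSelfSignedCA(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // fixture only; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	root := filepath.Join(os.TempDir(), "trust-demo") // constructed fixture root
	defer os.RemoveAll(root)
	// Constructed layout: one anchor delivered by both a ClusterTrustBundle and
	// a Secret, a second anchor from a ConfigMap, and a stray key in the Secret.
	corp, _ := NewSelfSignedCA("Corp Root CA")
	proxy, _ := NewSelfSignedCA("Proxy CA")
	stray := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: []byte("placeholder")})
	for name, content := range map[string][]byte{"bundles/corp.pem": corp,
		"secrets/tls.crt": corp, "secrets/tls.key": stray, "configmaps/proxy.pem": proxy} {
		os.MkdirAll(filepath.Join(root, filepath.Dir(name)), 0o755)
		os.WriteFile(filepath.Join(root, name), content, 0o644)
	}
	bundle, n, err := MergeTrustDir(root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d distinct anchors, %d bytes of PEM\n", n, len(bundle))
}
```

Running it prints 2 distinct anchors even though three certificate files exist, because the corporate CA reaches the directory twice. Deduplicating by DER fingerprint rather than by file name is what makes the step indifferent to which source a file came from, and returning an error for a malformed CERTIFICATE block is deliberate: a trust store assembled at startup should refuse to come up half-populated.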

@olivergondza olivergondza force-pushed the ClusterTrustBundle branch 2 times, most recently from de515ac to 448e641 Compare September 30, 2025 13:09
@olivergondza olivergondza marked this pull request as draft September 30, 2025 14:43
@olivergondza olivergondza force-pushed the ClusterTrustBundle branch 6 times, most recently from c0a9ad2 to 448e641 Compare October 4, 2025 07:01
@olivergondza olivergondza marked this pull request as ready for review October 10, 2025 12:52
@olivergondza olivergondza force-pushed the ClusterTrustBundle branch 2 times, most recently from dfe7ca7 to 198d41d Compare October 27, 2025 08:53
…rustBundles to repo-server automatically

Signed-off-by: Oliver Gondža <[email protected]>
@olivergondza (Contributor, Author):

@jannfis, after your review, this is the added feature of change detection: 9c3639c


Development

Successfully merging this pull request may close these issues.

Proposal: Populate repo-server container with ClusterTrustBundle CA certificates
