feat: add TLS config option to HTTP template. Fixes #7390 (#7929)

Signed-off-by: Rohan Kumar <[email protected]>
argoproj · Mar 18, 2022 · 5b14e15 · 5b14e15
1 parent 4e543f2
commit 5b14e15
Show file tree

Hide file tree

Showing 5 changed files with 127 additions and 22 deletions.
diff --git a/test/e2e/agent_test.go b/test/e2e/agent_test.go
@@ -37,19 +37,19 @@ spec:
  - - name: one
  template: http
  arguments:
- parameters: [{name: url, value: "http:https://httpstat.us/200?sleep=5000"}]
+ parameters: [{name: url, value: "https:https://httpstat.us/200?sleep=5000"}]
  - name: two
  template: http
  arguments:
- parameters: [{name: url, value: "http:https://httpstat.us/200?sleep=5000"}]
+ parameters: [{name: url, value: "https:https://httpstat.us/200?sleep=5000"}]
  - name: three
  template: http
  arguments:
- parameters: [{name: url, value: "http:https://httpstat.us/200?sleep=5000"}]
+ parameters: [{name: url, value: "https:https://httpstat.us/200?sleep=5000"}]
  - name: four
  template: http
  arguments:
- parameters: [{name: url, value: "http:https://httpstat.us/200?sleep=5000"}]
+ parameters: [{name: url, value: "https:https://httpstat.us/200?sleep=5000"}]
  - name: http
  inputs:
  parameters:
@@ -102,15 +102,15 @@ spec:
  - - name: http-status-is-201-fails
  template: http-status-is-201
  arguments:
- parameters: [{name: url, value: "http:https://httpstat.us/200"}]
+ parameters: [{name: url, value: "https:https://httpstat.us/200"}]
  - name: http-status-is-201-succeeds
  template: http-status-is-201
  arguments:
- parameters: [{name: url, value: "http:https://httpstat.us/201"}]
+ parameters: [{name: url, value: "https:https://httpstat.us/201"}]
  - name: http-body-contains-google-fails
  template: http-body-contains-google
  arguments:
- parameters: [{name: url, value: "http:https://httpstat.us/200"}]
+ parameters: [{name: url, value: "https:https://httpstat.us/200"}]
  - name: http-body-contains-google-succeeds
  template: http-body-contains-google
  arguments:

diff --git a/test/e2e/manifests/minimal/kustomization.yaml b/test/e2e/manifests/minimal/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/base/crds/argoproj.io_eventbus.yaml
 - https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/base/crds/argoproj.io_eventsources.yaml
 - https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/base/crds/argoproj.io_sensors.yaml
+- ../mixins/argo-workflows-agent-ca-certificates.yaml
 
 patchesStrategicMerge:
 - ../mixins/argo-server-deployment.yaml

diff --git a/test/e2e/manifests/mixins/argo-workflows-agent-ca-certificates.yaml b/test/e2e/manifests/mixins/argo-workflows-agent-ca-certificates.yaml
@@ -0,0 +1,31 @@
+# You can use the following command to generate a self-signed certificate:
+# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
+# also see: https://stackoverflow.com/a/10176685
+apiVersion: v1
+kind: Secret
+metadata:
+ name: argo-workflows-agent-ca-certificates
+stringData:
+ customcert.pem: >
+ -----BEGIN CERTIFICATE-----
+ MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
+ MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+ d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+ QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
+ MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+ b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
+ 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
+ CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
+ nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
+ 43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
+ T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
+ gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
+ BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
+ TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
+ DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
+ hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
+ 06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
+ PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
+ YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
+ CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
+ -----END CERTIFICATE-----
diff --git a/workflow/common/common.go b/workflow/common/common.go
@@ -230,6 +230,9 @@ const (
  ServiceAccountTokenVolumeName = "exec-sa-token" //nolint:gosec
  SecretVolMountPath = "/argo/secret"
 
+ // CACertificatesVolumeMountName is the name of the secret that contains the CA certificates.
+ CACertificatesVolumeMountName = "argo-workflows-agent-ca-certificates"
+
  // ArgoProgressPath defines the path to a file used for self reporting progress
  ArgoProgressPath = "/var/run/argo/progress"
 

diff --git a/workflow/controller/agent.go b/workflow/controller/agent.go
@@ -72,6 +72,42 @@ func assessAgentPodStatus(pod *apiv1.Pod) (wfv1.WorkflowPhase, string) {
  return newPhase, message
 }
 
+func (woc *wfOperationCtx) secretExists(ctx context.Context, name string) (bool, error) {
+ _, err := woc.controller.kubeclientset.CoreV1().Secrets(woc.wf.Namespace).Get(ctx, name, metav1.GetOptions{})
+ if err != nil {
+ if apierr.IsNotFound(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ return true, nil
+}
+
+func (woc *wfOperationCtx) getCertVolumeMount(ctx context.Context, name string) (*apiv1.Volume, *apiv1.VolumeMount, error) {
+ exists, err := woc.secretExists(ctx, name)
+ if err != nil {
+ return nil, nil, fmt.Errorf("failed to check if secret %s exists: %v", name, err)
+ }
+ if exists {
+ certVolume := &apiv1.Volume{
+ Name: name,
+ VolumeSource: apiv1.VolumeSource{
+ Secret: &apiv1.SecretVolumeSource{
+ SecretName: name,
+ },
+ }}
+
+ certVolumeMount := &apiv1.VolumeMount{
+ Name: name,
+ MountPath: "/etc/ssl/certs/ca-certificates/",
+ ReadOnly: true,
+ }
+
+ return certVolume, certVolumeMount, nil
+ }
+ return nil, nil, nil
+}
+
 func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, error) {
  podName := woc.getAgentPodName()
  log := woc.log.WithField("podName", podName)
@@ -88,6 +124,11 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
  }
  }
 
+ certVolume, certVolumeMount, err := woc.getCertVolumeMount(ctx, common.CACertificatesVolumeMountName)
+ if err != nil {
+ return nil, err
+ }
+
  pluginSidecars := woc.getExecutorPlugins()
  envVars := []apiv1.EnvVar{
  {Name: common.EnvVarWorkflowName, Value: woc.wf.Name},
@@ -111,6 +152,46 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
  // Intentionally randomize the name so that plugins cannot determine it.
  tokenVolumeName := fmt.Sprintf("kube-api-access-%s", rand.String(5))
 
+ var podVolumes []apiv1.Volume
+ var podVolumeMounts []apiv1.VolumeMount
+ if certVolume != nil && certVolumeMount != nil {
+ podVolumes = []apiv1.Volume{
+ {
+ Name: tokenVolumeName,
+ VolumeSource: apiv1.VolumeSource{
+ Secret: &apiv1.SecretVolumeSource{SecretName: secretName},
+ },
+ },
+ *certVolume,
+ }
+
+ podVolumeMounts = []apiv1.VolumeMount{
+ {
+ Name: tokenVolumeName,
+ MountPath: common.ServiceAccountTokenMountPath,
+ ReadOnly: true,
+ },
+ *certVolumeMount,
+ }
+ } else {
+ podVolumes = []apiv1.Volume{
+ {
+ Name: tokenVolumeName,
+ VolumeSource: apiv1.VolumeSource{
+ Secret: &apiv1.SecretVolumeSource{SecretName: secretName},
+ },
+ },
+ }
+
+ podVolumeMounts = []apiv1.VolumeMount{
+ {
+ Name: tokenVolumeName,
+ MountPath: common.ServiceAccountTokenMountPath,
+ ReadOnly: true,
+ },
+ }
+ }
+
  pod := &apiv1.Pod{
  ObjectMeta: metav1.ObjectMeta{
  Name: podName,
@@ -136,14 +217,8 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
  },
  ServiceAccountName: serviceAccountName,
  AutomountServiceAccountToken: pointer.BoolPtr(false),
- Volumes: []apiv1.Volume{
- {
- Name: tokenVolumeName,
- VolumeSource: apiv1.VolumeSource{
- Secret: &apiv1.SecretVolumeSource{SecretName: secretName},
- },
- },
- },
+ Volumes: podVolumes,
+
  Containers: append(
  pluginSidecars,
  apiv1.Container{
@@ -153,6 +228,7 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
  Image: woc.controller.executorImage(),
  ImagePullPolicy: woc.controller.executorImagePullPolicy(),
  Env: envVars,
+
  SecurityContext: &apiv1.SecurityContext{
  Capabilities: &apiv1.Capabilities{
  Drop: []apiv1.Capability{"ALL"},
@@ -172,13 +248,7 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
  "memory": resource.MustParse(env.LookupEnvStringOr("ARGO_AGENT_MEMORY_LIMIT", "256M")),
  },
  },
- VolumeMounts: []apiv1.VolumeMount{
- {
- Name: tokenVolumeName,
- MountPath: common.ServiceAccountTokenMountPath,
- ReadOnly: true,
- },
- },
+ VolumeMounts: podVolumeMounts,
  },
  ),
  },