Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add TLS support. Closes #2764 #2766

Merged
merged 29 commits into from
Apr 23, 2020
Merged

feat: Add TLS support. Closes #2764 #2766

merged 29 commits into from
Apr 23, 2020
+265 −63

Conversation

alexec
Copy link
Contributor

@alexec alexec commented Apr 20, 2020
edited
Loading

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this is a chore.
  • The title of the PR is (a) conventional, (b) states what changed, and (c) suffixes the related issues number. E.g. "fix(controller): Updates such and such. Fixes #1234".
  • I've signed the CLA.
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My builds are green. Try syncing with master if they are not.
  • My organization is added to USERS.md.

How Is This Different to Argo CD?

The usage is documented in docs/tls.md, but essentially:

  • Rather than have two listeners, one HTTP and one HTTPS, you must have one of the other.
  • Rather than --insecure flag, we have a more specific --insecure-skip-verify flag.

@alexec alexec linked an issue Apr 20, 2020 that may be closed by this pull request
Add TLS support to Argo Server #2764
Closed
alexec
alexec commented Apr 21, 2020
View reviewed changes
docs/cli.md Outdated Show resolved Hide resolved
alexec
alexec commented Apr 21, 2020
View reviewed changes
go.mod
golang.org/x/crypto v0.0.0-20200311171314-f7b00557c8c4
golang.org/x/net v0.0.0-20200301022130-244492dfa37a
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
golang.org/x/tools v0.0.0-20200414205525-6a72e3782ce5 // indirect
google.golang.org/api v0.20.0
google.golang.org/genproto v0.0.0-20200317114155-1f3552e48f24
google.golang.org/grpc v1.28.0
gopkg.in/gavv/httpexpect.v2 v2.0.0
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

replaced this with go.mod format

alexec
alexec commented Apr 21, 2020
View reviewed changes
server/apiserver/argoserver.go
baseHRef string
baseHRef string
// https://itnext.io/practical-guide-to-securing-grpc-connections-with-go-and-tls-part-1-f63058e9d6d1
tlsConfig *tls.Config
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this one variable is everything

@alexec alexec marked this pull request as ready for review April 21, 2020 18:57
@alexec alexec requested review from alexmt and jessesuen April 21, 2020 18:58
@alexec alexec added this to the v2.9 milestone Apr 21, 2020
whynowy
whynowy reviewed Apr 23, 2020
View reviewed changes
pkg/apiclient/argo-server-client.go
@@ -55,8 +57,12 @@ func (a *argoServerClient) NewInfoServiceClient() (infopkg.InfoServiceClient, er
return infopkg.NewInfoServiceClient(a.ClientConn), nil
}

func NewClientConn(argoServer string) (*grpc.ClientConn, error) {
conn, err := grpc.Dial(argoServer, grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(MaxClientGRPCMessageSize)), grpc.WithInsecure())
func newClientConn(opts ArgoServerOpts) (*grpc.ClientConn, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using argo --secure xxx, can we check the URL to see if it starts with https:// to determine? This will make it easy to use.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did consider usability, which is why you can set an env var, or you can use -e. The ARGO_SERVER is host:port not proto:https://host:port, so this would be more complex.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer to make ARGO_SERVER smarter to support both host:port and protocol:https://host:port. Think about kubectl, curl and wget, they never ask the user to give an argument to indicate that. But it's up to you, I'll approve it.

manifests/quick-start-no-db.yaml
@@ -384,7 +384,8 @@ metadata:
name: argo-server
spec:
ports:
- port: 2746
- name: web
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A suggestion, can we use a different port when it's running secure mode?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did consider this. However, I wanted to keep things as simple as possible. If you want to run it on another port, you could use the --port flag to do so.

@sonarcloud
Copy link

sonarcloud bot commented Apr 23, 2020

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities (and Security Hotspot 0 Security Hotspots to review)
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@alexec alexec merged commit 0dbd78f into argoproj:master Apr 23, 2020
@alexec alexec deleted the feat-tls branch April 23, 2020 20:39
@alexec alexec modified the milestones: v2.9, v2.8 Apr 23, 2020
@ad22 ad22 mentioned this pull request Mar 25, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@whynowy whynowy whynowy approved these changes

@alexmt alexmt Awaiting requested review from alexmt

@jessesuen jessesuen Awaiting requested review from jessesuen

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.8
Development

Successfully merging this pull request may close these issues.

Add TLS support to Argo Server
2 participants
@alexec @whynowy