Feature
Resolution: Unresolved
Major
Moderate
Description of problem:
When a custom API server certificate has been configured on a managed cluster, ArgoCD cannot contact that cluster's API server (TLS handshake failure): the API server's CA certificate is not loaded by ArgoCD.
Steps to Reproduce:
- Configure a custom API server certificate on the managed cluster, as described in https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/security_and_compliance/configuring-certificates#api-server-certificates
- Register the managed cluster with the Red Hat OpenShift GitOps operator
Actual results:
The ArgoCD call to the API server fails (TLS handshake failure).
Expected results:
The ArgoCD call to the API server succeeds (TLS handshake OK).
Additional info:
This is due to how gitopscluster loads the CA certificate.
According to the source code of gitopscluster_controller, the secrets used to add clusters to ArgoCD are generated from the secret created by the ManagedServiceAccount:
https://github.com/open-cluster-management-io/multicloud-integrations/blob/f8d354e772bed0cb67c3be01c476e7f4c6ea7370/pkg/controller/gitopscluster/gitopscluster_controller.go#L1122
....
caCrt := base64.StdEncoding.EncodeToString(tokenSecret.Data["ca.crt"])
....
In short, only the CA from "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" is used, and the API server's CA certificate is not part of it, so the serving certificate of a custom API server cannot be validated.
=> In addition to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, ArgoCD should load the API server CA certificate.
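The following is an added illustration of the proposed fix, not code from multicloud-integrations or from the reporter: it merges the service account CA with the custom API server CA into one PEM bundle (what caCrt should encode) and shows, with two constructed throwaway CAs, that the service account CA alone does not validate the custom API server's CA while the merged bundle does. The function names, and the assumption that the API server CA PEM is obtained separately from the managed cluster, are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// MergeCABundle appends the custom API server CA to the service account CA the controller
// reads from tokenSecret.Data["ca.crt"]; non-certificate PEM blocks and duplicates are dropped.
func MergeCABundle(saCA, apiServerCA []byte) []byte {
	seen, out := map[string]bool{}, []byte{}
	for _, src := range [][]byte{saCA, apiServerCA} {
		for b, rest := pem.Decode(src); b != nil; b, rest = pem.Decode(rest) {
			if b.Type == "CERTIFICATE" && !seen[string(b.Bytes)] {
				seen[string(b.Bytes)] = true
				out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: b.Bytes})...)
			}
		}
	}
	return out
}
// Trusted reports whether serverCertPEM verifies against the CAs in bundle (no hostname check).
func Trusted(bundle, serverCertPEM []byte) bool {
	pool := x509.NewCertPool()
	if b, _ := pem.Decode(serverCertPEM); b != nil && pool.AppendCertsFromPEM(bundle) {
		if cert, err := x509.ParseCertificate(b.Bytes); err == nil {
			_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
			return err == nil
		}
	}
	return false
}
// SelfSignedCA builds a throwaway CA certificate (constructed demo data only, hypothetical helper).
func SelfSignedCA(cn string) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, key.Public(), key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	saCA, apiCA := SelfSignedCA("kube-serviceaccount-ca"), SelfSignedCA("custom-api-server-ca")
	fmt.Println(Trusted(saCA, apiCA), Trusted(MergeCABundle(saCA, apiCA), apiCA)) // false true
}
```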