OpenShift GitOps / GITOPS-4778

Update the default policy to reencrypt only if the TLS secret is absent

    • GitOps Scarlet - Sprint 3258

      Description of problem:

      #1363 changed the default termination policy from passthrough to reencrypt. However, there could be some users who have configured the old passthrough Route with a custom certificate before the upgrade. We don't want to overwrite their configuration once they upgrade the operator.

      This PR introduces logic to update the Route to reencrypt only if the "argocd-server-tls" secret is not present.

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      1. Install/Run an older version of the operator that still has Passthrough as default.
      2. Verify that the Route is using the Passthrough policy. Configure a custom TLS secret "argocd-server-tls" using OpenSSL.
      3. Stop the operator and run the latest version of the operator.
      4. Verify that the Route is using Reencrypt, but the UI is not accessible because the operator is trying to request a certificate from the OpenShift Service CA in an existing secret.
      5. Verify the errors in the annotations of the Argo CD server service.

       

      Actual results:

      Argo CD server route will be overwritten to reencrypt for users who have already configured the old Passthrough route with a custom "argocd-server-tls" secret.

      Expected results:

      Argo CD server route shouldn't be overwritten to reencrypt for users who have already configured the old Passthrough route with a custom "argocd-server-tls" secret.

      Reproducibility: Always
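
The upgrade behaviour described above, modelled as an added example (not the operator's own code): the reported behaviour next to the requested one, run over the two upgrade cases. The `Cluster` and `Plan` types and all function names are hypothetical simplifications; the sample cluster states are constructed.

```go
package main

import "fmt"

// Cluster is a constructed, minimal stand-in for the state a reconcile reads.
// Type, field and function names are hypothetical, not the operator's API.
type Cluster struct {
	RouteTermination string          // current Route TLS termination
	Secrets          map[string]bool // secret name -> exists in the namespace
}

// Plan is what one reconcile pass would apply in this simplified model.
type Plan struct {
	Termination      string // desired Route termination
	RequestServiceCA bool   // ask the OpenShift Service CA to issue into the secret
}

const tlsSecret = "argocd-server-tls"

// planBefore models the reported behaviour: the new default is applied
// unconditionally, so a pre-existing custom secret is targeted as well.
func planBefore(c Cluster) Plan {
	return Plan{Termination: "reencrypt", RequestServiceCA: true}
}

// planAfter models the requested behaviour: switch to reencrypt only when
// the TLS secret is absent; otherwise leave the Route as the user has it.
func planAfter(c Cluster) Plan {
	if c.Secrets[tlsSecret] {
		return Plan{Termination: c.RouteTermination, RequestServiceCA: false}
	}
	return Plan{Termination: "reencrypt", RequestServiceCA: true}
}

// conflicts reports the failure from the reproduction steps: a Service CA
// certificate request aimed at a secret that already exists.
func conflicts(c Cluster, p Plan) bool {
	return p.RequestServiceCA && c.Secrets[tlsSecret]
}

func main() {
	cases := map[string]Cluster{
		"upgrade with custom secret": {RouteTermination: "passthrough", Secrets: map[string]bool{tlsSecret: true}},
		"upgrade without secret":     {RouteTermination: "passthrough", Secrets: map[string]bool{}},
	}
	for name, c := range cases {
		b, a := planBefore(c), planAfter(c)
		fmt.Printf("%s: before=%+v conflict=%v | after=%+v conflict=%v\n",
			name, b, conflicts(c, b), a, conflicts(c, a))
	}
}
```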

            cbanavik Chetan Banavikalmutt