Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-4801

Adding a self-signed TLS cert for the for the ApplicationSet Gitlab SCM Providerdoesn't work as expected in Gitops

XMLWordPrintable

    • 3
    • False
    • None
    • False
    • Hide
      Before this update, adding a self-signed TLS cert for the for the ApplicationSet Gitlab SCM Provider did not work as expected, the certificate would not mount on the required volume . This update fixes the issue by fixing the volume mount path and also documenting the right behaviour to use this feature. Now, the user should ensure that the ConfigMap is named argocd-appset-gitlab-scm-tls-certs-cm. Also note that the the key TLS Certificate ConfigMap should be named 'cert', as this is used as the filename that is mounted. Other key names will not work due to an upstream bug that will be addressed later. Below is a sample ConfigMap that can be used to mount your TLS certificate.

      ```yaml
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: argocd-appset-gitlab-scm-tls-certs-cm
        namespace: test-1-32-appsets-scm-tls-mount
      data:
        cert: |
          -----BEGIN CERTIFICATE-----
          ... (certificate contents) ...
          -----END CERTIFICATE-----
      ```
      Show
      Before this update, adding a self-signed TLS cert for the for the ApplicationSet Gitlab SCM Provider did not work as expected, the certificate would not mount on the required volume . This update fixes the issue by fixing the volume mount path and also documenting the right behaviour to use this feature. Now, the user should ensure that the ConfigMap is named argocd-appset-gitlab-scm-tls-certs-cm. Also note that the the key TLS Certificate ConfigMap should be named 'cert', as this is used as the filename that is mounted. Other key names will not work due to an upstream bug that will be addressed later. Below is a sample ConfigMap that can be used to mount your TLS certificate. ```yaml apiVersion: v1 kind: ConfigMap metadata:   name: argocd-appset-gitlab-scm-tls-certs-cm   namespace: test-1-32-appsets-scm-tls-mount data:   cert: |     -----BEGIN CERTIFICATE-----     ... (certificate contents) ...     -----END CERTIFICATE----- ```
    • GitOps Crimson - Sprint 3258, GitOps Crimson - Sprint 3259, GitOps Crimson - Sprint 3260, GitOps Crimson - Sprint 3261

      Description of problem:

      Adding a self-signed TLS cert for the for the ApplicationSet Gitlab SCM Providerdoesn't work as expected in Gitops

      Workaround:
      Client have to use insecure=true in the ApplicationSet configs

      Steps to Reproduce:
       
      As described in [1] and validated with [2], the `scmRootCAConfigMap` must be set in the ArgoCD CR, e.g.:

      spec:
  applicationSet:
    scmRootCAConfigMap: my-gitlab-scm-tls-cert
      • The certificate is only mounted if the name of the scmRootCAConfigMap is “argocd-appset-gitlab-scm-tls-certs-cm”. 
      • Then the certificate is created, but as a file in rootPath /app/tls/scm/cert/ with filename according to the key value in the CM. 

      However, the openshift-gitops-applicationset-controller expects the certificate file as /app/tls/scm/cert and fails with:

      level=error msg=“error reading certificate from file ‘/app/tls/scm/cert’, proceeding without custom rootCA : read /app/tls/scm/cert: is a directory”

       

      [1] https://argocd-operator.readthedocs.io/en/latest/reference/argocd/#add-self-signed-tls-certificate-for-gitlab-scm-provider-to-applicationsets-controller

      [2] https://github.com/argoproj-labs/argocd-operator/blob/b300521514289b1ae4fd9e4dd8fd23c5148a7164/tests/k8s/1-033_validate_applicationset_tls_scm_volume_mount/01-install.yaml

       

      Prerequisites (if any, like setup, operators/versions):

      OCP: 4.14.19
      openshift-gitops-operator.v1.12.2 

              saumeyakatyal Saumeya Katyal
              rhn-support-dtambat Darshan Tambat
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: