Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-5232

Enable the use of secrets to store TLS cert details instead of direct embedding

XMLWordPrintable

    • Enable the use of secrets to store TLS cert details instead of direct embedding
    • False
    • None
    • False
    • To Do
    • SECFLOWOTL-195 - RFEs 1.15
    • 0% To Do, 0% In Progress, 100% Done
    • Hide
      With this update, you can now use Kubernetes TLS-type secrets to configure custom TLS certificates for Routes in ArgoCD CR. Previously, TLS data had to be embedded directly in the ArgoCD CR as plain text, which is not a good practice due to the sensitivity of TLS information. To enhance security, it is now recommended to use Kubernetes secrets for handling TLS data. A new field `.spec.*.route.tls.externalCertificate` has been introduced in ArgoCD CR to reference Kubernetes secrets of type `kubernetes.io/tls` containing TLS data. Please refer to the [upstream documentation](https://argocd-operator.readthedocs.io/en/latest/usage/routes/#custom-tls-certificates) for detailed usage instructions.
      Show
      With this update, you can now use Kubernetes TLS-type secrets to configure custom TLS certificates for Routes in ArgoCD CR. Previously, TLS data had to be embedded directly in the ArgoCD CR as plain text, which is not a good practice due to the sensitivity of TLS information. To enhance security, it is now recommended to use Kubernetes secrets for handling TLS data. A new field `.spec.*.route.tls.externalCertificate` has been introduced in ArgoCD CR to reference Kubernetes secrets of type `kubernetes.io/tls` containing TLS data. Please refer to the [upstream documentation]( https://argocd-operator.readthedocs.io/en/latest/usage/routes/#custom-tls-certificates ) for detailed usage instructions.

      Epic Goal

      Goals:

      • Provide an option to refer a kubernetes secret with TLS certificate details rather than providing the certificate details directly as plain text in the ArgoCD CR.

      Non-goals:
      NA

      Maps-to:

      Value:
      This feature addresses the security risk involved in exposing sensitive information in the ArgoCD CR.

      Why is this important?

      TLS cert details contains encryption key which should ideally be stored in a kubernetes secret. Embedding such sensitive information directly into the ArgoCD CR as a plain text, is a bad practice from security point of view.

      Background information

      When using custom certificates for securing the OpenShift GitOps route, the KCS document provided here -> https://access.redhat.com/solutions/7011305 suggests users to add the TLS details as plain text in the ArgoCD CR under spec.server.route.tls section like below.

      server: 
            [...]
            route: 
              enabled: true
              tls: 
                certificate: |
                  -----BEGIN CERTIFICATE-----
                  ---                         <======= Add the custom-cert here
                  -----END CERTIFICATE-----
                key: |
                  -----BEGIN RSA PRIVATE KEY-----
                  ---                        <======= Add the key here
                  -----END RSA PRIVATE KEY-----
                insecureEdgeTerminationPolicy: Redirect
                termination: reencrypt
      

      The tls.key field contains sensitive data and should not be embedded as plain text in a CR. This allows anyone who has view permission to get access to this sensitive information.

      Some more background information is captured in this document
      https://docs.google.com/document/d/13fkNLVBx6GJvjPrOt1J2DgTH0f72pzkdY-R6qwGKvW4/edit?usp=sharing

      Impact if not implemented

      If not implemented, there would be a security risk as the cert details remain exposed to anyone who can view the ArgoCD CR.

      Additional information

      Implementation details.

      • We can provide an option to refer a secret in the spec.server.route.tls section like below
        server: 
              [...]
              route: 
                enabled: true
                tls: 
                  secretRef: custom-tls-cert
        
      • Ensure that the secret referred is of type kubernetes.io/tls
      • Deprecate the old way of providing tls secrets.

      Acceptance Criteria (Mandatory)

      • Cert details should not be exposed in the ArgoCD CR. Deprecate the current behaviour and put a warning to users when they embed cert details.
      • It should be possible to refer a secret containing the TLS cert details from the ArgoCD CR.
      • Operator should pick up the TLS cert details directly from the secret that is being referenced.
      • Only secrets of type kubernetes.io/tls should be referred, for other secret types, it should report an error.

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. ...

      Open questions::

      1. ...
      •  

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

              rh-ee-sghadi Siddhesh Ghadi
              anjoseph Anand Francis Joseph
              Anand Singh
              GitOps
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: