-
Epic
-
Resolution: Done
-
Critical
-
None
-
Enable the use of secrets to store TLS cert details instead of direct embedding
-
False
-
None
-
False
-
To Do
-
SECFLOWOTL-195 - RFEs 1.15
-
0% To Do, 0% In Progress, 100% Done
-
-
-
Epic Goal
Goals:
- Provide an option to refer a kubernetes secret with TLS certificate details rather than providing the certificate details directly as plain text in the ArgoCD CR.
Non-goals:
NA
Maps-to:
Value:
This feature addresses the security risk involved in exposing sensitive information in the ArgoCD CR.
Why is this important?
TLS cert details contains encryption key which should ideally be stored in a kubernetes secret. Embedding such sensitive information directly into the ArgoCD CR as a plain text, is a bad practice from security point of view.
Background information
When using custom certificates for securing the OpenShift GitOps route, the KCS document provided here -> https://access.redhat.com/solutions/7011305 suggests users to add the TLS details as plain text in the ArgoCD CR under spec.server.route.tls section like below.
server: [...] route: enabled: true tls: certificate: | -----BEGIN CERTIFICATE----- --- <======= Add the custom-cert here -----END CERTIFICATE----- key: | -----BEGIN RSA PRIVATE KEY----- --- <======= Add the key here -----END RSA PRIVATE KEY----- insecureEdgeTerminationPolicy: Redirect termination: reencrypt
The tls.key field contains sensitive data and should not be embedded as plain text in a CR. This allows anyone who has view permission to get access to this sensitive information.
Some more background information is captured in this document
https://docs.google.com/document/d/13fkNLVBx6GJvjPrOt1J2DgTH0f72pzkdY-R6qwGKvW4/edit?usp=sharing
Impact if not implemented
If not implemented, there would be a security risk as the cert details remain exposed to anyone who can view the ArgoCD CR.
Additional information
Implementation details.
- We can provide an option to refer a secret in the spec.server.route.tls section like below
server: [...] route: enabled: true tls: secretRef: custom-tls-cert
- Ensure that the secret referred is of type kubernetes.io/tls
- Deprecate the old way of providing tls secrets.
Acceptance Criteria (Mandatory)
- Cert details should not be exposed in the ArgoCD CR. Deprecate the current behaviour and put a warning to users when they embed cert details.
- It should be possible to refer a secret containing the TLS cert details from the ArgoCD CR.
- Operator should pick up the TLS cert details directly from the secret that is being referenced.
- Only secrets of type kubernetes.io/tls should be referred, for other secret types, it should report an error.
Dependencies (internal and external)
- ...
Previous Work (Optional):
- ...
Open questions::
- ...
Done Checklist
- Acceptance criteria are met
- Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
- User Journey automation is delivered
- Support and SRE teams are provided with enough skills to support the feature in production environment
- is depended on by
-
RFE-5037 GitOps operator should use secrets instead of embedding the custom TLS certificates in ArgoCD CR
- Accepted
- relates to
-
GITOPS-5950 [Manual Test] for Enable the use of secrets to store TLS cert details instead of direct embedding
- New
- links to
-
RHEA-2024:139495 Errata Advisory for OpenShift GitOps v1.15.0