Epic Goal

• Use k8s trust anchors (the contents of the CA bundle), and let Argo CD trust them. Currently, Argo CD administrators needs to re-declare them in argocd-tls-certs-cm.

Evaluations:

• https://docs.google.com/document/d/1Nj53qYKfi-U23osKfx97Y928syqGHQeFeI4tozmFE-U/edit?tab=t.0
• https://docs.google.com/document/d/1_sOM9zBtm6XGtAEvurlyUMRnzGOSqBDPnDPsnema9b4/edit?tab=t.0

Why is this important?

• It eases the management for our customers,
• minimizes the work duplication.
• decreases operational risks/downtime causes by configuration mismatch.

Scenarios

1. As an Argo CD administrator, I would like to have a possibility to accept Trust Anchors from the cluster (instead of re-declaring them in Argo CD CMs).
2. As an Argo CD administrator, I would like not to worry about explicitly managing trust to well known hosts (raw.githubusercontent.com, etc.) while adding custom entries.
3. As an Argo CD administrator, I would like my repo-server plugin sidecars trust the hosts. This is important when my executed commands reach out to further TLS hosts. Such as kustomize, fetching files over TLS, etc.

Out of scope

• To begin with, this should just be about the repo-server. It could be expanded in future to any other certs required by Argo CD, but this feature is about repository access only.
• Only TLS certificates are in scope, SSH host keys are not.

Other Considerations

• The feature will be implemented in the gitops operator only for now.
• The required kubernetes feature is turning beta by the end of CY2025
  • https://access.redhat.com/support/cases/#/case/03181807/discussion?commentId=a0aHn00000ZUXwVIAX
• Alternative approaches
  • Some customers utilize the official documented approach to Trust Anchor injection using  config.openshift.io/inject-trusted-cabundle="true"
    • https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/configuring_network_settings/configuring-a-custom-pki#certificate-injection-using-operators_configuring-a-custom-pki
  • Upstream alternative proposal to add one trust anchor to be applied to all hosts, even when hostname not declared in argocd-tls-certs-cm.
    • https://github.com/argoproj/argo-cd/pull/17503

Definition of Ready

• The epic has been broken down into stories.
• Stories have been scoped.
• The epic has been stack ranked.

Definition of Done

• Code Complete:
  • All code has been written, reviewed, and approved.
• Tested:
  • Unit tests have been written and passed.
  • Integration tests have been completed.
  • System tests have been conducted, and all critical bugs have been fixed.
  • Tested on OpenShift either upstream or downstream on a local build.
• Documentation:
  • User documentation or release notes have been written.
• Build:
  • Code has been successfully built and integrated into the main repository / project.
• Review:
  • Code has been peer-reviewed and meets coding standards.
  • All acceptance criteria defined in the user story have been met.
  • Tested by reviewer on OpenShift.
• Deployment:
  • The feature has been deployed on OpenShift cluster for testing.
• Acceptance:
  • Product Manager or stakeholder has reviewed and accepted the work.