diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml
index fa41352d7..20b57462f 100644
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v2.10.5
 kubeVersion: ">=1.23.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 6.7.6
+version: 6.8.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@@ -26,5 +26,7 @@ annotations:
 fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
 url: https://argoproj.github.io/argo-helm/pgp_keys.asc
 artifacthub.io/changes: |
+ - kind: added
+ description: added authentication for builtin Redis
 - kind: fixed
 description: added missing crd change for 2.10.5
diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index d43a0fdab..445521aee 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@@ -1154,6 +1154,10 @@ NAME: my-release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | redis.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
+| redis.auth.configAnnotations | object | `{}` | Annotations to be added to Redis config secret |
+| redis.auth.enabled | bool | `false` | Enable authentication for Redis. Passwords are auto-generated and stored in the Secret `argocd-redis`. If you're managing ArgoCD via ArgoCD you need to ignore the auto-generated password fields in `ignoreDifferences` , e.g. with ``` ignoreDifferences: - kind: Secret name: argocd-redis jsonPointers: - /data/redis-password - /data/redis-password-admin - /data/redis-password-default ``` |
+| redis.auth.secretAnnotations | object | `{}` | Annotations to be added to Redis secret |
+| redis.auth.username | string | `"argocd"` | Username for connecting to Redis |
 | redis.containerPorts.metrics | int | `9121` | Metrics container port |
 | redis.containerPorts.redis | int | `6379` | Redis container port |
 | redis.containerSecurityContext | object | See [values.yaml] | Redis container-level security context |
@@ -1183,6 +1187,7 @@ NAME: my-release
 | redis.exporter.readinessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out |
 | redis.exporter.resources | object | `{}` | Resource limits and requests for redis-exporter sidecar |
 | redis.extraArgs | list | `[]` | Additional command line arguments to pass to redis-server |
+| redis.extraConfig | string | `""` | Redis extra configuration settings (https://redis.io/docs/management/config-file/) |
 | redis.extraContainers | list | `[]` | Additional containers to be added to the redis pod |
 | redis.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Redis image pull policy |
 | redis.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository |
diff --git a/charts/argo-cd/templates/redis/configmap.yaml b/charts/argo-cd/templates/redis/configmap.yaml
new file mode 100644
index 000000000..65eeaca69
--- /dev/null
+++ b/charts/argo-cd/templates/redis/configmap.yaml
@@ -0,0 +1,25 @@
+{{- $redisHa := index .Values "redis-ha" -}}
+{{- if and .Values.redis.enabled (or .Values.redis.auth.enabled .Values.redis.extraConfig) (not $redisHa.enabled) -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ include "argo-cd.redis.fullname" . }}-config"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }}
+ {{- with .Values.redis.auth.secretAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+data:
+ {{- if or .Values.redis.auth.enabled .Values.redis.extraConfig }}
+ redis.conf: |
+ {{- if .Values.redis.auth.enabled }}
+ aclfile /etc/redis/users.acl
+ {{- end }}
+ {{- .Values.redis.extraConfig | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml
index a25c1bd86..79211cf6e 100755
--- a/charts/argo-cd/templates/redis/deployment.yaml
+++ b/charts/argo-cd/templates/redis/deployment.yaml
@@ -26,8 +26,9 @@ spec:
 {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.redis.podLabels) }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.redis.podAnnotations) }}
 annotations:
+ checksum/redis-config: {{ include (print $.Template.BasePath "/redis/secret.yaml") . | sha256sum }}
+ {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.redis.podAnnotations) }}
 {{- range $key, $value := . }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
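Review bot: The ConfigMap's annotations block reads `.Values.redis.auth.secretAnnotations`, while `redis.auth.configAnnotations`, which values.yaml and the README on this page describe as the annotations for the Redis config, is never consumed by any template in this diff. That looks like a copy from secret.yaml; the guard should be `{{- with .Values.redis.auth.configAnnotations }}`, and the values.yaml/README wording "Redis config secret" should say ConfigMap, since the object created here is a ConfigMap. A smaller point: `{{- .Values.redis.extraConfig | nindent 4 }}` still emits a newline plus four spaces when extraConfig is empty, so `redis.conf` ends with a whitespace-only line; wrapping it in `{{- with .Values.redis.extraConfig }}` keeps the rendered file clean.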
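Review bot: `checksum/redis-config` hashes only `redis/secret.yaml`, so a change to `redis.extraConfig`, which lands in the ConfigMap, does not roll the Redis pods; a second annotation over the ConfigMap, `checksum/redis-configmap: {{ include (print $.Template.BasePath "/redis/configmap.yaml") . | sha256sum }}`, closes that gap. Conversely, when `redis.auth.enabled` is true and the chart is rendered without cluster access (the `helm template` path that secret.yaml's own header describes), the `lookup` fallback to `randAlphaNum` makes the hashed secret differ on every render, so every sync would restart Redis; either hash something stable in that mode or document the restart behaviour next to the annotation. The enclosing pod template starts before this hunk.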
@@ -60,6 +61,9 @@ spec:
 {{- with .Values.redis.extraArgs }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if or .Values.redis.auth.enabled .Values.redis.extraConfig }}
+ - /etc/redis/redis.conf
+ {{- end }}
 - --save
 - ""
 - --appendonly
@@ -111,6 +115,11 @@ spec:
 volumeMounts:
 - mountPath: /health
 name: health
+ {{- if or .Values.redis.auth.enabled .Values.redis.extraConfig }}
+ - mountPath: /etc/redis
+ name: config
+ readOnly: true
+ {{- end }}
 {{- with .Values.redis.volumeMounts }}
 {{- toYaml . | nindent 10 }}
 {{- end }}
@@ -194,6 +203,17 @@ spec:
 configMap:
 name: {{ include "argo-cd.redis.fullname" . }}-health-configmap
 defaultMode: 493
+ {{- if or .Values.redis.auth.enabled .Values.redis.extraConfig }}
+ - name: config
+ projected:
+ sources:
+ - configMap:
+ name: "{{ include "argo-cd.redis.fullname" . }}-config"
+ {{- if .Values.redis.auth.enabled }}
+ - secret:
+ name: "{{ include "argo-cd.redis.fullname" . }}-users"
+ {{- end }}
+ {{- end }}
 {{- with .Values.redis.volumes }}
 {{- toYaml . | nindent 8}}
 {{- end }}
diff --git a/charts/argo-cd/templates/redis/secret.yaml b/charts/argo-cd/templates/redis/secret.yaml
new file mode 100644
index 000000000..cb6e62609
--- /dev/null
+++ b/charts/argo-cd/templates/redis/secret.yaml
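Review bot: `/etc/redis/redis.conf` is appended to `args` after `.Values.redis.extraArgs`, but as far as I recall redis-server only treats its first argument as the config-file path and parses everything after it as `--option value` pairs, so with any extraArgs set the path would be consumed as an option value and the ACL file would never be loaded. Moving the `{{- if or .Values.redis.auth.enabled .Values.redis.extraConfig }}` block above the `with .Values.redis.extraArgs` so the path is the first element avoids that; a rendered test with a non-empty extraArgs would confirm it. The `args` list starts before this hunk.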
@@ -0,0 +1,78 @@
+# lookup existing secret with Helm's `lookup` function.
+# At first, it might seem strange to use this function in the ArgoCD ecosystem.
+# However, the purpose of this Helm Chart is to bootstrap ArgoCD. For this use-case
+# you don't have necessarily ArgoCD available, yet.
+#
+# Basically, ArgoCD can be installed with two approaches:
+# 1. Via Helm -> Helm's `lookup` function works as expected
+# 2. Via ArgoCD -> `lookup` will always return an empty value because ArgoCD
+# calls `helm template` internally. In this case, you need to ignore the password
+# fields of the secret in `ignoreDifferences`:
+# ```yaml
+# ignoreDifferences:
+# - kind: Secret
+# name: argocd-redis
+# jsonPointers:
+# - /data/redis-password
+# - /data/redis-password-admin
+# - /data/redis-password-default
+# ```
+{{- $secretName := include "argo-cd.redis.fullname" . -}}
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
+{{- $secretData := (get $secretObj "data") | default dict }}
+# generate random password if secret doesn't exist
+{{- $defaultUserPassword := (get $secretData "redis-password-default") | default (randAlphaNum 48 | b64enc) }}
+{{- $adminUserPassword := (get $secretData "redis-password-admin") | default (randAlphaNum 48 | b64enc) }}
+{{- $argoUserPassword := (get $secretData "redis-password") | default (randAlphaNum 48 | b64enc) }}
+{{- if .Values.redis.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }}
+ {{- with .Values.redis.auth.secretAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+type: Opaque
+immutable: true
+data:
+ redis-username-default: {{ "default" | b64enc }}
+ redis-password-default: {{ $defaultUserPassword | quote }}
+
+ redis-username-admin: {{ "admin" | b64enc }}
+ redis-password-admin: {{ $adminUserPassword | quote }}
+
+ {{- with .Values.redis.auth.username }}
+ redis-username: {{ . | b64enc }}
+ {{- end }}
+ redis-password: {{ $argoUserPassword | quote }}
+{{- end }}
+
+{{- $redisHa := index .Values "redis-ha" -}}
+{{- if and .Values.redis.enabled .Values.redis.auth.enabled (not $redisHa.enabled) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ include "argo-cd.redis.fullname" . }}-users"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }}
+ {{- with .Values.redis.auth.secretAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+stringData:
+ users.acl: |
+ user default on +@all -@admin -@dangerous ~* &* >{{ $defaultUserPassword | b64dec }}
+ user admin on +@all -@admin -@dangerous ~* &* >{{ $adminUserPassword | b64dec }}
+ user {{ .Values.redis.auth.username }} on +@all ~* &* >{{ $argoUserPassword | b64dec }}
+
+{{- end }}
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index a281d0197..3906902d2 100644
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
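Review bot: The three ACL entries in `users.acl` are not consistent: `default` and `admin` are restricted with `-@admin -@dangerous`, but the `{{ .Values.redis.auth.username }}` user that the Argo CD components connect as gets an unrestricted `+@all ~* &*`, so that account, not the one named admin, holds the @admin/@dangerous categories (CONFIG, FLUSHALL and the like); unless Argo CD demonstrably needs those, the same `-@admin -@dangerous` should apply to it, with a comment stating which command categories it actually requires. Separately, the first Secret is `immutable: true` and gated only on `redis.auth.enabled`, while the `-users` Secret is also gated on `redis.enabled` and `not $redisHa.enabled`; if the looser gate is intentional, a comment saying why would help. Under the ArgoCD-managed install the header describes, every render produces new passwords and an immutable Secret cannot be updated in place, so `ignoreDifferences` is only half the story — the header should also say that rotation requires deleting the Secret and that syncs must honour the ignored fields (the `RespectIgnoreDifferences=true` sync option).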
@@ -1163,6 +1163,31 @@ redis:
 # -- Redis name
 name: redis
+ # -- Redis extra configuration settings (https://redis.io/docs/management/config-file/)
+ extraConfig: ""
+
+ ## Redis authentication
+ auth:
+ # -- Enable authentication for Redis. Passwords are auto-generated and stored in the Secret `argocd-redis`.
+ # If you're managing ArgoCD via ArgoCD you need to ignore the auto-generated password fields in `ignoreDifferences`
+ # , e.g. with
+ # ```
+ # ignoreDifferences:
+ # - kind: Secret
+ # name: argocd-redis
+ # jsonPointers:
+ # - /data/redis-password
+ # - /data/redis-password-admin
+ # - /data/redis-password-default
+ # ```
+ enabled: false
+ # -- Username for connecting to Redis
+ username: argocd
+ # -- Annotations to be added to Redis secret
+ secretAnnotations: {}
+ # -- Annotations to be added to Redis config secret
+ configAnnotations: {}
+
 ## Redis Pod Disruption Budget
 ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 pdb: