-
Notifications
You must be signed in to change notification settings - Fork 5.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request from GHSA-9766-5277-j5hr
* fix: Enable Redis authentication in the default installation Signed-off-by: May Zhang <[email protected]> * chore: fix git_test unit test Signed-off-by: Leonardo Luz Almeida <[email protected]> --------- Signed-off-by: May Zhang <[email protected]> Signed-off-by: Leonardo Luz Almeida <[email protected]> Co-authored-by: May Zhang <[email protected]>
- Loading branch information
1 parent
6530c6f
commit f1a449e
Showing
27 changed files
with
886 additions
and
119 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
package admin | ||
|
||
import ( | ||
"context" | ||
"crypto/rand" | ||
"fmt" | ||
"math/big" | ||
|
||
"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" | ||
"github.com/argoproj/argo-cd/v2/util/cli" | ||
apierr "k8s.io/apimachinery/pkg/api/errors" | ||
|
||
"github.com/argoproj/argo-cd/v2/util/errors" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/client-go/kubernetes" | ||
"k8s.io/client-go/tools/clientcmd" | ||
|
||
"github.com/spf13/cobra" | ||
corev1 "k8s.io/api/core/v1" | ||
) | ||
|
||
const defaulRedisInitialPasswordSecretName = "argocd-redis" | ||
const defaultResisInitialPasswordKey = "auth" | ||
|
||
func generateRandomPassword() (string, error) { | ||
const initialPasswordLength = 16 | ||
const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-" | ||
randBytes := make([]byte, initialPasswordLength) | ||
for i := 0; i < initialPasswordLength; i++ { | ||
num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters)))) | ||
if err != nil { | ||
return "", err | ||
} | ||
randBytes[i] = letters[num.Int64()] | ||
} | ||
initialPassword := string(randBytes) | ||
return initialPassword, nil | ||
} | ||
|
||
// NewRedisInitialPasswordCommand defines a new command to ensure Argo CD Redis password secret exists. | ||
func NewRedisInitialPasswordCommand() *cobra.Command { | ||
var ( | ||
clientConfig clientcmd.ClientConfig | ||
) | ||
var command = cobra.Command{ | ||
Use: "redis-initial-password", | ||
Short: "Ensure the Redis password exists, creating a new one if necessary.", | ||
Run: func(c *cobra.Command, args []string) { | ||
namespace, _, err := clientConfig.Namespace() | ||
errors.CheckError(err) | ||
|
||
redisInitialPasswordSecretName := defaulRedisInitialPasswordSecretName | ||
redisInitialPasswordKey := defaultResisInitialPasswordKey | ||
fmt.Printf("Checking for initial Redis password in secret %s/%s at key %s. \n", namespace, redisInitialPasswordSecretName, redisInitialPasswordKey) | ||
|
||
config, err := clientConfig.ClientConfig() | ||
errors.CheckError(err) | ||
errors.CheckError(v1alpha1.SetK8SConfigDefaults(config)) | ||
|
||
kubeClientset := kubernetes.NewForConfigOrDie(config) | ||
|
||
randomPassword, err := generateRandomPassword() | ||
errors.CheckError(err) | ||
|
||
data := map[string][]byte{ | ||
redisInitialPasswordKey: []byte(randomPassword), | ||
} | ||
secret := &corev1.Secret{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: redisInitialPasswordSecretName, | ||
Namespace: namespace, | ||
}, | ||
Data: data, | ||
Type: corev1.SecretTypeOpaque, | ||
} | ||
_, err = kubeClientset.CoreV1().Secrets(namespace).Create(context.Background(), secret, metav1.CreateOptions{}) | ||
if err != nil && !apierr.IsAlreadyExists(err) { | ||
errors.CheckError(err) | ||
} | ||
|
||
fmt.Println("Argo CD Redis secret state confirmed: secret name argocd-redis.") | ||
secret, err = kubeClientset.CoreV1().Secrets(namespace).Get(context.Background(), redisInitialPasswordSecretName, v1.GetOptions{}) | ||
errors.CheckError(err) | ||
|
||
if _, ok := secret.Data[redisInitialPasswordKey]; ok { | ||
fmt.Println("Password secret is configured properly.") | ||
} else { | ||
err := fmt.Errorf("key %s doesn't exist in secret %s. \n", redisInitialPasswordKey, redisInitialPasswordSecretName) | ||
errors.CheckError(err) | ||
} | ||
}, | ||
} | ||
|
||
clientConfig = cli.AddKubectlFlagsToCmd(&command) | ||
|
||
return &command | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
67 changes: 67 additions & 0 deletions
67
docs/user-guide/commands/argocd_admin_redis-initial-password.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
# `argocd admin redis-initial-password` Command Reference | ||
|
||
## argocd admin redis-initial-password | ||
|
||
Ensure the Redis password exists, creating a new one if necessary. | ||
|
||
``` | ||
argocd admin redis-initial-password [flags] | ||
``` | ||
|
||
### Options | ||
|
||
``` | ||
--as string Username to impersonate for the operation | ||
--as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. | ||
--as-uid string UID to impersonate for the operation | ||
--certificate-authority string Path to a cert file for the certificate authority | ||
--client-certificate string Path to a client certificate file for TLS | ||
--client-key string Path to a client key file for TLS | ||
--cluster string The name of the kubeconfig cluster to use | ||
--context string The name of the kubeconfig context to use | ||
--disable-compression If true, opt-out of response compression for all requests to the server | ||
-h, --help help for redis-initial-password | ||
--insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure | ||
--kubeconfig string Path to a kube config. Only required if out-of-cluster | ||
-n, --namespace string If present, the namespace scope for this CLI request | ||
--password string Password for basic authentication to the API server | ||
--proxy-url string If provided, this URL will be used to connect via proxy | ||
--request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") | ||
--server string The address and port of the Kubernetes API server | ||
--tls-server-name string If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used. | ||
--token string Bearer token for authentication to the API server | ||
--user string The name of the kubeconfig user to use | ||
--username string Username for basic authentication to the API server | ||
``` | ||
|
||
### Options inherited from parent commands | ||
|
||
``` | ||
--auth-token string Authentication token | ||
--client-crt string Client certificate file | ||
--client-crt-key string Client certificate key file | ||
--config string Path to Argo CD config (default "/home/user/.config/argocd/config") | ||
--controller-name string Name of the Argo CD Application controller; set this or the ARGOCD_APPLICATION_CONTROLLER_NAME environment variable when the controller's name label differs from the default, for example when installing via the Helm chart (default "argocd-application-controller") | ||
--core If set to true then CLI talks directly to Kubernetes instead of talking to Argo CD API server | ||
--grpc-web Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2. | ||
--grpc-web-root-path string Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2. Set web root. | ||
-H, --header strings Sets additional header to all requests made by Argo CD CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers) | ||
--http-retry-max int Maximum number of retries to establish http connection to Argo CD server | ||
--insecure Skip server certificate and domain verification | ||
--kube-context string Directs the command to the given kube-context | ||
--logformat string Set the logging format. One of: text|json (default "text") | ||
--loglevel string Set the logging level. One of: debug|info|warn|error (default "info") | ||
--plaintext Disable TLS | ||
--port-forward Connect to a random argocd-server port using port forwarding | ||
--port-forward-namespace string Namespace name which should be used for port forwarding | ||
--redis-haproxy-name string Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy") | ||
--redis-name string Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis") | ||
--repo-server-name string Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server") | ||
--server-crt string Server certificate file | ||
--server-name string Name of the Argo CD API server; set this or the ARGOCD_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-server") | ||
``` | ||
|
||
### SEE ALSO | ||
|
||
* [argocd admin](argocd_admin.md) - Contains a set of commands useful for Argo CD administrators and requires direct Kubernetes access | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
labels: | ||
app.kubernetes.io/component: redis | ||
app.kubernetes.io/name: argocd-redis | ||
app.kubernetes.io/part-of: argocd | ||
name: argocd-redis | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- secrets | ||
resourceNames: | ||
- argocd-redis | ||
verbs: | ||
- get | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- secrets | ||
verbs: | ||
- create |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
labels: | ||
app.kubernetes.io/component: redis | ||
app.kubernetes.io/name: argocd-redis | ||
app.kubernetes.io/part-of: argocd | ||
name: argocd-redis | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: argocd-redis | ||
subjects: | ||
- kind: ServiceAccount | ||
name: argocd-redis |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.