Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Security

Red Hat OpenShift GitOps 1.10

Using security features to configure secure communication and protect the possibly sensitive data in transit

Red Hat OpenShift Documentation Team

Abstract

This document provides instructions for using the Transport Layer Security (TLS) encryption with the OpenShift GitOps. It also discusses how to configure secure communication with Redis to protect the possibly sensitive data in transit.

Using the Transport Layer Security (TLS) encryption with Red Hat OpenShift GitOps, you can secure the communication between the Argo CD components and Redis cache and protect the possibly sensitive data in transit.

You can secure communication with Redis by using one of the following configurations:

  • Enable the autotls setting to issue an appropriate certificate for TLS encryption.
  • Manually configure the TLS encryption by creating the argocd-operator-redis-tls secret with a key and certificate pair.

Both configurations are possible with or without the High Availability (HA) enabled.

1.1. Prerequisites
Copy link

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.
  • Red Hat OpenShift GitOps Operator is installed on your cluster.

You can configure TLS encryption for Redis by enabling the autotls setting on a new or already existing Argo CD instance. The configuration automatically provisions the argocd-operator-redis-tls secret and does not require further steps. Currently, OpenShift Container Platform is the only supported secret provider.

Note

By default, the autotls setting is disabled.

Procedure

  1. Log in to the OpenShift Container Platform web console.

  2. Create an Argo CD instance with autotls enabled:

    1. In the Administrator perspective of the web console, use the left navigation panel to go to AdministrationCustomResourceDefinitions.
    2. Search for argocds.argoproj.io and click ArgoCD custom resource definition (CRD).
    3. On the CustomResourceDefinition details page, click the Instances tab, and then click Create ArgoCD.

    4. Edit or replace the YAML similar to the following example:

      Example Argo CD CR with autotls enabled

      apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd
      1 
      
  namespace: openshift-gitops
      2 
      
spec:
  redis:
    autotls: openshift
      3 
      
  ha:
    enabled: true
      4
      Copy to Clipboard Toggle word wrap

      1
      The name of the Argo CD instance.
      2
      The namespace where you want to run the Argo CD instance.
      3
      The flag that enables the autotls setting and creates a TLS certificate for Redis.
      4
      The flag value that enables the HA feature. If you do not want to enable HA, do not include this line or set the flag value as false.
      Tip

      Alternatively, you can enable the autotls setting on an already existing Argo CD instance by running the following command: 

      $ oc patch argocds.argoproj.io <instance-name> --type=merge -p '{"spec":{"redis":{"autotls":"openshift"}}}'
      Copy to Clipboard Toggle word wrap
    5. Click Create.

    6. Verify that the Argo CD pods are ready and running: 

      $ oc get pods -n <namespace>
      1
      Copy to Clipboard Toggle word wrap
      1
      Specify a namespace where the Argo CD instance is running, for example openshift-gitops.

      Example output with HA disabled

      NAME                                  READY   STATUS    RESTARTS   AGE
argocd-application-controller-0       1/1     Running   0          26s
argocd-redis-84b77d4f58-vp6zm         1/1     Running   0          37s
argocd-repo-server-5b959b57f4-znxjq   1/1     Running   0          37s
argocd-server-6b8787d686-wv9zh        1/1     Running   0          37s
      Copy to Clipboard Toggle word wrap

      Note

      The HA-enabled TLS configuration requires a cluster with at least three worker nodes. It can take a few minutes for the output to appear if you have enabled the Argo CD instances with HA configuration.

      Example output with HA enabled

      NAME                                       READY   STATUS    RESTARTS   AGE
argocd-application-controller-0            1/1     Running   0          10m
argocd-redis-ha-haproxy-669757fdb7-5xg8h   1/1     Running   0          10m
argocd-redis-ha-server-0                   2/2     Running   0          9m9s
argocd-redis-ha-server-1                   2/2     Running   0          98s
argocd-redis-ha-server-2                   2/2     Running   0          53s
argocd-repo-server-576499d46d-8hgbh        1/1     Running   0          10m
argocd-server-9486f88b7-dk2ks              1/1     Running   0          10m
      Copy to Clipboard Toggle word wrap

  3. Verify that the argocd-operator-redis-tls secret is created: 

    $ oc get secrets argocd-operator-redis-tls -n <namespace>
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify a namespace where the Argo CD instance is running, for example openshift-gitops.

    Example output

    NAME                        TYPE                DATA   AGE
argocd-operator-redis-tls   kubernetes.io/tls   2      30s
    Copy to Clipboard Toggle word wrap

    The secret must be of the kubernetes.io/tls type and a size of 2.

You can manually configure TLS encryption for Redis by creating the argocd-operator-redis-tls secret with a key and certificate pair. In addition, you must annotate the secret to indicate that it belongs to the appropriate Argo CD instance. The steps to create a certificate and secret vary for instances with High Availability (HA) enabled.

Procedure

  1. Log in to the OpenShift Container Platform web console.

  2. Create an Argo CD instance:

    1. In the Administrator perspective of the web console, use the left navigation panel to go to AdministrationCustomResourceDefinitions.
    2. Search for argocds.argoproj.io and click ArgoCD custom resource definition (CRD).
    3. On the CustomResourceDefinition details page, click the Instances tab, and then click Create ArgoCD.

    4. Edit or replace the YAML similar to the following example:

      Example ArgoCD CR with autotls disabled

      apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd
      1 
      
  namespace: openshift-gitops
      2 
      
spec:
  ha:
    enabled: true
      3
      Copy to Clipboard Toggle word wrap

      1
      The name of the Argo CD instance.
      2
      The namespace where you want to run the Argo CD instance.
      3
      The flag value that enables the HA feature. If you do not want to enable HA, do not include this line or set the flag value as false.
    5. Click Create.

    6. Verify that the Argo CD pods are ready and running: 

      $ oc get pods -n <namespace>
      1
      Copy to Clipboard Toggle word wrap
      1
      Specify a namespace where the Argo CD instance is running, for example openshift-gitops.

      Example output with HA disabled

      NAME                                  READY   STATUS    RESTARTS   AGE
argocd-application-controller-0       1/1     Running   0          26s
argocd-redis-84b77d4f58-vp6zm         1/1     Running   0          37s
argocd-repo-server-5b959b57f4-znxjq   1/1     Running   0          37s
argocd-server-6b8787d686-wv9zh        1/1     Running   0          37s
      Copy to Clipboard Toggle word wrap

      Note

      The HA-enabled TLS configuration requires a cluster with at least three worker nodes. It can take a few minutes for the output to appear if you have enabled the Argo CD instances with HA configuration.

      Example output with HA enabled

      NAME                                       READY   STATUS    RESTARTS   AGE
argocd-application-controller-0            1/1     Running   0          10m
argocd-redis-ha-haproxy-669757fdb7-5xg8h   1/1     Running   0          10m
argocd-redis-ha-server-0                   2/2     Running   0          9m9s
argocd-redis-ha-server-1                   2/2     Running   0          98s
argocd-redis-ha-server-2                   2/2     Running   0          53s
argocd-repo-server-576499d46d-8hgbh        1/1     Running   0          10m
argocd-server-9486f88b7-dk2ks              1/1     Running   0          10m
      Copy to Clipboard Toggle word wrap

  3. Create a self-signed certificate for the Redis server by using one of the following options depending on your HA configuration:

    • For the Argo CD instance with HA disabled, run the following command: 

      $ openssl req -new -x509 -sha256 \
  -subj "/C=XX/ST=XX/O=Testing/CN=redis" \
  -reqexts SAN -extensions SAN \
  -config <(printf "\n[SAN]\nsubjectAltName=DNS:argocd-redis.<namespace>.svc.cluster.local\n[req]\ndistinguished_name=req") \
      1 
      
  -keyout /tmp/redis.key \
  -out /tmp/redis.crt \
  -newkey rsa:4096 \
  -nodes \
  -sha256 \
  -days 10
      Copy to Clipboard Toggle word wrap
      1
      Specify a namespace where the Argo CD instance is running, for example openshift-gitops.

      Example output

      Generating a RSA private key
...............++++
............................++++
writing new private key to '/tmp/redis.key'
      Copy to Clipboard Toggle word wrap

    • For the Argo CD instance with HA enabled, run the following command: 

      $ openssl req -new -x509 -sha256 \
  -subj "/C=XX/ST=XX/O=Testing/CN=redis" \
  -reqexts SAN -extensions SAN \
  -config <(printf "\n[SAN]\nsubjectAltName=DNS:argocd-redis-ha-haproxy.<namespace>.svc.cluster.local\n[req]\ndistinguished_name=req") \
      1 
      
  -keyout /tmp/redis-ha.key \
  -out /tmp/redis-ha.crt \
  -newkey rsa:4096 \
  -nodes \
  -sha256 \
  -days 10
      Copy to Clipboard Toggle word wrap
      1
      Specify a namespace where the Argo CD instance is running, for example openshift-gitops.

      Example output

      Generating a RSA private key
...............++++
............................++++
writing new private key to '/tmp/redis-ha.key'
      Copy to Clipboard Toggle word wrap

  4. Verify that the generated certificate and key are available in the /tmp directory by running the following commands: 

    $ cd /tmp
    Copy to Clipboard Toggle word wrap 
    $ ls
    Copy to Clipboard Toggle word wrap

    Example output with HA disabled

    ...
redis.crt
redis.key
...
    Copy to Clipboard Toggle word wrap

    Example output with HA enabled

    ...
redis-ha.crt
redis-ha.key
...
    Copy to Clipboard Toggle word wrap

  5. Create the argocd-operator-redis-tls secret by using one of the following options depending on your HA configuration:

    • For the Argo CD instance with HA disabled, run the following command: 

      $ oc create secret tls argocd-operator-redis-tls --key=/tmp/redis.key --cert=/tmp/redis.crt
      Copy to Clipboard Toggle word wrap

    • For the Argo CD instance with HA enabled, run the following command: 

      $ oc create secret tls argocd-operator-redis-tls --key=/tmp/redis-ha.key --cert=/tmp/redis-ha.crt
      Copy to Clipboard Toggle word wrap

      Example output

      secret/argocd-operator-redis-tls created
      Copy to Clipboard Toggle word wrap

  6. Annotate the secret to indicate that it belongs to the Argo CD CR: 

    $ oc annotate secret argocd-operator-redis-tls argocds.argoproj.io/name=<instance-name>
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify a name of the Argo CD instance, for example argocd.

    Example output

    secret/argocd-operator-redis-tls annotated
    Copy to Clipboard Toggle word wrap

  7. Verify that the Argo CD pods are ready and running: 

    $ oc get pods -n <namespace>
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify a namespace where the Argo CD instance is running, for example openshift-gitops.

    Example output with HA disabled

    NAME                                  READY   STATUS    RESTARTS   AGE
argocd-application-controller-0       1/1     Running   0          26s
argocd-redis-84b77d4f58-vp6zm         1/1     Running   0          37s
argocd-repo-server-5b959b57f4-znxjq   1/1     Running   0          37s
argocd-server-6b8787d686-wv9zh        1/1     Running   0          37s
    Copy to Clipboard Toggle word wrap

    Note

    It can take a few minutes for the output to appear if you have enabled the Argo CD instances with HA configuration.

    Example output with HA enabled

    NAME                                       READY   STATUS    RESTARTS   AGE
argocd-application-controller-0            1/1     Running   0          10m
argocd-redis-ha-haproxy-669757fdb7-5xg8h   1/1     Running   0          10m
argocd-redis-ha-server-0                   2/2     Running   0          9m9s
argocd-redis-ha-server-1                   2/2     Running   0          98s
argocd-redis-ha-server-2                   2/2     Running   0          53s
argocd-repo-server-576499d46d-8hgbh        1/1     Running   0          10m
argocd-server-9486f88b7-dk2ks              1/1     Running   0          10m
    Copy to Clipboard Toggle word wrap

Legal Notice
Copy link

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top