Red Hat SummitChapter 1. Configuring secure communication with Redis
Using the Transport Layer Security (TLS) encryption with Red Hat OpenShift GitOps, you can secure the communication between the Argo CD components and Redis cache and protect the possibly sensitive data in transit.
You can secure communication with Redis by using one of the following configurations:
-
Enable the
autotlssetting to issue an appropriate certificate for TLS encryption. -
Manually configure the TLS encryption by creating the
argocd-operator-redis-tlssecret with a key and certificate pair.
Both configurations are possible with or without the High Availability (HA) enabled.
1.1. Prerequisites
-
You have access to the cluster with
cluster-adminprivileges. - You have access to the OpenShift Container Platform web console.
- Red Hat OpenShift GitOps Operator is installed on your cluster.
1.2. Configuring TLS for Redis with autotls enabled
You can configure TLS encryption for Redis by enabling the autotls setting on a new or already existing Argo CD instance. The configuration automatically provisions the argocd-operator-redis-tls secret and does not require further steps. Currently, OpenShift Container Platform is the only supported secret provider.
By default, the autotls setting is disabled.
Procedure
- Log in to the OpenShift Container Platform web console.
Create an Argo CD instance with
autotlsenabled:-
In the Administrator perspective of the web console, use the left navigation panel to go to Administration
CustomResourceDefinitions. -
Search for
argocds.argoproj.ioand clickArgoCDcustom resource definition (CRD). - On the CustomResourceDefinition details page, click the Instances tab, and then click Create ArgoCD.
Edit or replace the YAML similar to the following example:
Example Argo CD CR with autotls enabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: name: argocd namespace: openshift-gitops spec: redis: autotls: openshift ha: enabled: trueapiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: name: argocd1 namespace: openshift-gitops2 spec: redis: autotls: openshift3 ha: enabled: true4 - 1
- The name of the Argo CD instance.
- 2
- The namespace where you want to run the Argo CD instance.
- 3
- The flag that enables the
autotlssetting and creates a TLS certificate for Redis. - 4
- The flag value that enables the HA feature. If you do not want to enable HA, do not include this line or set the flag value as
false.
TipAlternatively, you can enable the
autotlssetting on an already existing Argo CD instance by running the following command:Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc patch argocds.argoproj.io <instance-name> --type=merge -p '{"spec":{"redis":{"autotls":"openshift"}}}'$ oc patch argocds.argoproj.io <instance-name> --type=merge -p '{"spec":{"redis":{"autotls":"openshift"}}}'- Click Create.
Verify that the Argo CD pods are ready and running:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc get pods -n <namespace>
$ oc get pods -n <namespace>1 - 1
- Specify a namespace where the Argo CD instance is running, for example
openshift-gitops.
Example output with HA disabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 26s argocd-redis-84b77d4f58-vp6zm 1/1 Running 0 37s argocd-repo-server-5b959b57f4-znxjq 1/1 Running 0 37s argocd-server-6b8787d686-wv9zh 1/1 Running 0 37s
NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 26s argocd-redis-84b77d4f58-vp6zm 1/1 Running 0 37s argocd-repo-server-5b959b57f4-znxjq 1/1 Running 0 37s argocd-server-6b8787d686-wv9zh 1/1 Running 0 37sNoteThe HA-enabled TLS configuration requires a cluster with at least three worker nodes. It can take a few minutes for the output to appear if you have enabled the Argo CD instances with HA configuration.
Example output with HA enabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 10m argocd-redis-ha-haproxy-669757fdb7-5xg8h 1/1 Running 0 10m argocd-redis-ha-server-0 2/2 Running 0 9m9s argocd-redis-ha-server-1 2/2 Running 0 98s argocd-redis-ha-server-2 2/2 Running 0 53s argocd-repo-server-576499d46d-8hgbh 1/1 Running 0 10m argocd-server-9486f88b7-dk2ks 1/1 Running 0 10m
NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 10m argocd-redis-ha-haproxy-669757fdb7-5xg8h 1/1 Running 0 10m argocd-redis-ha-server-0 2/2 Running 0 9m9s argocd-redis-ha-server-1 2/2 Running 0 98s argocd-redis-ha-server-2 2/2 Running 0 53s argocd-repo-server-576499d46d-8hgbh 1/1 Running 0 10m argocd-server-9486f88b7-dk2ks 1/1 Running 0 10m
-
In the Administrator perspective of the web console, use the left navigation panel to go to Administration
Verify that the
argocd-operator-redis-tlssecret is created:Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc get secrets argocd-operator-redis-tls -n <namespace>
$ oc get secrets argocd-operator-redis-tls -n <namespace>1 - 1
- Specify a namespace where the Argo CD instance is running, for example
openshift-gitops.
Example output
Copy to Clipboard Copied! Toggle word wrap Toggle overflow NAME TYPE DATA AGE argocd-operator-redis-tls kubernetes.io/tls 2 30s
NAME TYPE DATA AGE argocd-operator-redis-tls kubernetes.io/tls 2 30sThe secret must be of the
kubernetes.io/tlstype and a size of2.
1.3. Configuring TLS for Redis with autotls disabled
You can manually configure TLS encryption for Redis by creating the argocd-operator-redis-tls secret with a key and certificate pair. In addition, you must annotate the secret to indicate that it belongs to the appropriate Argo CD instance. The steps to create a certificate and secret vary for instances with High Availability (HA) enabled.
Procedure
- Log in to the OpenShift Container Platform web console.
Create an Argo CD instance:
-
In the Administrator perspective of the web console, use the left navigation panel to go to Administration
CustomResourceDefinitions. -
Search for
argocds.argoproj.ioand clickArgoCDcustom resource definition (CRD). - On the CustomResourceDefinition details page, click the Instances tab, and then click Create ArgoCD.
Edit or replace the YAML similar to the following example:
Example ArgoCD CR with autotls disabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: name: argocd namespace: openshift-gitops spec: ha: enabled: trueapiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: name: argocd1 namespace: openshift-gitops2 spec: ha: enabled: true3 - Click Create.
Verify that the Argo CD pods are ready and running:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc get pods -n <namespace>
$ oc get pods -n <namespace>1 - 1
- Specify a namespace where the Argo CD instance is running, for example
openshift-gitops.
Example output with HA disabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 26s argocd-redis-84b77d4f58-vp6zm 1/1 Running 0 37s argocd-repo-server-5b959b57f4-znxjq 1/1 Running 0 37s argocd-server-6b8787d686-wv9zh 1/1 Running 0 37s
NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 26s argocd-redis-84b77d4f58-vp6zm 1/1 Running 0 37s argocd-repo-server-5b959b57f4-znxjq 1/1 Running 0 37s argocd-server-6b8787d686-wv9zh 1/1 Running 0 37sNoteThe HA-enabled TLS configuration requires a cluster with at least three worker nodes. It can take a few minutes for the output to appear if you have enabled the Argo CD instances with HA configuration.
Example output with HA enabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 10m argocd-redis-ha-haproxy-669757fdb7-5xg8h 1/1 Running 0 10m argocd-redis-ha-server-0 2/2 Running 0 9m9s argocd-redis-ha-server-1 2/2 Running 0 98s argocd-redis-ha-server-2 2/2 Running 0 53s argocd-repo-server-576499d46d-8hgbh 1/1 Running 0 10m argocd-server-9486f88b7-dk2ks 1/1 Running 0 10m
NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 10m argocd-redis-ha-haproxy-669757fdb7-5xg8h 1/1 Running 0 10m argocd-redis-ha-server-0 2/2 Running 0 9m9s argocd-redis-ha-server-1 2/2 Running 0 98s argocd-redis-ha-server-2 2/2 Running 0 53s argocd-repo-server-576499d46d-8hgbh 1/1 Running 0 10m argocd-server-9486f88b7-dk2ks 1/1 Running 0 10m
-
In the Administrator perspective of the web console, use the left navigation panel to go to Administration
Create a self-signed certificate for the Redis server by using one of the following options depending on your HA configuration:
For the Argo CD instance with HA disabled, run the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow openssl req -new -x509 -sha256 \ -subj "/C=XX/ST=XX/O=Testing/CN=redis" \ -reqexts SAN -extensions SAN \ -config <(printf "\n[SAN]\nsubjectAltName=DNS:argocd-redis.<namespace>.svc.cluster.local\n[req]\ndistinguished_name=req") \ -keyout /tmp/redis.key \ -out /tmp/redis.crt \ -newkey rsa:4096 \ -nodes \ -sha256 \ -days 10
$ openssl req -new -x509 -sha256 \ -subj "/C=XX/ST=XX/O=Testing/CN=redis" \ -reqexts SAN -extensions SAN \ -config <(printf "\n[SAN]\nsubjectAltName=DNS:argocd-redis.<namespace>.svc.cluster.local\n[req]\ndistinguished_name=req") \1 -keyout /tmp/redis.key \ -out /tmp/redis.crt \ -newkey rsa:4096 \ -nodes \ -sha256 \ -days 10- 1
- Specify a namespace where the Argo CD instance is running, for example
openshift-gitops.
Example output
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Generating a RSA private key ...............++++ ............................++++ writing new private key to '/tmp/redis.key'
Generating a RSA private key ...............++++ ............................++++ writing new private key to '/tmp/redis.key'For the Argo CD instance with HA enabled, run the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow openssl req -new -x509 -sha256 \ -subj "/C=XX/ST=XX/O=Testing/CN=redis" \ -reqexts SAN -extensions SAN \ -config <(printf "\n[SAN]\nsubjectAltName=DNS:argocd-redis-ha-haproxy.<namespace>.svc.cluster.local\n[req]\ndistinguished_name=req") \ -keyout /tmp/redis-ha.key \ -out /tmp/redis-ha.crt \ -newkey rsa:4096 \ -nodes \ -sha256 \ -days 10
$ openssl req -new -x509 -sha256 \ -subj "/C=XX/ST=XX/O=Testing/CN=redis" \ -reqexts SAN -extensions SAN \ -config <(printf "\n[SAN]\nsubjectAltName=DNS:argocd-redis-ha-haproxy.<namespace>.svc.cluster.local\n[req]\ndistinguished_name=req") \1 -keyout /tmp/redis-ha.key \ -out /tmp/redis-ha.crt \ -newkey rsa:4096 \ -nodes \ -sha256 \ -days 10- 1
- Specify a namespace where the Argo CD instance is running, for example
openshift-gitops.
Example output
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Generating a RSA private key ...............++++ ............................++++ writing new private key to '/tmp/redis-ha.key'
Generating a RSA private key ...............++++ ............................++++ writing new private key to '/tmp/redis-ha.key'
Verify that the generated certificate and key are available in the
/tmpdirectory by running the following commands:Copy to Clipboard Copied! Toggle word wrap Toggle overflow cd /tmp
$ cd /tmpCopy to Clipboard Copied! Toggle word wrap Toggle overflow ls
$ lsExample output with HA disabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ... redis.crt redis.key ...
... redis.crt redis.key ...Example output with HA enabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ... redis-ha.crt redis-ha.key ...
... redis-ha.crt redis-ha.key ...Create the
argocd-operator-redis-tlssecret by using one of the following options depending on your HA configuration:For the Argo CD instance with HA disabled, run the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc create secret tls argocd-operator-redis-tls --key=/tmp/redis.key --cert=/tmp/redis.crt
$ oc create secret tls argocd-operator-redis-tls --key=/tmp/redis.key --cert=/tmp/redis.crtFor the Argo CD instance with HA enabled, run the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc create secret tls argocd-operator-redis-tls --key=/tmp/redis-ha.key --cert=/tmp/redis-ha.crt
$ oc create secret tls argocd-operator-redis-tls --key=/tmp/redis-ha.key --cert=/tmp/redis-ha.crtExample output
Copy to Clipboard Copied! Toggle word wrap Toggle overflow secret/argocd-operator-redis-tls created
secret/argocd-operator-redis-tls created
Annotate the secret to indicate that it belongs to the Argo CD CR:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc annotate secret argocd-operator-redis-tls argocds.argoproj.io/name=<instance-name>
$ oc annotate secret argocd-operator-redis-tls argocds.argoproj.io/name=<instance-name>1 - 1
- Specify a name of the Argo CD instance, for example
argocd.
Example output
Copy to Clipboard Copied! Toggle word wrap Toggle overflow secret/argocd-operator-redis-tls annotated
secret/argocd-operator-redis-tls annotatedVerify that the Argo CD pods are ready and running:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc get pods -n <namespace>
$ oc get pods -n <namespace>1 - 1
- Specify a namespace where the Argo CD instance is running, for example
openshift-gitops.
Example output with HA disabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 26s argocd-redis-84b77d4f58-vp6zm 1/1 Running 0 37s argocd-repo-server-5b959b57f4-znxjq 1/1 Running 0 37s argocd-server-6b8787d686-wv9zh 1/1 Running 0 37s
NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 26s argocd-redis-84b77d4f58-vp6zm 1/1 Running 0 37s argocd-repo-server-5b959b57f4-znxjq 1/1 Running 0 37s argocd-server-6b8787d686-wv9zh 1/1 Running 0 37sNoteIt can take a few minutes for the output to appear if you have enabled the Argo CD instances with HA configuration.
Example output with HA enabled
Copy to Clipboard Copied! Toggle word wrap Toggle overflow NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 10m argocd-redis-ha-haproxy-669757fdb7-5xg8h 1/1 Running 0 10m argocd-redis-ha-server-0 2/2 Running 0 9m9s argocd-redis-ha-server-1 2/2 Running 0 98s argocd-redis-ha-server-2 2/2 Running 0 53s argocd-repo-server-576499d46d-8hgbh 1/1 Running 0 10m argocd-server-9486f88b7-dk2ks 1/1 Running 0 10m
NAME READY STATUS RESTARTS AGE argocd-application-controller-0 1/1 Running 0 10m argocd-redis-ha-haproxy-669757fdb7-5xg8h 1/1 Running 0 10m argocd-redis-ha-server-0 2/2 Running 0 9m9s argocd-redis-ha-server-1 2/2 Running 0 98s argocd-redis-ha-server-2 2/2 Running 0 53s argocd-repo-server-576499d46d-8hgbh 1/1 Running 0 10m argocd-server-9486f88b7-dk2ks 1/1 Running 0 10m
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}