Argo Workflows Adding signed certificate

[sharadhirao]

Hi Team,

For now argo workflows is creating self signed certificate when I made secure: true in values.yaml. I have my own cert to add. How to add it? I tried reading through this article:https://argoproj.github.io/argo-workflows/tls/ this seems only for CLI and I did not understand clealy from it. I did my installation through helm.

I have added cert to argocd, but argocd provided me to add certificate value as secret in secretName: argocd-server-tls in server. I can't seem to get same thing in argo-workflows.
Can anyone give the steps or process to add cert to argo-workflows?

Thanks in advance.

[sharadhirao]

Hi team,

I have this dependency to add my own cert to the argo-workflow. I have created ingress controller and created ingress. As i am using helm installation of argo-workflows my ingress looks like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argo-workflows-server
  namespace: argo
  annotations:
    kubernetes.io/ingress.class: nginx
    # nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
    # networking.gke.io/managed-certificates: managed-cert
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
    - host: "argo-workflow.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: argo-workflows-server
                port:
                  number: 443
  tls:
    - hosts:
      - argo-workflow.com
      secretName: argoworkflows-example-tls

In deployment file i added basehref as /.
Even now I am not able to remove the self-signed certificate. Can anyone suggest me where i am going wrong? @alexec @pdrastil

Thanks in advance.

[sharadhirao]

Hi Team,

Can anyone help in this?
@alexec @pdrastil
Thanks in advance

[vitalyrychkov]

Hi @sharadhirao , the only way of providing your trusted certificates to Argo Workflows I know is to save it in a secret and mount it as a volume. Save the certificate or certificate chain in a secret in the namespace where Argo Workflows has been deployed:

kubectl create secret generic ca --from-file=ca.crt=ca.crt -n <argo namespace>

Add the following section to the controller: and server: container specs of your manifest or Helm values file, for example:

volumeMounts: 
- name: ca
  mountPath: /etc/ssl/certs/ca.crt
  subPath: ca.crt 
volumes: 
- name: ca
  secret:
    secretName: ca

[bd-bord1]

Hi vitalyrychkov,
I tried it however all the changes I do are being overwritten by the operator.
I tried many solutions provided on the internet and all my changes are being overwritten.

Feeling quite pessimistic

[sharadhirao]

@bd-bord1 have you tried this approach: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server
I have done like this for argocd and it worked. I created the secret like this with same name. https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml#L2093 and here enable it.

[bd-bord1]

Hi, Thank you.
Our ArgoCD has been already created.
Once it has been created, I think it is not possible to use the values.yaml because values.yaml is usually used at the initial deployment.
Please correct me if I am wrong...

[vitalyrychkov]

Hi, that depends on you situation, but one of the main purposes of Helm to easily upgrade a release (deployment etc) with an updated values.yaml file as many times as necessary. If you are allowed to change the values file update the deployment, this is the best way to consistently upgrade Helm releases. Hope I understood your last question correctly.

[sharadhirao]

@bd-bord1 , yeah vitalyrychkov is correct helm will allow you to update the releases even after deploying things by helm upgrade commands. So you will be able to change the values.yml refer this once if you are new to helm: https://helm.sh/docs/helm/helm_upgrade/

[bd-bord1]

Thanks a lot @sharadhirao for your help!
In my case the deployment of argocd crds was triggered from a pipeline and I needed to add a new cm argocd-cm in the pipeline with these configurations:

oidc.config: |
  ...
  rootCA: |
    -----BEGIN CERTIFICATE-----
    ... encoded certificate data here ...
    -----END CERTIFICATE-----

++ these 2 labels:

kind: ConfigMap
metadata:
  name: argocd-cm
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd

Everything works now. Thank you for your help once again.
This case can be closed now.

https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuring-a-custom-root-ca-certificate-for-communicating-with-the-oidc-provider

[sharadhirao]

ohh this is OIDC intergration cert that you configured. the solution we were discussing was to add SSL certificate to the ArgoCD and Argo workflows URL.

[prashamtated]

@sharadhirao , you can pass TLS secret as extra argument to Argo-workflow-server chart .

example -

server:
extraArgs:
- "--tls-certificate-secret-name=argo-workflows-server-tls"