Argo-cd: Server ignores initial TLS cert

Created on 9 Jan 2019  ·  6 Comments  ·  Source: argoproj/argo-cd

When I deploy Argo CD for the first time I create argocd-secret with the following manifest (sensitive data redacted):

apiVersion: v1
kind: Secret
metadata:
  annotations:
    certmanager.k8s.io/alt-names: argocd.sandbox113.us-east-1.tktm.io
    certmanager.k8s.io/common-name: argocd.sandbox113.us-east-1.tktm.io
    certmanager.k8s.io/issuer-kind: ClusterIssuer
    certmanager.k8s.io/issuer-name: tktm.io
  labels:
    app: argo-cd
    certmanager.k8s.io/certificate-name: argocd-server
    component: server
  name: argocd-secret
data:
  dex.ldap.bindPW: <base64>
  repo.password: <base64>
  repo.username: <base64>
  tls.crt: <base64>
  tls.key: <base64>
type: Opaque

All pods start correctly and I'm able to authenticate with LDAP. Argo CD also connects to my repos using the provided credentials. But when I open the dashboard I get a self-signed TLS cert instead of the one I just provided. Running kubectl get secrets argocd-secret -o json | jq -r '.data."tls.crt"' | base64 -D | openssl x509 -noout -text shows that my cert has in fact been overwritten with a self-signed one.

I then have to re-apply my manifest, after which Argo CD will use my cert. (Note: before rc5 I had to delete the argocd-server pod for the cert to be used.)

I know the self-signed cert isn't supposed to be generated unless tls.cert and tls.key are empty, but it seems like it's being created regardless. Happy to provide logs & help troubleshoot.

bug security

All 6 comments

I took a closer look. It seems we consider the settings as “incomplete” when other fields like admin password are missing, and blindly clobber the tls.key/tls.crt. I am working on the fix.
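The rule the maintainer describes (regenerate the self-signed pair only when tls.crt and tls.key are genuinely empty, never because some unrelated setting such as the admin password is missing) can be written as a small guard. The block below is an added illustration, not Argo CD's own code; ensureServerTLS, generateSelfSigned and isSelfSigned are hypothetical names. It goes slightly beyond the thread in one respect: a secret with only one of tls.crt/tls.key is refused rather than overwritten. isSelfSigned is the programmatic form of the openssl check in the report (issuer equals subject and the certificate verifies under its own key), which is the test an operator can run against argocd-secret to detect this clobbering.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Keys of the argocd-secret entries involved in the report.
const (
	tlsCertKey = "tls.crt"
	tlsKeyKey  = "tls.key"
)

// ensureServerTLS applies the rule the thread says should hold: a self-signed
// pair is generated only when BOTH tls.crt and tls.key are absent or empty.
// Unrelated gaps in the secret (e.g. no admin password) never touch TLS data.
// It reports whether a new pair was written. Hypothetical helper, not Argo CD code.
func ensureServerTLS(data map[string][]byte, hosts []string) (bool, error) {
	if data == nil {
		return false, errors.New("nil secret data")
	}
	crt, key := data[tlsCertKey], data[tlsKeyKey]
	switch {
	case len(crt) > 0 && len(key) > 0:
		return false, nil // operator-provided cert: leave it untouched
	case len(crt) > 0 || len(key) > 0:
		// Half-populated: refuse loudly instead of silently overwriting one half.
		return false, fmt.Errorf("argocd-secret has only one of %s/%s; refusing to overwrite", tlsCertKey, tlsKeyKey)
	}
	certPEM, keyPEM, err := generateSelfSigned(hosts)
	if err != nil {
		return false, err
	}
	data[tlsCertKey] = certPEM
	data[tlsKeyKey] = keyPEM
	return true, nil
}

// generateSelfSigned builds a one-year P-256 self-signed server certificate
// (subject/issuer organization "Argo CD", SANs from hosts), PEM-encoded.
func generateSelfSigned(hosts []string) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{"Argo CD"}},
		NotBefore:    now,
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     hosts,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// isSelfSigned reports true when issuer == subject and the certificate
// verifies under its own public key (what the openssl -text check reveals).
func isSelfSigned(certPEM []byte) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false, errors.New("no PEM certificate found")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(c.RawSubject, c.RawIssuer) {
		return false, nil
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil, nil
}

func main() {
	// Constructed secret contents: operator cert present, admin password missing.
	secret := map[string][]byte{
		tlsCertKey: []byte("-----BEGIN CERTIFICATE-----\n(operator cert)\n-----END CERTIFICATE-----\n"),
		tlsKeyKey:  []byte("-----BEGIN PRIVATE KEY-----\n(operator key)\n-----END PRIVATE KEY-----\n"),
	}
	gen, err := ensureServerTLS(secret, nil)
	fmt.Println("operator cert kept:", !gen, "err:", err)

	// Constructed empty secret: this is the only case that should get a self-signed pair.
	empty := map[string][]byte{}
	gen, err = ensureServerTLS(empty, []string{"localhost", "argocd-server", "argocd-server.argocd.svc.cluster.local"})
	ss, _ := isSelfSigned(empty[tlsCertKey])
	fmt.Println("generated:", gen, "self-signed:", ss, "err:", err)
}
```

Running the same guard twice over a populated secret is a no-op, which is the property the original issue lacked: a restart or a later "settings incomplete" pass must not replace an operator-supplied certificate.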

This is still happening for me. Even if the cert exists before argo server is started, I need to kill the pod at least once for it not to initialize its own tls.

+1

Same issue mentioned above. The self-signed cert embedded below will overwrite my existing certificate requiring me to recreate my Ingress or patch the argocd-secret with my TLS crt and key.

Subject Alternative Names: localhost, argocd-server, argocd-server.argocd, argocd-server.argocd.svc, argocd-server.argocd.svc.cluster.local
Organization: Argo CD
Valid From: June 9, 2019
Valid To: June 8, 2020
Issuer: Argo CD
Serial Number: 

It would be really useful to have repro steps.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

I believe that was fixed in v0.11 which was published on Jan 10, 2019.

It does not seem to be reproducible anymore. Please let us know if you are still seeing it @jd0x, @wreed4.
