diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 000000000..314b3fb5e
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,10 @@
+[allowlist]
+ description = "Global Allowlist"
+
+ # Ignore based on any subset of the file path
+ paths = [
+
+ # Ignore anything with the word anywhere in the path
+ '''1-005_validate_route_tls''',
+
+ ]
diff --git a/api/v1alpha1/argocd_conversion.go b/api/v1alpha1/argocd_conversion.go
index 2837c0289..c03615c3c 100644
--- a/api/v1alpha1/argocd_conversion.go
+++ b/api/v1alpha1/argocd_conversion.go
@@ -13,7 +13,7 @@ var conversionLogger = ctrl.Log.WithName("conversion-webhook") // ConvertTo converts this (v1alpha1) ArgoCD to the Hub version (v1beta1). func (src *ArgoCD) ConvertTo(dstRaw conversion.Hub) error { - conversionLogger.Info("v1alpha1 to v1beta1 conversion requested.") + conversionLogger.V(1).Info("v1alpha1 to v1beta1 conversion requested.") dst := dstRaw.(*v1beta1.ArgoCD) // ObjectMeta conversion
@@ -105,7 +105,7 @@ func (src *ArgoCD) ConvertTo(dstRaw conversion.Hub) error { // ConvertFrom converts from the Hub version (v1beta1) to this (v1alpha1) version. func (dst *ArgoCD) ConvertFrom(srcRaw conversion.Hub) error { - conversionLogger.Info("v1beta1 to v1alpha1 conversion requested.") + conversionLogger.V(1).Info("v1beta1 to v1alpha1 conversion requested.") src := srcRaw.(*v1beta1.ArgoCD)
@@ -263,10 +263,14 @@ func ConvertAlphaToBetaGrafana(src *ArgoCDGrafanaSpec) *v1beta1.ArgoCDGrafanaSpe
 var dst *v1beta1.ArgoCDGrafanaSpec
 if src != nil {
 dst = &v1beta1.ArgoCDGrafanaSpec{
- Enabled: src.Enabled,
- Host: src.Host,
- Image: src.Image,
- Ingress: v1beta1.ArgoCDIngressSpec(src.Ingress),
+ Enabled: src.Enabled,
+ Host: src.Host,
+ Image: src.Image,
+ Ingress: v1beta1.ArgoCDIngressSpec(src.Ingress),
+ Resources: src.Resources,
+ Route: v1beta1.ArgoCDRouteSpec(src.Route),
+ Size: src.Size,
+ Version: src.Version,
 }
 }
 return dst
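Review bot: The single allowlist entry `'''1-005_validate_route_tls'''` is an unanchored regex, so every file whose path contains that string anywhere is permanently exempt from secret scanning, not just the fixture that presumably carries a throwaway certificate and key for the route-TLS kuttl step. Any real key material that later lands in that directory, or in any other path that happens to contain the same string, would then pass CI silently. Anchor the pattern to the fixture directory and file type, e.g. `'''(^|/)1-005_validate_route_tls/[^/]+\.ya?ml$'''`, or better, pin the known findings by fingerprint in a `.gitleaksignore` so the exemption disappears with the fixture. The comment above the entry should also say what is being exempted and why it is safe, e.g. `# kuttl step fixture holding a dummy serving cert/key for the route TLS test; never real key material`.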
@@ -483,10 +487,14 @@ func ConvertBetaToAlphaGrafana(src *v1beta1.ArgoCDGrafanaSpec) *ArgoCDGrafanaSpe
 var dst *ArgoCDGrafanaSpec
 if src != nil {
 dst = &ArgoCDGrafanaSpec{
- Enabled: src.Enabled,
- Host: src.Host,
- Image: src.Image,
- Ingress: ArgoCDIngressSpec(src.Ingress),
+ Enabled: src.Enabled,
+ Host: src.Host,
+ Image: src.Image,
+ Ingress: ArgoCDIngressSpec(src.Ingress),
+ Resources: src.Resources,
+ Route: ArgoCDRouteSpec(src.Route),
+ Size: src.Size,
+ Version: src.Version,
 }
 }
 return dst
diff --git a/api/v1alpha1/argocd_conversion_test.go b/api/v1alpha1/argocd_conversion_test.go
index 51e7c786e..4290fc563 100644
--- a/api/v1alpha1/argocd_conversion_test.go
+++ b/api/v1alpha1/argocd_conversion_test.go
@@ -3,6 +3,7 @@ package v1alpha1
 import (
 "testing"
 
+ routev1 "github.com/openshift/api/route/v1"
 "github.com/stretchr/testify/assert"
 corev1 "k8s.io/api/core/v1"
 v1 "k8s.io/api/networking/v1"
@@ -443,6 +444,70 @@ func TestAlphaToBetaConversion(t *testing.T) {
 }
 }),
 },
+ {
+ name: "ArgoCD Example - Route TLS",
+ input: makeTestArgoCDAlpha(func(cr *ArgoCD) {
+ cr.Spec.Server.Route = ArgoCDRouteSpec{
+ Enabled: true,
+ TLS: &routev1.TLSConfig{
+ Termination: routev1.TLSTerminationEdge,
+ },
+ }
+ cr.Spec.Prometheus.Route = ArgoCDRouteSpec{
+ Enabled: true,
+ TLS: &routev1.TLSConfig{
+ Termination: routev1.TLSTerminationEdge,
+ },
+ }
+ cr.Spec.Grafana.Route = ArgoCDRouteSpec{
+ Enabled: true,
+ TLS: &routev1.TLSConfig{
+ Termination: routev1.TLSTerminationEdge,
+ },
+ }
+ cr.Spec.ApplicationSet = &ArgoCDApplicationSet{
+ WebhookServer: WebhookServerSpec{
+ Route: ArgoCDRouteSpec{
+ Enabled: true,
+ TLS: &routev1.TLSConfig{
+ Termination: routev1.TLSTerminationEdge,
+ },
+ },
+ },
+ }
+ }),
+ expectedOutput: makeTestArgoCDBeta(func(cr *v1beta1.ArgoCD) {
+ cr.Spec.Server.Route = v1beta1.ArgoCDRouteSpec{
+ Enabled: true,
+ TLS: &routev1.TLSConfig{
+ Termination: routev1.TLSTerminationEdge,
+ },
+ }
+ cr.Spec.Prometheus.Route = v1beta1.ArgoCDRouteSpec{
+ Enabled: true,
+ TLS: &routev1.TLSConfig{
+ Termination: routev1.TLSTerminationEdge,
+ },
+ }
+ //nolint:staticcheck
+ cr.Spec.Grafana.Route = v1beta1.ArgoCDRouteSpec{
+ Enabled: true,
+ TLS: &routev1.TLSConfig{
+ Termination: routev1.TLSTerminationEdge,
+ },
+ }
+ cr.Spec.ApplicationSet = &v1beta1.ArgoCDApplicationSet{
+ WebhookServer: v1beta1.WebhookServerSpec{
+ Route: v1beta1.ArgoCDRouteSpec{
+ Enabled: true,
+ TLS: &routev1.TLSConfig{
+ Termination: routev1.TLSTerminationEdge,
+ },
+ },
+ },
+ }
+ }),
+ },
 }
 
 for _, test := range tests {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 3b946f2c3..e089557e1 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
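Review bot: The new "ArgoCD Example - Route TLS" case sets only `Termination: Edge`, so it never exercises the pointer-valued `ExternalCertificate` field that is presumably why the generated `DeepCopyInto` elsewhere in this diff switched from `**out = **in` to `(*in).DeepCopyInto(*out)`, nor the `Key`/`Certificate` string fields. A round trip with those populated would pin that the shallow `v1beta1.ArgoCDRouteSpec(src.Route)` conversion and the regenerated deepcopy agree and would catch a dropped or aliased secret reference. Add at least one route on both the input and expected sides with `TLS: &routev1.TLSConfig{Termination: routev1.TLSTerminationReencrypt, ExternalCertificate: &routev1.LocalObjectReference{Name: "argocd-server-tls"}, InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect}`, and mirror it in the beta-to-alpha test. The `//nolint:staticcheck` on the expected `Grafana.Route` line but not on the input side is presumably because only the v1beta1 Grafana spec is deprecated; a one-line comment saying so would save the next reader a lookup.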
@@ -738,7 +738,7 @@ func (in *ArgoCDRouteSpec) DeepCopyInto(out *ArgoCDRouteSpec) {
 if in.TLS != nil {
 in, out := &in.TLS, &out.TLS
 *out = new(routev1.TLSConfig)
- **out = **in
+ (*in).DeepCopyInto(*out)
 }
 if in.WildcardPolicy != nil {
 in, out := &in.WildcardPolicy, &out.WildcardPolicy
diff --git a/api/v1beta1/argocd_types.go b/api/v1beta1/argocd_types.go
index 665064494..ffafe3326 100644
--- a/api/v1beta1/argocd_types.go
+++ b/api/v1beta1/argocd_types.go
@@ -1110,3 +1110,11 @@ func (p SSOProviderType) ToLower() SSOProviderType {
 str := string(p)
 return SSOProviderType(strings.ToLower(str))
 }
+
+// UseExternalCertificate return true if .route.tls.externalCertificate is set
+func (r *ArgoCDRouteSpec) UseExternalCertificate() bool {
+ if r != nil && r.TLS != nil && r.TLS.ExternalCertificate != nil {
+ return true
+ }
+ return false
+}
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 3c4f51a41..bceb4e4bf 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -699,7 +699,7 @@ func (in *ArgoCDRouteSpec) DeepCopyInto(out *ArgoCDRouteSpec) {
 if in.TLS != nil {
 in, out := &in.TLS, &out.TLS
 *out = new(routev1.TLSConfig)
- **out = **in
+ (*in).DeepCopyInto(*out)
 }
 if in.WildcardPolicy != nil {
 in, out := &in.WildcardPolicy, &out.WildcardPolicy
diff --git a/bundle/manifests/argocd-operator.clusterserviceversion.yaml b/bundle/manifests/argocd-operator.clusterserviceversion.yaml
index 60cd86850..b64d71c75 100644
--- a/bundle/manifests/argocd-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/argocd-operator.clusterserviceversion.yaml
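Review bot: `UseExternalCertificate` answers true for `externalCertificate: {}`, because it checks only the pointer, and the generated schema in this same diff does not mark `externalCertificate.name` as required; callers elsewhere in the operator (outside this diff) presumably branch on it to stop managing the route's own serving certificate, so an empty reference could leave a route pointing at no Secret at all. Tighten the check to the name and collapse the if/return-true/return-false into one expression: `return r != nil && r.TLS != nil && r.TLS.ExternalCertificate != nil && r.TLS.ExternalCertificate.Name != ""`. The doc comment should read as a predicate, e.g. `// UseExternalCertificate reports whether .route.tls.externalCertificate names a Secret in the Route's namespace.`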
@@ -247,7 +247,7 @@ metadata:
 capabilities: Deep Insights
 categories: Integration & Delivery
 certified: "false"
- createdAt: "2024-09-04T11:54:58Z"
+ createdAt: "2024-09-27T05:27:12Z"
 description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
 operators.operatorframework.io/builder: operator-sdk-v1.35.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
diff --git a/bundle/manifests/argoproj.io_argocds.yaml b/bundle/manifests/argoproj.io_argocds.yaml
index f3d428611..f38aefbc6 100644
--- a/bundle/manifests/argoproj.io_argocds.yaml
+++ b/bundle/manifests/argoproj.io_argocds.yaml
@@ -352,7 +352,9 @@ spec:
 certificate contents
 type: string
 certificate:
- description: certificate provides certificate contents
+ description: |-
+ certificate provides certificate contents. This should be a single serving certificate, not a certificate
+ chain. Do not include a CA certificate.
 type: string
 destinationCACertificate:
 description: |-
@@ -362,25 +364,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -920,7 +961,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -930,25 +973,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -1470,7 +1552,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -1480,25 +1564,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -6646,7 +6769,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -6656,25 +6781,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -7412,7 +7576,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -7422,25 +7588,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -12205,7 +12410,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -12215,25 +12422,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -12755,7 +13001,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -12765,25 +13013,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -19268,7 +19555,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -19278,25 +19567,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. diff --git a/config/crd/bases/argoproj.io_argocds.yaml b/config/crd/bases/argoproj.io_argocds.yaml index f7c0e7181..30486dd91 100644 --- a/config/crd/bases/argoproj.io_argocds.yaml +++ b/config/crd/bases/argoproj.io_argocds.yaml @@ -341,7 +341,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -351,25 +353,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -909,7 +950,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -919,25 +962,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -1459,7 +1541,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -1469,25 +1553,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -6635,7 +6758,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -6645,25 +6770,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -7401,7 +7565,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -7411,25 +7577,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -12194,7 +12399,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -12204,25 +12411,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -12744,7 +12990,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -12754,25 +13002,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -19257,7 +19544,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -19267,25 +19556,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. diff --git a/controllers/argocd/custommapper.go b/controllers/argocd/custommapper.go index e3bcc75cd..7e4cb16d9 100644 --- a/controllers/argocd/custommapper.go +++ b/controllers/argocd/custommapper.go 
@@ -65,11 +65,49 @@ func isOwnerOfInterest(owner v1.OwnerReference) bool { return false } +// isUserManagedSecret checks if the given secret is referenced in the ArgoCD CR for configuring the Argo CD instance. +// User-managed secrets are referenced by the ArgoCD CR but are not owned by Operator itself (i.e. managed by the user). +// Returns the namespaced name of the ArgoCD instance if found and a boolean indicating whether the secret is user-managed. +func (r *ReconcileArgoCD) isUserManagedSecret(ctx context.Context, o client.Object) (client.ObjectKey, bool) { + namespacedName := client.ObjectKey{} + var ok bool + + // List ArgoCD instances in the same namespace as the secret. + argocds := &argoproj.ArgoCDList{} + err := r.Client.List(ctx, argocds, &client.ListOptions{Namespace: o.GetNamespace()}) + if err != nil { + return namespacedName, false + } + // Return false if no ArgoCD instance or more than one is detected in the namespace. + if len(argocds.Items) != 1 { + return namespacedName, false + } + argocd := argocds.Items[0] + namespacedName.Name = argocd.Name + namespacedName.Namespace = argocd.Namespace + + // Check if the secret is referenced in the ArgoCD CR. + if argocd.Spec.Server.Route.UseExternalCertificate() && argocd.Spec.Server.Route.TLS.ExternalCertificate.Name == o.GetName() { + ok = true + } else if argocd.Spec.Prometheus.Route.UseExternalCertificate() && argocd.Spec.Prometheus.Route.TLS.ExternalCertificate.Name == o.GetName() { + ok = true + } else if argocd.Spec.ApplicationSet != nil && argocd.Spec.ApplicationSet.WebhookServer.Route.UseExternalCertificate() && argocd.Spec.ApplicationSet.WebhookServer.Route.TLS.ExternalCertificate.Name == o.GetName() { + ok = true + } + + return namespacedName, ok +} + // tlsSecretMapper maps a watch event on a secret of type TLS back to the // ArgoCD object that we want to reconcile. 
func (r *ReconcileArgoCD) tlsSecretMapper(ctx context.Context, o client.Object) []reconcile.Request { var result = []reconcile.Request{} + // Check if secret is user-managed, meaning it is referenced in the ArgoCD CR for configuration. + if namespacedName, ok := r.isUserManagedSecret(ctx, o); ok { + return []reconcile.Request{{NamespacedName: namespacedName}} + } + if !isSecretOfInterest(o) { return result } diff --git a/controllers/argocd/custommapper_test.go b/controllers/argocd/custommapper_test.go index 06f1f1843..a272aae1a 100644 --- a/controllers/argocd/custommapper_test.go +++ b/controllers/argocd/custommapper_test.go 
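Review bot: isUserManagedSecret swallows the List error (`return namespacedName, false`), so a transient cache or API failure turns a certificate-rotation event on the referenced secret into a silently missed reconcile; add `log.Error(err, "failed to list ArgoCD instances while mapping secret", "namespace", o.GetNamespace())` before that return so the gap is at least visible. The `len(argocds.Items) != 1` bail-out has the same effect whenever two instances share a namespace — neither gets re-reconciled when the external cert changes — so if that layout is ever supported, loop over all instances and return one request per CR that references the secret, and otherwise say in the comment why exactly one instance is assumed. The match is by secret name only, never by type, so an unrelated Opaque secret with the same name also queues a reconcile; harmless, but worth one sentence in the doc comment. `UseExternalCertificate()` is defined outside this hunk, so I am assuming it nil-checks both `TLS` and `ExternalCertificate` before the `.Name` dereferences here rely on it.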
@@ -942,3 +942,88 @@ func TestReconcileArgoCD_namespaceResourceMapperForWildCardNamespaceWithoutManag }) } } + +func TestReconcileArgoCD_tlsSecretMapperUserManagedSecret(t *testing.T) { + + emptyReq := []reconcile.Request{} + reconcileReq := []reconcile.Request{{ + NamespacedName: client.ObjectKey{ + Name: testArgoCDName, + Namespace: testNamespace, + }, + }} + + tests := []struct { + name string + argocd *argoproj.ArgoCD + expectedReq []reconcile.Request + }{ + { + name: "tls secret for Server in ArgoCD CR", + argocd: makeArgoCD(func(a *argoproj.ArgoCD) { + a.Spec.Server.Route.TLS = &routev1.TLSConfig{ + ExternalCertificate: &routev1.LocalObjectReference{ + Name: "user-tls", + }, + } + }), + expectedReq: reconcileReq, + }, + { + name: "tls secret for Prometheus in ArgoCD CR", + argocd: makeArgoCD(func(a *argoproj.ArgoCD) { + a.Spec.Prometheus.Route.TLS = &routev1.TLSConfig{ + ExternalCertificate: &routev1.LocalObjectReference{ + Name: "user-tls", + }, + } + }), + expectedReq: reconcileReq, + }, + { + name: "tls secret for ApplicationSet in ArgoCD CR", + argocd: makeArgoCD(func(a *argoproj.ArgoCD) { + a.Spec.ApplicationSet = &argoproj.ArgoCDApplicationSet{} + a.Spec.ApplicationSet.WebhookServer.Route.TLS = &routev1.TLSConfig{ + ExternalCertificate: &routev1.LocalObjectReference{ + Name: "user-tls", + }, + } + }), + expectedReq: reconcileReq, + }, + { + name: "tls secret not referenced in ArgoCD CR", + argocd: makeArgoCD(func(a *argoproj.ArgoCD) { + a.Spec.Server.Route.Enabled = true + }), + expectedReq: emptyReq, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + resObjs := []client.Object{test.argocd} + subresObjs := []client.Object{test.argocd} + runtimeObjs := []runtime.Object{} + sch := makeTestReconcilerScheme(argoproj.AddToScheme, configv1.Install, routev1.Install) + cl := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs) + r := makeTestReconciler(cl, sch) + + secret := &corev1.Secret{ + ObjectMeta: 
metav1.ObjectMeta{ + Name: "user-tls", + Namespace: testNamespace, + }, + Type: corev1.SecretTypeTLS, + Data: map[string][]byte{ + corev1.TLSCertKey: []byte("Y2VydGlmY2F0ZQ=="), + corev1.TLSPrivateKeyKey: []byte("cHJpdmF0ZS1rZXk="), + }, + } + + req := r.tlsSecretMapper(context.TODO(), secret) + assert.Equal(t, test.expectedReq, req) + }) + } +} diff --git a/controllers/argocd/route.go b/controllers/argocd/route.go index 46482fecb..f21b1c9a9 100644 --- a/controllers/argocd/route.go +++ b/controllers/argocd/route.go @@ -165,7 +165,10 @@ func (r *ReconcileArgoCD) reconcilePrometheusRoute(cr *argoproj.ArgoCD) error { // Allow override of TLS options for the Route if cr.Spec.Prometheus.Route.TLS != nil { - route.Spec.TLS = cr.Spec.Prometheus.Route.TLS + err := r.overrideRouteTLS(cr.Spec.Prometheus.Route.TLS, route) + if err != nil { + return err + } } route.Spec.To.Kind = "Service" @@ -259,7 +262,10 @@ func (r *ReconcileArgoCD) reconcileServerRoute(cr *argoproj.ArgoCD) error { // Allow override of TLS options for the Route if cr.Spec.Server.Route.TLS != nil { - route.Spec.TLS = cr.Spec.Server.Route.TLS + err := r.overrideRouteTLS(cr.Spec.Server.Route.TLS, route) + if err != nil { + return err + } } log.Info(fmt.Sprintf("Using %s termination policy for the Server Route", string(route.Spec.TLS.Termination))) @@ -355,6 +361,14 @@ func (r *ReconcileArgoCD) reconcileApplicationSetControllerWebhookRoute(cr *argo if cr.Spec.ApplicationSet.WebhookServer.Route.TLS != nil { tls := &routev1.TLSConfig{} + // Set Certificate & Key + routeCopy := route.DeepCopy() + err := r.overrideRouteTLS(cr.Spec.ApplicationSet.WebhookServer.Route.TLS, routeCopy) + if err != nil { + return err + } + tls = routeCopy.Spec.TLS + // Set Termination if cr.Spec.ApplicationSet.WebhookServer.Route.TLS.Termination != "" { tls.Termination = cr.Spec.ApplicationSet.WebhookServer.Route.TLS.Termination 
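Review bot: The negative case `tls secret not referenced in ArgoCD CR` only shows that a CR with no externalCertificate maps nothing; it never exercises the name comparison, so a mapper that returned the instance for any TLS secret whenever some externalCertificate is set would still pass. Add a case where the CR references a different name, e.g. `a.Spec.Server.Route.TLS = &routev1.TLSConfig{ExternalCertificate: &routev1.LocalObjectReference{Name: "other-tls"}}` with `expectedReq: emptyReq`, and a case with two ArgoCD objects in testNamespace to pin the `len(argocds.Items) != 1` branch. The secret's Data holds base64 text in a []byte field, which is double-encoded relative to a real kubernetes.io/tls secret; it does not affect this test, but `[]byte("certificate")` reads more honestly. TestReconcileArgoCD_tlsSecretMapperUserManagedSecret is contained entirely in this hunk.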
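Review bot: The error from overrideRouteTLS is returned bare, so a missing or mistyped secret surfaces as `secrets "foo" not found` with nothing tying it to the Prometheus Route; wrap it with the caller's context, `return fmt.Errorf("configuring TLS for prometheus route %s: %w", route.Name, err)` (`fmt` is already used in this file, see the Sprintf in the server-route hunk). The same shape applies to the server and ApplicationSet webhook hunks. Per Go convention the temporary can also be scoped to the check: `if err := r.overrideRouteTLS(cr.Spec.Prometheus.Route.TLS, route); err != nil { return err }`. reconcilePrometheusRoute starts and ends outside this hunk.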
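Review bot: `tls := &routev1.TLSConfig{}` on the first line of this hunk is dead — it is replaced two statements later by `tls = routeCopy.Spec.TLS` — so declare it once from the override result, `tls := routeCopy.Spec.TLS`, after the error check. Because overrideRouteTLS deep-copies the entire TLSConfig from the CR, the per-field copies that follow (Termination here, CACertificate in the next hunk, and presumably the remaining fields below it) now re-copy values that are already present; only the Edge default for an empty Termination still changes anything, which deserves a comment such as `// overrideRouteTLS already copied the CR's TLSConfig; only the defaults below add anything.` so the apparent redundancy is not "fixed" the wrong way later. The `route.DeepCopy()` exists only so the helper can read `ObjectMeta.Namespace`; if that is the only reason, passing the namespace explicitly would make the intent clearer. reconcileApplicationSetControllerWebhookRoute starts and ends outside this hunk.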
@@ -362,16 +376,6 @@ func (r *ReconcileArgoCD) reconcileApplicationSetControllerWebhookRoute(cr *argo tls.Termination = routev1.TLSTerminationEdge } - // Set Certificate - if cr.Spec.ApplicationSet.WebhookServer.Route.TLS.Certificate != "" { - tls.Certificate = cr.Spec.ApplicationSet.WebhookServer.Route.TLS.Certificate - } - - // Set Key - if cr.Spec.ApplicationSet.WebhookServer.Route.TLS.Key != "" { - tls.Key = cr.Spec.ApplicationSet.WebhookServer.Route.TLS.Key - } - // Set CACertificate if cr.Spec.ApplicationSet.WebhookServer.Route.TLS.CACertificate != "" { tls.CACertificate = cr.Spec.ApplicationSet.WebhookServer.Route.TLS.CACertificate 
@@ -464,3 +468,44 @@ func shortenHostname(hostname string) (string, error) { } return resultHostname, nil } + +// overrideRouteTLS modifies the Route's TLS settings to match the configurations specified in the ArgoCD CR. +// It updates the Route's TLS configuration either by using the fields directly in the TLSConfig or by referencing +// a Kubernetes TLS secret if provided via the ExternalCertificate field. +func (r *ReconcileArgoCD) overrideRouteTLS(tls *routev1.TLSConfig, route *routev1.Route) error { + + route.Spec.TLS = tls.DeepCopy() + if tls.Key != "" || tls.Certificate != "" { + // TODO: Emit a Kubernetes event to notify users about the deprecated `.tls.key` and `.tls.certificate` fields. + // These fields are deprecated in favor of using `.tls.externalCertificate` to reference a Kubernetes TLS secret. + log.Info("Deprecated: Using `.tls.key` and `.tls.certificate` in ArgoCD CR is not recommended. Use `.tls.externalCertificate` to reference a TLS secret instead.") + } + + // Populate the Route's `tls.key` and `tls.certificate` fields with data from the specified Kubernetes TLS secret. + // The secret must be of type `kubernetes.io/tls` and contain `tls.key` and `tls.crt` data. + // Currently, we map data from the secret referenced in `.tls.externalCertificate` to the Route object's `tls.key` and `tls.certificate` fields. + // This is necessary because the `route.spec.tls.externalCertificate` field is Technology Preview (TP) and not available on OCP versions below 4.14. + // TODO: Remove the custom logic below once the feature reaches GA and we stop supporting OCP < 4.14. 
+ // For more details about the feature, see the OpenShift documentation: + // https://docs.openshift.com/container-platform/4.16/networking/routes/secured-routes.html#nw-ingress-route-secret-load-external-cert_secured-routes + if tls.ExternalCertificate != nil && tls.ExternalCertificate.Name != "" { + secret := &corev1.Secret{} + err := argoutil.FetchObject(r.Client, route.ObjectMeta.Namespace, tls.ExternalCertificate.Name, secret) + if err != nil { + return err + } + if secret.Type != corev1.SecretTypeTLS { + return fmt.Errorf("secret %s in namespace %s is not of type kubernetes.io/tls", + secret.ObjectMeta.Name, secret.ObjectMeta.Namespace) + } + + // No need to perform further checks on the secret data, as Kubernetes will reject + // the TLS secret if it does not contain both `tls.key` and `tls.crt` keys. + route.Spec.TLS.Certificate = string(secret.Data[corev1.TLSCertKey]) + route.Spec.TLS.Key = string(secret.Data[corev1.TLSPrivateKeyKey]) + } + // explicitly set `ExternalCertificate` to nil for the actual Route objects to avoid issues on clusters. + route.Spec.TLS.ExternalCertificate = nil + + return nil +} diff --git a/controllers/argocd/route_test.go b/controllers/argocd/route_test.go index ea18cd1ca..aaa5c28ac 100644 --- a/controllers/argocd/route_test.go +++ b/controllers/argocd/route_test.go @@ -24,6 +24,7 @@ import ( argoproj "github.com/argoproj-labs/argocd-operator/api/v1beta1" "github.com/argoproj-labs/argocd-operator/common" + "github.com/argoproj-labs/argocd-operator/controllers/argoutil" ) func TestReconcileRouteSetLabels(t *testing.T) { 
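Review bot: overrideRouteTLS copies the private key out of the referenced Secret into `route.Spec.TLS.Key`, so anyone who can `get routes` in the namespace now reads the key without Secret RBAC — precisely the exposure the native `externalCertificate` Route feature exists to avoid; the function comment should state that trade-off explicitly, and the TODO should point at a tracked issue so the copy is actually removed once OCP < 4.14 support is dropped. The comment "No need to perform further checks on the secret data" is only half right: as far as I recall the apiserver checks that `tls.crt`/`tls.key` exist, not that they are non-empty, so a cheap guard, `if len(secret.Data[corev1.TLSCertKey]) == 0 || len(secret.Data[corev1.TLSPrivateKeyKey]) == 0 { return fmt.Errorf("secret %s/%s has empty tls.crt or tls.key", secret.Namespace, secret.Name) }`, avoids handing the router an empty certificate and key. When inline `certificate`/`key` and `externalCertificate` are both set, the secret silently overwrites the inline values (the `conflicting TLS data` case in TestOverrideRouteTLSData pins this), while the generated CRD text says externalCertificate is "Forbidden when `certificate` is set"; either reject the combination or document the precedence in the doc comment. The FetchObject error is returned bare; `fmt.Errorf("loading route TLS secret %s/%s: %w", route.Namespace, tls.ExternalCertificate.Name, err)` makes the resulting status condition actionable. The deprecation log fires on every reconcile of every route that still uses inline data; until the TODO'd event exists, `log.V(1)` or a once-per-instance guard would keep it from flooding the operator log.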
@@ -723,3 +724,227 @@ func testNamespacedName(name string) types.NamespacedName { Namespace: testNamespace, } } + +func TestOverrideRouteTLSData(t *testing.T) { + routeAPIFound = true + logf.SetLogger(ZapLogger(true)) + + argoCD := makeArgoCD() + resObjs := []client.Object{argoCD} + subresObjs := []client.Object{argoCD} + runtimeObjs := []runtime.Object{} + sch := makeTestReconcilerScheme(argoproj.AddToScheme, configv1.Install, routev1.Install) + fakeClient := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs) + r := makeTestReconciler(fakeClient, sch) + + crt := []byte("Y2VydGlmY2F0ZQ==") + key := []byte("cHJpdmF0ZS1rZXk=") + tlsData := map[string][]byte{ + "tls.crt": crt, + "tls.key": key, + } + assert.NoError(t, argoutil.CreateTLSSecret(r.Client, "valid-secret", testNamespace, tlsData)) + assert.NoError(t, argoutil.CreateSecret(r.Client, "non-tls-secret", testNamespace, tlsData)) + + tests := []struct { + name string + newTLSConfig *routev1.TLSConfig + expectErr bool + expectedRouteTLS *routev1.TLSConfig + }{ + { + name: "embedded tls data", + newTLSConfig: &routev1.TLSConfig{ + Certificate: "crt", + Key: "key", + }, + expectedRouteTLS: &routev1.TLSConfig{ + Certificate: "crt", + Key: "key", + }, + }, + { + name: "tls data in secret", + newTLSConfig: &routev1.TLSConfig{ + ExternalCertificate: &routev1.LocalObjectReference{ + Name: "valid-secret", + }, + }, + expectedRouteTLS: &routev1.TLSConfig{ + Certificate: string(crt), + Key: string(key), + }, + }, + { + name: "conflicting TLS data", + newTLSConfig: &routev1.TLSConfig{ + Termination: routev1.TLSTerminationReencrypt, + Certificate: "embedded-crt", + Key: "embedded-key", + ExternalCertificate: &routev1.LocalObjectReference{ + Name: "valid-secret", + }, + }, + expectedRouteTLS: &routev1.TLSConfig{ + Termination: routev1.TLSTerminationReencrypt, + Certificate: string(crt), + Key: string(key), + }, + }, + { + name: "invalid secret type", + newTLSConfig: &routev1.TLSConfig{ + ExternalCertificate: 
&routev1.LocalObjectReference{ + Name: "non-tls-secret", + }, + }, + expectErr: true, + }, + { + name: "non-existing secret", + newTLSConfig: &routev1.TLSConfig{ + ExternalCertificate: &routev1.LocalObjectReference{ + Name: "non-existing-secret", + }, + }, + expectErr: true, + }, + } + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + route := routev1.Route{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-route", + Namespace: testNamespace, + }, + } + + err := r.overrideRouteTLS(test.newTLSConfig, &route) + + if test.expectErr { + assert.Error(t, err) + } else { + assert.Equal(t, *test.expectedRouteTLS, *route.Spec.TLS) + } + }) + } +} + +func TestReconilePrometheusRouteWithExternalTLSData(t *testing.T) { + + prometheusRouteName := testArgoCDName + "-prometheus" + + crt := []byte("Y2VydGlmY2F0ZQ==") + key := []byte("cHJpdmF0ZS1rZXk=") + + tests := []struct { + name string + argocd argoproj.ArgoCD + routeName string + expectErr bool + expectedTLS *routev1.TLSConfig + }{ + { + name: "prometheus route without tls data", + argocd: *makeArgoCD(func(a *argoproj.ArgoCD) { + a.Spec.Prometheus = argoproj.ArgoCDPrometheusSpec{ + Enabled: true, + Route: argoproj.ArgoCDRouteSpec{ + Enabled: true, + }, + } + }), + routeName: prometheusRouteName, + expectedTLS: nil, + }, + { + name: "prometheus route with embedded tls data (deprecated method)", + argocd: *makeArgoCD(func(a *argoproj.ArgoCD) { + a.Spec.Prometheus.Enabled = true + a.Spec.Prometheus.Route = argoproj.ArgoCDRouteSpec{ + Enabled: true, + TLS: &routev1.TLSConfig{ + Termination: routev1.TLSTerminationPassthrough, + Key: "key", + Certificate: "crt", + }, + } + }), + routeName: prometheusRouteName, + expectedTLS: &routev1.TLSConfig{ + Termination: routev1.TLSTerminationPassthrough, + Key: "key", + Certificate: "crt", + }, + }, + { + name: "prometheus route with tls data in secret", + argocd: *makeArgoCD(func(a *argoproj.ArgoCD) { + a.Spec.Prometheus.Enabled = true + a.Spec.Prometheus.Route = 
argoproj.ArgoCDRouteSpec{ + Enabled: true, + TLS: &routev1.TLSConfig{ + ExternalCertificate: &routev1.LocalObjectReference{ + Name: "valid-secret", + }, + }, + } + }), + routeName: prometheusRouteName, + expectedTLS: &routev1.TLSConfig{ + Certificate: string(crt), + Key: string(key), + }, + }, + { + name: "prometheus route with non-existing secret", + argocd: *makeArgoCD(func(a *argoproj.ArgoCD) { + a.Spec.Prometheus.Enabled = true + a.Spec.Prometheus.Route = argoproj.ArgoCDRouteSpec{ + Enabled: true, + TLS: &routev1.TLSConfig{ + ExternalCertificate: &routev1.LocalObjectReference{ + Name: "non-existing-secret", + }, + }, + } + }), + routeName: prometheusRouteName, + expectErr: true, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + routeAPIFound = true + ctx := context.TODO() + a := &test.argocd + logf.SetLogger(ZapLogger(true)) + resObjs := []client.Object{a} + subresObjs := []client.Object{a} + runtimeObjs := []runtime.Object{} + sch := makeTestReconcilerScheme(argoproj.AddToScheme, configv1.Install, routev1.Install) + fakeClient := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs) + r := makeTestReconciler(fakeClient, sch) + tlsData := map[string][]byte{ + "tls.crt": crt, + "tls.key": key, + } + assert.NoError(t, argoutil.CreateTLSSecret(r.Client, "valid-secret", testNamespace, tlsData)) + req := reconcile.Request{ + NamespacedName: testNamespacedName(testArgoCDName), + } + + _, err := r.Reconcile(ctx, req) + if test.expectErr { + assert.Error(t, err) + } else { + assert.NoError(t, err) + route := routev1.Route{} + err = argoutil.FetchObject(r.Client, a.Namespace, test.routeName, &route) + assert.NoError(t, err) + assert.Equal(t, test.expectedTLS, route.Spec.TLS) + } + }) + } +} diff --git a/controllers/argoutil/secret.go b/controllers/argoutil/secret.go index 7ed01ee91..83a014d1d 100644 --- a/controllers/argoutil/secret.go +++ b/controllers/argoutil/secret.go 
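Review bot: The second test function is misspelled, `TestReconilePrometheusRouteWithExternalTLSData`; it should be `TestReconcilePrometheusRouteWithExternalTLSData` so it is found when filtering by name. Both new tests assign the package-level `routeAPIFound = true` and never restore it, which leaks into tests that run later in the package; `prev := routeAPIFound; t.Cleanup(func() { routeAPIFound = prev })` at the top of each keeps them isolated. In `TestOverrideRouteTLSData` the two error cases only assert that some error occurred, so a fetch failure in the fake client would still pass the "invalid secret type" case; `assert.ErrorContains(t, err, "is not of type kubernetes.io/tls")` pins the intended branch.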
@@ -15,6 +15,7 @@ package argoutil import ( + "context" "fmt" corev1 "k8s.io/api/core/v1" @@ -66,3 +67,26 @@ func NewSecretWithName(cr *argoproj.ArgoCD, name string) *corev1.Secret { func NewSecretWithSuffix(cr *argoproj.ArgoCD, suffix string) *corev1.Secret { return NewSecretWithName(cr, fmt.Sprintf("%s-%s", cr.Name, suffix)) } + +func CreateTLSSecret(client client.Client, name string, namespace string, data map[string][]byte) error { + secret := corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Type: corev1.SecretTypeTLS, + Data: data, + } + return client.Create(context.TODO(), &secret) +} + +func CreateSecret(client client.Client, name string, namespace string, data map[string][]byte) error { + secret := corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Data: data, + } + return client.Create(context.TODO(), &secret) +} diff --git a/deploy/olm-catalog/argocd-operator/0.13.0/argocd-operator.v0.13.0.clusterserviceversion.yaml b/deploy/olm-catalog/argocd-operator/0.13.0/argocd-operator.v0.13.0.clusterserviceversion.yaml index 60cd86850..b64d71c75 100644 --- a/deploy/olm-catalog/argocd-operator/0.13.0/argocd-operator.v0.13.0.clusterserviceversion.yaml +++ b/deploy/olm-catalog/argocd-operator/0.13.0/argocd-operator.v0.13.0.clusterserviceversion.yaml @@ -247,7 +247,7 @@ metadata: capabilities: Deep Insights categories: Integration & Delivery certified: "false" - createdAt: "2024-09-04T11:54:58Z" + createdAt: "2024-09-27T05:27:12Z" description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. operators.operatorframework.io/builder: operator-sdk-v1.35.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 diff --git a/deploy/olm-catalog/argocd-operator/0.13.0/argoproj.io_argocds.yaml b/deploy/olm-catalog/argocd-operator/0.13.0/argoproj.io_argocds.yaml index f3d428611..f38aefbc6 100644 
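Review bot: `CreateTLSSecret` and `CreateSecret` are new exported functions in a non-test package without doc comments, and their first parameter `client` shadows the imported `client` package inside the body; both hard-code `context.TODO()` rather than taking a context. A signature such as `func CreateTLSSecret(ctx context.Context, c client.Client, name, namespace string, data map[string][]byte) error` with a comment like `// CreateTLSSecret creates a kubernetes.io/tls Secret named name in namespace with the given data.` addresses all three. From this diff the helpers appear to be used only by route_test.go, so if that holds they may belong in a test helper file instead of the argoutil API surface.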
--- a/deploy/olm-catalog/argocd-operator/0.13.0/argoproj.io_argocds.yaml +++ b/deploy/olm-catalog/argocd-operator/0.13.0/argoproj.io_argocds.yaml @@ -352,7 +352,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -362,25 +364,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -920,7 +961,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -930,25 +973,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -1470,7 +1552,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -1480,25 +1564,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -6646,7 +6769,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -6656,25 +6781,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -7412,7 +7576,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -7422,25 +7588,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -12205,7 +12410,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -12215,25 +12422,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -12755,7 +13001,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -12765,25 +13013,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. @@ -19268,7 +19555,9 @@ spec: certificate contents type: string certificate: - description: certificate provides certificate contents + description: |- + certificate provides certificate contents. This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. type: string destinationCACertificate: description: |- 
@@ -19278,25 +19567,64 @@ spec: the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify. type: string + externalCertificate: + description: |- + externalCertificate provides certificate contents as a secret reference. + This should be a single serving certificate, not a certificate + chain. Do not include a CA certificate. The secret referenced should + be present in the same namespace as that of the Route. + Forbidden when `certificate` is set. + properties: + name: + description: |- + name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic insecureEdgeTerminationPolicy: description: |- insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80. - * Allow - traffic is sent to the server on the insecure port (default) - * Disable - no traffic is allowed on the insecure port. + * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default). + * None - no traffic is allowed on the insecure port. * Redirect - clients are redirected to the secure port. + enum: + - Allow + - None + - Redirect + - "" type: string key: description: key provides key file contents type: string termination: - description: termination indicates termination type. + description: |- + termination indicates termination type. 
+ + + * edge - TLS termination is done by the router and http is used to communicate with the backend (default) + * passthrough - Traffic is sent straight to the destination without the router providing TLS termination + * reencrypt - TLS termination is done by the router and https is used to communicate with the backend + + + Note: passthrough termination is incompatible with httpHeader actions + enum: + - edge + - reencrypt + - passthrough type: string required: - termination type: object + x-kubernetes-validations: + - message: 'cannot have both spec.tls.termination: passthrough + and spec.tls.insecureEdgeTerminationPolicy: Allow' + rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) + ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) + : true' wildcardPolicy: description: WildcardPolicy if any for the route. Currently only 'Subdomain' or 'None' is allowed. diff --git a/go.mod b/go.mod index 67d753fc5..d184f198d 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/json-iterator/go v1.1.12 github.com/onsi/ginkgo v1.16.5 github.com/onsi/gomega v1.34.0 - github.com/openshift/api v3.9.1-0.20190916204813-cdbe64fb0c91+incompatible + github.com/openshift/api v0.0.0-20240906151052-5d963dce87aa github.com/openshift/client-go v0.0.0-20200325131901-f7baeb993edb github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.19.1 diff --git a/go.sum b/go.sum index 012e93560..63335fd43 100644 --- a/go.sum +++ b/go.sum 
@@ -1376,8 +1376,8 @@ github.com/onsi/gomega v1.34.0 h1:eSSPsPNp6ZpsG8X1OVmOTxig+CblTc4AxpPBykhe2Os= github.com/onsi/gomega v1.34.0/go.mod h1:MIKI8c+f+QLWk+hxbePD4i0LMJSExPaZOVfkoex4cAo= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/openshift/api v0.0.0-20200324160301-f91f52aea878/go.mod h1:7k3+uZYOir97walbYUqApHUA2OPhkQpVJHt0n7GJ6P4= -github.com/openshift/api v3.9.1-0.20190916204813-cdbe64fb0c91+incompatible h1:XKVBXsObu4jv2nzgvjnTZ7eBlM3G9H3mrG8yP4TE61U= -github.com/openshift/api v3.9.1-0.20190916204813-cdbe64fb0c91+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY= +github.com/openshift/api v0.0.0-20240906151052-5d963dce87aa h1:RMI6Xa+l8KriyoxsRO/swMDPyCwrxJNA9H67K0Jod/w= +github.com/openshift/api v0.0.0-20240906151052-5d963dce87aa/go.mod h1:yimSGmjsI+XF1mr+AKBs2//fSXIOhhetHGbMlBEfXbs= github.com/openshift/build-machinery-go v0.0.0-20200211121458-5e3d6e570160/go.mod h1:1CkcsT3aVebzRBzVTSbiKSkJMsC/CASqxesfqEMfJEc= github.com/openshift/client-go v0.0.0-20200325131901-f7baeb993edb h1:h/pmujsUIaL6f/9U83Hiyb02wUuY+Hn7vNk4UZSsRVU= github.com/openshift/client-go v0.0.0-20200325131901-f7baeb993edb/go.mod h1:rAML9NXVUNqFcjFAxml+MtOS0ia2Tp3mjlvfofyurss= diff --git a/tests/ocp/1-005_validate_route_tls/01-assert.yaml b/tests/ocp/1-005_validate_route_tls/01-assert.yaml new file mode 100644 index 000000000..6e489fbc9 --- /dev/null +++ b/tests/ocp/1-005_validate_route_tls/01-assert.yaml 
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+ name: example
+status:
+ phase: Available
+ applicationSetController: Running
+ server: Running
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: example-server
+spec:
+ to:
+ kind: Service
+ name: example-server
+ weight: 100
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: reencrypt
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: example-applicationset-controller-webhook
+spec:
+ to:
+ kind: Service
+ name: example-applicationset-controller
+ weight: 100
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
diff --git a/tests/ocp/1-005_validate_route_tls/01-install.yaml b/tests/ocp/1-005_validate_route_tls/01-install.yaml
new file mode 100644
index 000000000..8dd4cb5b2
--- /dev/null
+++ b/tests/ocp/1-005_validate_route_tls/01-install.yaml
@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+ name: example
+spec:
+ server:
+ route:
+ enabled: true
+ applicationSet:
+ enabled: true
+ webhookServer:
+ host: example.com
+ route:
+ enabled: true
\ No newline at end of file
diff --git a/tests/ocp/1-005_validate_route_tls/02-assert.yaml b/tests/ocp/1-005_validate_route_tls/02-assert.yaml
new file mode 100644
index 000000000..4ae649f0e
--- /dev/null
+++ b/tests/ocp/1-005_validate_route_tls/02-assert.yaml
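Review bot: The 01-assert fixture pins two default Routes with different termination modes — `example-server` with `termination: reencrypt` and `example-applicationset-controller-webhook` with `termination: edge` — and nothing in the file records that the split is intentional. Since this is the step that freezes the operator's defaults, a reader who later sees edge (router-to-backend traffic in plaintext) next to reencrypt may take it for a typo and "fix" the assertion. A one-line YAML comment above the webhook Route, e.g. `# expected default: edge here, reencrypt on the server route`, would make the asserted asymmetry explicit without changing what is checked.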
@@ -0,0 +1,168 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example +status: + phase: Available + applicationSetController: Running + server: Running +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: example-server +spec: + to: + kind: Service + name: example-server + weight: 100 + tls: + termination: reencrypt + certificate: |- + -----BEGIN CERTIFICATE----- + MIIEbTCCAtWgAwIBAgIUA80/UfgNcx8tYz/XXlo6X8DJzXQwDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA5MjUwNDM4MjdaGA8yMTIz + MDQyMDA0MzgyN1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAaIwDQYJKoZIhvcN + AQEBBQADggGPADCCAYoCggGBAJUuv+nO7S02+BHo5zkVg/IwUNSqQhsgKe3Djzsm + ISctrzNgrtUPqxYU0XDPXIS/v4wrtXrbXjlEaVgpTToqt/DRITH/I9FZzFQRQWKb + Gx0g3aH/LFJHHix4KCMPzEcykXba3zJqZei4NeJ7ym/Z5g/gJjGOE2SDVJN7YA9p + WKEgf/+TB6uPkEcgNc+8rFKbwQ63IhqOnHZq0mFaT/DWQUWYqLNZOHIiXjIELjGe + RjzmxlTQd9hWrC+FP1fOz9Ahpnw8oJ+wEpMUSpsAd3FFYUDZW/bj3jwWLT3WtmTb + d5ehpeE/zM5twy4rZXzT43+fsO/ns2YDxsSiujrtwm/Ar5k86S2XTkWro6f/t/Ml + dcIGzUZm2lSRacX1brIhNryHU2ZyVsEKJbS4/7N/wHTqhctSZlJRXkfjPiIC2KHV + YngPAtJ+fSmdULd7rIWcaxsrpnyozVpzYm5U8XRGm/pj2FFHVKPdSBoo2GrkVMyh + oU3+YiFno57wNbrm9ROzMIHhhwIDAQABo1MwUTAdBgNVHQ4EFgQUTbU3O3JsKBC6 + jCLjxTX4zWEAgc8wHwYDVR0jBBgwFoAUTbU3O3JsKBC6jCLjxTX4zWEAgc8wDwYD + VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAMthyYhEUf5GdrKSMBuWR + +QlsBau/6N2nSxRxM2g4oexQOGUny1r76KrW6o/2V/PYyz/3WgOgSB/4sZxNoeu8 + rsjY9sp/bCWJ6jEmhm2kkVeb3Arix0iNt7BviOCjoVchc31R20JLP0a6WK+KtiV2 + C8qbuOQEkVWY/NVy+buHKqJjNZXyj8ADX0It8rAmaEGMEGkEFtYTnjEYHdkPWfYx + 6P9C12PrZySu9+L3eGmylKeDU7dWvBAONbHfHL8W/8pxG1CwObfkTEpzVTlR0SfI + W1dZ9YXb7S5F/0j6GLeUSgvnQZxH4rbc699wC9Y/kt5EozT1xvmKgZ6G6vaU2Mhb + jZnrbB4swXCVf98HDAy8PWrn7BWky9G8SbM5kS6Mj9pQwZnnfF6VLg+uWBBjMh7g + 0Ntf+Lv/IC5v+jC7TDKRPCAUGYzBRLMbT0WvK0BVXhp6swCi4qtME/BTsqXA6zzk + 5PfEh1b+yuqxbF3bU8rII1LIsXxr96lssl+H0HxPpQKv + 
-----END CERTIFICATE----- + key: |- + -----BEGIN PRIVATE KEY----- + MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCVLr/pzu0tNvgR + 6Oc5FYPyMFDUqkIbICntw487JiEnLa8zYK7VD6sWFNFwz1yEv7+MK7V62145RGlY + KU06Krfw0SEx/yPRWcxUEUFimxsdIN2h/yxSRx4seCgjD8xHMpF22t8yamXouDXi + e8pv2eYP4CYxjhNkg1STe2APaVihIH//kwerj5BHIDXPvKxSm8EOtyIajpx2atJh + Wk/w1kFFmKizWThyIl4yBC4xnkY85sZU0HfYVqwvhT9Xzs/QIaZ8PKCfsBKTFEqb + AHdxRWFA2Vv24948Fi091rZk23eXoaXhP8zObcMuK2V80+N/n7Dv57NmA8bEoro6 + 7cJvwK+ZPOktl05Fq6On/7fzJXXCBs1GZtpUkWnF9W6yITa8h1NmclbBCiW0uP+z + f8B06oXLUmZSUV5H4z4iAtih1WJ4DwLSfn0pnVC3e6yFnGsbK6Z8qM1ac2JuVPF0 + Rpv6Y9hRR1Sj3UgaKNhq5FTMoaFN/mIhZ6Oe8DW65vUTszCB4YcCAwEAAQKCAYBJ + 9tTF6odjTIav8oZ5ofY6ZMQevI9r/YVsUfI4xE3Zq+falEv6bPtJRmcVBGp9ksg4 + ig8/a3YK9KU6Rbf5Z+as6jMII9SxXlFVOPzvE7HcvkfEosxpusL2D1jvEU0Z27ON + dzUEPQZr3LEyqmeTDzjmlB67oRJyWj7bpGbbHUMJGCD+KPq7j8Fb0ld7uLLDfl+4 + mQm6mwxuFcZa6DkMUl4oUGkMCudWhz2mlLYGec+fMFgTAwz4YPib0ve15F7adWPh + EYqE8cqz3p1r2b9O6MNu0GTK16+388AFVSULImag/525pddohZgPHU8BJAKffGL6 + XCCfQrQBbe6geYsNANx8E34M3fbmkeby41oLY8v8PJOMHvoDREqD7tgqlPgozlD0 + BXlDaxTYLAwbyK+jARvQT60a4V744MMhsJ57GMC69R/YDW7Qbd4hiD3P4XEmqHBz + a/dhsNsJylgTMLFOIr4RnH/82yXyG3J0WTtZP+kRxq1aHaTduSif1SQkFqhr+MkC + gcEAxxmX9UAChk+DuOPsYYtx+kl/0aR8B5tvVQRQDxfij0Km9nXEyTsRE34sFlAk + RxgVUb+DjARPn5OuST/v3HHemGUU2x/L5BYYgtn9waI6vpTA3lllPzTYIr6aZfkb + yaX6UbHk5C9af/0F+xq4pNoSpcafdrE5dJ9JyM/20Q3DRxCN+RY2alezO/UCe0Sf + 3OH7Qk2RYgbP1lADV/58oqGpU079N1M4yt6ziyltPC8y/laGOAA00ZGFBPzySs2J + 3yXbAoHBAL/RI4s2WsX8ERaa/GXo85q0/LK2Wq8LICm/jxrMAZrVK1u9kSEKgps2 + pGV9hE73y7gBgstrfrUKghSsqwtIwQCXVYFKEzu4l2fojukJ13eCR7YSBqGTM3Jn + PhyjvxoAcmBsKjkoaXAt5+6DtuTVlQmElJB1s/A8us6rwy2GaXAWTHhNGJ5xuSAd + h3nW1Bsg84f5J6Vx0mnW85kAipB16LZFKUSqHpWYZ+Qe9yT0+iS0Fexz/dHmX4WA + eBZ0rulAxQKBwAutkKAt9PfzygIaPE8sYq8PiJO/VhcMIueVrSx1djB49FoYZkZ3 + VHUUPXnBkZ8p5nY5CXo49oKhouNhAKypcSj3JNYFc2wZb66dIqks3s025GkmTS37 + 54GCNIQurFaTia8pBAfuTxyatrMXyiTBNb7Le6b2liwk+6rvp8ZzTDTq36jwiJiM + 
NFMb991LFSVbi+VDr3dUdvRXFRsgLidL3Caqx2drVjVwAo/zChkxm4gXgx/dwztX + kbnNLFj+3UtdaQKBwBfHGRzctAvu3z9qHveTFP+Mh/avXDZurqH+OQMdXuWOnz1U + FnV+FAqhj2d1U71mQj6hEVGeFarjjpR5gwp3DlXAbL0GLbQtgbdDwNNqgOczoygS + u/ezg6Ee4zgxpDLY81S4k9NaCxf42NNcSIO9Zigz4ya1MIULQiz0ZdFy5Acc/IW9 + KNwbRNOSVYTo+IoUX5vvata7cVXla3T/+C1IMHzHvgHhBMGOjvJcVE6kf42lNUKG + bmRiplyqPDisZjJL8QKBwQCupVWTNeEy0YZ+7mwyJZ1DLURRlgUOKx7LhkO1MDn4 + YyjJrDm1Ne3XjNXq/wjaQX5KuUdkXoqAp1emo2nKGqqVjwSkWX6ordO6mLYhGDiA + vDydisaLX4I8x6NZFIabzqpZbmf6pWlxXVsEptXdAeALpxNZ/r/P34UOgF/g5jZB + /r8qFYC5HnDCY72bY52UXON3ktVmhC7PK3JNmruJgunEfC/yOk8YB9Eks7+3+9SR + HkXkOt1cAbJWZruf4j13X4s= + -----END PRIVATE KEY----- +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: example-applicationset-controller-webhook +spec: + to: + kind: Service + name: example-applicationset-controller + weight: 100 + tls: + termination: reencrypt + certificate: |- + -----BEGIN CERTIFICATE----- + MIIEbTCCAtWgAwIBAgIUA80/UfgNcx8tYz/XXlo6X8DJzXQwDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA5MjUwNDM4MjdaGA8yMTIz + MDQyMDA0MzgyN1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAaIwDQYJKoZIhvcN + AQEBBQADggGPADCCAYoCggGBAJUuv+nO7S02+BHo5zkVg/IwUNSqQhsgKe3Djzsm + ISctrzNgrtUPqxYU0XDPXIS/v4wrtXrbXjlEaVgpTToqt/DRITH/I9FZzFQRQWKb + Gx0g3aH/LFJHHix4KCMPzEcykXba3zJqZei4NeJ7ym/Z5g/gJjGOE2SDVJN7YA9p + WKEgf/+TB6uPkEcgNc+8rFKbwQ63IhqOnHZq0mFaT/DWQUWYqLNZOHIiXjIELjGe + RjzmxlTQd9hWrC+FP1fOz9Ahpnw8oJ+wEpMUSpsAd3FFYUDZW/bj3jwWLT3WtmTb + d5ehpeE/zM5twy4rZXzT43+fsO/ns2YDxsSiujrtwm/Ar5k86S2XTkWro6f/t/Ml + dcIGzUZm2lSRacX1brIhNryHU2ZyVsEKJbS4/7N/wHTqhctSZlJRXkfjPiIC2KHV + YngPAtJ+fSmdULd7rIWcaxsrpnyozVpzYm5U8XRGm/pj2FFHVKPdSBoo2GrkVMyh + oU3+YiFno57wNbrm9ROzMIHhhwIDAQABo1MwUTAdBgNVHQ4EFgQUTbU3O3JsKBC6 + jCLjxTX4zWEAgc8wHwYDVR0jBBgwFoAUTbU3O3JsKBC6jCLjxTX4zWEAgc8wDwYD + 
VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAMthyYhEUf5GdrKSMBuWR + +QlsBau/6N2nSxRxM2g4oexQOGUny1r76KrW6o/2V/PYyz/3WgOgSB/4sZxNoeu8 + rsjY9sp/bCWJ6jEmhm2kkVeb3Arix0iNt7BviOCjoVchc31R20JLP0a6WK+KtiV2 + C8qbuOQEkVWY/NVy+buHKqJjNZXyj8ADX0It8rAmaEGMEGkEFtYTnjEYHdkPWfYx + 6P9C12PrZySu9+L3eGmylKeDU7dWvBAONbHfHL8W/8pxG1CwObfkTEpzVTlR0SfI + W1dZ9YXb7S5F/0j6GLeUSgvnQZxH4rbc699wC9Y/kt5EozT1xvmKgZ6G6vaU2Mhb + jZnrbB4swXCVf98HDAy8PWrn7BWky9G8SbM5kS6Mj9pQwZnnfF6VLg+uWBBjMh7g + 0Ntf+Lv/IC5v+jC7TDKRPCAUGYzBRLMbT0WvK0BVXhp6swCi4qtME/BTsqXA6zzk + 5PfEh1b+yuqxbF3bU8rII1LIsXxr96lssl+H0HxPpQKv + -----END CERTIFICATE----- + key: |- + -----BEGIN PRIVATE KEY----- + MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCVLr/pzu0tNvgR + 6Oc5FYPyMFDUqkIbICntw487JiEnLa8zYK7VD6sWFNFwz1yEv7+MK7V62145RGlY + KU06Krfw0SEx/yPRWcxUEUFimxsdIN2h/yxSRx4seCgjD8xHMpF22t8yamXouDXi + e8pv2eYP4CYxjhNkg1STe2APaVihIH//kwerj5BHIDXPvKxSm8EOtyIajpx2atJh + Wk/w1kFFmKizWThyIl4yBC4xnkY85sZU0HfYVqwvhT9Xzs/QIaZ8PKCfsBKTFEqb + AHdxRWFA2Vv24948Fi091rZk23eXoaXhP8zObcMuK2V80+N/n7Dv57NmA8bEoro6 + 7cJvwK+ZPOktl05Fq6On/7fzJXXCBs1GZtpUkWnF9W6yITa8h1NmclbBCiW0uP+z + f8B06oXLUmZSUV5H4z4iAtih1WJ4DwLSfn0pnVC3e6yFnGsbK6Z8qM1ac2JuVPF0 + Rpv6Y9hRR1Sj3UgaKNhq5FTMoaFN/mIhZ6Oe8DW65vUTszCB4YcCAwEAAQKCAYBJ + 9tTF6odjTIav8oZ5ofY6ZMQevI9r/YVsUfI4xE3Zq+falEv6bPtJRmcVBGp9ksg4 + ig8/a3YK9KU6Rbf5Z+as6jMII9SxXlFVOPzvE7HcvkfEosxpusL2D1jvEU0Z27ON + dzUEPQZr3LEyqmeTDzjmlB67oRJyWj7bpGbbHUMJGCD+KPq7j8Fb0ld7uLLDfl+4 + mQm6mwxuFcZa6DkMUl4oUGkMCudWhz2mlLYGec+fMFgTAwz4YPib0ve15F7adWPh + EYqE8cqz3p1r2b9O6MNu0GTK16+388AFVSULImag/525pddohZgPHU8BJAKffGL6 + XCCfQrQBbe6geYsNANx8E34M3fbmkeby41oLY8v8PJOMHvoDREqD7tgqlPgozlD0 + BXlDaxTYLAwbyK+jARvQT60a4V744MMhsJ57GMC69R/YDW7Qbd4hiD3P4XEmqHBz + a/dhsNsJylgTMLFOIr4RnH/82yXyG3J0WTtZP+kRxq1aHaTduSif1SQkFqhr+MkC + gcEAxxmX9UAChk+DuOPsYYtx+kl/0aR8B5tvVQRQDxfij0Km9nXEyTsRE34sFlAk + RxgVUb+DjARPn5OuST/v3HHemGUU2x/L5BYYgtn9waI6vpTA3lllPzTYIr6aZfkb + yaX6UbHk5C9af/0F+xq4pNoSpcafdrE5dJ9JyM/20Q3DRxCN+RY2alezO/UCe0Sf + 
3OH7Qk2RYgbP1lADV/58oqGpU079N1M4yt6ziyltPC8y/laGOAA00ZGFBPzySs2J + 3yXbAoHBAL/RI4s2WsX8ERaa/GXo85q0/LK2Wq8LICm/jxrMAZrVK1u9kSEKgps2 + pGV9hE73y7gBgstrfrUKghSsqwtIwQCXVYFKEzu4l2fojukJ13eCR7YSBqGTM3Jn + PhyjvxoAcmBsKjkoaXAt5+6DtuTVlQmElJB1s/A8us6rwy2GaXAWTHhNGJ5xuSAd + h3nW1Bsg84f5J6Vx0mnW85kAipB16LZFKUSqHpWYZ+Qe9yT0+iS0Fexz/dHmX4WA + eBZ0rulAxQKBwAutkKAt9PfzygIaPE8sYq8PiJO/VhcMIueVrSx1djB49FoYZkZ3 + VHUUPXnBkZ8p5nY5CXo49oKhouNhAKypcSj3JNYFc2wZb66dIqks3s025GkmTS37 + 54GCNIQurFaTia8pBAfuTxyatrMXyiTBNb7Le6b2liwk+6rvp8ZzTDTq36jwiJiM + NFMb991LFSVbi+VDr3dUdvRXFRsgLidL3Caqx2drVjVwAo/zChkxm4gXgx/dwztX + kbnNLFj+3UtdaQKBwBfHGRzctAvu3z9qHveTFP+Mh/avXDZurqH+OQMdXuWOnz1U + FnV+FAqhj2d1U71mQj6hEVGeFarjjpR5gwp3DlXAbL0GLbQtgbdDwNNqgOczoygS + u/ezg6Ee4zgxpDLY81S4k9NaCxf42NNcSIO9Zigz4ya1MIULQiz0ZdFy5Acc/IW9 + KNwbRNOSVYTo+IoUX5vvata7cVXla3T/+C1IMHzHvgHhBMGOjvJcVE6kf42lNUKG + bmRiplyqPDisZjJL8QKBwQCupVWTNeEy0YZ+7mwyJZ1DLURRlgUOKx7LhkO1MDn4 + YyjJrDm1Ne3XjNXq/wjaQX5KuUdkXoqAp1emo2nKGqqVjwSkWX6ordO6mLYhGDiA + vDydisaLX4I8x6NZFIabzqpZbmf6pWlxXVsEptXdAeALpxNZ/r/P34UOgF/g5jZB + /r8qFYC5HnDCY72bY52UXON3ktVmhC7PK3JNmruJgunEfC/yOk8YB9Eks7+3+9SR + HkXkOt1cAbJWZruf4j13X4s= + -----END PRIVATE KEY----- \ No newline at end of file diff --git a/tests/ocp/1-005_validate_route_tls/02-embedded-tls-data.yaml b/tests/ocp/1-005_validate_route_tls/02-embedded-tls-data.yaml new file mode 100644 index 000000000..19ea5f180 --- /dev/null +++ b/tests/ocp/1-005_validate_route_tls/02-embedded-tls-data.yaml 
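Review bot: Step 02 drops the `insecureEdgeTerminationPolicy` check that step 01 makes, so the test does not establish whether a user-supplied `spec.tls` stanza keeps the `Redirect` default or silently clears it on the two Routes; adding `insecureEdgeTerminationPolicy: Redirect` (or whatever value the operator is expected to set) under each `tls:` block in 02-assert would pin that behavior. The same fixture and the 02-embedded-tls-data hunk that follows it also check a PEM private key and a self-signed certificate into the repository, and the certificate's notAfter appears to be in the year 2123; that is fine for a throwaway test pair, but the files should say so. A header comment such as `# Throwaway self-signed certificate and key generated for this test only; never reuse.` at the top of both 02 files would make the intent clear to anyone who finds the key outside the context of the test.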
@@ -0,0 +1,154 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example +spec: + server: + route: + enabled: true + tls: + termination: reencrypt + certificate: |- + -----BEGIN CERTIFICATE----- + MIIEbTCCAtWgAwIBAgIUA80/UfgNcx8tYz/XXlo6X8DJzXQwDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA5MjUwNDM4MjdaGA8yMTIz + MDQyMDA0MzgyN1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAaIwDQYJKoZIhvcN + AQEBBQADggGPADCCAYoCggGBAJUuv+nO7S02+BHo5zkVg/IwUNSqQhsgKe3Djzsm + ISctrzNgrtUPqxYU0XDPXIS/v4wrtXrbXjlEaVgpTToqt/DRITH/I9FZzFQRQWKb + Gx0g3aH/LFJHHix4KCMPzEcykXba3zJqZei4NeJ7ym/Z5g/gJjGOE2SDVJN7YA9p + WKEgf/+TB6uPkEcgNc+8rFKbwQ63IhqOnHZq0mFaT/DWQUWYqLNZOHIiXjIELjGe + RjzmxlTQd9hWrC+FP1fOz9Ahpnw8oJ+wEpMUSpsAd3FFYUDZW/bj3jwWLT3WtmTb + d5ehpeE/zM5twy4rZXzT43+fsO/ns2YDxsSiujrtwm/Ar5k86S2XTkWro6f/t/Ml + dcIGzUZm2lSRacX1brIhNryHU2ZyVsEKJbS4/7N/wHTqhctSZlJRXkfjPiIC2KHV + YngPAtJ+fSmdULd7rIWcaxsrpnyozVpzYm5U8XRGm/pj2FFHVKPdSBoo2GrkVMyh + oU3+YiFno57wNbrm9ROzMIHhhwIDAQABo1MwUTAdBgNVHQ4EFgQUTbU3O3JsKBC6 + jCLjxTX4zWEAgc8wHwYDVR0jBBgwFoAUTbU3O3JsKBC6jCLjxTX4zWEAgc8wDwYD + VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAMthyYhEUf5GdrKSMBuWR + +QlsBau/6N2nSxRxM2g4oexQOGUny1r76KrW6o/2V/PYyz/3WgOgSB/4sZxNoeu8 + rsjY9sp/bCWJ6jEmhm2kkVeb3Arix0iNt7BviOCjoVchc31R20JLP0a6WK+KtiV2 + C8qbuOQEkVWY/NVy+buHKqJjNZXyj8ADX0It8rAmaEGMEGkEFtYTnjEYHdkPWfYx + 6P9C12PrZySu9+L3eGmylKeDU7dWvBAONbHfHL8W/8pxG1CwObfkTEpzVTlR0SfI + W1dZ9YXb7S5F/0j6GLeUSgvnQZxH4rbc699wC9Y/kt5EozT1xvmKgZ6G6vaU2Mhb + jZnrbB4swXCVf98HDAy8PWrn7BWky9G8SbM5kS6Mj9pQwZnnfF6VLg+uWBBjMh7g + 0Ntf+Lv/IC5v+jC7TDKRPCAUGYzBRLMbT0WvK0BVXhp6swCi4qtME/BTsqXA6zzk + 5PfEh1b+yuqxbF3bU8rII1LIsXxr96lssl+H0HxPpQKv + -----END CERTIFICATE----- + key: |- + -----BEGIN PRIVATE KEY----- + MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCVLr/pzu0tNvgR + 
6Oc5FYPyMFDUqkIbICntw487JiEnLa8zYK7VD6sWFNFwz1yEv7+MK7V62145RGlY + KU06Krfw0SEx/yPRWcxUEUFimxsdIN2h/yxSRx4seCgjD8xHMpF22t8yamXouDXi + e8pv2eYP4CYxjhNkg1STe2APaVihIH//kwerj5BHIDXPvKxSm8EOtyIajpx2atJh + Wk/w1kFFmKizWThyIl4yBC4xnkY85sZU0HfYVqwvhT9Xzs/QIaZ8PKCfsBKTFEqb + AHdxRWFA2Vv24948Fi091rZk23eXoaXhP8zObcMuK2V80+N/n7Dv57NmA8bEoro6 + 7cJvwK+ZPOktl05Fq6On/7fzJXXCBs1GZtpUkWnF9W6yITa8h1NmclbBCiW0uP+z + f8B06oXLUmZSUV5H4z4iAtih1WJ4DwLSfn0pnVC3e6yFnGsbK6Z8qM1ac2JuVPF0 + Rpv6Y9hRR1Sj3UgaKNhq5FTMoaFN/mIhZ6Oe8DW65vUTszCB4YcCAwEAAQKCAYBJ + 9tTF6odjTIav8oZ5ofY6ZMQevI9r/YVsUfI4xE3Zq+falEv6bPtJRmcVBGp9ksg4 + ig8/a3YK9KU6Rbf5Z+as6jMII9SxXlFVOPzvE7HcvkfEosxpusL2D1jvEU0Z27ON + dzUEPQZr3LEyqmeTDzjmlB67oRJyWj7bpGbbHUMJGCD+KPq7j8Fb0ld7uLLDfl+4 + mQm6mwxuFcZa6DkMUl4oUGkMCudWhz2mlLYGec+fMFgTAwz4YPib0ve15F7adWPh + EYqE8cqz3p1r2b9O6MNu0GTK16+388AFVSULImag/525pddohZgPHU8BJAKffGL6 + XCCfQrQBbe6geYsNANx8E34M3fbmkeby41oLY8v8PJOMHvoDREqD7tgqlPgozlD0 + BXlDaxTYLAwbyK+jARvQT60a4V744MMhsJ57GMC69R/YDW7Qbd4hiD3P4XEmqHBz + a/dhsNsJylgTMLFOIr4RnH/82yXyG3J0WTtZP+kRxq1aHaTduSif1SQkFqhr+MkC + gcEAxxmX9UAChk+DuOPsYYtx+kl/0aR8B5tvVQRQDxfij0Km9nXEyTsRE34sFlAk + RxgVUb+DjARPn5OuST/v3HHemGUU2x/L5BYYgtn9waI6vpTA3lllPzTYIr6aZfkb + yaX6UbHk5C9af/0F+xq4pNoSpcafdrE5dJ9JyM/20Q3DRxCN+RY2alezO/UCe0Sf + 3OH7Qk2RYgbP1lADV/58oqGpU079N1M4yt6ziyltPC8y/laGOAA00ZGFBPzySs2J + 3yXbAoHBAL/RI4s2WsX8ERaa/GXo85q0/LK2Wq8LICm/jxrMAZrVK1u9kSEKgps2 + pGV9hE73y7gBgstrfrUKghSsqwtIwQCXVYFKEzu4l2fojukJ13eCR7YSBqGTM3Jn + PhyjvxoAcmBsKjkoaXAt5+6DtuTVlQmElJB1s/A8us6rwy2GaXAWTHhNGJ5xuSAd + h3nW1Bsg84f5J6Vx0mnW85kAipB16LZFKUSqHpWYZ+Qe9yT0+iS0Fexz/dHmX4WA + eBZ0rulAxQKBwAutkKAt9PfzygIaPE8sYq8PiJO/VhcMIueVrSx1djB49FoYZkZ3 + VHUUPXnBkZ8p5nY5CXo49oKhouNhAKypcSj3JNYFc2wZb66dIqks3s025GkmTS37 + 54GCNIQurFaTia8pBAfuTxyatrMXyiTBNb7Le6b2liwk+6rvp8ZzTDTq36jwiJiM + NFMb991LFSVbi+VDr3dUdvRXFRsgLidL3Caqx2drVjVwAo/zChkxm4gXgx/dwztX + kbnNLFj+3UtdaQKBwBfHGRzctAvu3z9qHveTFP+Mh/avXDZurqH+OQMdXuWOnz1U + 
FnV+FAqhj2d1U71mQj6hEVGeFarjjpR5gwp3DlXAbL0GLbQtgbdDwNNqgOczoygS + u/ezg6Ee4zgxpDLY81S4k9NaCxf42NNcSIO9Zigz4ya1MIULQiz0ZdFy5Acc/IW9 + KNwbRNOSVYTo+IoUX5vvata7cVXla3T/+C1IMHzHvgHhBMGOjvJcVE6kf42lNUKG + bmRiplyqPDisZjJL8QKBwQCupVWTNeEy0YZ+7mwyJZ1DLURRlgUOKx7LhkO1MDn4 + YyjJrDm1Ne3XjNXq/wjaQX5KuUdkXoqAp1emo2nKGqqVjwSkWX6ordO6mLYhGDiA + vDydisaLX4I8x6NZFIabzqpZbmf6pWlxXVsEptXdAeALpxNZ/r/P34UOgF/g5jZB + /r8qFYC5HnDCY72bY52UXON3ktVmhC7PK3JNmruJgunEfC/yOk8YB9Eks7+3+9SR + HkXkOt1cAbJWZruf4j13X4s= + -----END PRIVATE KEY----- + applicationSet: + enabled: true + webhookServer: + host: example.com + route: + enabled: true + tls: + termination: reencrypt + certificate: |- + -----BEGIN CERTIFICATE----- + MIIEbTCCAtWgAwIBAgIUA80/UfgNcx8tYz/XXlo6X8DJzXQwDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA5MjUwNDM4MjdaGA8yMTIz + MDQyMDA0MzgyN1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAaIwDQYJKoZIhvcN + AQEBBQADggGPADCCAYoCggGBAJUuv+nO7S02+BHo5zkVg/IwUNSqQhsgKe3Djzsm + ISctrzNgrtUPqxYU0XDPXIS/v4wrtXrbXjlEaVgpTToqt/DRITH/I9FZzFQRQWKb + Gx0g3aH/LFJHHix4KCMPzEcykXba3zJqZei4NeJ7ym/Z5g/gJjGOE2SDVJN7YA9p + WKEgf/+TB6uPkEcgNc+8rFKbwQ63IhqOnHZq0mFaT/DWQUWYqLNZOHIiXjIELjGe + RjzmxlTQd9hWrC+FP1fOz9Ahpnw8oJ+wEpMUSpsAd3FFYUDZW/bj3jwWLT3WtmTb + d5ehpeE/zM5twy4rZXzT43+fsO/ns2YDxsSiujrtwm/Ar5k86S2XTkWro6f/t/Ml + dcIGzUZm2lSRacX1brIhNryHU2ZyVsEKJbS4/7N/wHTqhctSZlJRXkfjPiIC2KHV + YngPAtJ+fSmdULd7rIWcaxsrpnyozVpzYm5U8XRGm/pj2FFHVKPdSBoo2GrkVMyh + oU3+YiFno57wNbrm9ROzMIHhhwIDAQABo1MwUTAdBgNVHQ4EFgQUTbU3O3JsKBC6 + jCLjxTX4zWEAgc8wHwYDVR0jBBgwFoAUTbU3O3JsKBC6jCLjxTX4zWEAgc8wDwYD + VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAMthyYhEUf5GdrKSMBuWR + +QlsBau/6N2nSxRxM2g4oexQOGUny1r76KrW6o/2V/PYyz/3WgOgSB/4sZxNoeu8 + rsjY9sp/bCWJ6jEmhm2kkVeb3Arix0iNt7BviOCjoVchc31R20JLP0a6WK+KtiV2 + C8qbuOQEkVWY/NVy+buHKqJjNZXyj8ADX0It8rAmaEGMEGkEFtYTnjEYHdkPWfYx + 
6P9C12PrZySu9+L3eGmylKeDU7dWvBAONbHfHL8W/8pxG1CwObfkTEpzVTlR0SfI + W1dZ9YXb7S5F/0j6GLeUSgvnQZxH4rbc699wC9Y/kt5EozT1xvmKgZ6G6vaU2Mhb + jZnrbB4swXCVf98HDAy8PWrn7BWky9G8SbM5kS6Mj9pQwZnnfF6VLg+uWBBjMh7g + 0Ntf+Lv/IC5v+jC7TDKRPCAUGYzBRLMbT0WvK0BVXhp6swCi4qtME/BTsqXA6zzk + 5PfEh1b+yuqxbF3bU8rII1LIsXxr96lssl+H0HxPpQKv + -----END CERTIFICATE----- + key: |- + -----BEGIN PRIVATE KEY----- + MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCVLr/pzu0tNvgR + 6Oc5FYPyMFDUqkIbICntw487JiEnLa8zYK7VD6sWFNFwz1yEv7+MK7V62145RGlY + KU06Krfw0SEx/yPRWcxUEUFimxsdIN2h/yxSRx4seCgjD8xHMpF22t8yamXouDXi + e8pv2eYP4CYxjhNkg1STe2APaVihIH//kwerj5BHIDXPvKxSm8EOtyIajpx2atJh + Wk/w1kFFmKizWThyIl4yBC4xnkY85sZU0HfYVqwvhT9Xzs/QIaZ8PKCfsBKTFEqb + AHdxRWFA2Vv24948Fi091rZk23eXoaXhP8zObcMuK2V80+N/n7Dv57NmA8bEoro6 + 7cJvwK+ZPOktl05Fq6On/7fzJXXCBs1GZtpUkWnF9W6yITa8h1NmclbBCiW0uP+z + f8B06oXLUmZSUV5H4z4iAtih1WJ4DwLSfn0pnVC3e6yFnGsbK6Z8qM1ac2JuVPF0 + Rpv6Y9hRR1Sj3UgaKNhq5FTMoaFN/mIhZ6Oe8DW65vUTszCB4YcCAwEAAQKCAYBJ + 9tTF6odjTIav8oZ5ofY6ZMQevI9r/YVsUfI4xE3Zq+falEv6bPtJRmcVBGp9ksg4 + ig8/a3YK9KU6Rbf5Z+as6jMII9SxXlFVOPzvE7HcvkfEosxpusL2D1jvEU0Z27ON + dzUEPQZr3LEyqmeTDzjmlB67oRJyWj7bpGbbHUMJGCD+KPq7j8Fb0ld7uLLDfl+4 + mQm6mwxuFcZa6DkMUl4oUGkMCudWhz2mlLYGec+fMFgTAwz4YPib0ve15F7adWPh + EYqE8cqz3p1r2b9O6MNu0GTK16+388AFVSULImag/525pddohZgPHU8BJAKffGL6 + XCCfQrQBbe6geYsNANx8E34M3fbmkeby41oLY8v8PJOMHvoDREqD7tgqlPgozlD0 + BXlDaxTYLAwbyK+jARvQT60a4V744MMhsJ57GMC69R/YDW7Qbd4hiD3P4XEmqHBz + a/dhsNsJylgTMLFOIr4RnH/82yXyG3J0WTtZP+kRxq1aHaTduSif1SQkFqhr+MkC + gcEAxxmX9UAChk+DuOPsYYtx+kl/0aR8B5tvVQRQDxfij0Km9nXEyTsRE34sFlAk + RxgVUb+DjARPn5OuST/v3HHemGUU2x/L5BYYgtn9waI6vpTA3lllPzTYIr6aZfkb + yaX6UbHk5C9af/0F+xq4pNoSpcafdrE5dJ9JyM/20Q3DRxCN+RY2alezO/UCe0Sf + 3OH7Qk2RYgbP1lADV/58oqGpU079N1M4yt6ziyltPC8y/laGOAA00ZGFBPzySs2J + 3yXbAoHBAL/RI4s2WsX8ERaa/GXo85q0/LK2Wq8LICm/jxrMAZrVK1u9kSEKgps2 + pGV9hE73y7gBgstrfrUKghSsqwtIwQCXVYFKEzu4l2fojukJ13eCR7YSBqGTM3Jn + PhyjvxoAcmBsKjkoaXAt5+6DtuTVlQmElJB1s/A8us6rwy2GaXAWTHhNGJ5xuSAd + 
h3nW1Bsg84f5J6Vx0mnW85kAipB16LZFKUSqHpWYZ+Qe9yT0+iS0Fexz/dHmX4WA + eBZ0rulAxQKBwAutkKAt9PfzygIaPE8sYq8PiJO/VhcMIueVrSx1djB49FoYZkZ3 + VHUUPXnBkZ8p5nY5CXo49oKhouNhAKypcSj3JNYFc2wZb66dIqks3s025GkmTS37 + 54GCNIQurFaTia8pBAfuTxyatrMXyiTBNb7Le6b2liwk+6rvp8ZzTDTq36jwiJiM + NFMb991LFSVbi+VDr3dUdvRXFRsgLidL3Caqx2drVjVwAo/zChkxm4gXgx/dwztX + kbnNLFj+3UtdaQKBwBfHGRzctAvu3z9qHveTFP+Mh/avXDZurqH+OQMdXuWOnz1U + FnV+FAqhj2d1U71mQj6hEVGeFarjjpR5gwp3DlXAbL0GLbQtgbdDwNNqgOczoygS + u/ezg6Ee4zgxpDLY81S4k9NaCxf42NNcSIO9Zigz4ya1MIULQiz0ZdFy5Acc/IW9 + KNwbRNOSVYTo+IoUX5vvata7cVXla3T/+C1IMHzHvgHhBMGOjvJcVE6kf42lNUKG + bmRiplyqPDisZjJL8QKBwQCupVWTNeEy0YZ+7mwyJZ1DLURRlgUOKx7LhkO1MDn4 + YyjJrDm1Ne3XjNXq/wjaQX5KuUdkXoqAp1emo2nKGqqVjwSkWX6ordO6mLYhGDiA + vDydisaLX4I8x6NZFIabzqpZbmf6pWlxXVsEptXdAeALpxNZ/r/P34UOgF/g5jZB + /r8qFYC5HnDCY72bY52UXON3ktVmhC7PK3JNmruJgunEfC/yOk8YB9Eks7+3+9SR + HkXkOt1cAbJWZruf4j13X4s= + -----END PRIVATE KEY----- \ No newline at end of file diff --git a/tests/ocp/1-005_validate_route_tls/03-assert.yaml b/tests/ocp/1-005_validate_route_tls/03-assert.yaml new file mode 100644 index 000000000..accab332a --- /dev/null +++ b/tests/ocp/1-005_validate_route_tls/03-assert.yaml 
@@ -0,0 +1,206 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example +status: + phase: Available + applicationSetController: Running + server: Running +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: example-server +spec: + to: + kind: Service + name: example-server + weight: 100 + tls: + termination: reencrypt + certificate: |- + -----BEGIN CERTIFICATE----- + MIIFrjCCA5agAwIBAgIUbM9O0W6IdumLQodDCDqyckYDr2IwDQYJKoZIhvcNAQEL + BQAwTTELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFRlc3QxDTALBgNVBAoMBFRlc3Qx + DTALBgNVBAsMBFRlc3QxETAPBgNVBAMMCHRlc3QuY29tMCAXDTIzMTEyNjIyMTg0 + N1oYDzIxMjMxMTI3MjIxODQ3WjBNMQswCQYDVQQGEwJVUzENMAsGA1UECAwEVGVz + dDENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDERMA8GA1UEAwwIdGVzdC5j + b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDbgAmnUjFux9u2Xzhi + mno5zjA/YsoXr3eFtK9XtByQMLLyT0hbXoa9gpTeafOs3IkCotPdN+omxm2tN9UA + ebAq+EamWyIF28EA3UbCWWULghveezrmAKSMcqQqby3knbcbGng+ZZjRdC3xc0uz + /sd4FqaLt0UHBDMlpxRskj/S3CDetfyIrKYQcZ5NQjx75aRN8At5OPC1NiWTmlsv + ppa4LLV0HR6AJzq+C6RAmJTcHQOFAq33wZEHHIpoQoGWHHPpT0ut54KIiVTRJ2o4 + MEV4KlBBgL3ux4+v7R0RfVmzgaMEDG1fC9tX8pIofv7wP7WX/5XHTjyAiv8gbpUW + nLiU8FoTDZWxZN+MiCkUvZl8KqotbcUPjhnRdnq4anFwywY1lKILnCIayqzI7mPW + 12h39fNwprFz9YFYbLLoQHekir2nLw8ZH83nNyD82YQ3EFm7UnOld6zw/8aURRuQ + C0oOEHyAXsvIyaWAb6lWvplDdCUGQWWr7MVp5YPPhWdtAv7B4QLDUNHGQMU/1Qrq + VBH22lcU7XrCh6GXrRVm+gF7kAuJzkuae0txvk9mHc+8Y0C4/i9C3xU2qHjWcElw + etcHbqOZjDtC8+n8mDD4hDYEMGV54VhXCKwoFLneT2no27S3SVPvNbMfyyNuUa2i + 5azKnIf439Cmfww7ImxIpOR5nQIDAQABo4GDMIGAMB0GA1UdDgQWBBQfe95iWKlT + K6BGFov9JFXQTQN0ZjAfBgNVHSMEGDAWgBQfe95iWKlTK6BGFov9JFXQTQN0ZjAP + BgNVHRMBAf8EBTADAQH/MC0GA1UdEQQmMCSCB3dlYmhvb2uCDndlYmhvb2stc2Vy + dmVygglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggIBAH7Vv+Iar1UbF41c9I88 + oIu8iWfLVnAfe/64tULy77x4nfEQiukBJDoZ9m19KEVdPqsFzT6lFB7Fu1oc9A28 + 5b1+PEynHcopNK41zF4n4FnIy9h8zJfaPYYCPPMT0v9LzuT5zyF5sXCz0o4KwQJ6 + zrggZme8udl9sWyDxZyFoFPLWtnQFY7vJ9LSM2Gt+XUIuYNwDkvGFs6RfBYJGarX + 
qq7YHYj0H2x/us3KQCXGX5GzSmM9ewHvaScRpFcCdVwszKwWF0vMvdnh+3P72/Yy + dQvZXyfNiwqaIdznJn/AjzR9K4dHfbY7wMm83WHwWyjzV6CybHbtWpoUIlZtW3TT + gz6MP2z+BhOdMiQA33aO38J2TX/CMkEvkagEiZdS9t3xtpF2LOb5bRIdlENtZU0i + LnhgWEpJmswxBtuJ0d/zcyUlvK7FYoJZB7pT3YX/321HXZVCKyw+xrinwQoI3RnX + 7u0TZ3MqtSKEwCyDWYRJDbs6XUX1G0q7jXBf1+3cd+lBdOZ4Kl5B4YSU9hcFxAuO + 4a1eFXBdmT8PnwoTizFvag3IgBXkf8PqcKNvSMU6UKcD5LYTwRGK3JVl1L79gkrb + LmWEfOXFHgSlMIZkEs41TiopXy8p/LSera8NR86Q3mTZ7rRdEveOb6ZLJksRqaqr + UVwpFuaKz5vTCD36Gmmy/u8y + -----END CERTIFICATE----- + key: |- + -----BEGIN PRIVATE KEY----- + MIIJQAIBADANBgkqhkiG9w0BAQEFAASCCSowggkmAgEAAoICAQDbgAmnUjFux9u2 + Xzhimno5zjA/YsoXr3eFtK9XtByQMLLyT0hbXoa9gpTeafOs3IkCotPdN+omxm2t + N9UAebAq+EamWyIF28EA3UbCWWULghveezrmAKSMcqQqby3knbcbGng+ZZjRdC3x + c0uz/sd4FqaLt0UHBDMlpxRskj/S3CDetfyIrKYQcZ5NQjx75aRN8At5OPC1NiWT + mlsvppa4LLV0HR6AJzq+C6RAmJTcHQOFAq33wZEHHIpoQoGWHHPpT0ut54KIiVTR + J2o4MEV4KlBBgL3ux4+v7R0RfVmzgaMEDG1fC9tX8pIofv7wP7WX/5XHTjyAiv8g + bpUWnLiU8FoTDZWxZN+MiCkUvZl8KqotbcUPjhnRdnq4anFwywY1lKILnCIayqzI + 7mPW12h39fNwprFz9YFYbLLoQHekir2nLw8ZH83nNyD82YQ3EFm7UnOld6zw/8aU + RRuQC0oOEHyAXsvIyaWAb6lWvplDdCUGQWWr7MVp5YPPhWdtAv7B4QLDUNHGQMU/ + 1QrqVBH22lcU7XrCh6GXrRVm+gF7kAuJzkuae0txvk9mHc+8Y0C4/i9C3xU2qHjW + cElwetcHbqOZjDtC8+n8mDD4hDYEMGV54VhXCKwoFLneT2no27S3SVPvNbMfyyNu + Ua2i5azKnIf439Cmfww7ImxIpOR5nQIDAQABAoIB/2wImLfBvJLJy1n3g8kEPyQ0 + V4rbFJyTwEAOrj58Z5KQZYLdgr91xtt/acYOX+C0qrqhaaV338c14sVetXeGbS65 + BAzczeIURuol/q2pUhJX91+JR3Ps3RBDXImGLxBWj8jHPmd3mb99bx9nn9r3izWP + 8GjTyyWo64OcuHC3irI9pe/3olOiphlx0ng0IZDZdgTmIL+JRu/ptpTvY/IQDB6Z + 4rVDn79zj3X6RN2GO74aiaDtsLJAkyDs6zJliWJYnrQ2UwlE6PpKnXRT8fO1zntW + WCnlM5ZSomX0TlpNV9kB9ToI48vkChE/UrCb0N5ufPJS2WU/HIgn4WoVA0wd1rqO + OYfJB1IMY2RoWR9CXO0U51tCji+M83ATq+Fl0Xbxl8grn/q0PWlhmUvS9/Fe8aPA + yVTkEjT2j7MQGtqAO7L+xTUfVfGpFkDUn+QkM8BgNcygagN5ViOfWDFgMgjaFLrd + RZMh9kBi3Qjigj0NP4RaK4/ixURMT/FfwiRwEaH/1O1KXB3a0vanVuiXj5+oCrSE + gRBXdRt2+5FOtli8asre7NLk9unTDY1iEiIsVY8nIV+zmWhf2mR5MB34EoTEIunb + 
OaP9kbiJI6MctKoCsfsWNHfUDPsvriQevG65WETZ1/JKxxjxYlv/Xg702Cnk91Qv + DPrdZCbunMTP3pk5KMECggEBAO0W6hWye+r6e8aBX431Vhv78FDE/suE4iWeCCbA + to7gTnwWZfAB9ynp61bJDS7jXon7Vk0ExkB6nxNTIEj+Yn86M3+UjjuoadCL6hhL + h6xpkc1h1mj5A4IR/yi7RQgHmjKGHURgKyFIwAMYPXNVYD1Ozn9DyGmhG4LcGVQS + zfqclJu5oBCegAkf8EjIaDqMZGJZefxp8UYQy9FjAH1zzG/DXiEWgSPuwoeAu8Ep + SCKsc8EbmxLl9HvJCwvrVaqfuUygLESc/hZZoUFN6fAOQst2B5FS/ZklUECCGiiW + 7/8nnL7wbILV+AcGYVQrUBij9CtUzBZpcMMkHREkmZeN6wkCggEBAO0B+C+kAoat + UCfFG5I2Ds4Cro71AEpuWvEl6wtp5WKiZYuHR4ssGDUOshD4uLb44y4mqTphTiU+ + REV0RLQ/9mgFEmErK2glqkRKdskophbPTGQgwxgmfdQWe0Q42yuo47ljNZVEO201 + SxgpOrHlRYzOQ9XGJmuduKxnrarOYfEXJu1WiGbsiEtY/mrMOov6rcbNsZqsWYqG + kmE5Msg1PsuFvlQ9ndVmE+pd3rEIhYxicD8pyFvonvi2uMmR8HmNShWKi1FZxq8e + OlIgdsY4BuqnNUrnQprhm0hG5cGwcl5auL2+Jc5Uagm/egvtwxPhx+pVYcimKOL9 + CutpY7BeuvUCggEAC6UrfENXCNSizb4/Bkb9osQ+KolyhmaRgQ2BEv42OVBVKo0j + FqXSERH3SDz508rBMv/QXloUrsgXFijoFg3AosUmEGcokU+VWvP0XJshH9vTmIXs + tR0+Cd5+bO691kYhUcf6mggrNihPnhdLtWWFI53CUMfwiRertULAT7vYuC2Gsxtr + /ET8vvX9pGWLkQyiRZ5lenttqWZbzH4TYRYV/YtYDUIAt9YbYfJ1xmgTrfhQezSy + 6ju3RXk7fKtjesz7mgLoCbq4VDq0y/NawTrCFyJF/uJXqHUHuxNo24OGaD722P4Q + JmECHL44e5zhA0TSUmqI17T4H+2fK99jV+lVmQKCAQB2nTi3pw54ln56GOSOjS1l + nuP7udQWbBppe7+ha7MYZQwLA34jwcKvsxYc9k2DjRYtf73L8OzqKLqERAcqaqSI + NJmZNcC4k7keCmJelFBjNAYYSmk5SfJJVaMFZqsRs6mcm3Eyrf5LzpMxmVi9tW/U + Y1qBv3R1AW9uIUlCJZ3QyfR6bYdAc3pWs0hI7MMUUTXtO/552W3KrUTPEZA/sJ4n + v1yczmWSak7nSWltEkW8F3vzsJaMoOQGt3PNtZMzUinUlAzbfuG3vJoVhhfLZjjX + 8Szzur+Twfsz9f+Aqyzh2eeBVouXMpoLHOAY3jp2VdX2ihqxD6+AwoFXhdwVZaON + AoIBAF0/qvwsFThhB9a1wnXuGx1OBY+9owIoinIF2qNcHuqeontxfLWBg1izelJg + gxaATIMvpXgt7y5cBx6fLnylpLgl+TNXCrsrcLnXwJz0Neg/gcSZfcnqwhAhTio9 + iYLVJiK8wnh0pXONutGSasgq3tJLyrzT2+1L5jYKUaFkojIR16sHjo3/MJMPTHvL + fF1DX7y6acz3JXrGJYQsqcrVodSfcGZK/RJQkdvrSdBRZYgWq+CBYViOxkN7cscr + ruQ/DZH/ZCIxVckbuVsAMqdCqAO0gX83eEp7elfAVlnLhvxPluxISuXaJmhJNafr + Xq+NinfrqOLJkIZ/u/PJu4KqN3M= + -----END PRIVATE KEY----- +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + 
name: example-applicationset-controller-webhook +spec: + to: + kind: Service + name: example-applicationset-controller + weight: 100 + tls: + termination: reencrypt + certificate: |- + -----BEGIN CERTIFICATE----- + MIIFrjCCA5agAwIBAgIUbM9O0W6IdumLQodDCDqyckYDr2IwDQYJKoZIhvcNAQEL + BQAwTTELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFRlc3QxDTALBgNVBAoMBFRlc3Qx + DTALBgNVBAsMBFRlc3QxETAPBgNVBAMMCHRlc3QuY29tMCAXDTIzMTEyNjIyMTg0 + N1oYDzIxMjMxMTI3MjIxODQ3WjBNMQswCQYDVQQGEwJVUzENMAsGA1UECAwEVGVz + dDENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDERMA8GA1UEAwwIdGVzdC5j + b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDbgAmnUjFux9u2Xzhi + mno5zjA/YsoXr3eFtK9XtByQMLLyT0hbXoa9gpTeafOs3IkCotPdN+omxm2tN9UA + ebAq+EamWyIF28EA3UbCWWULghveezrmAKSMcqQqby3knbcbGng+ZZjRdC3xc0uz + /sd4FqaLt0UHBDMlpxRskj/S3CDetfyIrKYQcZ5NQjx75aRN8At5OPC1NiWTmlsv + ppa4LLV0HR6AJzq+C6RAmJTcHQOFAq33wZEHHIpoQoGWHHPpT0ut54KIiVTRJ2o4 + MEV4KlBBgL3ux4+v7R0RfVmzgaMEDG1fC9tX8pIofv7wP7WX/5XHTjyAiv8gbpUW + nLiU8FoTDZWxZN+MiCkUvZl8KqotbcUPjhnRdnq4anFwywY1lKILnCIayqzI7mPW + 12h39fNwprFz9YFYbLLoQHekir2nLw8ZH83nNyD82YQ3EFm7UnOld6zw/8aURRuQ + C0oOEHyAXsvIyaWAb6lWvplDdCUGQWWr7MVp5YPPhWdtAv7B4QLDUNHGQMU/1Qrq + VBH22lcU7XrCh6GXrRVm+gF7kAuJzkuae0txvk9mHc+8Y0C4/i9C3xU2qHjWcElw + etcHbqOZjDtC8+n8mDD4hDYEMGV54VhXCKwoFLneT2no27S3SVPvNbMfyyNuUa2i + 5azKnIf439Cmfww7ImxIpOR5nQIDAQABo4GDMIGAMB0GA1UdDgQWBBQfe95iWKlT + K6BGFov9JFXQTQN0ZjAfBgNVHSMEGDAWgBQfe95iWKlTK6BGFov9JFXQTQN0ZjAP + BgNVHRMBAf8EBTADAQH/MC0GA1UdEQQmMCSCB3dlYmhvb2uCDndlYmhvb2stc2Vy + dmVygglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggIBAH7Vv+Iar1UbF41c9I88 + oIu8iWfLVnAfe/64tULy77x4nfEQiukBJDoZ9m19KEVdPqsFzT6lFB7Fu1oc9A28 + 5b1+PEynHcopNK41zF4n4FnIy9h8zJfaPYYCPPMT0v9LzuT5zyF5sXCz0o4KwQJ6 + zrggZme8udl9sWyDxZyFoFPLWtnQFY7vJ9LSM2Gt+XUIuYNwDkvGFs6RfBYJGarX + qq7YHYj0H2x/us3KQCXGX5GzSmM9ewHvaScRpFcCdVwszKwWF0vMvdnh+3P72/Yy + dQvZXyfNiwqaIdznJn/AjzR9K4dHfbY7wMm83WHwWyjzV6CybHbtWpoUIlZtW3TT + gz6MP2z+BhOdMiQA33aO38J2TX/CMkEvkagEiZdS9t3xtpF2LOb5bRIdlENtZU0i + 
LnhgWEpJmswxBtuJ0d/zcyUlvK7FYoJZB7pT3YX/321HXZVCKyw+xrinwQoI3RnX + 7u0TZ3MqtSKEwCyDWYRJDbs6XUX1G0q7jXBf1+3cd+lBdOZ4Kl5B4YSU9hcFxAuO + 4a1eFXBdmT8PnwoTizFvag3IgBXkf8PqcKNvSMU6UKcD5LYTwRGK3JVl1L79gkrb + LmWEfOXFHgSlMIZkEs41TiopXy8p/LSera8NR86Q3mTZ7rRdEveOb6ZLJksRqaqr + UVwpFuaKz5vTCD36Gmmy/u8y + -----END CERTIFICATE----- + key: |- + -----BEGIN PRIVATE KEY----- + MIIJQAIBADANBgkqhkiG9w0BAQEFAASCCSowggkmAgEAAoICAQDbgAmnUjFux9u2 + Xzhimno5zjA/YsoXr3eFtK9XtByQMLLyT0hbXoa9gpTeafOs3IkCotPdN+omxm2t + N9UAebAq+EamWyIF28EA3UbCWWULghveezrmAKSMcqQqby3knbcbGng+ZZjRdC3x + c0uz/sd4FqaLt0UHBDMlpxRskj/S3CDetfyIrKYQcZ5NQjx75aRN8At5OPC1NiWT + mlsvppa4LLV0HR6AJzq+C6RAmJTcHQOFAq33wZEHHIpoQoGWHHPpT0ut54KIiVTR + J2o4MEV4KlBBgL3ux4+v7R0RfVmzgaMEDG1fC9tX8pIofv7wP7WX/5XHTjyAiv8g + bpUWnLiU8FoTDZWxZN+MiCkUvZl8KqotbcUPjhnRdnq4anFwywY1lKILnCIayqzI + 7mPW12h39fNwprFz9YFYbLLoQHekir2nLw8ZH83nNyD82YQ3EFm7UnOld6zw/8aU + RRuQC0oOEHyAXsvIyaWAb6lWvplDdCUGQWWr7MVp5YPPhWdtAv7B4QLDUNHGQMU/ + 1QrqVBH22lcU7XrCh6GXrRVm+gF7kAuJzkuae0txvk9mHc+8Y0C4/i9C3xU2qHjW + cElwetcHbqOZjDtC8+n8mDD4hDYEMGV54VhXCKwoFLneT2no27S3SVPvNbMfyyNu + Ua2i5azKnIf439Cmfww7ImxIpOR5nQIDAQABAoIB/2wImLfBvJLJy1n3g8kEPyQ0 + V4rbFJyTwEAOrj58Z5KQZYLdgr91xtt/acYOX+C0qrqhaaV338c14sVetXeGbS65 + BAzczeIURuol/q2pUhJX91+JR3Ps3RBDXImGLxBWj8jHPmd3mb99bx9nn9r3izWP + 8GjTyyWo64OcuHC3irI9pe/3olOiphlx0ng0IZDZdgTmIL+JRu/ptpTvY/IQDB6Z + 4rVDn79zj3X6RN2GO74aiaDtsLJAkyDs6zJliWJYnrQ2UwlE6PpKnXRT8fO1zntW + WCnlM5ZSomX0TlpNV9kB9ToI48vkChE/UrCb0N5ufPJS2WU/HIgn4WoVA0wd1rqO + OYfJB1IMY2RoWR9CXO0U51tCji+M83ATq+Fl0Xbxl8grn/q0PWlhmUvS9/Fe8aPA + yVTkEjT2j7MQGtqAO7L+xTUfVfGpFkDUn+QkM8BgNcygagN5ViOfWDFgMgjaFLrd + RZMh9kBi3Qjigj0NP4RaK4/ixURMT/FfwiRwEaH/1O1KXB3a0vanVuiXj5+oCrSE + gRBXdRt2+5FOtli8asre7NLk9unTDY1iEiIsVY8nIV+zmWhf2mR5MB34EoTEIunb + OaP9kbiJI6MctKoCsfsWNHfUDPsvriQevG65WETZ1/JKxxjxYlv/Xg702Cnk91Qv + DPrdZCbunMTP3pk5KMECggEBAO0W6hWye+r6e8aBX431Vhv78FDE/suE4iWeCCbA + to7gTnwWZfAB9ynp61bJDS7jXon7Vk0ExkB6nxNTIEj+Yn86M3+UjjuoadCL6hhL + 
h6xpkc1h1mj5A4IR/yi7RQgHmjKGHURgKyFIwAMYPXNVYD1Ozn9DyGmhG4LcGVQS + zfqclJu5oBCegAkf8EjIaDqMZGJZefxp8UYQy9FjAH1zzG/DXiEWgSPuwoeAu8Ep + SCKsc8EbmxLl9HvJCwvrVaqfuUygLESc/hZZoUFN6fAOQst2B5FS/ZklUECCGiiW + 7/8nnL7wbILV+AcGYVQrUBij9CtUzBZpcMMkHREkmZeN6wkCggEBAO0B+C+kAoat + UCfFG5I2Ds4Cro71AEpuWvEl6wtp5WKiZYuHR4ssGDUOshD4uLb44y4mqTphTiU+ + REV0RLQ/9mgFEmErK2glqkRKdskophbPTGQgwxgmfdQWe0Q42yuo47ljNZVEO201 + SxgpOrHlRYzOQ9XGJmuduKxnrarOYfEXJu1WiGbsiEtY/mrMOov6rcbNsZqsWYqG + kmE5Msg1PsuFvlQ9ndVmE+pd3rEIhYxicD8pyFvonvi2uMmR8HmNShWKi1FZxq8e + OlIgdsY4BuqnNUrnQprhm0hG5cGwcl5auL2+Jc5Uagm/egvtwxPhx+pVYcimKOL9 + CutpY7BeuvUCggEAC6UrfENXCNSizb4/Bkb9osQ+KolyhmaRgQ2BEv42OVBVKo0j + FqXSERH3SDz508rBMv/QXloUrsgXFijoFg3AosUmEGcokU+VWvP0XJshH9vTmIXs + tR0+Cd5+bO691kYhUcf6mggrNihPnhdLtWWFI53CUMfwiRertULAT7vYuC2Gsxtr + /ET8vvX9pGWLkQyiRZ5lenttqWZbzH4TYRYV/YtYDUIAt9YbYfJ1xmgTrfhQezSy + 6ju3RXk7fKtjesz7mgLoCbq4VDq0y/NawTrCFyJF/uJXqHUHuxNo24OGaD722P4Q + JmECHL44e5zhA0TSUmqI17T4H+2fK99jV+lVmQKCAQB2nTi3pw54ln56GOSOjS1l + nuP7udQWbBppe7+ha7MYZQwLA34jwcKvsxYc9k2DjRYtf73L8OzqKLqERAcqaqSI + NJmZNcC4k7keCmJelFBjNAYYSmk5SfJJVaMFZqsRs6mcm3Eyrf5LzpMxmVi9tW/U + Y1qBv3R1AW9uIUlCJZ3QyfR6bYdAc3pWs0hI7MMUUTXtO/552W3KrUTPEZA/sJ4n + v1yczmWSak7nSWltEkW8F3vzsJaMoOQGt3PNtZMzUinUlAzbfuG3vJoVhhfLZjjX + 8Szzur+Twfsz9f+Aqyzh2eeBVouXMpoLHOAY3jp2VdX2ihqxD6+AwoFXhdwVZaON + AoIBAF0/qvwsFThhB9a1wnXuGx1OBY+9owIoinIF2qNcHuqeontxfLWBg1izelJg + gxaATIMvpXgt7y5cBx6fLnylpLgl+TNXCrsrcLnXwJz0Neg/gcSZfcnqwhAhTio9 + iYLVJiK8wnh0pXONutGSasgq3tJLyrzT2+1L5jYKUaFkojIR16sHjo3/MJMPTHvL + fF1DX7y6acz3JXrGJYQsqcrVodSfcGZK/RJQkdvrSdBRZYgWq+CBYViOxkN7cscr + ruQ/DZH/ZCIxVckbuVsAMqdCqAO0gX83eEp7elfAVlnLhvxPluxISuXaJmhJNafr + Xq+NinfrqOLJkIZ/u/PJu4KqN3M= + -----END PRIVATE KEY----- \ No newline at end of file diff --git a/tests/ocp/1-005_validate_route_tls/03-secret-tls-data.yaml b/tests/ocp/1-005_validate_route_tls/03-secret-tls-data.yaml new file mode 100644 index 000000000..08a91b149 --- /dev/null 
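Review bot: The 03-assert fixture expects the operator to copy the Secret's `tls.crt`/`tls.key` verbatim into `spec.tls.certificate` and `spec.tls.key` on both Routes, and it never asserts `spec.tls.externalCertificate` on the Route, even though the install step configures the ArgoCD CR with `externalCertificate: name: tls-data-secret`. If inlining is the intended operator behavior, the private key leaves the Secret and becomes readable by anyone with `get` on Routes in the namespace, which is a wider audience than the Secret's; that trade-off deserves a comment in the fixture, e.g. `# NOTE: operator materialises the referenced Secret into spec.tls.key on the Route`. If the intent is instead to rely on the router's external-certificate support, the assertion should check `externalCertificate: name: tls-data-secret` and not expect `key:` at all. The 03-secret-tls-data hunk that starts after this one runs past the end of the visible diff.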
+++ b/tests/ocp/1-005_validate_route_tls/03-secret-tls-data.yaml 
@@ -0,0 +1,116 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example +spec: + server: + route: + enabled: true + tls: + externalCertificate: + name: tls-data-secret + termination: reencrypt + applicationSet: + enabled: true + webhookServer: + host: example.com + route: + enabled: true + tls: + externalCertificate: + name: tls-data-secret + termination: reencrypt +--- +apiVersion: v1 +kind: Secret +metadata: + name: tls-data-secret +type: kubernetes.io/tls +stringData: + tls.crt: |- + -----BEGIN CERTIFICATE----- + MIIFrjCCA5agAwIBAgIUbM9O0W6IdumLQodDCDqyckYDr2IwDQYJKoZIhvcNAQEL + BQAwTTELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFRlc3QxDTALBgNVBAoMBFRlc3Qx + DTALBgNVBAsMBFRlc3QxETAPBgNVBAMMCHRlc3QuY29tMCAXDTIzMTEyNjIyMTg0 + N1oYDzIxMjMxMTI3MjIxODQ3WjBNMQswCQYDVQQGEwJVUzENMAsGA1UECAwEVGVz + dDENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDERMA8GA1UEAwwIdGVzdC5j + b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDbgAmnUjFux9u2Xzhi + mno5zjA/YsoXr3eFtK9XtByQMLLyT0hbXoa9gpTeafOs3IkCotPdN+omxm2tN9UA + ebAq+EamWyIF28EA3UbCWWULghveezrmAKSMcqQqby3knbcbGng+ZZjRdC3xc0uz + /sd4FqaLt0UHBDMlpxRskj/S3CDetfyIrKYQcZ5NQjx75aRN8At5OPC1NiWTmlsv + ppa4LLV0HR6AJzq+C6RAmJTcHQOFAq33wZEHHIpoQoGWHHPpT0ut54KIiVTRJ2o4 + MEV4KlBBgL3ux4+v7R0RfVmzgaMEDG1fC9tX8pIofv7wP7WX/5XHTjyAiv8gbpUW + nLiU8FoTDZWxZN+MiCkUvZl8KqotbcUPjhnRdnq4anFwywY1lKILnCIayqzI7mPW + 12h39fNwprFz9YFYbLLoQHekir2nLw8ZH83nNyD82YQ3EFm7UnOld6zw/8aURRuQ + C0oOEHyAXsvIyaWAb6lWvplDdCUGQWWr7MVp5YPPhWdtAv7B4QLDUNHGQMU/1Qrq + VBH22lcU7XrCh6GXrRVm+gF7kAuJzkuae0txvk9mHc+8Y0C4/i9C3xU2qHjWcElw + etcHbqOZjDtC8+n8mDD4hDYEMGV54VhXCKwoFLneT2no27S3SVPvNbMfyyNuUa2i + 5azKnIf439Cmfww7ImxIpOR5nQIDAQABo4GDMIGAMB0GA1UdDgQWBBQfe95iWKlT + K6BGFov9JFXQTQN0ZjAfBgNVHSMEGDAWgBQfe95iWKlTK6BGFov9JFXQTQN0ZjAP + BgNVHRMBAf8EBTADAQH/MC0GA1UdEQQmMCSCB3dlYmhvb2uCDndlYmhvb2stc2Vy + dmVygglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggIBAH7Vv+Iar1UbF41c9I88 + oIu8iWfLVnAfe/64tULy77x4nfEQiukBJDoZ9m19KEVdPqsFzT6lFB7Fu1oc9A28 + 
5b1+PEynHcopNK41zF4n4FnIy9h8zJfaPYYCPPMT0v9LzuT5zyF5sXCz0o4KwQJ6 + zrggZme8udl9sWyDxZyFoFPLWtnQFY7vJ9LSM2Gt+XUIuYNwDkvGFs6RfBYJGarX + qq7YHYj0H2x/us3KQCXGX5GzSmM9ewHvaScRpFcCdVwszKwWF0vMvdnh+3P72/Yy + dQvZXyfNiwqaIdznJn/AjzR9K4dHfbY7wMm83WHwWyjzV6CybHbtWpoUIlZtW3TT + gz6MP2z+BhOdMiQA33aO38J2TX/CMkEvkagEiZdS9t3xtpF2LOb5bRIdlENtZU0i + LnhgWEpJmswxBtuJ0d/zcyUlvK7FYoJZB7pT3YX/321HXZVCKyw+xrinwQoI3RnX + 7u0TZ3MqtSKEwCyDWYRJDbs6XUX1G0q7jXBf1+3cd+lBdOZ4Kl5B4YSU9hcFxAuO + 4a1eFXBdmT8PnwoTizFvag3IgBXkf8PqcKNvSMU6UKcD5LYTwRGK3JVl1L79gkrb + LmWEfOXFHgSlMIZkEs41TiopXy8p/LSera8NR86Q3mTZ7rRdEveOb6ZLJksRqaqr + UVwpFuaKz5vTCD36Gmmy/u8y + -----END CERTIFICATE----- + tls.key: |- + -----BEGIN PRIVATE KEY----- + MIIJQAIBADANBgkqhkiG9w0BAQEFAASCCSowggkmAgEAAoICAQDbgAmnUjFux9u2 + Xzhimno5zjA/YsoXr3eFtK9XtByQMLLyT0hbXoa9gpTeafOs3IkCotPdN+omxm2t + N9UAebAq+EamWyIF28EA3UbCWWULghveezrmAKSMcqQqby3knbcbGng+ZZjRdC3x + c0uz/sd4FqaLt0UHBDMlpxRskj/S3CDetfyIrKYQcZ5NQjx75aRN8At5OPC1NiWT + mlsvppa4LLV0HR6AJzq+C6RAmJTcHQOFAq33wZEHHIpoQoGWHHPpT0ut54KIiVTR + J2o4MEV4KlBBgL3ux4+v7R0RfVmzgaMEDG1fC9tX8pIofv7wP7WX/5XHTjyAiv8g + bpUWnLiU8FoTDZWxZN+MiCkUvZl8KqotbcUPjhnRdnq4anFwywY1lKILnCIayqzI + 7mPW12h39fNwprFz9YFYbLLoQHekir2nLw8ZH83nNyD82YQ3EFm7UnOld6zw/8aU + RRuQC0oOEHyAXsvIyaWAb6lWvplDdCUGQWWr7MVp5YPPhWdtAv7B4QLDUNHGQMU/ + 1QrqVBH22lcU7XrCh6GXrRVm+gF7kAuJzkuae0txvk9mHc+8Y0C4/i9C3xU2qHjW + cElwetcHbqOZjDtC8+n8mDD4hDYEMGV54VhXCKwoFLneT2no27S3SVPvNbMfyyNu + Ua2i5azKnIf439Cmfww7ImxIpOR5nQIDAQABAoIB/2wImLfBvJLJy1n3g8kEPyQ0 + V4rbFJyTwEAOrj58Z5KQZYLdgr91xtt/acYOX+C0qrqhaaV338c14sVetXeGbS65 + BAzczeIURuol/q2pUhJX91+JR3Ps3RBDXImGLxBWj8jHPmd3mb99bx9nn9r3izWP + 8GjTyyWo64OcuHC3irI9pe/3olOiphlx0ng0IZDZdgTmIL+JRu/ptpTvY/IQDB6Z + 4rVDn79zj3X6RN2GO74aiaDtsLJAkyDs6zJliWJYnrQ2UwlE6PpKnXRT8fO1zntW + WCnlM5ZSomX0TlpNV9kB9ToI48vkChE/UrCb0N5ufPJS2WU/HIgn4WoVA0wd1rqO + OYfJB1IMY2RoWR9CXO0U51tCji+M83ATq+Fl0Xbxl8grn/q0PWlhmUvS9/Fe8aPA + yVTkEjT2j7MQGtqAO7L+xTUfVfGpFkDUn+QkM8BgNcygagN5ViOfWDFgMgjaFLrd + 
RZMh9kBi3Qjigj0NP4RaK4/ixURMT/FfwiRwEaH/1O1KXB3a0vanVuiXj5+oCrSE + gRBXdRt2+5FOtli8asre7NLk9unTDY1iEiIsVY8nIV+zmWhf2mR5MB34EoTEIunb + OaP9kbiJI6MctKoCsfsWNHfUDPsvriQevG65WETZ1/JKxxjxYlv/Xg702Cnk91Qv + DPrdZCbunMTP3pk5KMECggEBAO0W6hWye+r6e8aBX431Vhv78FDE/suE4iWeCCbA + to7gTnwWZfAB9ynp61bJDS7jXon7Vk0ExkB6nxNTIEj+Yn86M3+UjjuoadCL6hhL + h6xpkc1h1mj5A4IR/yi7RQgHmjKGHURgKyFIwAMYPXNVYD1Ozn9DyGmhG4LcGVQS + zfqclJu5oBCegAkf8EjIaDqMZGJZefxp8UYQy9FjAH1zzG/DXiEWgSPuwoeAu8Ep + SCKsc8EbmxLl9HvJCwvrVaqfuUygLESc/hZZoUFN6fAOQst2B5FS/ZklUECCGiiW + 7/8nnL7wbILV+AcGYVQrUBij9CtUzBZpcMMkHREkmZeN6wkCggEBAO0B+C+kAoat + UCfFG5I2Ds4Cro71AEpuWvEl6wtp5WKiZYuHR4ssGDUOshD4uLb44y4mqTphTiU+ + REV0RLQ/9mgFEmErK2glqkRKdskophbPTGQgwxgmfdQWe0Q42yuo47ljNZVEO201 + SxgpOrHlRYzOQ9XGJmuduKxnrarOYfEXJu1WiGbsiEtY/mrMOov6rcbNsZqsWYqG + kmE5Msg1PsuFvlQ9ndVmE+pd3rEIhYxicD8pyFvonvi2uMmR8HmNShWKi1FZxq8e + OlIgdsY4BuqnNUrnQprhm0hG5cGwcl5auL2+Jc5Uagm/egvtwxPhx+pVYcimKOL9 + CutpY7BeuvUCggEAC6UrfENXCNSizb4/Bkb9osQ+KolyhmaRgQ2BEv42OVBVKo0j + FqXSERH3SDz508rBMv/QXloUrsgXFijoFg3AosUmEGcokU+VWvP0XJshH9vTmIXs + tR0+Cd5+bO691kYhUcf6mggrNihPnhdLtWWFI53CUMfwiRertULAT7vYuC2Gsxtr + /ET8vvX9pGWLkQyiRZ5lenttqWZbzH4TYRYV/YtYDUIAt9YbYfJ1xmgTrfhQezSy + 6ju3RXk7fKtjesz7mgLoCbq4VDq0y/NawTrCFyJF/uJXqHUHuxNo24OGaD722P4Q + JmECHL44e5zhA0TSUmqI17T4H+2fK99jV+lVmQKCAQB2nTi3pw54ln56GOSOjS1l + nuP7udQWbBppe7+ha7MYZQwLA34jwcKvsxYc9k2DjRYtf73L8OzqKLqERAcqaqSI + NJmZNcC4k7keCmJelFBjNAYYSmk5SfJJVaMFZqsRs6mcm3Eyrf5LzpMxmVi9tW/U + Y1qBv3R1AW9uIUlCJZ3QyfR6bYdAc3pWs0hI7MMUUTXtO/552W3KrUTPEZA/sJ4n + v1yczmWSak7nSWltEkW8F3vzsJaMoOQGt3PNtZMzUinUlAzbfuG3vJoVhhfLZjjX + 8Szzur+Twfsz9f+Aqyzh2eeBVouXMpoLHOAY3jp2VdX2ihqxD6+AwoFXhdwVZaON + AoIBAF0/qvwsFThhB9a1wnXuGx1OBY+9owIoinIF2qNcHuqeontxfLWBg1izelJg + gxaATIMvpXgt7y5cBx6fLnylpLgl+TNXCrsrcLnXwJz0Neg/gcSZfcnqwhAhTio9 + iYLVJiK8wnh0pXONutGSasgq3tJLyrzT2+1L5jYKUaFkojIR16sHjo3/MJMPTHvL + fF1DX7y6acz3JXrGJYQsqcrVodSfcGZK/RJQkdvrSdBRZYgWq+CBYViOxkN7cscr + 
ruQ/DZH/ZCIxVckbuVsAMqdCqAO0gX83eEp7elfAVlnLhvxPluxISuXaJmhJNafr + Xq+NinfrqOLJkIZ/u/PJu4KqN3M= + -----END PRIVATE KEY----- \ No newline at end of file diff --git a/tests/ocp/1-005_validate_route_tls/04-assert.yaml b/tests/ocp/1-005_validate_route_tls/04-assert.yaml new file mode 100644 index 000000000..281015a8e --- /dev/null +++ b/tests/ocp/1-005_validate_route_tls/04-assert.yaml 
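Review bot: The `tls-data-secret` fixture commits a complete PEM private key with nothing in the file stating that it is disposable test material, so a later reader or a secret scanner has no way to distinguish it from a leaked credential. Add a comment above `stringData:` such as `# Self-signed throwaway key pair generated for this kuttl test only; not used by any real endpoint.` and keep the pair unique to this test directory so it is never reused elsewhere. A path-based scanner allowlist does not document that intent where the fixture is actually read.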
@@ -0,0 +1,170 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example +status: + phase: Available + applicationSetController: Running + server: Running +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: example-server +spec: + to: + kind: Service + name: example-server + weight: 100 + tls: + termination: reencrypt + # latest data from secret + certificate: |- + -----BEGIN CERTIFICATE----- + MIIEbTCCAtWgAwIBAgIUA80/UfgNcx8tYz/XXlo6X8DJzXQwDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA5MjUwNDM4MjdaGA8yMTIz + MDQyMDA0MzgyN1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAaIwDQYJKoZIhvcN + AQEBBQADggGPADCCAYoCggGBAJUuv+nO7S02+BHo5zkVg/IwUNSqQhsgKe3Djzsm + ISctrzNgrtUPqxYU0XDPXIS/v4wrtXrbXjlEaVgpTToqt/DRITH/I9FZzFQRQWKb + Gx0g3aH/LFJHHix4KCMPzEcykXba3zJqZei4NeJ7ym/Z5g/gJjGOE2SDVJN7YA9p + WKEgf/+TB6uPkEcgNc+8rFKbwQ63IhqOnHZq0mFaT/DWQUWYqLNZOHIiXjIELjGe + RjzmxlTQd9hWrC+FP1fOz9Ahpnw8oJ+wEpMUSpsAd3FFYUDZW/bj3jwWLT3WtmTb + d5ehpeE/zM5twy4rZXzT43+fsO/ns2YDxsSiujrtwm/Ar5k86S2XTkWro6f/t/Ml + dcIGzUZm2lSRacX1brIhNryHU2ZyVsEKJbS4/7N/wHTqhctSZlJRXkfjPiIC2KHV + YngPAtJ+fSmdULd7rIWcaxsrpnyozVpzYm5U8XRGm/pj2FFHVKPdSBoo2GrkVMyh + oU3+YiFno57wNbrm9ROzMIHhhwIDAQABo1MwUTAdBgNVHQ4EFgQUTbU3O3JsKBC6 + jCLjxTX4zWEAgc8wHwYDVR0jBBgwFoAUTbU3O3JsKBC6jCLjxTX4zWEAgc8wDwYD + VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAMthyYhEUf5GdrKSMBuWR + +QlsBau/6N2nSxRxM2g4oexQOGUny1r76KrW6o/2V/PYyz/3WgOgSB/4sZxNoeu8 + rsjY9sp/bCWJ6jEmhm2kkVeb3Arix0iNt7BviOCjoVchc31R20JLP0a6WK+KtiV2 + C8qbuOQEkVWY/NVy+buHKqJjNZXyj8ADX0It8rAmaEGMEGkEFtYTnjEYHdkPWfYx + 6P9C12PrZySu9+L3eGmylKeDU7dWvBAONbHfHL8W/8pxG1CwObfkTEpzVTlR0SfI + W1dZ9YXb7S5F/0j6GLeUSgvnQZxH4rbc699wC9Y/kt5EozT1xvmKgZ6G6vaU2Mhb + jZnrbB4swXCVf98HDAy8PWrn7BWky9G8SbM5kS6Mj9pQwZnnfF6VLg+uWBBjMh7g + 0Ntf+Lv/IC5v+jC7TDKRPCAUGYzBRLMbT0WvK0BVXhp6swCi4qtME/BTsqXA6zzk + 
5PfEh1b+yuqxbF3bU8rII1LIsXxr96lssl+H0HxPpQKv + -----END CERTIFICATE----- + key: |- + -----BEGIN PRIVATE KEY----- + MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCVLr/pzu0tNvgR + 6Oc5FYPyMFDUqkIbICntw487JiEnLa8zYK7VD6sWFNFwz1yEv7+MK7V62145RGlY + KU06Krfw0SEx/yPRWcxUEUFimxsdIN2h/yxSRx4seCgjD8xHMpF22t8yamXouDXi + e8pv2eYP4CYxjhNkg1STe2APaVihIH//kwerj5BHIDXPvKxSm8EOtyIajpx2atJh + Wk/w1kFFmKizWThyIl4yBC4xnkY85sZU0HfYVqwvhT9Xzs/QIaZ8PKCfsBKTFEqb + AHdxRWFA2Vv24948Fi091rZk23eXoaXhP8zObcMuK2V80+N/n7Dv57NmA8bEoro6 + 7cJvwK+ZPOktl05Fq6On/7fzJXXCBs1GZtpUkWnF9W6yITa8h1NmclbBCiW0uP+z + f8B06oXLUmZSUV5H4z4iAtih1WJ4DwLSfn0pnVC3e6yFnGsbK6Z8qM1ac2JuVPF0 + Rpv6Y9hRR1Sj3UgaKNhq5FTMoaFN/mIhZ6Oe8DW65vUTszCB4YcCAwEAAQKCAYBJ + 9tTF6odjTIav8oZ5ofY6ZMQevI9r/YVsUfI4xE3Zq+falEv6bPtJRmcVBGp9ksg4 + ig8/a3YK9KU6Rbf5Z+as6jMII9SxXlFVOPzvE7HcvkfEosxpusL2D1jvEU0Z27ON + dzUEPQZr3LEyqmeTDzjmlB67oRJyWj7bpGbbHUMJGCD+KPq7j8Fb0ld7uLLDfl+4 + mQm6mwxuFcZa6DkMUl4oUGkMCudWhz2mlLYGec+fMFgTAwz4YPib0ve15F7adWPh + EYqE8cqz3p1r2b9O6MNu0GTK16+388AFVSULImag/525pddohZgPHU8BJAKffGL6 + XCCfQrQBbe6geYsNANx8E34M3fbmkeby41oLY8v8PJOMHvoDREqD7tgqlPgozlD0 + BXlDaxTYLAwbyK+jARvQT60a4V744MMhsJ57GMC69R/YDW7Qbd4hiD3P4XEmqHBz + a/dhsNsJylgTMLFOIr4RnH/82yXyG3J0WTtZP+kRxq1aHaTduSif1SQkFqhr+MkC + gcEAxxmX9UAChk+DuOPsYYtx+kl/0aR8B5tvVQRQDxfij0Km9nXEyTsRE34sFlAk + RxgVUb+DjARPn5OuST/v3HHemGUU2x/L5BYYgtn9waI6vpTA3lllPzTYIr6aZfkb + yaX6UbHk5C9af/0F+xq4pNoSpcafdrE5dJ9JyM/20Q3DRxCN+RY2alezO/UCe0Sf + 3OH7Qk2RYgbP1lADV/58oqGpU079N1M4yt6ziyltPC8y/laGOAA00ZGFBPzySs2J + 3yXbAoHBAL/RI4s2WsX8ERaa/GXo85q0/LK2Wq8LICm/jxrMAZrVK1u9kSEKgps2 + pGV9hE73y7gBgstrfrUKghSsqwtIwQCXVYFKEzu4l2fojukJ13eCR7YSBqGTM3Jn + PhyjvxoAcmBsKjkoaXAt5+6DtuTVlQmElJB1s/A8us6rwy2GaXAWTHhNGJ5xuSAd + h3nW1Bsg84f5J6Vx0mnW85kAipB16LZFKUSqHpWYZ+Qe9yT0+iS0Fexz/dHmX4WA + eBZ0rulAxQKBwAutkKAt9PfzygIaPE8sYq8PiJO/VhcMIueVrSx1djB49FoYZkZ3 + VHUUPXnBkZ8p5nY5CXo49oKhouNhAKypcSj3JNYFc2wZb66dIqks3s025GkmTS37 + 54GCNIQurFaTia8pBAfuTxyatrMXyiTBNb7Le6b2liwk+6rvp8ZzTDTq36jwiJiM + 
NFMb991LFSVbi+VDr3dUdvRXFRsgLidL3Caqx2drVjVwAo/zChkxm4gXgx/dwztX + kbnNLFj+3UtdaQKBwBfHGRzctAvu3z9qHveTFP+Mh/avXDZurqH+OQMdXuWOnz1U + FnV+FAqhj2d1U71mQj6hEVGeFarjjpR5gwp3DlXAbL0GLbQtgbdDwNNqgOczoygS + u/ezg6Ee4zgxpDLY81S4k9NaCxf42NNcSIO9Zigz4ya1MIULQiz0ZdFy5Acc/IW9 + KNwbRNOSVYTo+IoUX5vvata7cVXla3T/+C1IMHzHvgHhBMGOjvJcVE6kf42lNUKG + bmRiplyqPDisZjJL8QKBwQCupVWTNeEy0YZ+7mwyJZ1DLURRlgUOKx7LhkO1MDn4 + YyjJrDm1Ne3XjNXq/wjaQX5KuUdkXoqAp1emo2nKGqqVjwSkWX6ordO6mLYhGDiA + vDydisaLX4I8x6NZFIabzqpZbmf6pWlxXVsEptXdAeALpxNZ/r/P34UOgF/g5jZB + /r8qFYC5HnDCY72bY52UXON3ktVmhC7PK3JNmruJgunEfC/yOk8YB9Eks7+3+9SR + HkXkOt1cAbJWZruf4j13X4s= + -----END PRIVATE KEY----- +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: example-applicationset-controller-webhook +spec: + to: + kind: Service + name: example-applicationset-controller + weight: 100 + tls: + termination: reencrypt + # latest data from secret + certificate: |- + -----BEGIN CERTIFICATE----- + MIIEbTCCAtWgAwIBAgIUA80/UfgNcx8tYz/XXlo6X8DJzXQwDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA5MjUwNDM4MjdaGA8yMTIz + MDQyMDA0MzgyN1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAaIwDQYJKoZIhvcN + AQEBBQADggGPADCCAYoCggGBAJUuv+nO7S02+BHo5zkVg/IwUNSqQhsgKe3Djzsm + ISctrzNgrtUPqxYU0XDPXIS/v4wrtXrbXjlEaVgpTToqt/DRITH/I9FZzFQRQWKb + Gx0g3aH/LFJHHix4KCMPzEcykXba3zJqZei4NeJ7ym/Z5g/gJjGOE2SDVJN7YA9p + WKEgf/+TB6uPkEcgNc+8rFKbwQ63IhqOnHZq0mFaT/DWQUWYqLNZOHIiXjIELjGe + RjzmxlTQd9hWrC+FP1fOz9Ahpnw8oJ+wEpMUSpsAd3FFYUDZW/bj3jwWLT3WtmTb + d5ehpeE/zM5twy4rZXzT43+fsO/ns2YDxsSiujrtwm/Ar5k86S2XTkWro6f/t/Ml + dcIGzUZm2lSRacX1brIhNryHU2ZyVsEKJbS4/7N/wHTqhctSZlJRXkfjPiIC2KHV + YngPAtJ+fSmdULd7rIWcaxsrpnyozVpzYm5U8XRGm/pj2FFHVKPdSBoo2GrkVMyh + oU3+YiFno57wNbrm9ROzMIHhhwIDAQABo1MwUTAdBgNVHQ4EFgQUTbU3O3JsKBC6 + jCLjxTX4zWEAgc8wHwYDVR0jBBgwFoAUTbU3O3JsKBC6jCLjxTX4zWEAgc8wDwYD + 
VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAMthyYhEUf5GdrKSMBuWR + +QlsBau/6N2nSxRxM2g4oexQOGUny1r76KrW6o/2V/PYyz/3WgOgSB/4sZxNoeu8 + rsjY9sp/bCWJ6jEmhm2kkVeb3Arix0iNt7BviOCjoVchc31R20JLP0a6WK+KtiV2 + C8qbuOQEkVWY/NVy+buHKqJjNZXyj8ADX0It8rAmaEGMEGkEFtYTnjEYHdkPWfYx + 6P9C12PrZySu9+L3eGmylKeDU7dWvBAONbHfHL8W/8pxG1CwObfkTEpzVTlR0SfI + W1dZ9YXb7S5F/0j6GLeUSgvnQZxH4rbc699wC9Y/kt5EozT1xvmKgZ6G6vaU2Mhb + jZnrbB4swXCVf98HDAy8PWrn7BWky9G8SbM5kS6Mj9pQwZnnfF6VLg+uWBBjMh7g + 0Ntf+Lv/IC5v+jC7TDKRPCAUGYzBRLMbT0WvK0BVXhp6swCi4qtME/BTsqXA6zzk + 5PfEh1b+yuqxbF3bU8rII1LIsXxr96lssl+H0HxPpQKv + -----END CERTIFICATE----- + key: |- + -----BEGIN PRIVATE KEY----- + MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCVLr/pzu0tNvgR + 6Oc5FYPyMFDUqkIbICntw487JiEnLa8zYK7VD6sWFNFwz1yEv7+MK7V62145RGlY + KU06Krfw0SEx/yPRWcxUEUFimxsdIN2h/yxSRx4seCgjD8xHMpF22t8yamXouDXi + e8pv2eYP4CYxjhNkg1STe2APaVihIH//kwerj5BHIDXPvKxSm8EOtyIajpx2atJh + Wk/w1kFFmKizWThyIl4yBC4xnkY85sZU0HfYVqwvhT9Xzs/QIaZ8PKCfsBKTFEqb + AHdxRWFA2Vv24948Fi091rZk23eXoaXhP8zObcMuK2V80+N/n7Dv57NmA8bEoro6 + 7cJvwK+ZPOktl05Fq6On/7fzJXXCBs1GZtpUkWnF9W6yITa8h1NmclbBCiW0uP+z + f8B06oXLUmZSUV5H4z4iAtih1WJ4DwLSfn0pnVC3e6yFnGsbK6Z8qM1ac2JuVPF0 + Rpv6Y9hRR1Sj3UgaKNhq5FTMoaFN/mIhZ6Oe8DW65vUTszCB4YcCAwEAAQKCAYBJ + 9tTF6odjTIav8oZ5ofY6ZMQevI9r/YVsUfI4xE3Zq+falEv6bPtJRmcVBGp9ksg4 + ig8/a3YK9KU6Rbf5Z+as6jMII9SxXlFVOPzvE7HcvkfEosxpusL2D1jvEU0Z27ON + dzUEPQZr3LEyqmeTDzjmlB67oRJyWj7bpGbbHUMJGCD+KPq7j8Fb0ld7uLLDfl+4 + mQm6mwxuFcZa6DkMUl4oUGkMCudWhz2mlLYGec+fMFgTAwz4YPib0ve15F7adWPh + EYqE8cqz3p1r2b9O6MNu0GTK16+388AFVSULImag/525pddohZgPHU8BJAKffGL6 + XCCfQrQBbe6geYsNANx8E34M3fbmkeby41oLY8v8PJOMHvoDREqD7tgqlPgozlD0 + BXlDaxTYLAwbyK+jARvQT60a4V744MMhsJ57GMC69R/YDW7Qbd4hiD3P4XEmqHBz + a/dhsNsJylgTMLFOIr4RnH/82yXyG3J0WTtZP+kRxq1aHaTduSif1SQkFqhr+MkC + gcEAxxmX9UAChk+DuOPsYYtx+kl/0aR8B5tvVQRQDxfij0Km9nXEyTsRE34sFlAk + RxgVUb+DjARPn5OuST/v3HHemGUU2x/L5BYYgtn9waI6vpTA3lllPzTYIr6aZfkb + yaX6UbHk5C9af/0F+xq4pNoSpcafdrE5dJ9JyM/20Q3DRxCN+RY2alezO/UCe0Sf + 
3OH7Qk2RYgbP1lADV/58oqGpU079N1M4yt6ziyltPC8y/laGOAA00ZGFBPzySs2J + 3yXbAoHBAL/RI4s2WsX8ERaa/GXo85q0/LK2Wq8LICm/jxrMAZrVK1u9kSEKgps2 + pGV9hE73y7gBgstrfrUKghSsqwtIwQCXVYFKEzu4l2fojukJ13eCR7YSBqGTM3Jn + PhyjvxoAcmBsKjkoaXAt5+6DtuTVlQmElJB1s/A8us6rwy2GaXAWTHhNGJ5xuSAd + h3nW1Bsg84f5J6Vx0mnW85kAipB16LZFKUSqHpWYZ+Qe9yT0+iS0Fexz/dHmX4WA + eBZ0rulAxQKBwAutkKAt9PfzygIaPE8sYq8PiJO/VhcMIueVrSx1djB49FoYZkZ3 + VHUUPXnBkZ8p5nY5CXo49oKhouNhAKypcSj3JNYFc2wZb66dIqks3s025GkmTS37 + 54GCNIQurFaTia8pBAfuTxyatrMXyiTBNb7Le6b2liwk+6rvp8ZzTDTq36jwiJiM + NFMb991LFSVbi+VDr3dUdvRXFRsgLidL3Caqx2drVjVwAo/zChkxm4gXgx/dwztX + kbnNLFj+3UtdaQKBwBfHGRzctAvu3z9qHveTFP+Mh/avXDZurqH+OQMdXuWOnz1U + FnV+FAqhj2d1U71mQj6hEVGeFarjjpR5gwp3DlXAbL0GLbQtgbdDwNNqgOczoygS + u/ezg6Ee4zgxpDLY81S4k9NaCxf42NNcSIO9Zigz4ya1MIULQiz0ZdFy5Acc/IW9 + KNwbRNOSVYTo+IoUX5vvata7cVXla3T/+C1IMHzHvgHhBMGOjvJcVE6kf42lNUKG + bmRiplyqPDisZjJL8QKBwQCupVWTNeEy0YZ+7mwyJZ1DLURRlgUOKx7LhkO1MDn4 + YyjJrDm1Ne3XjNXq/wjaQX5KuUdkXoqAp1emo2nKGqqVjwSkWX6ordO6mLYhGDiA + vDydisaLX4I8x6NZFIabzqpZbmf6pWlxXVsEptXdAeALpxNZ/r/P34UOgF/g5jZB + /r8qFYC5HnDCY72bY52UXON3ktVmhC7PK3JNmruJgunEfC/yOk8YB9Eks7+3+9SR + HkXkOt1cAbJWZruf4j13X4s= + -----END PRIVATE KEY----- \ No newline at end of file diff --git a/tests/ocp/1-005_validate_route_tls/04-update-secret-tls-data.yaml b/tests/ocp/1-005_validate_route_tls/04-update-secret-tls-data.yaml new file mode 100644 index 000000000..47f0599cd --- /dev/null +++ b/tests/ocp/1-005_validate_route_tls/04-update-secret-tls-data.yaml 
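Review bot: The assertion pins that the private key from `tls-data-secret` is copied verbatim into `spec.tls.key` of both the `example-server` and `example-applicationset-controller-webhook` Routes, which makes the key readable by anyone who can read Routes in the namespace, a wider audience than readers of the Secret. If that copy is the intended contract of `externalCertificate` with `termination: reencrypt`, state it next to the `# latest data from secret` comment, e.g. `# the operator inlines both the certificate and the private key into the Route; Route readers can see the key`; if it is not intended, the `key:` block should not be asserted. The comment also helps the next maintainer understand why rotating the Secret must propagate to the Route, which is what this step verifies.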
@@ -0,0 +1,79 @@ +apiVersion: v1 +kind: Secret +metadata: + name: tls-data-secret +type: kubernetes.io/tls +stringData: + tls.crt: |- + -----BEGIN CERTIFICATE----- + MIIEbTCCAtWgAwIBAgIUA80/UfgNcx8tYz/XXlo6X8DJzXQwDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA5MjUwNDM4MjdaGA8yMTIz + MDQyMDA0MzgyN1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAaIwDQYJKoZIhvcN + AQEBBQADggGPADCCAYoCggGBAJUuv+nO7S02+BHo5zkVg/IwUNSqQhsgKe3Djzsm + ISctrzNgrtUPqxYU0XDPXIS/v4wrtXrbXjlEaVgpTToqt/DRITH/I9FZzFQRQWKb + Gx0g3aH/LFJHHix4KCMPzEcykXba3zJqZei4NeJ7ym/Z5g/gJjGOE2SDVJN7YA9p + WKEgf/+TB6uPkEcgNc+8rFKbwQ63IhqOnHZq0mFaT/DWQUWYqLNZOHIiXjIELjGe + RjzmxlTQd9hWrC+FP1fOz9Ahpnw8oJ+wEpMUSpsAd3FFYUDZW/bj3jwWLT3WtmTb + d5ehpeE/zM5twy4rZXzT43+fsO/ns2YDxsSiujrtwm/Ar5k86S2XTkWro6f/t/Ml + dcIGzUZm2lSRacX1brIhNryHU2ZyVsEKJbS4/7N/wHTqhctSZlJRXkfjPiIC2KHV + YngPAtJ+fSmdULd7rIWcaxsrpnyozVpzYm5U8XRGm/pj2FFHVKPdSBoo2GrkVMyh + oU3+YiFno57wNbrm9ROzMIHhhwIDAQABo1MwUTAdBgNVHQ4EFgQUTbU3O3JsKBC6 + jCLjxTX4zWEAgc8wHwYDVR0jBBgwFoAUTbU3O3JsKBC6jCLjxTX4zWEAgc8wDwYD + VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAMthyYhEUf5GdrKSMBuWR + +QlsBau/6N2nSxRxM2g4oexQOGUny1r76KrW6o/2V/PYyz/3WgOgSB/4sZxNoeu8 + rsjY9sp/bCWJ6jEmhm2kkVeb3Arix0iNt7BviOCjoVchc31R20JLP0a6WK+KtiV2 + C8qbuOQEkVWY/NVy+buHKqJjNZXyj8ADX0It8rAmaEGMEGkEFtYTnjEYHdkPWfYx + 6P9C12PrZySu9+L3eGmylKeDU7dWvBAONbHfHL8W/8pxG1CwObfkTEpzVTlR0SfI + W1dZ9YXb7S5F/0j6GLeUSgvnQZxH4rbc699wC9Y/kt5EozT1xvmKgZ6G6vaU2Mhb + jZnrbB4swXCVf98HDAy8PWrn7BWky9G8SbM5kS6Mj9pQwZnnfF6VLg+uWBBjMh7g + 0Ntf+Lv/IC5v+jC7TDKRPCAUGYzBRLMbT0WvK0BVXhp6swCi4qtME/BTsqXA6zzk + 5PfEh1b+yuqxbF3bU8rII1LIsXxr96lssl+H0HxPpQKv + -----END CERTIFICATE----- + tls.key: |- + -----BEGIN PRIVATE KEY----- + MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCVLr/pzu0tNvgR + 6Oc5FYPyMFDUqkIbICntw487JiEnLa8zYK7VD6sWFNFwz1yEv7+MK7V62145RGlY + 
KU06Krfw0SEx/yPRWcxUEUFimxsdIN2h/yxSRx4seCgjD8xHMpF22t8yamXouDXi + e8pv2eYP4CYxjhNkg1STe2APaVihIH//kwerj5BHIDXPvKxSm8EOtyIajpx2atJh + Wk/w1kFFmKizWThyIl4yBC4xnkY85sZU0HfYVqwvhT9Xzs/QIaZ8PKCfsBKTFEqb + AHdxRWFA2Vv24948Fi091rZk23eXoaXhP8zObcMuK2V80+N/n7Dv57NmA8bEoro6 + 7cJvwK+ZPOktl05Fq6On/7fzJXXCBs1GZtpUkWnF9W6yITa8h1NmclbBCiW0uP+z + f8B06oXLUmZSUV5H4z4iAtih1WJ4DwLSfn0pnVC3e6yFnGsbK6Z8qM1ac2JuVPF0 + Rpv6Y9hRR1Sj3UgaKNhq5FTMoaFN/mIhZ6Oe8DW65vUTszCB4YcCAwEAAQKCAYBJ + 9tTF6odjTIav8oZ5ofY6ZMQevI9r/YVsUfI4xE3Zq+falEv6bPtJRmcVBGp9ksg4 + ig8/a3YK9KU6Rbf5Z+as6jMII9SxXlFVOPzvE7HcvkfEosxpusL2D1jvEU0Z27ON + dzUEPQZr3LEyqmeTDzjmlB67oRJyWj7bpGbbHUMJGCD+KPq7j8Fb0ld7uLLDfl+4 + mQm6mwxuFcZa6DkMUl4oUGkMCudWhz2mlLYGec+fMFgTAwz4YPib0ve15F7adWPh + EYqE8cqz3p1r2b9O6MNu0GTK16+388AFVSULImag/525pddohZgPHU8BJAKffGL6 + XCCfQrQBbe6geYsNANx8E34M3fbmkeby41oLY8v8PJOMHvoDREqD7tgqlPgozlD0 + BXlDaxTYLAwbyK+jARvQT60a4V744MMhsJ57GMC69R/YDW7Qbd4hiD3P4XEmqHBz + a/dhsNsJylgTMLFOIr4RnH/82yXyG3J0WTtZP+kRxq1aHaTduSif1SQkFqhr+MkC + gcEAxxmX9UAChk+DuOPsYYtx+kl/0aR8B5tvVQRQDxfij0Km9nXEyTsRE34sFlAk + RxgVUb+DjARPn5OuST/v3HHemGUU2x/L5BYYgtn9waI6vpTA3lllPzTYIr6aZfkb + yaX6UbHk5C9af/0F+xq4pNoSpcafdrE5dJ9JyM/20Q3DRxCN+RY2alezO/UCe0Sf + 3OH7Qk2RYgbP1lADV/58oqGpU079N1M4yt6ziyltPC8y/laGOAA00ZGFBPzySs2J + 3yXbAoHBAL/RI4s2WsX8ERaa/GXo85q0/LK2Wq8LICm/jxrMAZrVK1u9kSEKgps2 + pGV9hE73y7gBgstrfrUKghSsqwtIwQCXVYFKEzu4l2fojukJ13eCR7YSBqGTM3Jn + PhyjvxoAcmBsKjkoaXAt5+6DtuTVlQmElJB1s/A8us6rwy2GaXAWTHhNGJ5xuSAd + h3nW1Bsg84f5J6Vx0mnW85kAipB16LZFKUSqHpWYZ+Qe9yT0+iS0Fexz/dHmX4WA + eBZ0rulAxQKBwAutkKAt9PfzygIaPE8sYq8PiJO/VhcMIueVrSx1djB49FoYZkZ3 + VHUUPXnBkZ8p5nY5CXo49oKhouNhAKypcSj3JNYFc2wZb66dIqks3s025GkmTS37 + 54GCNIQurFaTia8pBAfuTxyatrMXyiTBNb7Le6b2liwk+6rvp8ZzTDTq36jwiJiM + NFMb991LFSVbi+VDr3dUdvRXFRsgLidL3Caqx2drVjVwAo/zChkxm4gXgx/dwztX + kbnNLFj+3UtdaQKBwBfHGRzctAvu3z9qHveTFP+Mh/avXDZurqH+OQMdXuWOnz1U + FnV+FAqhj2d1U71mQj6hEVGeFarjjpR5gwp3DlXAbL0GLbQtgbdDwNNqgOczoygS + 
u/ezg6Ee4zgxpDLY81S4k9NaCxf42NNcSIO9Zigz4ya1MIULQiz0ZdFy5Acc/IW9 + KNwbRNOSVYTo+IoUX5vvata7cVXla3T/+C1IMHzHvgHhBMGOjvJcVE6kf42lNUKG + bmRiplyqPDisZjJL8QKBwQCupVWTNeEy0YZ+7mwyJZ1DLURRlgUOKx7LhkO1MDn4 + YyjJrDm1Ne3XjNXq/wjaQX5KuUdkXoqAp1emo2nKGqqVjwSkWX6ordO6mLYhGDiA + vDydisaLX4I8x6NZFIabzqpZbmf6pWlxXVsEptXdAeALpxNZ/r/P34UOgF/g5jZB + /r8qFYC5HnDCY72bY52UXON3ktVmhC7PK3JNmruJgunEfC/yOk8YB9Eks7+3+9SR + HkXkOt1cAbJWZruf4j13X4s= + -----END PRIVATE KEY----- +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: sleep 10
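Review bot: The `sleep 10` TestStep on the last line is a fixed delay with no stated purpose; the kuttl assert for this step already polls until its timeout, so the sleep looks either redundant or a workaround for something the hunk does not show. Either drop it or add a comment naming the reason, e.g. `# give the operator one reconcile cycle before 04-assert compares the rotated cert`. The step timeout in effect for this test is not visible here, so this may be needed if the assert window is short.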