Issue argoproj#553 - Turn on TLS for repo server

alexmt · Sep 7, 2018 · da6c502 · da6c502
1 parent ed484c0
commit da6c502
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 14 deletions.
diff --git a/cmd/argocd-repo-server/main.go b/cmd/argocd-repo-server/main.go
@@ -8,6 +8,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"k8s.io/client-go/tools/clientcmd"
 
 	"github.com/argoproj/argo-cd"
 	"github.com/argoproj/argo-cd/errors"
@@ -17,6 +18,7 @@ import (
 	"github.com/argoproj/argo-cd/util/git"
 	"github.com/argoproj/argo-cd/util/ksonnet"
 	"github.com/argoproj/argo-cd/util/stats"
+	"github.com/argoproj/pkg/kube/cli"
 )
 
 const (
@@ -27,7 +29,8 @@ const (
 
 func newCommand() *cobra.Command {
 	var (
-		logLevel string
+		logLevel     string
+		clientConfig clientcmd.ClientConfig
 	)
 	var command = cobra.Command{
 		Use:   cliName,
@@ -37,7 +40,11 @@ func newCommand() *cobra.Command {
 			errors.CheckError(err)
 			log.SetLevel(level)
 
-			server := reposerver.NewServer(git.NewFactory(), newCache())
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			server, err := reposerver.NewServer(git.NewFactory(), newCache(), namespace)
+			errors.CheckError(err)
 			grpc := server.CreateGRPC()
 			listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
 			errors.CheckError(err)
@@ -56,6 +63,7 @@ func newCommand() *cobra.Command {
 		},
 	}
 
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	return &command
 }

diff --git a/reposerver/clientset.go b/reposerver/clientset.go
@@ -1,10 +1,13 @@
 package reposerver
 
 import (
+	"crypto/tls"
+
 	"github.com/argoproj/argo-cd/reposerver/repository"
 	"github.com/argoproj/argo-cd/util"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 )
 
 // Clientset represets repository server api clients
@@ -17,7 +20,7 @@ type clientSet struct {
 }
 
 func (c *clientSet) NewRepositoryClient() (util.Closer, repository.RepositoryServiceClient, error) {
-	conn, err := grpc.Dial(c.address, grpc.WithInsecure())
+	conn, err := grpc.Dial(c.address, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: true})))
 	if err != nil {
 		log.Errorf("Unable to connect to repository service with address %s", c.address)
 		return nil, nil, err

diff --git a/reposerver/server.go b/reposerver/server.go
@@ -1,15 +1,20 @@
 package reposerver
 
 import (
+	"crypto/tls"
+	"fmt"
+
 	"github.com/argoproj/argo-cd/reposerver/repository"
 	"github.com/argoproj/argo-cd/server/version"
 	"github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/git"
 	grpc_util "github.com/argoproj/argo-cd/util/grpc"
+	tlsutil "github.com/argoproj/argo-cd/util/tls"
 	"github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/reflection"
 )
 
@@ -18,28 +23,52 @@ type ArgoCDRepoServer struct {
 	log        *log.Entry
 	gitFactory git.ClientFactory
 	cache      cache.Cache
+	opts       []grpc.ServerOption
 }
 
 // NewServer returns a new instance of the ArgoCD Repo server
-func NewServer(gitFactory git.ClientFactory, cache cache.Cache) *ArgoCDRepoServer {
+func NewServer(gitFactory git.ClientFactory, cache cache.Cache, namespace string) (*ArgoCDRepoServer, error) {
+
+	// generate TLS cert
+	hosts := []string{
+		"localhost",
+		"argocd-repo-server",
+		fmt.Sprintf("argocd-repo-server.%s", namespace),
+		fmt.Sprintf("argocd-repo-server.%s.svc", namespace),
+		fmt.Sprintf("argocd-repo-server.%s.svc.cluster.local", namespace),
+	}
+	cert, err := tlsutil.GenerateX509KeyPair(tlsutil.CertOptions{
+		Hosts:        hosts,
+		Organization: "Argo CD",
+		IsCA:         true,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	opts := []grpc.ServerOption{grpc.Creds(credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{*cert}}))}
+
 	return &ArgoCDRepoServer{
 		log:        log.NewEntry(log.New()),
 		gitFactory: gitFactory,
 		cache:      cache,
-	}
+		opts:       opts,
+	}, nil
 }
 
 // CreateGRPC creates new configured grpc server
 func (a *ArgoCDRepoServer) CreateGRPC() *grpc.Server {
 	server := grpc.NewServer(
-		grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(
-			grpc_logrus.StreamServerInterceptor(a.log),
-			grpc_util.PanicLoggerStreamServerInterceptor(a.log),
-		)),
-		grpc.UnaryInterceptor(grpc_middleware.ChainUnaryServer(
-			grpc_logrus.UnaryServerInterceptor(a.log),
-			grpc_util.PanicLoggerUnaryServerInterceptor(a.log),
-		)),
+		append(a.opts,
+			grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(
+				grpc_logrus.StreamServerInterceptor(a.log),
+				grpc_util.PanicLoggerStreamServerInterceptor(a.log),
+			)),
+			grpc.UnaryInterceptor(grpc_middleware.ChainUnaryServer(
+				grpc_logrus.UnaryServerInterceptor(a.log),
+				grpc_util.PanicLoggerUnaryServerInterceptor(a.log),
+			)))...,
 	)
 	version.RegisterVersionServiceServer(server, &version.Server{})
 	manifestService := repository.NewService(a.gitFactory, a.cache)

diff --git a/test/e2e/fixture.go b/test/e2e/fixture.go
@@ -127,7 +127,11 @@ func (f *Fixture) setup() error {
 	}
 
 	memCache := cache.NewInMemoryCache(repository.DefaultRepoCacheExpiration)
-	repoServerGRPC := reposerver.NewServer(&FakeGitClientFactory{}, memCache).CreateGRPC()
+	repoSrv, err := reposerver.NewServer(&FakeGitClientFactory{}, memCache, f.Namespace)
+	if err != nil {
+		return err
+	}
+	repoServerGRPC := repoSrv.CreateGRPC()
 	repoServerListener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		return err