Added ReadOnlyRootFileSystem to the Argo CD components #1659
base: master
The readonlyfs flag is set for statefulset in
Also, for argocd-server we are missing some mounts
6ed2830 to 95f2e3c
I have reviewed and the changes LGTM! Nothing jumped out at me as incorrect, and I verified that the volumes/paths we are adding are consistent with what is upstream.
If you haven't already, you may want to run the upstream Argo CD E2E tests (in remote mode[1]) against the argocd-operator, to ensure that we've not regressed any upstream features.
Since this is potentially a risky change, I recommend NOT backporting this to 1.15.x, and only supporting it in 1.16.x. (Or, at least, not backporting it YET, until it soaks)
[1] https://github.com/argoproj/argo-cd/blob/master/test/remote/README.md or https://gitlab.cee.redhat.com/gitops/gitops-components-automated-testing
/retest
… volumes Signed-off-by: Anand Francis Joseph <[email protected]>
ed13a71 to 853710e
Signed-off-by: Anand Francis Joseph <[email protected]>
The latest ApplicationSet updates on PR re: removing unused repo server TLS volume LGTM!
There is no plan to backport this PR to 1.15.x. It will be only for 1.16.x and future versions.
Found some issues during testing. I feel we should push this change for 1.17. There could be other issues that crop up after integrating the change with gitops-operator.
Ran basic upgrade test. Looks good. Thanks @anandf.
What type of PR is this?
What does this PR do / why we need it:
Upstream Argo CD has all components running with readOnlyRootFileSystem set to true. For security reasons this needs to be enabled even for the components that are created by the operator.
Application Controller:
https://github.com/argoproj/argo-cd/blob/d183d9c614d05979f1327a554942a9e656f1c2ec/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml#L263
Note: Stateful set based application controller does not have this flag set. So need to validate if enabling it will cause any breaking change
https://github.com/argoproj/argo-cd/blob/master/manifests/base/application-controller-deployment/argocd-application-controller-statefulset.yaml
AppSet Controller: https://github.com/argoproj/argo-cd/blob/d183d9c614d05979f1327a554942a9e656f1c2ec/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml#L202
Notification Controller:
https://github.com/argoproj/argo-cd/blob/d183d9c614d05979f1327a554942a9e656f1c2ec/manifests/base/notification/argocd-notifications-controller-deployment.yaml#L92
Dex:
https://github.com/argoproj/argo-cd/blob/d183d9c614d05979f1327a554942a9e656f1c2ec/manifests/base/dex/argocd-dex-server-deployment.yaml#L34
Redis:
https://github.com/argoproj/argo-cd/blob/d183d9c614d05979f1327a554942a9e656f1c2ec/manifests/base/redis/argocd-redis-deployment.yaml#L31
https://github.com/argoproj/argo-cd/blob/d183d9c614d05979f1327a554942a9e656f1c2ec/manifests/base/redis/argocd-redis-deployment.yaml#L60
RepoServer:
https://github.com/argoproj/argo-cd/blob/d183d9c614d05979f1327a554942a9e656f1c2ec/manifests/base/repo-server/argocd-repo-server-deployment.yaml#L261
https://github.com/argoproj/argo-cd/blob/d183d9c614d05979f1327a554942a9e656f1c2ec/manifests/base/repo-server/argocd-repo-server-deployment.yaml#L295
Server:
https://github.com/argoproj/argo-cd/blob/d183d9c614d05979f1327a554942a9e656f1c2ec/manifests/base/server/argocd-server-deployment.yaml#L340
Have you updated the necessary documentation?
Which issue(s) this PR fixes:
Fixes #?
How to test changes / Special notes to the reviewer:
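
As an added example (not code from this PR or from the argocd-operator), the Go program below audits a workload manifest in JSON form for the two failure modes raised in this thread: a container that does not set `readOnlyRootFilesystem: true`, and one that sets it without a writable volume mounted where the process needs to write. The `Audit` function, the sample manifest and the `/tmp` path are assumptions made for illustration, not values taken from the PR.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the Kubernetes container schema that the check needs.
type container struct {
	Name            string
	SecurityContext struct{ ReadOnlyRootFilesystem bool }
	VolumeMounts    []struct {
		MountPath string
		ReadOnly  bool
	}
}

// Constructed sample: "server" sets the flag but mounts nothing writable at /tmp; "sidecar" never sets it.
const sample = `{"spec":{"template":{"spec":{"containers":[{"name":"sidecar"},
 {"name":"server","securityContext":{"readOnlyRootFilesystem":true},"volumeMounts":[{"mountPath":"/tls","readOnly":true}]}]}}}}`

// Audit flags writable root filesystems, and flagged containers lacking a writable mount at a needWritable path (exact match).
func Audit(manifest []byte, needWritable []string) ([]string, error) {
	var w struct{ Spec struct{ Template struct{ Spec struct{ Containers []container } } } }
	if err := json.Unmarshal(manifest, &w); err != nil {
		return nil, err
	}
	var out []string
	for _, c := range w.Spec.Template.Spec.Containers {
		if !c.SecurityContext.ReadOnlyRootFilesystem {
			out = append(out, c.Name+": readOnlyRootFilesystem is not true")
			continue
		}
		writable := map[string]bool{} // mountPath -> has a read-write mount
		for _, m := range c.VolumeMounts {
			writable[m.MountPath] = writable[m.MountPath] || !m.ReadOnly
		}
		for _, p := range needWritable { // paths the caller assumes the process writes to
			if !writable[p] {
				out = append(out, c.Name+": no writable mount at "+p)
			}
		}
	}
	return out, nil
}

func main() {
	fmt.Println(Audit([]byte(sample), []string{"/tmp"}))
}
```

The input can be produced from a live cluster with `kubectl get deployment <name> -o json`; init containers are not covered by this check.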