argo-cd: argocd-server serves randomly new / old / expired certificate from secret argocd-server-tls
Checklist:
- I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I’ve included steps to reproduce the bug.
Describe the bug
Since version 2.4.3 I noticed argocd-server is sometimes serving older / expired certs that should not be served any more. We first noticed this after the upgrade from 2.2.5 to 2.4.11. The problem exists in 2.4.12 too.
To Reproduce
Use this https://github.com/vx-github/vx-argocd-cert-bug to easily reproduce the issue locally in a kind cluster.
Expected behavior
Expected behavior would be that argocd-server only serves / uses the cert in argocd-server-tls secret if it exists and doesn’t serve / use certs it was not supposed to (old / expired ones).
About this issue
- State: closed
- Created 2 years ago
- Reactions: 3
- Comments: 15 (6 by maintainers)
Commits related to this issue
- fix: ensure certificate gets updated on reload Fixes #10707. `GetCertificate` ensures that the most current version of `a.settings.Certificate` is used. It's still a bit of a mystery to me as to wh... — committed to blakepettersson/argo-cd by blakepettersson a year ago
- fix: ensure certificate gets updated on reload (#12076) * fix: ensure certificate gets updated on reload Fixes #10707. `GetCertificate` ensures that the most current version of `a.settings.Certi... — committed to argoproj/argo-cd by blakepettersson a year ago
- fix: ensure certificate gets updated on reload (#12076) (#12694) * fix: ensure certificate gets updated on reload Fixes #10707. `GetCertificate` ensures that the most current version of `a.setti... — committed to argoproj/argo-cd by gcp-cherry-pick-bot[bot] a year ago
- fix: ensure certificate gets updated on reload (#12076) (#12695) * fix: ensure certificate gets updated on reload Fixes #10707. `GetCertificate` ensures that the most current version of `a.setti... — committed to argoproj/argo-cd by gcp-cherry-pick-bot[bot] a year ago
- fix: ensure certificate gets updated on reload (#12076) (#12696) * fix: ensure certificate gets updated on reload Fixes #10707. `GetCertificate` ensures that the most current version of `a.setti... — committed to argoproj/argo-cd by gcp-cherry-pick-bot[bot] a year ago
- fix: ensure certificate gets updated on reload (#12076) * fix: ensure certificate gets updated on reload Fixes #10707. `GetCertificate` ensures that the most current version of `a.settings.Certific... — committed to rumstead/argo-cd by blakepettersson a year ago
- fix: ensure certificate gets updated on reload (#12076) * fix: ensure certificate gets updated on reload Fixes #10707. `GetCertificate` ensures that the most current version of `a.settings.Certi... — committed to yyzxw/argo-cd by blakepettersson a year ago
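The fix commits above state that `GetCertificate` ensures the most current certificate is used after a reload. The following Go program is an added illustration of that difference in `crypto/tls`, not code from Argo CD: a `Certificates` slice is a snapshot taken when the config is built, while a `GetCertificate` callback is consulted on each handshake. The names `certStore`, `newCert`, `servedSerial` and `afterRotation` are hypothetical, and the certificates are constructed self-signed ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// certStore (hypothetical name) holds whichever certificate is current.
type certStore struct{ cur atomic.Pointer[tls.Certificate] }

// Get runs on every handshake, so a rotation applies to the next connection.
func (s *certStore) Get(*tls.ClientHelloInfo) (*tls.Certificate, error) { return s.cur.Load(), nil }

// newCert builds a constructed self-signed certificate with the given serial.
func newCert(serial int64) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// servedSerial does one in-memory handshake and returns the serial the server presented.
// The probe client skips verification and pins TLS 1.2 because net.Pipe is unbuffered.
func servedSerial(cfg *tls.Config) int64 {
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	go tls.Server(s, cfg).Handshake()
	cli := tls.Client(c, &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return -1
	}
	return cli.ConnectionState().PeerCertificates[0].SerialNumber.Int64()
}

// afterRotation rotates serial 1 -> 2 and reports what each config style then serves.
func afterRotation() (static, dynamic int64) {
	store := &certStore{}
	store.cur.Store(newCert(1))
	staticCfg := &tls.Config{Certificates: []tls.Certificate{*store.cur.Load()}} // snapshot
	dynamicCfg := &tls.Config{GetCertificate: store.Get}
	store.cur.Store(newCert(2)) // simulated rotation of the TLS secret
	return servedSerial(staticCfg), servedSerial(dynamicCfg)
}
func main() { fmt.Println(afterRotation()) } // static (stale) serial, then callback serial
```

A serial check like `servedSerial`, run repeatedly against a live endpoint, is also a quick way to confirm whether a server is still handing out a certificate that should have been retired.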
I can confirm this is happening to me as well, in fact argo seems to cycle between certs. However it only happens if the argocd-server-tls secret doesn’t exist. Killing the pod works as a workaround.