TLS support. HTTP/HTTPS/gRPC all serving on single port

Procfile

@@ -1,3 +1,3 @@
 controller: go run ./cmd/argocd-application-controller/main.go --app-resync 10
-api-server: go run ./cmd/argocd-server/main.go
+api-server: go run ./cmd/argocd-server/main.go --insecure
 repo-server: go run ./cmd/argocd-repo-server/main.go

cmd/argocd-server/commands/root.go

@@ -15,6 +15,7 @@ import (
 // NewCommand returns a new instance of an argocd command
 func NewCommand() *cobra.Command {
 	var (
+		insecure          bool
 		logLevel          string
 		clientConfig      clientcmd.ClientConfig
 		staticAssetsDir   string
@@ -39,12 +40,21 @@ func NewCommand() *cobra.Command {
 			appclientset := appclientset.NewForConfigOrDie(config)
 			repoclientset := reposerver.NewRepositoryServerClientset(repoServerAddress)
 
-			argocd := server.NewServer(kubeclientset, appclientset, repoclientset, namespace, staticAssetsDir)
+			argoCDOpts := server.ArgoCDServerOpts{
+				Insecure:        insecure,
+				Namespace:       namespace,
+				StaticAssetsDir: staticAssetsDir,
+				KubeClientset:   kubeclientset,
+				AppClientset:    appclientset,
+				RepoClientset:   repoclientset,
+			}
+			argocd := server.NewServer(argoCDOpts)
 			argocd.Run()
 		},
 	}
 
 	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	command.Flags().BoolVar(&insecure, "insecure", false, "Run server without TLS")
 	command.Flags().StringVar(&staticAssetsDir, "staticassets", "", "Static assets directory path")
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().StringVar(&repoServerAddress, "repo-server", "localhost:8081", "Repo server address.")

cmd/argocd/commands/root.go

@@ -30,7 +30,8 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(NewUninstallCommand())
 
 	command.PersistentFlags().StringVar(&clientOpts.ServerAddr, "server", "", "ArgoCD server address")
-	command.PersistentFlags().BoolVar(&clientOpts.Insecure, "insecure", true, "Disable transport security for the client connection")
+	command.PersistentFlags().BoolVar(&clientOpts.Insecure, "insecure", false, "Disable transport security for the client connection, including host verification")
+	command.PersistentFlags().StringVar(&clientOpts.CertFile, "server-crt", "", "Server certificate file")
 
 	return command
 }

install/install.go

@@ -12,6 +12,7 @@ import (
 	"github.com/argoproj/argo-cd/util/kube"
 	"github.com/argoproj/argo-cd/util/password"
 	"github.com/argoproj/argo-cd/util/session"
+	tlsutil "github.com/argoproj/argo-cd/util/tls"
 	"github.com/ghodss/yaml"
 	"github.com/gobuffalo/packr"
 	log "github.com/sirupsen/logrus"
@@ -132,27 +133,40 @@ func (i *Installer) InstallSettings() {
 	errors.CheckError(err)
 	configManager := config.NewConfigManager(kubeclientset, i.Namespace)
 	_, err = configManager.GetSettings()
-	if err != nil {
-		if !apierr.IsNotFound(err) {
-			log.Fatal(err)
-		}
-		// configmap/secret not yet created
-		signature, err := session.MakeSignature(32)
-		errors.CheckError(err)
-		passwordRaw := readAndConfirmPassword()
-		hashedPassword, err := password.HashPassword(passwordRaw)
-		errors.CheckError(err)
-		newSettings := config.ArgoCDSettings{
-			ServerSignature: signature,
-			LocalUsers: map[string]string{
-				common.ArgoCDAdminUsername: hashedPassword,
-			},
-		}
-		err = configManager.SaveSettings(&newSettings)
-		errors.CheckError(err)
-	} else {
+	if err == nil {
 		log.Infof("Settings already exists. Skipping creation")
+		return
 	}
+	if !apierr.IsNotFound(err) {
+		log.Fatal(err)
+	}
+	// configmap/secret not yet created
+	var newSettings config.ArgoCDSettings
+
+	// set JWT signature
+	signature, err := session.MakeSignature(32)
+	errors.CheckError(err)
+	newSettings.ServerSignature = signature
+
+	// generate admin password
+	passwordRaw := readAndConfirmPassword()
+	hashedPassword, err := password.HashPassword(passwordRaw)
+	errors.CheckError(err)
+	newSettings.LocalUsers = map[string]string{
+		common.ArgoCDAdminUsername: hashedPassword,
+	}
+
+	// generate TLS cert
+	certOpts := tlsutil.CertOptions{
+		Host:         "argocd",
+		Organization: "Argo CD",
+	}
+	cert, err := tlsutil.GenerateX509KeyPair(certOpts)
+	errors.CheckError(err)
+	newSettings.Certificate = cert
+
+	err = configManager.SaveSettings(&newSettings)
+	errors.CheckError(err)
 }
 
 func readAndConfirmPassword() string {

pkg/apiclient/apiclient.go

@@ -1,14 +1,21 @@
 package apiclient
 
 import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
+	"fmt"
+	"io/ioutil"
 	"os"
 
 	"github.com/argoproj/argo-cd/server/application"
 	"github.com/argoproj/argo-cd/server/cluster"
 	"github.com/argoproj/argo-cd/server/repository"
+	grpc_util "github.com/argoproj/argo-cd/util/grpc"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 )
 
 const (
@@ -29,6 +36,7 @@ type ServerClient interface {
 type ClientOptions struct {
 	ServerAddr string
 	Insecure   bool
+	CertFile   string
 }
 
 type client struct {
@@ -57,15 +65,32 @@ func NewClientOrDie(opts *ClientOptions) ServerClient {
 }
 
 func (c *client) NewConn() (*grpc.ClientConn, error) {
-	var dialOpts []grpc.DialOption
-	if c.Insecure {
-		dialOpts = append(dialOpts, grpc.WithInsecure())
+	var creds credentials.TransportCredentials
+	if c.CertFile != "" {
+		b, err := ioutil.ReadFile(c.CertFile)
+		if err != nil {
+			return nil, err
+		}
+		cp := x509.NewCertPool()
+		if !cp.AppendCertsFromPEM(b) {
+			return nil, fmt.Errorf("credentials: failed to append certificates")
+		}
+		tlsConfig := tls.Config{
+			RootCAs: cp,
+		}
+		if c.Insecure {
+			tlsConfig.InsecureSkipVerify = true
+		}
+		creds = credentials.NewTLS(&tlsConfig)
 	} else {
-		return nil, errors.New("secure authentication unsupported")
-	} // else if opts.Credentials != nil {
-	//	dialOpts = append(dialOpts, grpc.WithTransportCredentials(opts.Credentials))
-	//}
-	return grpc.Dial(c.ServerAddr, dialOpts...)
+		if c.Insecure {
+			tlsConfig := tls.Config{
+				InsecureSkipVerify: true,
+			}
+			creds = credentials.NewTLS(&tlsConfig)
+		}
+	}
+	return grpc_util.BlockingDial(context.Background(), "tcp", c.ServerAddr, creds)
 }
 
 func (c *client) NewRepoClient() (*grpc.ClientConn, repository.RepositoryServiceClient, error) {