argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

UI is trying to load JSON from https://plugins.monokle.com #13671

Closed alexmt closed 1 year ago

alexmt commented 1 year ago

Describe the bug

Argo CD UI is trying to load k8s validation schemas from https://plugins.monokle.com/schemas/v1.24.2-standalone/definitions.json

To Reproduce

  1. Create Argo CD application
  2. Click on any resource to see YAML editor
  3. See schemas are loaded from third party domain

Expected behavior

No static assets should be loaded from external website

Version

v2.8 (unreleased)

alexmt commented 1 year ago

Behavior is introduced by https://github.com/argoproj/argo-cd/pull/12778

UI is not crashing if https://plugins.monokle.com/ is not available, but still a lot of users might be concerned that Argo CD is trying to query an external domain.

Argo CD has access to target cluster and probably could generate schema on the fly. Worst case we can bake schemas into binary and update as new versions are getting released.

@WitoDelnat can you please help to make https://plugins.monokle.com/schemas/<version>/definitions.json customizable?

alexmt commented 1 year ago

Another URL is https://plugins.monokle.com/validation/open-policy-agent/trivy.wasm

crenshaw-dev commented 1 year ago

My bad for not catching that. I don't think we should load any assets from any external domain.

crenshaw-dev commented 1 year ago

If we figure out a fix quickly, we can just merge the fix before 2.8. If we don't, we can just revert the commit until we figure out a fix.

WitoDelnat commented 1 year ago

Hi! The design makes it possible to inject different schema loaders, I'll look into building a customisable implementation. Let me get back to you soon with details but this should be do-able before 2.8. What are some of the release dates we should be mindful of?

crenshaw-dev commented 1 year ago

@WitoDelnat thanks! 2.8-RC1 is slated for June 19, but we'll happily cherry-pick a fix any time before the August 7 GA date. https://argo-cd.readthedocs.io/en/latest/developer-guide/release-process-and-cadence/

crenshaw-dev commented 1 year ago

@WitoDelnat any update? We'll need to revert this if we're not able to avoid the external reference.

WitoDelnat commented 1 year ago

@crenshaw-dev I just got around to an update! We unfortunately decided that we will not be able to release this before 2.8-RC1. My suggestion is to revert this for now and we can reconvene in the future. A pity for the current release, but I'm most certain that the effort will not be in vain.

I think the revert should be straightforward, though let me know if my help is needed.

crenshaw-dev commented 1 year ago

@WitoDelnat no worries, I can understand the time constraints. 🙂 Will revert.
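
A build-time check for the concern raised in this thread, as an added example that is not part of the issue or of Argo CD's own code: it scans the text of a built UI bundle for hard-coded `http(s)` origins outside an allowlist, so a third-party schema or wasm URL is caught before release. The allowlist, function names and sample bundle text are assumptions constructed for illustration; only the two `plugins.monokle.com` URLs and the docs URL come from the thread.

```javascript
// Added example: flag third-party origins referenced by a built UI bundle.
// ALLOWED_ORIGINS and SAMPLE_BUNDLE are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://argo-cd.readthedocs.io']);

// Match http(s) URLs up to the first quote, backtick, whitespace or bracket.
const URL_RE = /https?:\/\/[^\s"'`<>)\\]+/g;

function findExternalOrigins(bundleText, allowed = ALLOWED_ORIGINS) {
  const hits = new Map(); // origin -> Set of URL prefixes seen
  for (const raw of bundleText.match(URL_RE) || []) {
    // Template literals such as `https://host/${v}/x.json` are cut at "${"
    // so the host still parses even when the path is built at runtime.
    const candidate = raw.split('${')[0];
    let origin;
    try {
      origin = new URL(candidate).origin;
    } catch {
      continue; // host itself is computed at runtime; nothing static to report
    }
    if (allowed.has(origin)) continue;
    if (!hits.has(origin)) hits.set(origin, new Set());
    hits.get(origin).add(candidate);
  }
  return [...hits].map(([origin, urls]) => ({ origin, urls: [...urls].sort() }));
}

// Constructed sample resembling lines of minified bundle output.
const SAMPLE_BUNDLE = [
  'const docs="https://argo-cd.readthedocs.io/en/latest/";',
  'fetch(`https://plugins.monokle.com/schemas/${version}/definitions.json`);',
  'load("https://plugins.monokle.com/validation/open-policy-agent/trivy.wasm");',
  'const api="/api/v1/applications";',
].join('\n');

// Returns ok=false plus the offending origins; a CI step can fail on !ok.
function checkBundle(text) {
  const findings = findExternalOrigins(text);
  return { ok: findings.length === 0, findings };
}

console.log(JSON.stringify(checkBundle(SAMPLE_BUNDLE), null, 2));
```

This is a static scan, so a URL assembled entirely from runtime configuration will not appear in its output; a restrictive `connect-src` Content-Security-Policy covers that case in the browser.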