Open fhopfensperger opened 3 years ago
I like this idea, though I think instead of being an attribute of the secret itself, it should be tied into the RBAC permissions for the user/application. Updating many secrets across many clusters is a lot of work (and a leaky abstraction), whereas updating some ArgoCD configuration is simpler and easier.
That's a feature I would be looking forward to a lot. It enables non-developers to obtain information about deployed apps, albeit still doing the base64 decode, which is imho an acceptable burden.
This feature would be a huge win for us. Although I think it would be even better if:
Unfortunately sometimes you just can't get around having config mixed with secrets, in which case your only choice is to put the entire config file in a K8s Secret. Making Secrets more transparent in a customizable way (so that, for example, you can reveal secrets in pre-prod but not prod) would be extremely helpful for those cases.
This feature is probably possible, but maybe a bit more involved than it appears at first. I'd recommend extreme caution. We've dealt with CVEs which would have had far worse consequences if plaintext secrets were accessible via the API.
Here would be my proposal: a 'secret' RBAC resource which should control the ability to view plaintext secrets in the UI. I think we'd also want to sit down and have a long, careful ponder about our current XSS protections, e.g. are the current CSP headers sufficient?
If this feature were added it would need a specific permission. There are users that I'd want to have readonly access to be able to see a service is running and check logs, but not be permitted to view any sensitive data.
Hey, is there anything new on this issue?
It would be interesting to have a parameter to enable secret discovery in the application.
Summary
Currently it's not possible to view the data of a Secret in the ArgoCD Web UI; instead of the real base64 encoded values, only ++++++++ is displayed. To make the values visible, annotate the secret with argocd.argoproj.io/show-secret-value: "true".
Motivation
If the secret is created by a Kubernetes controller such as a Crossplane provider and the user does not have access to the Kubernetes API, it is impossible for the user to obtain the value of the secret.
Proposal
I've already developed the functionality and it's working fine on my system. For a secret where we want to view the data inside the WebUI & API, we need to annotate the secret with argocd.argoproj.io/show-secret-value: "true".
Example in git:
Example in Argo Web-UI:
Changed code in server/application/application.go
If this functionality is desired, I would like to create a pull request that includes code & tests.
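As an added illustration (not the proposal's own patch and not Argo CD project code), the following Go program shows the redaction decision the issue describes, combined with the RBAC gate that the earlier comments ask for: a Secret's data is revealed only when the Secret carries argocd.argoproj.io/show-secret-value: "true" and the calling user has a (hypothetical) permission to view plaintext secrets; otherwise every value is replaced by the ++++++++ placeholder. The Secret and Viewer types, the CanViewSecrets flag and the sample secrets are constructed for this example and stand in for the real Kubernetes and Argo CD types.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"sort"
)

// ShowSecretAnnotation is the opt-in annotation proposed in the issue.
const ShowSecretAnnotation = "argocd.argoproj.io/show-secret-value"

// Redacted is the placeholder Argo CD shows instead of secret data.
const Redacted = "++++++++"

// Secret is a minimal stand-in for a Kubernetes v1.Secret (constructed for this example).
type Secret struct {
	Name        string
	Annotations map[string]string
	Data        map[string][]byte // raw bytes; the API serialises them as base64
}

// Viewer is a hypothetical caller identity with the result of an RBAC check.
// In a real gate this decision would come from the RBAC enforcer, not from the caller.
type Viewer struct {
	Name           string
	CanViewSecrets bool // assumed "may see plaintext secrets" permission
}

// optedIn reports whether the Secret itself asks to be shown. The check is a strict
// string match, as Kubernetes annotation values are plain strings ("True" does not opt in).
func optedIn(s Secret) bool {
	return s.Annotations[ShowSecretAnnotation] == "true"
}

// RenderSecret returns the data map as the API would hand it to the UI:
// base64-encoded values when BOTH the annotation and the viewer's permission
// allow it, the fixed placeholder for every key otherwise. Keys are never
// hidden, so the reader can still see which entries exist.
func RenderSecret(s Secret, v Viewer) map[string]string {
	out := make(map[string]string, len(s.Data))
	reveal := optedIn(s) && v.CanViewSecrets
	for k, raw := range s.Data {
		if reveal {
			out[k] = base64.StdEncoding.EncodeToString(raw)
		} else {
			out[k] = Redacted
		}
	}
	return out
}

// Revealed reports whether RenderSecret would expose plaintext for this pair.
func Revealed(s Secret, v Viewer) bool {
	return optedIn(s) && v.CanViewSecrets
}

func main() {
	// Constructed sample secrets: one opted in via the annotation, one not.
	optIn := Secret{
		Name:        "db-creds",
		Annotations: map[string]string{ShowSecretAnnotation: "true"},
		Data:        map[string][]byte{"password": []byte("hunter2")},
	}
	plain := Secret{
		Name: "tls-key",
		Data: map[string][]byte{"tls.key": []byte("-----BEGIN KEY-----")},
	}
	viewers := []Viewer{
		{Name: "readonly-ops", CanViewSecrets: false},
		{Name: "app-owner", CanViewSecrets: true},
	}
	for _, s := range []Secret{optIn, plain} {
		for _, v := range viewers {
			rendered := RenderSecret(s, v)
			keys := make([]string, 0, len(rendered))
			for k := range rendered {
				keys = append(keys, k)
			}
			sort.Strings(keys)
			for _, k := range keys {
				fmt.Printf("%-9s viewed by %-13s %s=%s\n", s.Name, v.Name, k, rendered[k])
			}
		}
	}
}
```

The two-condition rule is deliberate: the annotation alone would let anyone with read access to the Application see the plaintext, which is exactly the concern raised in the thread about read-only users, while the permission alone would still expose every secret in the app, which the issue's opt-in annotation avoids.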