forked from argoproj/argo-cd
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
48 changed files
with
2,894 additions
and
674 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| # Argo CD Manifest Hydrator | ||
|
|
||
| Most Argo CD Applications don't directly use plain Kubernetes manifests. They reference a Helm chart or some Kustomize manifests, and then Argo CD transforms those sources into their final form (plain Kubernetes manifests). | ||
|
|
||
| Having Argo CD quietly do this transformation behind the scenes is convenient. But it can make it harder for developers to understand the full state of their application, both current and past. Hydrating (also known as "rendering") the sources and pushing the hydrated manifests to git is a common technique to preserve a full history of an Application's state. | ||
|
|
||
| Argo CD provides first-class tooling to hydrate manifests and push them to git. This document explains how to take advantage of that tooling. | ||
|
|
||
| ## Setting up git Push Access | ||
|
|
||
| To use Argo CD's source hydration tooling, you have to grant Argo CD push access to all the repositories for apps using the source hydrator. | ||
|
|
||
| ### Security Considerations | ||
|
|
||
| Argo CD stores git push secrets separately from the main Argo CD components and separately from git pull credentials to minimize the possibility of a malicious actor stealing the secrets or hijacking Argo CD components to push malicious changes. | ||
|
|
||
| Pushing hydrated manifests to git can improve security by ensuring that all state changes are stored and auditable. If a malicious actor does manage to produce malicious changes in manifests, those changes will be discoverable in git instead of living only in the live cluster state. | ||
|
|
||
| You should use your SCM's security mechanisms to ensure that Argo CD can only push to the allowed repositories and branches. | ||
|
|
||
| ### Adding the Access Credentials | ||
|
|
||
| To set up push access, add a secret to the `argocd-push` namespace with the following format: | ||
|
|
||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: argocd-example-apps | ||
| labels: | ||
| # Note that this is "repository-push" instead of "repository". The same secret should never be used for both push and pull access. | ||
| argocd.argoproj.io/secret-type: repository-push | ||
| type: Opaque | ||
| stringData: | ||
| url: https://github.com/argoproj/argocd-example-apps.git | ||
| username: '****' | ||
| password: '****' | ||
| ``` | ||
| Once the secret is available, any Application which has pull access to a given repo will be able to use the source hydration tooling to also push to that repo. | ||
| ## Using the `sourceHydrator` Field | ||
|
|
||
| ## Migrating from the `source` or `sources` Field |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # Commit Server | ||
|
|
||
| The Argo CD Commit Server provides push access to git repositories for hydrated manifests. | ||
|
|
||
| The server exposes a gRPC service which accepts requests to push hydrated manifests to a git repository. This is the interface: | ||
|
|
||
| ```protobuf | ||
| // CommitManifests represents the caller's request for some Kubernetes manifests to be pushed to a git repository. | ||
| message CommitManifests { | ||
| // repoURL is the URL of the repo we're pushing to. HTTPS or SSH URLs are acceptable. | ||
| required string repoURL = 1; | ||
| // targetBranch is the name of the branch we're pushing to. | ||
| required string targetBranch = 2; | ||
| // drySHA is the full SHA256 hash of the "dry commit" from which the manifests were hydrated. | ||
| required string drySHA = 3; | ||
| // commitAuthor is the name of the author of the dry commit. | ||
| required string commitAuthor = 4; | ||
| // commitMessage is the short commit message from the dry commit. | ||
| required string commitMessage = 5; | ||
| // commitTime is the dry commit timestamp. | ||
| required string commitTime = 6; | ||
| // details holds the information about the actual hydrated manifests. | ||
| repeated CommitPathDetails details = 7; | ||
| } | ||
| // CommitManifestDetails represents the details about a | ||
| message CommitPathDetails { | ||
| // path is the path to the directory to which these manifests should be written. | ||
| required string path = 1; | ||
| // manifests is a list of JSON documents representing the Kubernetes manifests. | ||
| repeated string manifests = 2; | ||
| // readme is a string which will be written to a README.md alongside the manifest.yaml. | ||
| required string readme = 3; | ||
| } | ||
| message CommitManifestsResponse { | ||
| } | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,7 +7,7 @@ | |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> | ||
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> | ||
| <title>Snyk test report</title> | ||
| <meta name="description" content="22 known vulnerabilities found in 43 vulnerable dependency paths."> | ||
| <meta name="description" content="23 known vulnerabilities found in 44 vulnerable dependency paths."> | ||
| <base target="_blank"> | ||
| <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" | ||
| sizes="194x194"> | ||
|
|
@@ -456,7 +456,7 @@ | |
| <div class="header-wrap"> | ||
| <h1 class="project__header__title">Snyk test report</h1> | ||
|
|
||
| <p class="timestamp">December 8th 2024, 12:21:06 am (UTC+00:00)</p> | ||
| <p class="timestamp">December 15th 2024, 12:21:47 am (UTC+00:00)</p> | ||
| </div> | ||
| <div class="source-panel"> | ||
| <span>Scanned the following paths:</span> | ||
|
|
@@ -469,8 +469,8 @@ <h1 class="project__header__title">Snyk test report</h1> | |
| </div> | ||
|
|
||
| <div class="meta-counts"> | ||
| <div class="meta-count"><span>22</span> <span>known vulnerabilities</span></div> | ||
| <div class="meta-count"><span>43 vulnerable dependency paths</span></div> | ||
| <div class="meta-count"><span>23</span> <span>known vulnerabilities</span></div> | ||
| <div class="meta-count"><span>44 vulnerable dependency paths</span></div> | ||
| <div class="meta-count"><span>969</span> <span>dependencies</span></div> | ||
| </div><!-- .meta-counts --> | ||
| </div><!-- .layout-container--short --> | ||
|
|
@@ -479,6 +479,80 @@ <h1 class="project__header__title">Snyk test report</h1> | |
|
|
||
| <div class="layout-container" style="padding-top: 35px;"> | ||
| <div class="cards--vuln filter--patch filter--ignore"> | ||
| <div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical"> | ||
| <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2> | ||
| <div class="card__section"> | ||
|
|
||
| <div class="label label--critical"> | ||
| <span class="label__text">critical severity</span> | ||
| </div> | ||
|
|
||
| <hr/> | ||
|
|
||
| <ul class="card__meta"> | ||
| <li class="card__meta__item"> | ||
| Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate | ||
| </li> | ||
| <li class="card__meta__item"> | ||
| Package Manager: golang | ||
| </li> | ||
| <li class="card__meta__item"> | ||
| Vulnerable module: | ||
|
|
||
| golang.org/x/crypto/ssh | ||
| </li> | ||
|
|
||
| <li class="card__meta__item">Introduced through: | ||
|
|
||
| github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/[email protected] | ||
|
|
||
| </li> | ||
| </ul> | ||
|
|
||
| <hr/> | ||
|
|
||
|
|
||
| <h3 class="card__section__title">Detailed paths</h3> | ||
|
|
||
| <ul class="card__meta__paths"> | ||
| <li> | ||
| <span class="list-paths__item__introduced"><em>Introduced through</em>: | ||
| github.com/hairyhenderson/gomplate/v4@* | ||
| <span class="list-paths__item__arrow">›</span> | ||
| golang.org/x/crypto/[email protected] | ||
|
|
||
| </span> | ||
|
|
||
| </li> | ||
| </ul><!-- .list-paths --> | ||
|
|
||
| </div><!-- .card__section --> | ||
|
|
||
| <hr/> | ||
| <!-- Overview --> | ||
| <h2 id="overview">Overview</h2> | ||
| <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p> | ||
| <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p> | ||
| <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states "A call to this function does not guarantee that the key offered is in fact used to authenticate." The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p> | ||
| <h2 id="remediation">Remediation</h2> | ||
| <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p> | ||
| <h2 id="references">References</h2> | ||
| <ul> | ||
| <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li> | ||
| <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li> | ||
| <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li> | ||
| <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li> | ||
| <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li> | ||
| <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li> | ||
| </ul> | ||
|
|
||
| <hr/> | ||
|
|
||
| <div class="cta card__cta"> | ||
| <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p> | ||
| </div> | ||
|
|
||
| </div><!-- .card --> | ||
| <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> | ||
| <h2 class="card__title">Insertion of Sensitive Information into Log File</h2> | ||
| <div class="card__section"> | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.