Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TOB-ARGO-024: Toolchain docs should link to Docker docs about not the docker group #9966

Closed
crenshaw-dev opened this issue Jul 12, 2022 · 5 comments · Fixed by #10006
Closed
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@crenshaw-dev
Copy link
Member

crenshaw-dev commented Jul 12, 2022

Summary

The toolchain docs say "don't use root w/ Docker," but it doesn't explain why.

Motivation

People sometimes ignore security recommendations unless they understand why the recommendations were made.

This was pointed out in item 24 of the Trail of Bits security audit. https://github.com/argoproj/argoproj/blob/master/docs/argo_security_final_report.pdf

Proposal

Link to the Docker docs explaining why running Docker as root is a bad idea.

@ahmednreldin
Copy link

Docker recommend to use non-root as a best practice without explain why
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/

However, CIS explain this very well
https://www.cisecurity.org/benchmark/docker/
the Container Defense in Depth section clearly illustrates the point, which shows how a container with a mount volume can gain root access to the host,
image
moreover, running a containerized process as a non-root user (e.g. MySQL, Apache.etc.) offers yet another layer of secure.

@Kerwood
Copy link
Contributor

Kerwood commented Jul 13, 2022

The Toolchain docs states:

You should not work as root. Make your local user a member of the docker group to be able to control the Docker service on your machine.

Which refers to not running Docker commands as root, but add your user to the local docker group to avoid using sudo, eg. usermod -a -G docker <username>.

It doesn't matter if you run Docker commands with sudo or not. The Docker daemon still runs with root privileges whether you are in the docker group or not, it just saves you the sudo on every command. That's why its important to not run the container process as the root user.

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user

The docker group grants privileges equivalent to the root user.
https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user

What @ahmednreldin is refering to is running container in privileged mode, which is something different and you shouldn't do unless you have a very explicit reason.

If anything, that phrase in the Toolchain docs, should be removed since it apparently confuses people and it's common Docker knowledge.

@crenshaw-dev
Copy link
Member Author

Apologies, I completely misread the report. It's saying you should use sudo rather than adding your user to the docker group, because the latter effectively gives your user root (according to the Docker docs).

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

@crenshaw-dev crenshaw-dev changed the title Toolchain docs should link to Docker docs about not using root Toolchain docs should link to Docker docs about not the docker group Jul 13, 2022
@Kerwood
Copy link
Contributor

Kerwood commented Jul 13, 2022

Apologies, I completely misread the report. It's saying you should use sudo rather than adding your user to the docker group, because the latter effectively gives your user root (according to the Docker docs).

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

I can't seem to find where it says that you should use sudo instead of the docker group.

The "Before you start" section is a list of tools needed to start developing on ArgoCD. How you use Docker is not a prerequisite for developing on ArgoCD. The documentation shouldn't dictate how to use Docker and it's hardly a security concern if you use sudo or the docker group. If the developer is using MacOS or Windows it's even less of a security concern, since the Docker environment is running in a virtual machine on the host.

My proposal is to remove the part which dictates on how to run Docker since it's not a prerequisite and it's confusing.

You will also need a working Docker runtime environment, to be able to build and run images. The Docker version must be fairly recent, and support multi-stage builds. You should not work as root. Make your local user a member of the docker group to be able to control the Docker service on your machine.

Multi stage build was introduced in Docker 17.05.0, so if you want to short it down a bit and be more specific, it could be rephrased to:

You will also need a working Docker runtime environment version 17.05.0 or higher.

@crenshaw-dev
Copy link
Member Author

My proposal is to remove the part which dictates on how to run Docker since it's not a prerequisite and it's confusing.

Yep, I agree! Thanks for the clarifications. Opened a PR.

@crenshaw-dev crenshaw-dev changed the title Toolchain docs should link to Docker docs about not the docker group TOB-ARGO-024: Toolchain docs should link to Docker docs about not the docker group Jul 15, 2022
Repository owner moved this from Todo to Done in Ada Logics audit follow-up Jul 15, 2022
crenshaw-dev added a commit that referenced this issue Jul 15, 2022
* docs: simplify Docker toolchain docs (#9966)

Signed-off-by: CI <[email protected]>

* to be or not to be

Signed-off-by: CI <[email protected]>

* pin dependencies to avoid absurdity

Signed-off-by: CI <[email protected]>
crenshaw-dev added a commit that referenced this issue Jul 15, 2022
* docs: simplify Docker toolchain docs (#9966)

Signed-off-by: CI <[email protected]>

* to be or not to be

Signed-off-by: CI <[email protected]>

* pin dependencies to avoid absurdity

Signed-off-by: CI <[email protected]>
crenshaw-dev added a commit that referenced this issue Jul 26, 2022
* docs: simplify Docker toolchain docs (#9966)

Signed-off-by: CI <[email protected]>

* to be or not to be

Signed-off-by: CI <[email protected]>

* pin dependencies to avoid absurdity

Signed-off-by: CI <[email protected]>
crenshaw-dev added a commit that referenced this issue Jul 26, 2022
* docs: simplify Docker toolchain docs (#9966)

Signed-off-by: CI <[email protected]>

* to be or not to be

Signed-off-by: CI <[email protected]>

* pin dependencies to avoid absurdity

Signed-off-by: CI <[email protected]>
sujeilyfonseca added a commit to sujeilyfonseca/argo-cd that referenced this issue Sep 19, 2022
* Merge pull request from GHSA-pmjg-52h9-72qv

Signed-off-by: Michael Crenshaw <[email protected]>

formatting

Signed-off-by: Michael Crenshaw <[email protected]>

fixes from comments

Signed-off-by: Michael Crenshaw <[email protected]>

fix test

Signed-off-by: Michael Crenshaw <[email protected]>

* Merge pull request from GHSA-7943-82jg-wmw5

* add tests to demonstrate issue

Signed-off-by: Michael Crenshaw <[email protected]>

more

Signed-off-by: Michael Crenshaw <[email protected]>

docs

Signed-off-by: Michael Crenshaw <[email protected]>

settings tests

Signed-off-by: Michael Crenshaw <[email protected]>

tests for OIDC handlers, consolidating test helpers

Signed-off-by: Michael Crenshaw <[email protected]>

consolidate

Signed-off-by: Michael Crenshaw <[email protected]>

consolidate

Signed-off-by: Michael Crenshaw <[email protected]>

docs

Signed-off-by: Michael Crenshaw <[email protected]>

* fix log message

Signed-off-by: Michael Crenshaw <[email protected]>

* Bump version to 2.4.5

* Bump version to 2.4.5

* test: check for error messages from CI env (argoproj#9953)

test: check for error messages from CI env (argoproj#9953)

Signed-off-by: CI <[email protected]>

* docs: getting started notes on self-signed cert (argoproj#9429) (argoproj#9784)

* Fix argoproj#9429: A couple of notes in the docs to explain that the default certificate is insecure.

Signed-off-by: Jim Talbut <[email protected]>

* Fixes argoproj#9429: More verbose, but complete, text for Getting Started.

Signed-off-by: Jim Talbut <[email protected]>

* docs: Document the possibility of rendering Helm charts with Kustomize (argoproj#9841)

* Update kustomize.md

Resolves  argoproj#7835.

Signed-off-by: Didrik Finnøy <[email protected]>

* Removed unnecessary command flag from example. Minor text edits.

Signed-off-by: Didrik Finnøy <[email protected]>

* spelling

Signed-off-by: Didrik Finnøy <[email protected]>

* docs: small fix for plugin stream filtering (argoproj#9871)

Signed-off-by: notfromstatefarm <[email protected]>

* argoproj#9429: Adding blank line so list is formatted correctly. (argoproj#9880)

Signed-off-by: CI <[email protected]>

* fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118) (argoproj#9821)

* fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118)

Signed-off-by: shunki-fujita <[email protected]>

* Add submodule functions and unit tests
Signed-off-by: shunki-fujita <[email protected]>

* fix: Make change of tracking method work at runtime (argoproj#9820)

* fix: Make change of tracking method work at runtime

Signed-off-by: jannfis <[email protected]>

* GetAppName() will figure tracking label or annotation on its own

Signed-off-by: jannfis <[email protected]>

* Correct test comments and add another test

Signed-off-by: jannfis <[email protected]>

* Add a read lock before getting cache settings

Signed-off-by: jannfis <[email protected]>

* fix: Check tracking annotation for being self-referencing (argoproj#9791)

* fix: Check tracking annotation for being self-referencing

Signed-off-by: jannfis <[email protected]>

* Tweak isManagedLiveObj() logic

Signed-off-by: jannfis <[email protected]>

* Rename isManagedLiveResource to isSelfReferencedObj

Signed-off-by: jannfis <[email protected]>

* Add e2e test

Signed-off-by: jannfis <[email protected]>

* fix: add missing download CLI tool link for ppc64le, s390x (argoproj#9649)

Signed-off-by: Hyeonmin Park <[email protected]>

* fix: NotAfter is not set when ValidFor is set (argoproj#9911)

Signed-off-by: yongguangl <[email protected]>

* fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s (argoproj#9922)

* fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s

Signed-off-by: notfromstatefarm <[email protected]>

* fix timeouts across all gRPC servers

Signed-off-by: notfromstatefarm <[email protected]>

* use common consts

Signed-off-by: notfromstatefarm <[email protected]>

* fix: argocd login just hangs on 2.4.0 argoproj#9679 (argoproj#9935)

Signed-off-by: Xiao Yang <[email protected]>

Co-authored-by: Michael Crenshaw <[email protected]>
Signed-off-by: CI <[email protected]>

* test: Use dedicated multi-arch workloads in e2e tests (argoproj#9921)

* test: Use dedicated multi-arch workloads in e2e tests

Signed-off-by: jannfis <[email protected]>

* Use correct tag

Signed-off-by: jannfis <[email protected]>

* feat: Treat connection reset as a retryable error (argoproj#9739)

Signed-off-by: Yuan Tang <[email protected]>

* fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605) (argoproj#9895)

* fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605)

Signed-off-by: Michael Crenshaw <[email protected]>

* make things more like they were originally, since the mutex fixes the problem

Signed-off-by: Michael Crenshaw <[email protected]>

* fix typo, don't pass around a pointer when it isn't necessary

Signed-off-by: Michael Crenshaw <[email protected]>

* apply suggestions

Signed-off-by: Michael Crenshaw <[email protected]>

* docs: add terminal documentation (argoproj#9948)

Signed-off-by: notfromstatefarm <[email protected]>

* docs: fix typo in Generators-Git.md (argoproj#9949)

`ApplictionSet` --> `ApplicationSet`
Signed-off-by: CI <[email protected]>

* chore: fix build error

Signed-off-by: CI <[email protected]>

* Bump version to 2.4.6

* Bump version to 2.4.6

* docs: supported versions (argoproj#9876)

* docs: supported versions

Signed-off-by: Kostis Kapelonis <[email protected]>

* docs: supported versions feedback

Signed-off-by: Kostis Kapelonis <[email protected]>

* fix: add missing download CLI tool URL response for ppc64le, s390x (argoproj#9983)

Signed-off-by: Hyeonmin Park <[email protected]>

* fix: e2e test to use func from clusterauth instead creating one with old logic (argoproj#9989)

Signed-off-by: rishabh625 <[email protected]>

* fix: updated all a tags to Link tags in app summary (argoproj#9777)

* fix: updated all a tags to Link tags

Signed-off-by: Soumya Ghosh Dastidar <[email protected]>

* fix: revert external links to a tags

Signed-off-by: Soumya Ghosh Dastidar <[email protected]>

* fix: linting

Signed-off-by: Soumya Ghosh Dastidar <[email protected]>

* docs: simplify Docker toolchain docs (argoproj#9966) (argoproj#10006)

* docs: simplify Docker toolchain docs (argoproj#9966)

Signed-off-by: CI <[email protected]>

* to be or not to be

Signed-off-by: CI <[email protected]>

* pin dependencies to avoid absurdity

Signed-off-by: CI <[email protected]>

* docs: document directory app include/exclude fields (argoproj#9997)

Signed-off-by: CI <[email protected]>

* fix: terminal websocket write lock to avoid races (argoproj#10011)

* fix: protect terminal WriteMessage with a lock

Signed-off-by: CI <[email protected]>

* give write its own lock

Signed-off-by: CI <[email protected]>

* docs: use quotes to emphasize that ConfigMap value is a string (argoproj#9995)

Signed-off-by: CI <[email protected]>

* Support files in argocd.argoproj.io/manifest-generate-paths annotation (argoproj#9908)

Signed-off-by: Jim Wright <[email protected]>

* chore: upgrade parse-url to avoid SNYK-JS-PARSEURL-2936249 (argoproj#9826)

Signed-off-by: Michael Crenshaw <[email protected]>

* Bump version to 2.4.7

* Bump version to 2.4.7

* chore: update haproxy to 2.0.29 for redis-ha (argoproj#10045)

Signed-off-by: Justin Marquis <[email protected]>

* chore: update redis to avoid CVE-2022-2097 (argoproj#10031)

* chore: update redis to avoid CVE-2022-2097

Signed-off-by: CI <[email protected]>

* codegen

Signed-off-by: CI <[email protected]>

* chore: upgrade Dex to 2.32.0 (argoproj#10036) (argoproj#10042)

Signed-off-by: CI <[email protected]>

* docs: add argocd-server grpc metric usage (argoproj#10007)

Signed-off-by: Ashutosh <[email protected]>

Co-authored-by: Ashutosh <[email protected]>
Signed-off-by: CI <[email protected]>

* chore: update redis to 7.0.4 avoid CVE-2022-30065 (argoproj#10059)

Signed-off-by: Justin Marquis <[email protected]>

* fix: Set HOST_ARCH for yarn build from platform (argoproj#10018)

Signed-off-by: Hyeonmin Park <[email protected]>

* docs: add api field example in the appset security doc (argoproj#10087)

It seems like most of the work for the mentioned issue below is done
under the PR argoproj#9466 but from the issue description, it's probably
worth to mention the example as added here.

Related argoproj#9352

Signed-off-by: Sahdev Zala <[email protected]>

* chore: update parse-url (argoproj#10101)

* chore: upgrade parse-url

Signed-off-by: CI <[email protected]>

* edit a generated file, because that's smart

Signed-off-by: CI <[email protected]>

* fix: avoid CVE-2022-28948 (argoproj#10093)

Signed-off-by: CI <[email protected]>

* docs: add OpenSSH breaking change notes (argoproj#10104)

Signed-off-by: CI <[email protected]>

* fix: skip redirect url validation when it's the base href (argoproj#10058) (argoproj#10116)

* fix: skip redirect url validation when it's the base href (argoproj#10058)

Signed-off-by: CI <[email protected]>

nicer way of doing it

Signed-off-by: CI <[email protected]>

* fix missin arg

Signed-off-by: CI <[email protected]>

* fix: upgrade moment from 2.29.2 to 2.29.3 (argoproj#9330)

Snyk has created this PR to upgrade moment from 2.29.2 to 2.29.3.

See this package in npm:


See this project in Snyk:
https://app.snyk.io/org/argoproj/project/d2931792-eef9-4d7c-b9d6-c0cbd2bd4dbe?utm_source=github&utm_medium=referral&page=upgrade-pr
Signed-off-by: CI <[email protected]>

* chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (argoproj#9897)

Bumps [moment](https://github.com/moment/moment) from 2.29.3 to 2.29.4.
- [Release notes](https://github.com/moment/moment/releases)
- [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md)
- [Commits](moment/moment@2.29.3...2.29.4)

Signed-off-by: CI <[email protected]>
---
updated-dependencies:
- dependency-name: moment
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: support multiple extensions per resource group/kind (argoproj#9834)

* feat: support multiple extensions per resource group/kind

Signed-off-by: Alexander Matyushentsev <[email protected]>

* apply reviewers suggestions

Signed-off-by: Alexander Matyushentsev <[email protected]>

* apply reviewer notes: stream extension files one by one

Signed-off-by: Alexander Matyushentsev <[email protected]>

* wrap errors

Signed-off-by: Alexander Matyushentsev <[email protected]>

* skip symlinks

Signed-off-by: Alexander Matyushentsev <[email protected]>

* feat: support application level extensions (argoproj#9923)

Signed-off-by: Alexander Matyushentsev <[email protected]>

* fix: extensions is not loading for ConfigMap/Pods (argoproj#10010)

Signed-off-by: Alexander Matyushentsev <[email protected]>

* Bump version to 2.4.8

* Bump version to 2.4.8

* docs: Fixed indentation Error (argoproj#10123)

* Fixed indentation Error

Signed-off-by: iflan7744 <[email protected]>

* Fixed indentation Error for top-level data key

Signed-off-by: iflan7744 <[email protected]>

Co-authored-by: iflan7744 <[email protected]>
Signed-off-by: CI <[email protected]>

* docs: fix kustomize namePrefix misconception in application.yaml (argoproj#10162)

* Update docs/operator-manual/application.yaml

- Removed comment about what namePrefix does. (i.e. it does not add a prefix to the image)
- Added examples of other supported transformers. (based on looking at the source code)
- Added link to the kustomize docs where the transormers are described in more detail.

* Update kustomize casing to be consistent

Signed-off-by: whyvez <[email protected]>

* docs: improve Installation.md (argoproj#10173)

Signed-off-by: xin.li <[email protected]>

* docs: Use ConfigMap to disable TLS (argoproj#10106)

* docs: Use ConfigMap to disable TLS

Signed-off-by: Renaud Guerin <[email protected]>

* Fix typo

Signed-off-by: Renaud Guerin <[email protected]>

* docs: correct the api field description for the GitLab example (argoproj#10081)

The api field description for the GitLab example seems mistakenly
copied from the GitHub example.

Signed-off-by: Sahdev Zala <[email protected]>

* fix: Ignore non-self-referencing resources while pruning (argoproj#10198)

* fix: Ignore non-self-referencing resources while pruning

Signed-off-by: jannfis <[email protected]>

* fix: UI part for logs RBAC - do not display the logs tab when no RBAC in place (argoproj#7211) (argoproj#9828)

* show logs tab only upon explicit rbac allow policy

Signed-off-by: reggie-k <[email protected]>

* 2.4.7 docs edit

Signed-off-by: reggie-k <[email protected]>

* fix:  Drop all references to exec unless the feature is enabled (argoproj#9920) (argoproj#10187)

* fix:  Drop all references to exec unless the feature is enabled argoproj#9920

Signed-off-by: Patrick Kerwood <[email protected]>

* fixed tslint issues

Signed-off-by: Patrick Kerwood <[email protected]>

* docs(applicationset): fix layout matrix/merge generator restrictions (argoproj#10246)

Co-authored-by: Michael Crenshaw <[email protected]>

Signed-off-by: Sverre Boschman <[email protected]>

* docs: fix microsoft user management mapping role (argoproj#10251)

Signed-off-by: CI <[email protected]>

* docs: Document ignoreAggregatedRoles setting (argoproj#10206)

Signed-off-by: Brandon High <[email protected]>

* docs: fix version reference for logs UI fix (argoproj#10245)

Signed-off-by: CI <[email protected]>

* Bump version to 2.4.9

* Bump version to 2.4.9

* docs: clusterResources in declarative cluster config (argoproj#10219)

* docs: clusterResources in declarative cluster config

Signed-off-by: CI <[email protected]>

* add article

Signed-off-by: CI <[email protected]>

Signed-off-by: CI <[email protected]>

* fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285) (argoproj#10287)

* fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285)

Signed-off-by: CI <[email protected]>

* remove duplicate line

Signed-off-by: CI <[email protected]>

Signed-off-by: CI <[email protected]>

* fix: Suppressed ssh scheme url warn log (argoproj#9836)

* Fixed ssh scheme warn log degrade by argoproj#8508
Signed-off-by: kenchan0130 <[email protected]>

* Expanded repository type getCAPath testing
Signed-off-by: kenchan0130 <[email protected]>

* docs: Document safe concurrent processing of sidecar CMP (argoproj#10336)

Signed-off-by: jsmcnair <[email protected]>

Signed-off-by: jsmcnair <[email protected]>

* docs: Add "Create Namespace" to sync options doc (argoproj#3490) (argoproj#10326)

* Add create namespace to the sync options doc

Signed-off-by: JesseBot <[email protected]>

* Update docs/user-guide/sync-options.md

Co-authored-by: Michael Crenshaw <[email protected]>

Signed-off-by: JesseBot <[email protected]>
Co-authored-by: Michael Crenshaw <[email protected]>

* fix: missing actions (argoproj#10327) (argoproj#10359)

Signed-off-by: CI <[email protected]>

Signed-off-by: CI <[email protected]>

* Bump version to 2.4.10

* Bump version to 2.4.10

* docs: fix typo in upgrade notes (argoproj#10377)

Signed-off-by: Xijun Dai <[email protected]>

Signed-off-by: Xijun Dai <[email protected]>

* fix: Correctly assume cluster-scoped resources to be self-referenced (argoproj#10390)

Signed-off-by: jannfis <[email protected]>

Signed-off-by: jannfis <[email protected]>

* Pin gitops-engine to v0.7.3

Signed-off-by: jannfis <[email protected]>

* Bump version to 2.4.11

* Bump version to 2.4.11

* docs: Changes for v2.4.11

Updated the CHANGES.md to represent what changes the pull request will introduce.

Contributes to: automation-saas/native-AWS#2523

Signed-off-by: Sujeily Fonseca <[email protected]>

Co-authored-by: Michael Crenshaw <[email protected]>
Co-authored-by: argo-bot <[email protected]>
Co-authored-by: YaytayAtWork <[email protected]>
Co-authored-by: Didrik Finnøy <[email protected]>
Co-authored-by: Jake <[email protected]>
Co-authored-by: Shunki <[email protected]>
Co-authored-by: jannfis <[email protected]>
Co-authored-by: Hyeonmin Park <[email protected]>
Co-authored-by: yongguangl <[email protected]>
Co-authored-by: Xiao Yang <[email protected]>
Co-authored-by: Yuan Tang <[email protected]>
Co-authored-by: taksenov <[email protected]>
Co-authored-by: Kostis (Codefresh) <[email protected]>
Co-authored-by: rishabh625 <[email protected]>
Co-authored-by: Soumya Ghosh Dastidar <[email protected]>
Co-authored-by: Jim Wright <[email protected]>
Co-authored-by: 34FathomBelow <[email protected]>
Co-authored-by: Ashutosh <[email protected]>
Co-authored-by: Ashutosh <[email protected]>
Co-authored-by: Sahdev Zala <[email protected]>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alexander Matyushentsev <[email protected]>
Co-authored-by: Mohamed Iflan <[email protected]>
Co-authored-by: iflan7744 <[email protected]>
Co-authored-by: Yves Richard <[email protected]>
Co-authored-by: my-git9 <[email protected]>
Co-authored-by: Renaud Guérin <[email protected]>
Co-authored-by: reggie-k <[email protected]>
Co-authored-by: Kerwood <[email protected]>
Co-authored-by: Sverre Boschman <[email protected]>
Co-authored-by: César M. Cristóbal <[email protected]>
Co-authored-by: Brandon High <[email protected]>
Co-authored-by: Tadayuki Onishi <[email protected]>
Co-authored-by: jsmcnair <[email protected]>
Co-authored-by: JesseBot <[email protected]>
Co-authored-by: Xijun Dai <[email protected]>
sujeilyfonseca added a commit to sujeilyfonseca/argo-cd that referenced this issue Dec 15, 2022
* Merge pull request from GHSA-pmjg-52h9-72qv

Signed-off-by: Michael Crenshaw <[email protected]>

formatting

Signed-off-by: Michael Crenshaw <[email protected]>

fixes from comments

Signed-off-by: Michael Crenshaw <[email protected]>

fix test

Signed-off-by: Michael Crenshaw <[email protected]>

* Merge pull request from GHSA-7943-82jg-wmw5

* add tests to demonstrate issue

Signed-off-by: Michael Crenshaw <[email protected]>

more

Signed-off-by: Michael Crenshaw <[email protected]>

docs

Signed-off-by: Michael Crenshaw <[email protected]>

settings tests

Signed-off-by: Michael Crenshaw <[email protected]>

tests for OIDC handlers, consolidating test helpers

Signed-off-by: Michael Crenshaw <[email protected]>

consolidate

Signed-off-by: Michael Crenshaw <[email protected]>

consolidate

Signed-off-by: Michael Crenshaw <[email protected]>

docs

Signed-off-by: Michael Crenshaw <[email protected]>

* fix log message

Signed-off-by: Michael Crenshaw <[email protected]>

* Bump version to 2.4.5

* Bump version to 2.4.5

* test: check for error messages from CI env (argoproj#9953)

test: check for error messages from CI env (argoproj#9953)

Signed-off-by: CI <[email protected]>

* docs: getting started notes on self-signed cert (argoproj#9429) (argoproj#9784)

* Fix argoproj#9429: A couple of notes in the docs to explain that the default certificate is insecure.

Signed-off-by: Jim Talbut <[email protected]>

* Fixes argoproj#9429: More verbose, but complete, text for Getting Started.

Signed-off-by: Jim Talbut <[email protected]>

* docs: Document the possibility of rendering Helm charts with Kustomize (argoproj#9841)

* Update kustomize.md

Resolves  argoproj#7835.

Signed-off-by: Didrik Finnøy <[email protected]>

* Removed unnecessary command flag from example. Minor text edits.

Signed-off-by: Didrik Finnøy <[email protected]>

* spelling

Signed-off-by: Didrik Finnøy <[email protected]>

* docs: small fix for plugin stream filtering (argoproj#9871)

Signed-off-by: notfromstatefarm <[email protected]>

* argoproj#9429: Adding blank line so list is formatted correctly. (argoproj#9880)

Signed-off-by: CI <[email protected]>

* fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118) (argoproj#9821)

* fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118)

Signed-off-by: shunki-fujita <[email protected]>

* Add submodule functions and unit tests
Signed-off-by: shunki-fujita <[email protected]>

* fix: Make change of tracking method work at runtime (argoproj#9820)

* fix: Make change of tracking method work at runtime

Signed-off-by: jannfis <[email protected]>

* GetAppName() will figure tracking label or annotation on its own

Signed-off-by: jannfis <[email protected]>

* Correct test comments and add another test

Signed-off-by: jannfis <[email protected]>

* Add a read lock before getting cache settings

Signed-off-by: jannfis <[email protected]>

* fix: Check tracking annotation for being self-referencing (argoproj#9791)

* fix: Check tracking annotation for being self-referencing

Signed-off-by: jannfis <[email protected]>

* Tweak isManagedLiveObj() logic

Signed-off-by: jannfis <[email protected]>

* Rename isManagedLiveResource to isSelfReferencedObj

Signed-off-by: jannfis <[email protected]>

* Add e2e test

Signed-off-by: jannfis <[email protected]>

* fix: add missing download CLI tool link for ppc64le, s390x (argoproj#9649)

Signed-off-by: Hyeonmin Park <[email protected]>

* fix: NotAfter is not set when ValidFor is set (argoproj#9911)

Signed-off-by: yongguangl <[email protected]>

* fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s (argoproj#9922)

* fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s

Signed-off-by: notfromstatefarm <[email protected]>

* fix timeouts across all gRPC servers

Signed-off-by: notfromstatefarm <[email protected]>

* use common consts

Signed-off-by: notfromstatefarm <[email protected]>

* fix: argocd login just hangs on 2.4.0 argoproj#9679 (argoproj#9935)

Signed-off-by: Xiao Yang <[email protected]>

Co-authored-by: Michael Crenshaw <[email protected]>
Signed-off-by: CI <[email protected]>

* test: Use dedicated multi-arch workloads in e2e tests (argoproj#9921)

* test: Use dedicated multi-arch workloads in e2e tests

Signed-off-by: jannfis <[email protected]>

* Use correct tag

Signed-off-by: jannfis <[email protected]>

* feat: Treat connection reset as a retryable error (argoproj#9739)

Signed-off-by: Yuan Tang <[email protected]>

* fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605) (argoproj#9895)

* fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605)

Signed-off-by: Michael Crenshaw <[email protected]>

* make things more like they were originally, since the mutex fixes the problem

Signed-off-by: Michael Crenshaw <[email protected]>

* fix typo, don't pass around a pointer when it isn't necessary

Signed-off-by: Michael Crenshaw <[email protected]>

* apply suggestions

Signed-off-by: Michael Crenshaw <[email protected]>

* docs: add terminal documentation (argoproj#9948)

Signed-off-by: notfromstatefarm <[email protected]>

* docs: fix typo in Generators-Git.md (argoproj#9949)

`ApplictionSet` --> `ApplicationSet`
Signed-off-by: CI <[email protected]>

* chore: fix build error

Signed-off-by: CI <[email protected]>

* Bump version to 2.4.6

* Bump version to 2.4.6

* docs: supported versions (argoproj#9876)

* docs: supported versions

Signed-off-by: Kostis Kapelonis <[email protected]>

* docs: supported versions feedback

Signed-off-by: Kostis Kapelonis <[email protected]>

* fix: add missing download CLI tool URL response for ppc64le, s390x (argoproj#9983)

Signed-off-by: Hyeonmin Park <[email protected]>

* fix: e2e test to use func from clusterauth instead creating one with old logic (argoproj#9989)

Signed-off-by: rishabh625 <[email protected]>

* fix: updated all a tags to Link tags in app summary (argoproj#9777)

* fix: updated all a tags to Link tags

Signed-off-by: Soumya Ghosh Dastidar <[email protected]>

* fix: revert external links to a tags

Signed-off-by: Soumya Ghosh Dastidar <[email protected]>

* fix: linting

Signed-off-by: Soumya Ghosh Dastidar <[email protected]>

* docs: simplify Docker toolchain docs (argoproj#9966) (argoproj#10006)

* docs: simplify Docker toolchain docs (argoproj#9966)

Signed-off-by: CI <[email protected]>

* to be or not to be

Signed-off-by: CI <[email protected]>

* pin dependencies to avoid absurdity

Signed-off-by: CI <[email protected]>

* docs: document directory app include/exclude fields (argoproj#9997)

Signed-off-by: CI <[email protected]>

* fix: terminal websocket write lock to avoid races (argoproj#10011)

* fix: protect terminal WriteMessage with a lock

Signed-off-by: CI <[email protected]>

* give write its own lock

Signed-off-by: CI <[email protected]>

* docs: use quotes to emphasize that ConfigMap value is a string (argoproj#9995)

Signed-off-by: CI <[email protected]>

* Support files in argocd.argoproj.io/manifest-generate-paths annotation (argoproj#9908)

Signed-off-by: Jim Wright <[email protected]>

* chore: upgrade parse-url to avoid SNYK-JS-PARSEURL-2936249 (argoproj#9826)

Signed-off-by: Michael Crenshaw <[email protected]>

* Bump version to 2.4.7

* Bump version to 2.4.7

* chore: update haproxy to 2.0.29 for redis-ha (argoproj#10045)

Signed-off-by: Justin Marquis <[email protected]>

* chore: update redis to avoid CVE-2022-2097 (argoproj#10031)

* chore: update redis to avoid CVE-2022-2097

Signed-off-by: CI <[email protected]>

* codegen

Signed-off-by: CI <[email protected]>

* chore: upgrade Dex to 2.32.0 (argoproj#10036) (argoproj#10042)

Signed-off-by: CI <[email protected]>

* docs: add argocd-server grpc metric usage (argoproj#10007)

Signed-off-by: Ashutosh <[email protected]>

Co-authored-by: Ashutosh <[email protected]>
Signed-off-by: CI <[email protected]>

* chore: update redis to 7.0.4 avoid CVE-2022-30065 (argoproj#10059)

Signed-off-by: Justin Marquis <[email protected]>

* fix: Set HOST_ARCH for yarn build from platform (argoproj#10018)

Signed-off-by: Hyeonmin Park <[email protected]>

* docs: add api field example in the appset security doc (argoproj#10087)

It seems like most of the work for the mentioned issue below is done
under the PR argoproj#9466 but from the issue description, it's probably
worth to mention the example as added here.

Related argoproj#9352

Signed-off-by: Sahdev Zala <[email protected]>

* chore: update parse-url (argoproj#10101)

* chore: upgrade parse-url

Signed-off-by: CI <[email protected]>

* edit a generated file, because that's smart

Signed-off-by: CI <[email protected]>

* fix: avoid CVE-2022-28948 (argoproj#10093)

Signed-off-by: CI <[email protected]>

* docs: add OpenSSH breaking change notes (argoproj#10104)

Signed-off-by: CI <[email protected]>

* fix: skip redirect url validation when it's the base href (argoproj#10058) (argoproj#10116)

* fix: skip redirect url validation when it's the base href (argoproj#10058)

Signed-off-by: CI <[email protected]>

nicer way of doing it

Signed-off-by: CI <[email protected]>

* fix missin arg

Signed-off-by: CI <[email protected]>

* fix: upgrade moment from 2.29.2 to 2.29.3 (argoproj#9330)

Snyk has created this PR to upgrade moment from 2.29.2 to 2.29.3.

See this package in npm:


See this project in Snyk:
https://app.snyk.io/org/argoproj/project/d2931792-eef9-4d7c-b9d6-c0cbd2bd4dbe?utm_source=github&utm_medium=referral&page=upgrade-pr
Signed-off-by: CI <[email protected]>

* chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (argoproj#9897)

Bumps [moment](https://github.com/moment/moment) from 2.29.3 to 2.29.4.
- [Release notes](https://github.com/moment/moment/releases)
- [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md)
- [Commits](moment/moment@2.29.3...2.29.4)

Signed-off-by: CI <[email protected]>
---
updated-dependencies:
- dependency-name: moment
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: support multiple extensions per resource group/kind (argoproj#9834)

* feat: support multiple extensions per resource group/kind

Signed-off-by: Alexander Matyushentsev <[email protected]>

* apply reviewers suggestions

Signed-off-by: Alexander Matyushentsev <[email protected]>

* apply reviewer notes: stream extension files one by one

Signed-off-by: Alexander Matyushentsev <[email protected]>

* wrap errors

Signed-off-by: Alexander Matyushentsev <[email protected]>

* skip symlinks

Signed-off-by: Alexander Matyushentsev <[email protected]>

* feat: support application level extensions (argoproj#9923)

Signed-off-by: Alexander Matyushentsev <[email protected]>

* fix: extensions is not loading for ConfigMap/Pods (argoproj#10010)

Signed-off-by: Alexander Matyushentsev <[email protected]>

* Bump version to 2.4.8

* Bump version to 2.4.8

* docs: Fixed indentation Error (argoproj#10123)

* Fixed indentation Error

Signed-off-by: iflan7744 <[email protected]>

* Fixed indentation Error for top-level data key

Signed-off-by: iflan7744 <[email protected]>

Co-authored-by: iflan7744 <[email protected]>
Signed-off-by: CI <[email protected]>

* docs: fix kustomize namePrefix misconception in application.yaml (argoproj#10162)

* Update docs/operator-manual/application.yaml

- Removed comment about what namePrefix does. (i.e. it does not add a prefix to the image)
- Added examples of other supported transformers. (based on looking at the source code)
- Added link to the kustomize docs where the transormers are described in more detail.

* Update kustomize casing to be consistent

Signed-off-by: whyvez <[email protected]>

* docs: improve Installation.md (argoproj#10173)

Signed-off-by: xin.li <[email protected]>

* docs: Use ConfigMap to disable TLS (argoproj#10106)

* docs: Use ConfigMap to disable TLS

Signed-off-by: Renaud Guerin <[email protected]>

* Fix typo

Signed-off-by: Renaud Guerin <[email protected]>

* docs: correct the api field description for the GitLab example (argoproj#10081)

The api field description for the GitLab example seems mistakenly
copied from the GitHub example.

Signed-off-by: Sahdev Zala <[email protected]>

* fix: Ignore non-self-referencing resources while pruning (argoproj#10198)

* fix: Ignore non-self-referencing resources while pruning

Signed-off-by: jannfis <[email protected]>

* fix: UI part for logs RBAC - do not display the logs tab when no RBAC in place (argoproj#7211) (argoproj#9828)

* show logs tab only upon explicit rbac allow policy

Signed-off-by: reggie-k <[email protected]>

* 2.4.7 docs edit

Signed-off-by: reggie-k <[email protected]>

* fix:  Drop all references to exec unless the feature is enabled (argoproj#9920) (argoproj#10187)

* fix:  Drop all references to exec unless the feature is enabled argoproj#9920

Signed-off-by: Patrick Kerwood <[email protected]>

* fixed tslint issues

Signed-off-by: Patrick Kerwood <[email protected]>

* docs(applicationset): fix layout matrix/merge generator restrictions (argoproj#10246)

Co-authored-by: Michael Crenshaw <[email protected]>

Signed-off-by: Sverre Boschman <[email protected]>

* docs: fix microsoft user management mapping role (argoproj#10251)

Signed-off-by: CI <[email protected]>

* docs: Document ignoreAggregatedRoles setting (argoproj#10206)

Signed-off-by: Brandon High <[email protected]>

* docs: fix version reference for logs UI fix (argoproj#10245)

Signed-off-by: CI <[email protected]>

* Bump version to 2.4.9

* Bump version to 2.4.9

* docs: clusterResources in declarative cluster config (argoproj#10219)

* docs: clusterResources in declarative cluster config

Signed-off-by: CI <[email protected]>

* add article

Signed-off-by: CI <[email protected]>

Signed-off-by: CI <[email protected]>

* fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285) (argoproj#10287)

* fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285)

Signed-off-by: CI <[email protected]>

* remove duplicate line

Signed-off-by: CI <[email protected]>

Signed-off-by: CI <[email protected]>

* fix: Suppressed ssh scheme url warn log (argoproj#9836)

* Fixed ssh scheme warn log degrade by argoproj#8508
Signed-off-by: kenchan0130 <[email protected]>

* Expanded repository type getCAPath testing
Signed-off-by: kenchan0130 <[email protected]>

* docs: Document safe concurrent processing of sidecar CMP (argoproj#10336)

Signed-off-by: jsmcnair <[email protected]>

Signed-off-by: jsmcnair <[email protected]>

* docs: Add "Create Namespace" to sync options doc (argoproj#3490) (argoproj#10326)

* Add create namespace to the sync options doc

Signed-off-by: JesseBot <[email protected]>

* Update docs/user-guide/sync-options.md

Co-authored-by: Michael Crenshaw <[email protected]>

Signed-off-by: JesseBot <[email protected]>
Co-authored-by: Michael Crenshaw <[email protected]>

* fix: missing actions (argoproj#10327) (argoproj#10359)

Signed-off-by: CI <[email protected]>

Signed-off-by: CI <[email protected]>

* Bump version to 2.4.10

* Bump version to 2.4.10

* docs: fix typo in upgrade notes (argoproj#10377)

Signed-off-by: Xijun Dai <[email protected]>

Signed-off-by: Xijun Dai <[email protected]>

* fix: Correctly assume cluster-scoped resources to be self-referenced (argoproj#10390)

Signed-off-by: jannfis <[email protected]>

Signed-off-by: jannfis <[email protected]>

* Pin gitops-engine to v0.7.3

Signed-off-by: jannfis <[email protected]>

* Bump version to 2.4.11

* Bump version to 2.4.11

* fix: invalid error handling (argoproj#10384) (argoproj#10385)

os.IsNotExist only supports errors returned by the os package

Signed-off-by: mikutas <[email protected]>

Signed-off-by: mikutas <[email protected]>

* fix: appset controller should preserve argocd refresh annotation (argoproj#10510)

Signed-off-by: Jesse Suen <[email protected]>

Signed-off-by: Jesse Suen <[email protected]>

* fix: Added mock for gitea response in appset PR,SCM generator (argoproj#9400)

* fix: Added mock for gitea response

Signed-off-by: rishabh625 <[email protected]>

* applied reviewers comment

Signed-off-by: rishabh625 <[email protected]>

* test: fix flaky gitea tests (argoproj#10354)

* test: fix flaky gitea tests

Signed-off-by: CI <[email protected]>

* embed test data

Signed-off-by: CI <[email protected]>

Signed-off-by: CI <[email protected]>

* fix: added github and gitlab response mock and replaced  external calls (argoproj#9305)

* Added mock for gitlab and github for Unit test

Signed-off-by: rishabh625 <[email protected]>

* Added missing mock endpoint

Signed-off-by: rishabh625 <[email protected]>

* removed println and aserted for 1 master branch

Signed-off-by: rishabh625 <[email protected]>

* removed auth header assertion

Signed-off-by: rishabh625 <[email protected]>

* procfile to run binaries instead go run

Signed-off-by: rishabh625 <[email protected]>

* procfile to run binaries instead go run

Signed-off-by: rishabh625 <[email protected]>

* reverted unintentional testdata change

Signed-off-by: rishabh625 <[email protected]>

* Added test for branch do not exists

Signed-off-by: rishabh625 <[email protected]>

* fix: hide terminal on the non-pod resource kind (argoproj#9980) (argoproj#10556)

Signed-off-by: ashutosh16 <[email protected]>

Signed-off-by: ashutosh16 <[email protected]>

* docs: remove duplicate word in user-management doc (argoproj#10546)

Signed-off-by: Mickaël Canévet <[email protected]>

Signed-off-by: Mickaël Canévet <[email protected]>

* fix: update deploymentConfig's healthcheck to wait for replicationController to be Available (argoproj#10462)

* update deploymentConfig's healthcheck to wait for replicationController to be available

Signed-off-by: Roncajolo Gerald <[email protected]>

* Add Softway Medical to users

Signed-off-by: Roncajolo Gerald <[email protected]>

Signed-off-by: Roncajolo Gerald <[email protected]>

* docs: Fix Broken Link in Getting Started Docs (argoproj#10585)

* Fix Broken Link

Signed-off-by: Greg Knoblauch <[email protected]>

* Update docs/getting_started.md

Co-authored-by: asingh <[email protected]>
Signed-off-by: Greg Knoblauch <[email protected]>

Signed-off-by: Greg Knoblauch <[email protected]>
Co-authored-by: asingh <[email protected]>

* docs: update description of policy.csv example in rbac.md (argoproj#10565)

Signed-off-by: Minchao <[email protected]>

Signed-off-by: Minchao <[email protected]>

* fix: add skip-test-tls flag to optionally skip testing for tls (argoproj#9679) (argoproj#10484)

* feat: add skip-test-tls flag to optionally skip testing for tls, fixes argoproj#9679

Signed-off-by: msvechla <[email protected]>

* docs: update cli documentation

Signed-off-by: msvechla <[email protected]>

Signed-off-by: msvechla <[email protected]>

* docs: decision about logs RBAC enforcement in release notes for 2.4 (argoproj#10564)

Signed-off-by: Michael Crenshaw <[email protected]>

Signed-off-by: Michael Crenshaw <[email protected]>

* Bump version to 2.4.12

* Bump version to 2.4.12

* docs: Changes for v2.4.12

Updated the CHANGES.md to represent what changes
the pull request will introduce.

Contributes to: automation-saas/native-AWS#2523

Signed-off-by: Sujeily Fonseca <[email protected]>

Co-authored-by: Michael Crenshaw <[email protected]>
Co-authored-by: argo-bot <[email protected]>
Co-authored-by: YaytayAtWork <[email protected]>
Co-authored-by: Didrik Finnøy <[email protected]>
Co-authored-by: Jake <[email protected]>
Co-authored-by: Shunki <[email protected]>
Co-authored-by: jannfis <[email protected]>
Co-authored-by: Hyeonmin Park <[email protected]>
Co-authored-by: yongguangl <[email protected]>
Co-authored-by: Xiao Yang <[email protected]>
Co-authored-by: Yuan Tang <[email protected]>
Co-authored-by: taksenov <[email protected]>
Co-authored-by: Kostis (Codefresh) <[email protected]>
Co-authored-by: rishabh625 <[email protected]>
Co-authored-by: Soumya Ghosh Dastidar <[email protected]>
Co-authored-by: Jim Wright <[email protected]>
Co-authored-by: 34FathomBelow <[email protected]>
Co-authored-by: Ashutosh <[email protected]>
Co-authored-by: Ashutosh <[email protected]>
Co-authored-by: Sahdev Zala <[email protected]>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alexander Matyushentsev <[email protected]>
Co-authored-by: Mohamed Iflan <[email protected]>
Co-authored-by: iflan7744 <[email protected]>
Co-authored-by: Yves Richard <[email protected]>
Co-authored-by: my-git9 <[email protected]>
Co-authored-by: Renaud Guérin <[email protected]>
Co-authored-by: reggie-k <[email protected]>
Co-authored-by: Kerwood <[email protected]>
Co-authored-by: Sverre Boschman <[email protected]>
Co-authored-by: César M. Cristóbal <[email protected]>
Co-authored-by: Brandon High <[email protected]>
Co-authored-by: Tadayuki Onishi <[email protected]>
Co-authored-by: jsmcnair <[email protected]>
Co-authored-by: JesseBot <[email protected]>
Co-authored-by: Xijun Dai <[email protected]>
Co-authored-by: Takumi Sue <[email protected]>
Co-authored-by: Jesse Suen <[email protected]>
Co-authored-by: Mickaël Canévet <[email protected]>
Co-authored-by: Gerald Roncajolo <[email protected]>
Co-authored-by: Greg Knoblauch <[email protected]>
Co-authored-by: Minchao <[email protected]>
Co-authored-by: msvechla <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request good first issue Good for newcomers
Projects
Development

Successfully merging a pull request may close this issue.

3 participants