Epic Goal
The main goal of this Epic is to research, design, and submit a Design Proposal Document to the Argo CD community for a new feature. This feature will let cluster administrators define rules to hide (mask/scrub) sensitive values in non-Secret Kubernetes resource fields, ensuring they are not exposed in the Argo CD UI or CLI.
Why is this important?
Argo CD currently redacts values in the data and stringData fields of Secret resources. It also supports redacting annotations on Secret resources by listing their keys under resource.sensitive.mask.annotations in argocd-cm.
However, there are other Custom Resources (CRs) such as OpenShift Routes, third-party certificate management CRDs, or database operator CRs, that store sensitive data in their .spec or other fields. Since Argo CD is unaware of these custom sensitive fields, it displays them as is in the UI/CLI, creating a significant security and compliance risk.
Scenarios
As an administrator, I want to ensure sensitive TLS data stored in fields like .spec.tls.certificate and .spec.tls.key within an OpenShift Route resource is not exposed in the Argo CD UI/CLI. I can configure the Route TLS fields to be masked in argocd-cm so that Argo CD will scrub these values before displaying them.
This feature will benefit other objects as well which store sensitive data outside of a Kubernetes Secret.
SDLC Questionnaire
| S.No | Questions | Yes/No | Sample JIRA Epic |
|---|---|---|---|
| 1 | Does this Epic address a change in the way the product is being used? (eg: Adding support for OpenShift GitOps to be used in a ROSA cluster with HCP) | Yes/No | GITOPS-5223 |
| 2 | Does this Epic require a change in the application's runtime - Upgrade of operator-sdk, OLM, client-go, go-toolset ? | Yes/No | GITOPS-8104 |
| 3 | Does this Epic primarily deal with introducing a new security-related feature? (eg: Introduce SSO support) | Yes/No | GITOPS-437, GITOPS-547 |
| 4 | Does this Epic primarily deal with the modification of an existing security feature? (Eg: Supporting External Authentication for SSO) | Yes/No | GITOPS-8017 |
| 5 | Does this Epic require changes to any cryptographic library ( Eg: FIPS support for OpenShift GitOps) | Yes/No | |
| 6 | Does this Epic require any new or change in the existing cryptographic algorithms used in the product (Eg: Using GPG verification for manifests, Upgrading from SHA256 to SHA512) | Yes/No | |
| 7 | Does this Epic require any change in existing authentication mechanisms (eg: Argo CD Auth integration with OpenShift, Kerberos to OAuth) | Yes/No | GITOPS-437 GITOPS-547 |
| 8 | Does this Epic require any change in authorisation mechanism (Eg: Using RBAC and service accounts impersonation for App Sync) | Yes/No | |
| 9 | Does this Epic require a change in the Communication protocol ( Eg: Using TLS to encrypt data traffic to/from Redis cache) | Yes/No | GITOPS-720 |
| 10 | Does this Epic require a change in how External Data is parsed and validated ? ( Eg: Change from JSON to Protobuf) | Yes/No | |
| 11 | Does this Epic require a change in core libraries or runtime (Eg: go compiler upgrade, Changing Operator SDK, controller-runtime, client-go versions) | Yes/No | |
| 12 | Does this Epic require exposing any internal service to internet (Eg: Allow exposing Argo CD Agent principal via Route, using ArgoCD CR) | Yes/No | |
| 13 | Does this Epic require a change in any existing gRPC service APIs | Yes/No | |
| 14 | Does this Epic require a change in any new external service (Eg: Support for OCI container registry for storing manifests) | Yes/No | |
| 15 | Does this Epic require a change in the tenancy model ? (Eg: Supporting Apps/Appsets in Any namespace, cluster and repo credentials in any namespace) | Yes/No | |
| 16 | Does this Epic require any addition/modification of RBAC resources (Service Account, Role, RoleBinding, ClusterRole, ClusterRoleBinding) ? | Yes/No | |
| 17 | Does this Epic require a feature that needs to be enabled only for cluster scoped Argo CD instances ? | Yes/No | |
Other Considerations
- The goal of this Epic is to create and present a Design Proposal Document to the community for feedback and acceptance. The implementation of the accepted design will be addressed in a separate, subsequent Epic.
- The redaction logic must be applied at the API layer within Argo CD. This means the code changes will primarily target the core gitops-engine, which is responsible for reading and processing resource data from the cluster/Redis. Sensitive fields must be scrubbed before the data is exposed to the UI or CLI clients.
- The design of the new configuration can be modeled after the existing resource exclusion feature. For example:

```yaml
data:
  # Proposed new key to mask specific fields
  resource.sensitive.mask: |
    - apiGroups:
      - "route.openshift.io/v1"
      kinds:
      - Route
      fields:
      - spec.tls.key
      - spec.tls.certificate
```
- The existing annotation masking feature can also be used for design inspiration.
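To make the proposed masking rule concrete, the following is an added example of the scrubbing step the epic places in the API layer; it is illustrative code written for this page, not code from Argo CD or gitops-engine. It assumes a decoded manifest as nested maps (as an unstructured Kubernetes object decodes to), a rule shape that mirrors the sample configuration above (apiGroups, kinds, fields with dotted paths), that an apiGroups entry may be given either as a bare group or as group/version as in the sample, and a replacement literal chosen only for this example. The Route manifest and its TLS values are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// MaskRule mirrors one entry of the proposed resource.sensitive.mask key:
// which API groups and kinds it applies to, and which dotted field paths to scrub.
type MaskRule struct {
	APIGroups []string
	Kinds     []string
	Fields    []string
}

// maskedValue is written over every scrubbed field; the literal is chosen for this example.
const maskedValue = "++++++++"

// ruleMatches reports whether a rule applies to an object with the given apiVersion and kind.
// Assumption: an apiGroups entry may be a bare group ("route.openshift.io") or
// group/version ("route.openshift.io/v1"), as in the epic's sample; "*" matches anything.
func ruleMatches(r MaskRule, apiVersion, kind string) bool {
	group := apiVersion
	if i := strings.Index(apiVersion, "/"); i >= 0 {
		group = apiVersion[:i]
	}
	groupOK := false
	for _, g := range r.APIGroups {
		if g == "*" || g == apiVersion || g == group {
			groupOK = true
			break
		}
	}
	if !groupOK {
		return false
	}
	for _, k := range r.Kinds {
		if k == "*" || k == kind {
			return true
		}
	}
	return false
}

// scrubPath walks a dotted path through nested maps and overwrites the leaf if present.
// It returns true when a value was masked. Missing intermediate keys are left alone so an
// object that simply lacks the field is not modified or given a new key.
func scrubPath(obj map[string]interface{}, path string) bool {
	parts := strings.Split(path, ".")
	cur := obj
	for _, p := range parts[:len(parts)-1] {
		next, ok := cur[p].(map[string]interface{})
		if !ok {
			return false
		}
		cur = next
	}
	leaf := parts[len(parts)-1]
	if _, ok := cur[leaf]; !ok {
		return false
	}
	cur[leaf] = maskedValue
	return true
}

// MaskSensitiveFields applies every matching rule to a decoded manifest in place and
// returns the number of fields scrubbed. In the epic's design this runs before the
// object is handed to UI/CLI clients.
func MaskSensitiveFields(obj map[string]interface{}, rules []MaskRule) int {
	apiVersion, _ := obj["apiVersion"].(string)
	kind, _ := obj["kind"].(string)
	n := 0
	for _, r := range rules {
		if !ruleMatches(r, apiVersion, kind) {
			continue
		}
		for _, f := range r.Fields {
			if scrubPath(obj, f) {
				n++
			}
		}
	}
	return n
}

// SampleRoute returns a constructed OpenShift Route with placeholder TLS material.
func SampleRoute() map[string]interface{} {
	return map[string]interface{}{
		"apiVersion": "route.openshift.io/v1",
		"kind":       "Route",
		"metadata":   map[string]interface{}{"name": "example"},
		"spec": map[string]interface{}{
			"host": "example.apps.internal",
			"tls": map[string]interface{}{
				"termination": "edge",
				"certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
				"key":         "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
			},
		},
	}
}

// SampleRules is the epic's sample configuration expressed as Go values.
func SampleRules() []MaskRule {
	return []MaskRule{{
		APIGroups: []string{"route.openshift.io/v1"},
		Kinds:     []string{"Route"},
		Fields:    []string{"spec.tls.key", "spec.tls.certificate"},
	}}
}

func main() {
	route := SampleRoute()
	n := MaskSensitiveFields(route, SampleRules())
	fmt.Printf("masked %d field(s): %v\n", n, route["spec"])
}
```

Two behaviours worth keeping in a real implementation are visible here: non-sensitive siblings such as spec.tls.termination survive masking, and a rule that matches the kind but names a field the object does not carry is a no-op rather than an error or an injected key, so the same rule set can be applied uniformly to every object the API layer returns.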
GITOPS-4445
Definition of Ready
- The epic has been broken down into stories.
- Stories have been scoped.
- The epic has been stack ranked.
Definition of Done
- Code Complete:
- All code has been written, reviewed, and approved.
- Tested:
- Unit tests have been written and passed.
- Integration tests have been completed.
- System tests have been conducted, and all critical bugs have been fixed.
- Tested on OpenShift either upstream or downstream on a local build.
- Documentation:
- User documentation or release notes have been written.
- Build:
- Code has been successfully built and integrated into the main repository / project.
- Review:
- Code has been peer-reviewed and meets coding standards.
- All acceptance criteria defined in the user story have been met.
- Tested by reviewer on OpenShift.
- Deployment:
- The feature has been deployed on OpenShift cluster for testing.
- Acceptance:
- Product Manager or stakeholder has reviewed and accepted the work.