weixin_39859061
2021-01-11 12:10 阅读 0

Webhook secrets

We would like to have ArgoCD sync its own config, and noticed that webhook secret for the git provider is lodged in the argocd-secret Kubernetes secret. We don't want to overwrite other keys in that secret (especially ones that are added at runtime by ArgoCD itself). If you think it's a good idea, I'd be happy to raise a PR that moves the webhook secrets into their own secret, possibly called argocd-webhook-secret.

该提问来源于开源项目:argoproj/argo-cd

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

5条回答 默认 最新

  • weixin_39859061 weixin_39859061 2021-01-11 12:10

    Interestingly, I noticed that our GitHub webhook is accepted by argocd server even if the secret is not set, or does not match.

    点赞 评论 复制链接分享
  • weixin_39574869 weixin_39574869 2021-01-11 12:10

    We don't want to overwrite other keys in that secret (especially ones that are added at runtime by ArgoCD itself).

    Argo CD is supposed to only auto-generate keys when it is missing. All keys of the Argo CD secret can be generated/maintained manually if you prefer, since there is nothing magic about how these values were generated. See: https://github.com/argoproj/argo-cd/blob/master/manifests/base/argocd-secret.yaml

    Given the ability to formulate the secret manually, I feel having a single secret is still desirable.

    I noticed that our GitHub webhook is accepted by argocd server even if the secret is not set, or does not match.

    Yes, Argo CD will respond to webhooks, but the content of the webhook payload is considered untrusted (regardless if backed by the shared secret), and will only glean the git URL from it to refresh the app. See: https://github.com/argoproj/argo-cd/blob/master/docs/security.md#webhook-payloads

    点赞 评论 复制链接分享
  • weixin_39859061 weixin_39859061 2021-01-11 12:10

    Hey Jesse, thanks for your quick response. Also big thanks for everything you guys are doing, it's amazing! Does this mean that the webhook passwords don't actually serve a purpose? Should we remove them?

    点赞 评论 复制链接分享
  • weixin_39574869 weixin_39574869 2021-01-11 12:10

    Thanks for the encouraging word!

    Does this mean that the webhook passwords don't actually serve a purpose? Should we remove them?

    If your Argo CD is on the public internet, I would configure a webhook secret to prevent a DDoS attack. I can imagine an attack where a malicious script keeps posting fake webhook payloads to Argo CD, which causes the Argo CD controller to become busy refreshing applications over and over again. To do this, the attacker would need to know what git repo URL your apps are using, and formulate the payload accordingly. But the worst case is your applications get refreshed unnecessarily, and making your controller slower to refresh other apps.

    点赞 评论 复制链接分享
  • weixin_39859061 weixin_39859061 2021-01-11 12:10

    Thanks Jesse. I'll close for now as no further action is required.

    点赞 评论 复制链接分享

相关推荐