-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add ability to hide certain annotations on secret resources #18216
base: master
Are you sure you want to change the base?
Conversation
e699991
to
9d72639
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #18216 +/- ##
==========================================
+ Coverage 55.81% 55.84% +0.02%
==========================================
Files 320 320
Lines 44431 44445 +14
==========================================
+ Hits 24800 24821 +21
+ Misses 17066 17054 -12
- Partials 2565 2570 +5 ☔ View full report in Codecov by Sentry. |
@CodiumAI-Agent /review |
PR Reviewer Guide 🔍(Review updated until commit 1bc8297)
|
9d72639
to
1bc8297
Compare
What is the update on this feature? - we need it |
Persistent review updated to latest commit 1bc8297 |
Hi @danielstankw, it is awaiting review on dependent PR argoproj/gitops-engine#577. |
1bc8297
to
ba1ceae
Compare
ba1ceae
to
b8b4896
Compare
docs/operator-manual/argocd-cm.yaml
Outdated
@@ -429,3 +429,8 @@ data: | |||
|
|||
# application.sync.impersonation.enabled indicates whether the application sync can be decoupled from control plane service account using impersonation. | |||
application.sync.impersonation.enabled: "false" | |||
|
|||
# An optional list of annotation keys to hide in UI on secret resources | |||
hide.secret.annotations: | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not a big fan of the property key. I think it should be something like <group>.<scope>.<feature>
. Something like resource.sensitive.mask.annotations
. Why?
- It acts on resource, so it goes in the same category as customization, compare options, etc.
- The secret is not configurable, it is hardcoded. So I think we can generalize it to "sensitive" resources.
- We don't hide the annotations, we mask them. I think the configuration should reflect that to the user. (even if the internal functions names use hide)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Incorporated this suggestion.
go.mod
Outdated
@@ -2,6 +2,8 @@ module github.com/argoproj/argo-cd/v2 | |||
|
|||
go 1.22.0 | |||
|
|||
replace github.com/argoproj/gitops-engine => github.com/svghadi/gitops-engine v0.0.0-20240919034454-2dd3ac24b0a9 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reminder to revert before merge
util/settings/settings.go
Outdated
if value, ok := argoCDCM.Data[hideSecretAnnotations]; ok { | ||
annots := strings.Split(value, "\n") | ||
for _, a := range annots { | ||
a = regexp.MustCompile(`^\s*-`).ReplaceAllString(a, "") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a kubernetes library function we can use to make sure the annotations follow the Kubernetes guidelines instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The regex was used to clean up the input annotations from configmap and not validate them. I have removed the regex by updated the code to take in comma-seperated list of annotation keys from configmap instead of a list.
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
6197a8f
to
5922883
Compare
Hi @jsoref , @agaudreault, |
@@ -428,4 +431,4 @@ data: | |||
webhook.maxPayloadSizeMB: 1024 | |||
|
|||
# application.sync.impersonation.enabled indicates whether the application sync can be decoupled from control plane service account using impersonation. | |||
application.sync.impersonation.enabled: "false" | |||
application.sync.impersonation.enabled: "false" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I doubt you want to remove the end of line from the end of the file
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops! My bad. Must have removed it while cleaning up the code. Will fix it.
Closes #15693
Implements hide-annotations.md proposal.
Depends on argoproj/gitops-engine#577
This PR adds ability to define a list of annotations to hide on secret resources. A new
hide.secret.annotations
key is introduced inargocd-cm
configmap which can be used to configure a list of annotation keys to hide on secret resources.hidden-annotations.mov
Checklist: