Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add ability to hide certain annotations on secret resources #18216

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

feat: Add ability to hide certain annotations on secret resources #18216

wants to merge 6 commits into from
+74 −11

Conversation

svghadi
Copy link
Contributor

@svghadi svghadi commented May 14, 2024
edited
Loading

Closes #15693
Implements hide-annotations.md proposal.
Depends on argoproj/gitops-engine#577

This PR adds ability to define a list of annotations to hide on secret resources. A new hide.secret.annotations key is introduced in argocd-cm configmap which can be used to configure a list of annotation keys to hide on secret resources.

hidden-annotations.mov

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@svghadi svghadi changed the title feat: Add option to hide certain annotations on secret resources in the Argo CD Web UI feat: Add option to hide certain annotations on secret resources May 14, 2024
@svghadi svghadi changed the title feat: Add option to hide certain annotations on secret resources feat: Add ability to hide certain annotations on secret resources May 14, 2024
@svghadi svghadi mentioned this pull request May 14, 2024
Open
@svghadi svghadi mentioned this pull request Jun 20, 2024
Open
@codecov Codecov
Copy link

codecov bot commented Jun 20, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 68.18182% with 7 lines in your changes missing coverage. Please review.

Project coverage is 55.84%. Comparing base (0710ff9) to head (5922883).

Files with missing lines Patch % Lines
server/application/application.go 42.85% 4 Missing ⚠️
util/settings/settings.go 78.57% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #18216      +/-   ##
==========================================
+ Coverage   55.81%   55.84%   +0.02%     
==========================================
  Files         320      320              
  Lines       44431    44445      +14     
==========================================
+ Hits        24800    24821      +21     
+ Misses      17066    17054      -12     
- Partials     2565     2570       +5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@pasha-codefresh
Copy link
Member

@CodiumAI-Agent /review

@CodiumAI-Agent
Copy link

CodiumAI-Agent commented Jun 30, 2024
edited
Loading

PR Reviewer Guide 🔍

(Review updated until commit 1bc8297)

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 PR contains tests
🔒 No security concerns identified
⚡ Key issues to review

Code Quality
The method GetHideSecretAnnotations in util/settings/settings.go uses regular expressions to process annotation keys. This could be simplified or better documented to improve maintainability.

Error Handling
In controller/appcontroller.go, the error from HideSecretData is checked, but there's no handling for potential nil objects which might be returned in case of errors. This could lead to runtime panics.

@svghadi svghadi mentioned this pull request Aug 6, 2024
Merged
@danielstankw
Copy link

What is the update on this feature? - we need it

@CodiumAI-Agent
Copy link

Persistent review updated to latest commit 1bc8297

@svghadi
Copy link
Contributor Author

svghadi commented Sep 16, 2024

Hi @danielstankw, it is awaiting review on dependent PR argoproj/gitops-engine#577.

@svghadi svghadi marked this pull request as ready for review September 16, 2024 09:22
@svghadi svghadi requested review from a team as code owners September 16, 2024 09:22
jsoref
jsoref reviewed Sep 19, 2024
View reviewed changes
util/settings/settings.go Outdated Show resolved Hide resolved
agaudreault
agaudreault requested changes Sep 23, 2024
View reviewed changes
docs/operator-manual/argocd-cm.yaml Outdated
@@ -429,3 +429,8 @@ data:

# application.sync.impersonation.enabled indicates whether the application sync can be decoupled from control plane service account using impersonation.
application.sync.impersonation.enabled: "false"

# An optional list of annotation keys to hide in UI on secret resources
hide.secret.annotations: |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not a big fan of the property key. I think it should be something like <group>.<scope>.<feature>. Something like resource.sensitive.mask.annotations. Why?

  • It acts on resource, so it goes in the same category as customization, compare options, etc.
  • The secret is not configurable, it is hardcoded. So I think we can generalize it to "sensitive" resources.
  • We don't hide the annotations, we mask them. I think the configuration should reflect that to the user. (even if the internal functions names use hide)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Incorporated this suggestion.

go.mod Outdated
@@ -2,6 +2,8 @@ module github.com/argoproj/argo-cd/v2

go 1.22.0

replace github.com/argoproj/gitops-engine => github.com/svghadi/gitops-engine v0.0.0-20240919034454-2dd3ac24b0a9
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder to revert before merge

util/settings/settings.go Outdated
if value, ok := argoCDCM.Data[hideSecretAnnotations]; ok {
annots := strings.Split(value, "\n")
for _, a := range annots {
a = regexp.MustCompile(`^\s*-`).ReplaceAllString(a, "")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a kubernetes library function we can use to make sure the annotations follow the Kubernetes guidelines instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The regex was used to clean up the input annotations from configmap and not validate them. I have removed the regex by updated the code to take in comma-seperated list of annotation keys from configmap instead of a list.

@svghadi
Add option to hide annotations on secrets
795a223 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Retrigger CI
ac7b019 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Return map instead of slice for annotations
83c67d0 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Update gitops-engine
999fada 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Use mask instead of hide
f63e2f4 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Update gitops-commit
5922883 
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi
Copy link
Contributor Author

svghadi commented Sep 24, 2024

Hi @jsoref , @agaudreault,
Thanks for the inputs. I have incorporated your feedback. Please take a look whenever you get time. I am working on updating doc and adding an e2e test.

jsoref
jsoref reviewed Sep 24, 2024
View reviewed changes
docs/operator-manual/argocd-cm.yaml
@@ -428,4 +431,4 @@ data:
webhook.maxPayloadSizeMB: 1024

# application.sync.impersonation.enabled indicates whether the application sync can be decoupled from control plane service account using impersonation.
application.sync.impersonation.enabled: "false"
application.sync.impersonation.enabled: "false"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I doubt you want to remove the end of line from the end of the file

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops! My bad. Must have removed it while cleaning up the code. Will fix it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsoref jsoref jsoref left review comments

@agaudreault agaudreault agaudreault requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Provide ability to hide defined annotations in ArgoCD web UI
6 participants
@svghadi @pasha-codefresh @CodiumAI-Agent @danielstankw @jsoref @agaudreault