-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Allow users to disable default project creation (#15518) #15530
feat: Allow users to disable default project creation (#15518) #15530
Conversation
22136a3
to
b46976b
Compare
ListenHost: *address, | ||
RepoClientset: &forwardRepoClientset{namespace: namespace, context: ctxStr, repoServerName: clientOpts.RepoServerName}, | ||
EnableProxyExtension: false, | ||
DisableDefaultProjectCreation: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I decided to disable the default project creation in headless use-case, as I felt it would be side-effect there. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that should happen. If running Argo CD in headless mode, the expectation would be that there should not be any breaking changes (which this would be).
IMO I think the way to go is to add a command line option here (defaulting to false
).
On the other side, it totally makes sense for any command invoking headless to have this set to true
(since as you say, running e.g argocd repo add
should not on its own create a default
AppProject
if it has been disabled in argocd-server
.
Do you have any thoughts on this @crenshaw-dev?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm. The more I'm looking at this, I'm starting to wonder if it wouldn't be better if the initDefaultProject
function was instead moved to the application controller, to better accommodate the headless use case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO I think the way to go is to add a command line option here (defaulting to false).
Thanks for the suggestion! I've implemented your idea in this commit
Regarding moving initDefaultProject to the application controller, I'm open to it if it better suits headless use cases. 😊
e223f63
to
eb852b7
Compare
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## master #15530 +/- ##
==========================================
- Coverage 50.00% 50.00% -0.01%
==========================================
Files 266 266
Lines 45631 45638 +7
==========================================
+ Hits 22818 22821 +3
- Misses 20581 20585 +4
Partials 2232 2232
☔ View full report in Codecov by Sentry. |
@@ -241,6 +243,7 @@ func NewCommand() *cobra.Command { | |||
command.Flags().BoolVar(&dexServerStrictTLS, "dex-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_SERVER_DEX_SERVER_STRICT_TLS", false), "Perform strict validation of TLS certificates when connecting to dex server") | |||
command.Flags().StringSliceVar(&applicationNamespaces, "application-namespaces", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES", []string{}, ","), "List of additional namespaces where application resources can be managed in") | |||
command.Flags().BoolVar(&enableProxyExtension, "enable-proxy-extension", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_PROXY_EXTENSION", false), "Enable Proxy Extension feature") | |||
command.Flags().BoolVar(&disableDefaultProjectCreation, "disable-default-project-creation", env.ParseBoolFromEnv("ARGOCD_DISABLE_DEFAULT_PROJECT_CREATION", false), "Disable default project creation") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you also add an env mapping to the application-controller argocd-server configmap?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
0ff0235
to
054749d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my comment above, apart from that it LGTM at least 😄
Signed-off-by: Henrik Huitti <henrik.huitti@henhu.fi>
…and reference manifests Signed-off-by: Henrik Huitti <henrik.huitti@henhu.fi>
Signed-off-by: Henrik Huitti <henrik.huitti@henhu.fi>
…in headless mode Signed-off-by: Henrik Huitti <henrik.huitti@henhu.fi>
d105162
to
f5af4ad
Compare
Hm. I'm not sure that disabling the default project is the way to go. There are a couple of places within Argo CD that assume the default project to exist. I may have missed the conversation, but why don't we lock down the default project so it's only able to do... nothing? :) |
Ah, I've missed that! Our use-case for this feature would be to handle the default project CR outside of the argocd-server runtime, so we can restrict it the way we like it (and we don't need to do any convoluted and hack'ish "ensure our custom CR is created before argocd-server starts up" (or even omit it completely, which might not be possible if your statement is correct). This PR provides an "escape hatch" for us, letting us disable a feature in argocd-server that doesn't meet our requirements. We can then implement it externally as we see fit. Importantly, this won't alter the default behavior for other users.
While locking down the default project could work for us, it seems like a non-starter given the discussion in #11058. We can't afford to wait for Argo CD 3.0 for our internal platform needs, so instead, we proposed #15518 |
Thanks @henkka, I've put some of my thoughts around this into the discussion at #11058 (comment) |
Thanks @jannfis for driving this forward. 😊 Closing this PR and associated issue as we monitor the progress on #11058. |
Summary
Allow users to disable the automatic creation of the default project in argocd-server. Closes #15518
Motivation
To enhance Argo CD security, this feature offers an alternative to #11058, inspired by @12345ieee's comment here. This would let us disable
default
project creation during runtime and either create a hardened version declaratively before argocd-server starts or omit thedefault
project entirely.Checklist: