mziyabo / argocd-masking-proxy

⚠️ Experimental

masking-proxy creates an external Argo CD cluster that proxies connections to a Kubernetes API server in order to mask sensitive data out.

Some data, such as that in ConfigMaps can get leaked out in the ArgoCD UI through the Live Manifest or DIFF, which we wanted to mask out with this proxy.

• Kubernetes 1.18+
• Argo CD

## clone repo
git clone git@github.com:mziyabo/argocd-masking-proxy.git
cd masking-proxy

## install the masking-proxy helm chart
helm install --name masking-proxy ./chart/

After the install, an Argo CD cluster should be added under Settings/Clusters in the UI:

Inspect proxy.conf.json in the configmap to either add or remove masking rules before running below:

cat << EOF | kubectl apply -f -
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sample
  namespace: argocd
spec:
  destination:
    namespace: sample
    server: https://masking-proxy.masking-proxy.svc.cluster.local
  project: default
  source:
    path: examples/app
    repoURL: https://github.com/mziyabo/masking-proxy
    targetRevision: HEAD
  syncPolicy:
    syncOptions:
    - CreateNamespace=true
EOF

Note we create an application with the destination.server property pointing to the masking-proxy cluster.

Check the Argo CD UI and the configmap will have masked out the regex pattern in the proxy.conf.json i.e. (client(_?Secret|ID)):((\\s?\\\\+\"?)([a-z0-9]*)(\\\\\"|\"|\\s)?)

The pattern matches GitHub OAUTH client details:

Live Manifest:

DIFF:

Proxy configuration is via proxy.conf.json which is mounted into the pods via a ConfigMap.

Config Properties

• The proxy doesn't mask the Desired Manifest or DIFF in the UI details. The workarounds are to either use something like argocd-vault-plugin OR changing tack and masking from UI middleware instead.

This program is Experimental.

Apache-2.0