Red Hat SummitChapter 3. Masking sensitive annotations in the Argo CD Web UI
Argo CD hides sensitive annotation values on Secret resources from the Argo CD user interface (UI) and command-line interface (CLI). Users can configure this by specifying annotation keys to be masked in the Argo CD custom resource (CR). This feature enhances security by preventing accidental exposure of sensitive information, such as tokens or API keys, stored in annotations on Secret resources.
To enable this feature, add the resource.sensitive.mask.annotations key under .spec.extraConfig in the Argo CD CR. Specify a comma-separated list of annotation keys to mask.
Ensure that the annotation keys listed in resource.sensitive.mask.annotations are accurate and relevant to your use case. This feature does not support wildcards and requires explicit configuration in the Argo CD CR.
Prerequisites
- You have created an Argo CD instance. For more information, see "Installing a user-defined Argo CD instance".
3.1. Enabling sensitive annotations masking in the Argo CD Web UI
To enable sensitive annotations masking in the Argo CD user interface (UI), you can add the annotation key, resource.sensitive.mask.annotations, in the Argo CD custom resource (CR).
Procedure
- Log in to the OpenShift Container Platform web console.
-
In the Administrator perspective of the web console, click Operators
Installed Operators. - From the Project list, create or select the project where you want to install the user-defined Argo CD instance.
- From the installed Operators list, select Red Hat OpenShift GitOps, and then click the Argo CD tab.
To edit the Argo CD CR, complete the following steps:
-
Under the
.spec.extraConfigsection, add theresource.sensitive.mask.annotationskey. To mask a comma-separated list of values, specify the annotation key in the following YAML snippet:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- Specify a comma-separated list of sensitive annotation values, such as
openshift.io/token-secret.value,api-key, andtoken.
-
Under the
To verify that the value in the Argo CD resource has been updated successfully, complete the following steps:
-
In the Administrator perspective of the web console, click Operators
Installed Operators. -
In the Project option, select the
Argo CDnamespace. - From the installed Operators list, select Red Hat OpenShift GitOps, and then click the Argo CD tab.
- Verify that the Status field of the ArgoCD instance shows as Phase: Available.
-
In the Administrator perspective of the web console, click Operators
Argo CD hides the values of the specified annotation keys in the Argo CD UI.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}