Argocd application - hide sensitive data

[danielstankw]

Hi all,
I am using application manifest to deploy ArgoCD applications, see example from docs

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    targetRevision: HEAD
    path: guestbook
  destination:
    server: https://kubernetes.default.svc
    namespace: guestbook

The issue I am facing is that in my case part of Git repo contains sensitive information (its related to the role created to be able to interact with BitBucket). I dont want users who have readonly permissions to be able to view this information in UI.
Is there a way to protect such information and anonymize it?

Example of desired output:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://**********/argocd-example-apps.git
    targetRevision: HEAD
    path: guestbook
  destination:
    server: https://kubernetes.default.svc
    namespace: guestbook

Thanks for the help!

[Babbili]

yes, is it a Kubernetes secret you're having in the git repo ? or some sensitive data like API key

[danielstankw]

As the example states, I want to be able to for example hide the Git repo URL and instead display ******

[kostis-codefresh]

You should hide the application completely from developers in the Argo CD UI.

What is the pointing of hiding the application repo itself? How are developers going to fix an app if they don't know where it it located?

[danielstankw]

@kostis-codefresh thanks for answer,
We have in our organization dev group and read-only.
Devs can fix stuff like that, but read-only should only have access to view the resources. In that case we would like them to view the pod logs, but not see the credentails.

[kostis-codefresh]

But you are not talking about credentials here. You are talking about hiding just the git repo url. Correct?

This is security through obscurity which is always a bad practice.

If devs don't need to look at git contents somewhere then that should be enforced in bit bucket and not just hiding stuff in argocd.

[Babbili]

yes, you need to mask sensitive data from being logged, many log management agents enable sensitive data scanning, and you can always filter and mask these data before it's gone to sdtout by its patterns/regexs