Skip to content

Commit 6a69096

Browse files
docs: enforce tokenref strict mode for AppSet-in-anyNS (argoproj-labs#2213)
* docs: enforce tokenref strict mode for AppSet-in-anyNS Assisted-by: Cursor Signed-off-by: nmirasch <neus.miras@gmail.com> * Update docs/usage/appsets-in-any-namespace.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: nmirasch <neus.miras@gmail.com> * Applied revision suggestions Signed-off-by: nmirasch <neus.miras@gmail.com> --------- Signed-off-by: nmirasch <neus.miras@gmail.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
1 parent 2e1cf4d commit 6a69096

2 files changed

Lines changed: 101 additions & 0 deletions

File tree

docs/upgrading.md

Lines changed: 75 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,81 @@
11
# Upgrading
22

33
This page contains upgrade instructions and migration guides for the Argo CD Operator.
4+
## Upgrading from Operator ≤0.18 to Operator 0.19+
5+
6+
### ApplicationSet tokenRef strict mode
7+
If you're upgrading to an operator version that defaults ApplicationSet tokenRef strict mode when ApplicationSets in any namespace are configured, note the following changes:
8+
9+
1. When `.spec.applicationSet.sourceNamespaces` expands to at least one cluster namespace, the operator sets `applicationsetcontroller.enable.tokenref.strict.mode` to `"true"` in `argocd-cmd-params-cm`
10+
2. The ApplicationSet controller requires Secrets referenced by SCM Provider and Pull Request generators via `tokenRef` to be labeled `argocd.argoproj.io/secret-type: scm-creds`
11+
3. Manual edits to this key in `argocd-cmd-params-cm` are corrected on reconcile; use the ArgoCD CR (`.spec.cmdParams`) to change behavior
12+
4. You may opt out via `.spec.cmdParams`, but this is not recommended; see [ApplicationSets in Any Namespace](./usage/appsets-in-any-namespace.md#tokenref-strict-mode)
13+
14+
### Detection
15+
16+
The following users are **unaffected** by this change:
17+
- Users who do not configure `.spec.applicationSet.sourceNamespaces` on their ArgoCD CR
18+
- Users whose `.spec.applicationSet.sourceNamespaces` patterns match no cluster namespace
19+
- Users who do not have ApplicationSets that use an SCM Provider or Pull Request generator with a `tokenRef` pointing at a Secret for API authentication
20+
- Users whose SCM `tokenRef` Secrets already have `argocd.argoproj.io/secret-type: scm-creds`
21+
22+
The following users are **affected** and should perform remediation:
23+
- Users with a non-empty expanded `.spec.applicationSet.sourceNamespaces` list whose ApplicationSets use an **SCM Provider** or **Pull Request** generator with a **`tokenRef`** pointing at a Secret for API authentication
24+
- Users whose referenced Secrets are missing the `argocd.argoproj.io/secret-type: scm-creds` label
25+
26+
### Remediation Steps
27+
28+
1. **Find ApplicationSets using `tokenRef`:**
29+
30+
```bash
31+
kubectl get applicationsets -A -o yaml | grep -B5 -A3 'tokenRef:'
32+
```
33+
34+
Review SCM Provider and Pull Request generator blocks in each ApplicationSet.
35+
36+
2. **Identify referenced Secrets:**
37+
38+
For each `tokenRef`, note `secretName` and namespace (often the Argo CD namespace or the ApplicationSet namespace).
39+
40+
```bash
41+
kubectl get secret -n <namespace> <secretName> -o yaml
42+
```
43+
44+
3. **Label SCM credential Secrets:**
45+
46+
```bash
47+
kubectl label secret -n <namespace> <secretName> \
48+
argocd.argoproj.io/secret-type=scm-creds
49+
```
50+
51+
Or in Git or your secret management workflow:
52+
53+
```yaml
54+
metadata:
55+
labels:
56+
argocd.argoproj.io/secret-type: scm-creds
57+
```
58+
59+
4. **Verify after upgrade or reconcile:**
60+
61+
```bash
62+
kubectl get cm -n <argocd-namespace> argocd-cmd-params-cm -o yaml
63+
kubectl logs -n <argocd-namespace> deploy/<instance>-applicationset-controller --tail=50
64+
```
65+
66+
Confirm `applicationsetcontroller.enable.tokenref.strict.mode` is `"true"` when source namespaces are configured, and that ApplicationSets reconcile without tokenRef or secret errors.
67+
68+
5. **Temporary opt-out (migration only):**
69+
70+
If you need time to label Secrets, set `.spec.cmdParams` on the ArgoCD CR:
71+
72+
```yaml
73+
spec:
74+
cmdParams:
75+
applicationsetcontroller.enable.tokenref.strict.mode: "false"
76+
```
77+
78+
This removes the `scm-creds` label requirement and is **not recommended** for production. Prefer labeling Secrets and keeping strict mode enabled. See [ApplicationSets in Any Namespace](./usage/appsets-in-any-namespace.md#tokenref-strict-mode) for details.
479

580
## Upgrading from Operator ≤0.14 (Argo CD ≤2.14) to Operator 0.15+ (Argo CD 3.0+)
681

docs/usage/appsets-in-any-namespace.md

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -122,5 +122,31 @@ This will configure ApplicationSet controller to allow the defined URLs for SCM
122122

123123
Only one of either `managed-by` or `applicationset-managed-by-cluster-argocd` labels can be applied to a given namespace. We will be prioritizing `managed-by` label in case of a conflict as this feature is currently in beta, so the new roles/rolebindings will not be created if namespace is already labelled with `managed-by` label, and they will be deleted if a namespace is first added to the `.spec.applicationSet.sourceNamespaces` list and is later also labelled with `managed-by` label.
124124

125+
## TokenRef strict mode
125126

127+
`tokenRef` allows an ApplicationSet generator to reference a Secret that contains authentication details, such as a Git access token.
128+
129+
When `.spec.applicationSet.sourceNamespaces` is configured on the ArgoCD CR, the Operator enables tokenRef strict mode by default. In this mode, Secrets referenced by SCM Provider or Pull Request generators through `tokenRef` must be labeled `argocd.argoproj.io/secret-type: scm-creds`. This helps prevent ApplicationSets from referencing Secrets outside the allowed namespace scope.
130+
131+
We recommend keeping strict mode enabled. Disabling it can allow ApplicationSets to reference Secrets more broadly, which may increase the risk of accidental or unauthorized Secret access.
132+
133+
For more details, see the upstream [tokenRef restrictions](https://argo-cd.readthedocs.io/en/latest/operator-manual/applicationset/Appset-Any-Namespace/#tokenref-restrictions) documentation. If you are upgrading from a previous operator version, see [ApplicationSet tokenRef strict mode](../upgrading.md#applicationset-tokenref-strict-mode) in the upgrade guide.
134+
135+
If required, you can disable strict mode by setting `.spec.cmdParams` on the ArgoCD CR:
136+
137+
```yaml
138+
apiVersion: argoproj.io/v1beta1
139+
kind: ArgoCD
140+
metadata:
141+
name: example
142+
spec:
143+
applicationSet:
144+
sourceNamespaces:
145+
- foo
146+
cmdParams:
147+
applicationsetcontroller.enable.tokenref.strict.mode: "false"
148+
```
149+
150+
!!! important
151+
Only disable strict mode temporarily during migration, or if you have compensating controls. Prefer labeling Secrets with `argocd.argoproj.io/secret-type: scm-creds` and keeping strict mode enabled.
126152

0 commit comments

Comments
 (0)