New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ingest https://api.github.com/meta #8271
Comments
While it may sound tempting, I think we shouldn't do this. What if people decide to remove github.com SSH keys from their configuration, because they don't use GitHub? Will they automatically be re-added? Or what if they are in a disconnect environment, and don't have access to github.com (or the Internet) at all? Or what if GitHub delivers "garbage" by accident from that endpoint for a while? I can imagine this can be provided as a script that can be used to to retrieve the keys from GitHub API and feed it into Argo CD's certificate store via We could also integrate a proper check in our CI system to verify the SSH host keys we ship against the ones shipped officially by GitHub to detect any configuration drift between them, to enable us to evaluate & possibly act on those. |
There should be a flag to turn it on/off. The alternative of adding a check to CI seems like a good first step. |
I think there is an assumption here that everyone is running the latest ArgoCD.
This solution would support all ArgoCD from version X, no matter if they run the latest version of not |
I was giving this a little more thought, and I'm still opposing having this feature in the core as automated means to update the Argo CD configuration. For one (and this is a weaker concern), this would (presumably) only solve an issue for one very vendor specific use-case (i.e. for Second, I believe that this pretty much has some security implications. We'd put some trust in an API endpoint returning data to configure some security relevant piece of information, and the data gathered from that endpoint is not even authenticated (as in, it does not provide proper message authentication or an externally verifiable signature). We have all the pieces in the puzzle to help people automate this, if they really want to (e.g. user can set up a recurring job to fetch data and re-configure Argo CD using the CLI). But I don't think we should automate this as part of core Argo CD. I would even go as far as to propose a radical change and say we should stop shipping the SSH host keys provided with our manifests, because this somehow implies control or authority over this data where we clearly don't have that. |
I'm sure that BitBucket and GitLab can be convinced to offer similar APIs. The data is validated by TLS which is definitely a validated source. I think a job that does this instead of burning in the values might be better. Clearly burning in the values had bad results. |
No, it is not. I don't want to nit on that, but simplified speaking, TLS only validates whether the peer you are talking to is indeed the one you think it is, and it makes some promises about the integrity of the data that the peer sent (i.e. that it was not modified on the way from system a to system b) - hence the name "Transport Layer Security", as it secures the transport layer between two systems. However, it makes no assumption about the integrity or validity of the actual meaning of the data that is being sent or received. Also, with TLS you usually delegate trust to a third-party (the Certificate Authority that issued the server's certificate), and there are many of such authorities trusted by default these days. You can workaround this by pinning your trust to a specific CA, or even to a specific certificate, but well - for this special use-case we'd then have a chicken-egg problem. A good analogy to that would be the actual connection to a Git repository: Just because you are talking through a valid TLS (or also SSH for that matter) connection to the Git repository's server does not mean that your repository wasn't compromised or could contain commits by rogue actors, possibly resulting in malicious data being returned for your consumption. That's why you would ensure that the data being returned (e.g. the commits to the repository) is actually what they are intended to be, and originate from the person or entity you'd assume it would, by using strict enforcement of commit signatures (using PGP or a similar strong protocol that supports message authentication). |
Ok, you're right, this is pointless. PGP keys only assert that someone either had access to keys, access to enough computing power to forge a signature, access to your computer to hack its processing path, or access to the supply chain for the software running on your computer. The same applies for TLS. If your supply chain is compromised that you can't properly validate a TLS connection, then, sure, you aren't doing what you think you're doing. |
Summary
GitHub has added their ssh keys to https://api.github.com/meta
Motivation
A number of us suffered a major GitHub driven CI outage as covered by #7723 and temporarily fixed by #7722
Proposal
How do you think this should be implemented?
Parse https://api.github.com/meta to extract the
ssh_keys
array (probably at start of the proper module).At present, it has this content:
This would allow ArgoCD to automatically ingest the latest version of the SSH keys in a secure manner (as long as ArgoCD properly validates the TLS cert for the domain).
The text was updated successfully, but these errors were encountered: