Add SCM generator API endpoint allowlist support to ApplicationSet controller #9353
Comments
You mean Applications resource like create delete list should be configurable in application set via service account and that service account will have the role bindings?
@rishabh625 nah, not exactly. Here's what I have in mind:
So if someone tries to specify something different in an ApplicationSet, the controller will throw an error. For example, this would be rejected:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: myapps
spec:
  generators:
  - scmProvider:
      gitea:
        # The Gitea owner to scan.
        owner: myorg
        # The Gitea instance url
        api: https://gitea.mydomain.com/
        # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false.
        allBranches: true
        # Reference to a Secret containing an access token. (optional)
        tokenRef:
          secretName: gitea-token
          key: token
  template:
```

The reason this is important is because of the
Can we consider adding this as part of the
I think it's worth considering. It's probably excessive for right now, since I'm not sure there's a use case for "give project A access to SCM A and project B access to SCM B." That kind of selective access could be implemented by simply using different credentials. For now I think the main use case we want to cover is "make sure people can't hit arbitrary endpoints, stealing credentials." For that use case, I think a global allowlist is simpler and sufficient.
Summary
The ApplicationSet controller should accept a config item which restricts the allowed API endpoints for SCM generators.
Motivation
At some point, I think we'd like to let non-admins create and edit ApplicationSets. That's currently not possible because of the possibility to use arbitrary `project` field values and to exfiltrate secrets by setting the `api` fields of SCM generators to endpoints controlled by malicious users.

To move towards letting non-admins create/edit ApplicationSets, we should allow admins to restrict the acceptable API values at the controller level.
Proposal
We should add a config item (env var and/or ConfigMap) to the ApplicationSet controller accepting a comma-delimited list of acceptable SCM API URLs. The controller should not create Applications if the ApplicationSet SCM generator is configured to use an API not in that list.
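
A sketch of how the proposed check could behave, added here as an illustration; it is not code from Argo CD or from this issue. The function names, the exact-match-after-normalization policy, and the rejection of empty or malformed entries are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// normalizeEndpoint (hypothetical helper) canonicalizes an SCM API URL so case, default ports and trailing slashes cannot dodge the comparison.
func normalizeEndpoint(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" ||
		u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("endpoint %q must be a plain http(s)://host/path URL", raw)
	}
	defaultPort := map[string]string{"https": ":443", "http": ":80"}[u.Scheme]
	host := strings.TrimSuffix(strings.ToLower(u.Host), defaultPort)
	return u.Scheme + "://" + host + strings.TrimRight(u.EscapedPath(), "/"), nil
}

// parseAllowlist reads the comma-delimited config value; any empty or malformed entry is an error (fail closed).
func parseAllowlist(csv string) (map[string]bool, error) {
	allowed := map[string]bool{}
	for _, item := range strings.Split(csv, ",") {
		n, err := normalizeEndpoint(item)
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry: %w", err)
		}
		allowed[n] = true
	}
	return allowed, nil
}

// checkAPI returns nil only on an exact match after normalization; there is no prefix or substring matching.
func checkAPI(allowed map[string]bool, api string) error {
	n, err := normalizeEndpoint(api)
	if err != nil {
		return err
	}
	if !allowed[n] {
		return fmt.Errorf("scm api %q is not in the allowlist", api)
	}
	return nil
}

func main() {
	allowed, _ := parseAllowlist("https://gitea.mydomain.com/") // constructed config value
	fmt.Println(checkAPI(allowed, "https://gitea.mydomain.com.attacker.example/"))
}
```

A controller using a check like this would run it on every SCM generator's `api` value before fetching the `tokenRef` secret, so a rejected endpoint never receives the token.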