docs: note risks of secret-injection plugins (#11617)

* docs: note risks of secret-injection plugins Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * grammar tweaks Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * grammar tweaks Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
argoproj · Jan 9, 2023 · 69b3651 · 69b3651
1 parent 79bcaa6
commit 69b3651
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/docs/operator-manual/secret-management.md b/docs/operator-manual/secret-management.md
@@ -1,6 +1,11 @@
 # Secret Management
 
-Argo CD is un-opinionated about how secrets are managed. There's many ways to do it and there's no one-size-fits-all solution. Here's some ways people are doing GitOps secrets:
+Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there's no one-size-fits-all solution.
+
+Many solutions use plugins to inject secrets into the application manifests. See [Mitigating Risks of Secret-Injection Plugins](#mitigating-risks-of-secret-injection-plugins)
+below to make sure you use those plugins securely.
+
+Here are some ways people are doing GitOps secrets:
 
 * [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 * [External Secrets Operator](https://github.com/external-secrets/external-secrets)
@@ -15,3 +20,17 @@ Argo CD is un-opinionated about how secrets are managed. There's many ways to do
 * [Kubernetes Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver)
 
 For discussion, see [#1364](https://github.com/argoproj/argo-cd/issues/1364)
+
+## Mitigating Risks of Secret-Injection Plugins
+
+Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those 
+manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to 
+anyone who has access to the Redis instance or to the repo-server.
+
+Consider these steps to mitigate the risks of secret-injection plugins:
+
+1. Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your
+   cluster supports those network policies and can actually enforce them.
+2. Consider running Argo CD on its own cluster, with no other applications running on it.
+3. [Enable password authentication on the Redis instance](https://github.com/argoproj/argo-cd/issues/3130) (currently
+   only supported for non-HA Argo CD installations).