This commit is contained in:
Danijel Simeunovic
2026-02-07 21:41:35 +01:00
parent bbc863995d
commit a42e94672e

@@ -8,14 +8,13 @@ Analyzed 11 ArgoCD Application manifests in `/argocd/apps/`. This report details
## Critical Issues Summary ## Critical Issues Summary
### 1. Hardcoded Secrets (CRITICAL) ### 1. Hardcoded Secrets (CRITICAL)
**Files:** application.yaml, grafana.yaml **Files:** grafana.yaml
- **application.yaml:** Database password "change-me-in-production"
- **grafana.yaml:** Admin password "forte" in plaintext - **grafana.yaml:** Admin password "forte" in plaintext
- **Impact:** Credentials exposed in Git history forever - **Impact:** Credentials exposed in Git history forever
- **Fix:** Migrate to Sealed Secrets immediately - **Fix:** Migrate to Sealed Secrets immediately
### 2. Floating Versions (CRITICAL) ### 2. Floating Versions (CRITICAL)
**Files:** application.yaml, cluster-resources-application.yaml **Files:** cluster-resources-application.yaml
- Using `HEAD` instead of tagged versions - Using `HEAD` instead of tagged versions
- No audit trail of deployments - No audit trail of deployments
- Unpredictable application behavior - Unpredictable application behavior
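Review bot: the hunk's context line still reads "Analyzed 11 ArgoCD Application manifests" while every application.yaml finding (the "change-me-in-production" database password and the floating `HEAD`) is dropped, so the report's stated scope and its findings no longer agree. If application.yaml was removed from `/argocd/apps/`, the count should become 10; if the manifest still exists and the issues were fixed, record them as resolved instead of deleting them, because the report's own "Impact" line states the credential remains in Git history and a reader should still learn that it was once committed.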
@@ -48,7 +47,6 @@ Analyzed 11 ArgoCD Application manifests in `/argocd/apps/`. This report details
| Application | Issues | Priority | Key Recommendation | | Application | Issues | Priority | Key Recommendation |
|-------------|--------|----------|---------------------| |-------------|--------|----------|---------------------|
| **music-man** | Floating HEAD, hardcoded password, no resources | HIGH | Pin version, use Sealed Secrets, add resource limits |
| **cert-manager** | Undersized (100m), single replica, tight webhook timeout | HIGH | Increase CPU to 500m, add replicas (2-3), longer timeout | | **cert-manager** | Undersized (100m), single replica, tight webhook timeout | HIGH | Increase CPU to 500m, add replicas (2-3), longer timeout |
| **cluster-resources** | Floating HEAD, RBAC missing | MEDIUM | Pin version, restrict with AppProject | | **cluster-resources** | Floating HEAD, RBAC missing | MEDIUM | Pin version, restrict with AppProject |
| **fluent-bit** | Placeholder URL, tight CPU (100m), HTTP server wide open | HIGH | Update repo URL, 200m CPU, restrict HTTP to localhost | | **fluent-bit** | Placeholder URL, tight CPU (100m), HTTP server wide open | HIGH | Update repo URL, 200m CPU, restrict HTTP to localhost |
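Review bot: deleting the whole music-man row removes the "no resources" finding and its "add resource limits" recommendation along with the password and floating-HEAD items, yet nothing in this change shows that resource limits were added. If only the secret and the version pin were addressed, keep the row with the remaining issue and recommendation rather than dropping the application from the summary table, so the table keeps one row per analyzed application.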
@@ -97,7 +95,6 @@ Analyzed 11 ArgoCD Application manifests in `/argocd/apps/`. This report details
### Phase 1: CRITICAL (Immediate) ### Phase 1: CRITICAL (Immediate)
- [ ] Migrate Grafana admin password to Sealed Secrets - [ ] Migrate Grafana admin password to Sealed Secrets
- [ ] Migrate music-man database password to Sealed Secrets
- [ ] Update placeholder repository URLs - [ ] Update placeholder repository URLs
- [ ] Pin floating versions (HEAD → git tags) - [ ] Pin floating versions (HEAD → git tags)
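Review bot: the music-man item is deleted rather than ticked; if the migration was carried out, `- [x] Migrate music-man database password to Sealed Secrets` preserves the Phase 1 record, and a follow-up item to rotate that database password belongs next to it, since moving the value into a Sealed Secret does not invalidate the plaintext that the report itself says is already in Git history.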
@@ -147,7 +144,7 @@ Analyzed 11 ArgoCD Application manifests in `/argocd/apps/`. This report details
- **monitoring stack:** Single instances (CONSIDER distributed) - **monitoring stack:** Single instances (CONSIDER distributed)
### Security Gaps ### Security Gaps
- **Secrets in Git:** Grafana, music-man (MIGRATE to Sealed Secrets) - **Secrets in Git:** Grafana
- **No Authentication:** Loki (auth_enabled: false), Prometheus (open HTTP) - **No Authentication:** Loki (auth_enabled: false), Prometheus (open HTTP)
- **Wide Permissions:** kubectl RBAC not restricted (ADD ClusterRole) - **Wide Permissions:** kubectl RBAC not restricted (ADD ClusterRole)
- **No Network Policies:** All apps (ADD NetworkPolicy) - **No Network Policies:** All apps (ADD NetworkPolicy)
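Review bot: the edited "Secrets in Git" bullet loses its action tag: "(MIGRATE to Sealed Secrets)" was removed together with music-man even though Grafana is still listed and the sibling bullets keep theirs ("ADD ClusterRole", "ADD NetworkPolicy"). Suggest `- **Secrets in Git:** Grafana (MIGRATE to Sealed Secrets)` so the Security Gaps list stays consistent with the Phase 1 checklist, where the Grafana migration is still open.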