From 97b43bc41c128eb5dcd5276b3f44fa42fb12ae28 Mon Sep 17 00:00:00 2001
From: pashakostohrys
Date: Mon, 9 Dec 2024 13:51:16 +0200
Subject: [PATCH] chore: reduce default max payload size in webhooks to 50MB
Signed-off-by: pashakostohrys
---
 applicationset/webhook/webhook.go | 1 -
 docs/operator-manual/argocd-cm.yaml | 2 +-
 docs/operator-manual/webhook.md | 2 +-
 util/webhook/webhook_test.go | 2 +-
 4 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/applicationset/webhook/webhook.go b/applicationset/webhook/webhook.go
index 5c78001a1deba..e05e6b9a82f24 100644
--- a/applicationset/webhook/webhook.go
+++ b/applicationset/webhook/webhook.go
@@ -117,7 +117,6 @@ func (h *WebhookHandler) startWorkerPool(webhookParallelism int) {
 }()
 }
 }
-
 func (h *WebhookHandler) HandleEvent(payload interface{}) {
 gitGenInfo := getGitGeneratorInfo(payload)
 prGenInfo := getPRGeneratorInfo(payload)
diff --git a/docs/operator-manual/argocd-cm.yaml b/docs/operator-manual/argocd-cm.yaml
index e00c2f420d240..68b4c0c7302b9 100644
--- a/docs/operator-manual/argocd-cm.yaml
+++ b/docs/operator-manual/argocd-cm.yaml
@@ -432,7 +432,7 @@ data:
 name: some-cluster
 server: https://some-cluster
 # The maximum size of the payload that can be sent to the webhook server.
- webhook.maxPayloadSizeMB: "1024"
+ webhook.maxPayloadSizeMB: "50"
 # application.sync.impersonation.enabled enables application sync to use a custom service account, via impersonation. This allows decoupling sync from control-plane service account.
 application.sync.impersonation.enabled: "false"
diff --git a/docs/operator-manual/webhook.md b/docs/operator-manual/webhook.md
index 92789e983d3b3..f57918583e3ba 100644
--- a/docs/operator-manual/webhook.md
+++ b/docs/operator-manual/webhook.md
@@ -19,7 +19,7 @@ URL configured in the Git provider should use the `/api/webhook` endpoint of you
 (e.g. `https://argocd.example.com/api/webhook`). If you wish to use a shared secret, input an arbitrary value in the secret. This value will be used when configuring the webhook in the next step.
-To prevent DDoS attacks with unauthenticated webhook events (the `/api/webhook` endpoint currently lacks rate limiting protection), it is recommended to limit the payload size. You can achieve this by configuring the `argocd-cm` ConfigMap with the `webhook.maxPayloadSizeMB` attribute. The default value is 1GB.
+To prevent DDoS attacks with unauthenticated webhook events (the `/api/webhook` endpoint currently lacks rate limiting protection), it is recommended to limit the payload size. You can achieve this by configuring the `argocd-cm` ConfigMap with the `webhook.maxPayloadSizeMB` attribute. The default value is 50MB.
 ## Github
diff --git a/util/webhook/webhook_test.go b/util/webhook/webhook_test.go
index 892fbea2038f6..0cb52d8e667b0 100644
--- a/util/webhook/webhook_test.go
+++ b/util/webhook/webhook_test.go
@@ -60,7 +60,7 @@ type reactorDef struct {
 }
 func NewMockHandler(reactor *reactorDef, applicationNamespaces []string, objects ...runtime.Object) *ArgoCDWebhookHandler {
- defaultMaxPayloadSize := int64(1) * 1024 * 1024 * 1024
+ defaultMaxPayloadSize := int64(50) * 1024 * 1024
 return NewMockHandlerWithPayloadLimit(reactor, applicationNamespaces, defaultMaxPayloadSize, objects...)
 }
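Review bot: `NewMockHandler` in `util/webhook/webhook_test.go` now repeats the new default as a literal, `int64(50) * 1024 * 1024`, while none of the four files in this patch touches the value the server applies when `webhook.maxPayloadSizeMB` is unset. If that runtime default is not lowered in a companion change, the docs and this helper will state 50MB while the unauthenticated `/api/webhook` endpoint still accepts bodies up to the old limit, which is the exposure the documentation paragraph describes. Consider having the helper read the same constant the server uses instead of a copy, e.g. `defaultMaxPayloadSize := <SERVER_DEFAULT_PAYLOAD_CONSTANT>` (placeholder; the real identifier is not visible in this patch), so the tests fail when the two drift apart.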