Anton Gilgur
Anton Gilgur
> * I'm using [ingress-nginx](https://github.com/kubernetes/ingress-nginx) + [geoip2](https://www.maxmind.com/en/geoip-databases) data add `x-geoip-city` and more to the headers Workaround would be to exclude Argo when adding this header. Normally this would only be...
> A workaround (on ingress-nginx) is adding the annotation `nginx.ingress.kubernetes.io/configuration-snippet` to the ingress with the `proxy_set_header` directives to set the `x-geoip-city` header to something else Regarding the workaround, as I...
Thanks @CosmicToast for investigating this! > In order for this HTTP header to make it over to be sent via grpc and the error displayed on the webui, argo must...
> I'm not too familiar with argo internals/specifics though. The gRPC and HTTP specific handlers are pretty much limited to that single file, `argoserver.go`, as I wrote above. So fortunately...
> The above wasn't exactly what I was looking for, so I struggled a little bit in setting it up. Sorry about that! You said "as-minimal-as-possible" so I skipped all...
> The problematic threat model goes something like this: if argo is exposed but kubernetes is not (presuming kubernetes is the gRPC endpoint that argo is communicating with post-factum, if...
> I was thinking Argo made requests to the Kubernetes CRI shim No, Argo doesn't touch the CRI, that's lower-level than Argo's internals. The Executors doing a bit of process...
The workaround you mentioned [above](https://github.com/argoproj/argo-workflows/issues/12721#issuecomment-1979791130) works and the one I mentioned just above it is appropriate. This isn't an Argo header and isn't a security issue, so it's very low...
> I see. If it's just as simple as adding one more platform in the workflow, then I don't see why not supporting it. IMO, I would probably reject this...