
RFE-9358: Add env var to disable Swagger UI exposure #1183

Open
smahadik-27 wants to merge 1 commit into redhat-developer:master from smahadik-27:master

Conversation

@smahadik-27


/kind feature

Summary

  • Adds ARGOCD_SERVER_DISABLE_SWAGGER=true environment variable to the default ArgoCD server spec
  • This addresses penetration test findings (RFE-9358) where unauthenticated API schema disclosure could allow attackers to map endpoints

Test plan

  • Verify unit tests pass with go test ./controllers/argocd/...
  • Deploy modified operator to test cluster
  • Verify ArgoCD server deployment has the new env var set
  • Once upstream ArgoCD supports this env var, verify /swagger-ui returns 404

Notes

This change sets the environment variable, but requires a corresponding upstream ArgoCD change to read and act on it.

Jira: RFE-9358
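As an added example (not the PR's or the operator's code), a Go check for the two verification steps in the test plan above: it parses a constructed argocd-server Deployment fragment for ARGOCD_SERVER_DISABLE_SWAGGER=true and fetches /swagger-ui to read the status code that should become 404 once upstream honours the variable. The struct names and the sample object are assumptions made for this example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
)
// deployment: minimal, constructed shape of the Deployment fields this check needs (not the operator's own type).
type deployment struct {
	Spec struct {
		Template struct {
			Spec struct {
				Containers []struct {
					Name string `json:"name"`
					Env  []struct {
						Name  string `json:"name"`
						Value string `json:"value"`
					} `json:"env"`
				} `json:"containers"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}
// hasDisableSwaggerEnv reports whether the named container carries ARGOCD_SERVER_DISABLE_SWAGGER=true (the PR test plan's env-var check).
func hasDisableSwaggerEnv(raw []byte, container string) (bool, error) {
	var d deployment
	if err := json.Unmarshal(raw, &d); err != nil { return false, err }
	for _, c := range d.Spec.Template.Spec.Containers {
		if c.Name != container { continue }
		for _, e := range c.Env {
			if e.Name == "ARGOCD_SERVER_DISABLE_SWAGGER" && e.Value == "true" {
				return true, nil
			}
		}
	}
	return false, nil
}
// swaggerStatus returns the status code served for /swagger-ui; once upstream Argo CD honours the variable, the PR expects 404.
func swaggerStatus(client *http.Client, baseURL string) (int, error) {
	resp, err := client.Get(baseURL + "/swagger-ui")
	if err != nil { return 0, err }
	defer resp.Body.Close()
	return resp.StatusCode, nil
}
// sampleDeployment is a constructed Deployment fragment, not a real cluster object.
const sampleDeployment = `{"spec":{"template":{"spec":{"containers":[{"name":"argocd-server","env":[{"name":"ARGOCD_SERVER_DISABLE_SWAGGER","value":"true"}]}]}}}}`
func main() {
	ok, err := hasDisableSwaggerEnv([]byte(sampleDeployment), "argocd-server")
	fmt.Println("ARGOCD_SERVER_DISABLE_SWAGGER=true present:", ok, err)
}
```

Against a live cluster the JSON would come from `kubectl get deployment argocd-server -o json` and the base URL from the server route.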

@openshift-ci

openshift-ci Bot commented Jun 18, 2026


@smahadik-27: The label(s) kind/feature cannot be applied, because the repository doesn't have them.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot requested review from jannfis and keithchong June 18, 2026 11:00
@openshift-ci

openshift-ci Bot commented Jun 18, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jannfis for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 18, 2026


Hi @smahadik-27. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d67377ef-45cc-4ace-a69f-4ed47e629154

📥 Commits

Reviewing files that changed from the base of the PR and between 426874a and 6b71fdb.

📒 Files selected for processing (1)
  • controllers/argocd/argocd.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)

📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes
    • Improved Argo CD server security by disabling Swagger UI and OpenAPI specification exposure to prevent unauthorized API schema disclosure.

Walkthrough

In getArgoServerSpec, the Argo CD server route configuration is extended to set the ARGOCD_SERVER_DISABLE_SWAGGER=true environment variable, disabling Swagger UI and OpenAPI spec exposure. Inline comments documenting the security rationale are added alongside the change.

Changes

Disable Swagger/OpenAPI exposure in Argo CD server spec

Layer: Add ARGOCD_SERVER_DISABLE_SWAGGER env to server route spec
File(s): controllers/argocd/argocd.go
Summary: getArgoServerSpec now sets an Env entry with ARGOCD_SERVER_DISABLE_SWAGGER=true in the Route spec, replacing the previous Enabled: true-only configuration, with inline security comments added.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title directly and clearly describes the main change: adding an environment variable to disable Swagger UI exposure, which is the primary modification in the changeset.
Description check | ✅ Passed | The description is well-related to the changeset, explaining the security motivation (RFE-9358), the specific environment variable being added, the test plan, and upstream dependencies.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

