
Support for GCP Workload Identity Federation (multi-cloud environment)

Open filip-kolodziej-synerise opened this issue 1 year ago • 2 comments

Summary

Currently there is no easy way to authenticate to a GKE cluster (except using a bearer token) while the ArgoCD controller cluster is implemented on a different cloud, e.g. Azure. GCP provides the Workload Identity Federation concept, which lets AWS and Azure workloads authenticate to Google Cloud without a service account key. More info here.

tl;dr I would like to implement the following scenario: [image]

Motivation

It would be great if it were possible to authenticate to a GKE cluster (while the ArgoCD controller is deployed on K8s on a different cloud) without the use of tokens or passwords, especially from a security perspective.

Proposal

In the ArgoCD docs we can find an example of how to add a GKE cluster using workload identity (but this identity is managed by Google Cloud). execProviderConfig includes the argocd-k8s-auth command and takes gcp as an argument. The argocd-k8s-auth binary with the provided argument uses gcloud auth login under the hood, but there is no option to pass any flags.

To authenticate to a GKE cluster using workload identity federation, the following command must be executed: gcloud auth login --cred-file=FILEPATH.json, where FILEPATH.json is a credential configuration file (unlike a service account key, the credential configuration file doesn't contain a private key and doesn't need to be kept confidential), which can be generated using the gcloud iam workload-identity-pools command and could be mounted into the argocd-application-controller pods. I believe support for the --cred-file flag in the argocd-k8s-auth binary could do the trick.

I've tried some workarounds like building my own image with some modifications like here, but ideally I don't want to maintain the image myself. I've also nested the client-go credential helper in the Argo image, which could replace argocd-k8s-auth, but it is no longer maintained and the implemented client does not support Workload Identity Federation as it is too old.

I don't think bundling more cloud-provider specific binaries with the argo cd distribution is the right solution. You can already leverage a sidecar container with the tooling of your choice and use a shared volume to grant argocd-application-controller access to the authentication artifacts.

torfjor avatar Aug 21 '24 05:08 torfjor

I don't have the necessary environment ready to test this, but you should be able to simply point GOOGLE_APPLICATION_CREDENTIALS to your mounted external account credentials file.

The google auth libraries should be able to figure out that you are using external account credentials, and provided that the projected ksa token pointed to by the JSON file exists, should do the token exchange dance for you.

torfjor avatar Aug 21 '24 07:08 torfjor

I can confirm that using argocd-k8s-auth gcp I was able to issue a token for the GCP cluster. As @torfjor mentioned, it only needs GOOGLE_APPLICATION_CREDENTIALS to be set. Follow the docs here: https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes#aks. You need to add a GCP Service account with principals for the argocd-server and argocd-application-controller Kubernetes Service Accounts.

consi avatar Jul 09 '25 14:07 consi
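The approach confirmed in this thread, written out as an added example (not code from the issue, the Argo CD project, or the Google docs): a ConfigMap carrying the external-account credential configuration that `gcloud iam workload-identity-pools create-cred-config` generates (it holds no private key, which is why a ConfigMap rather than a Secret is acceptable), and a strategic-merge patch for the argocd-application-controller StatefulSet that mounts it next to a projected KSA token whose audience matches the pool provider and sets GOOGLE_APPLICATION_CREDENTIALS so `argocd-k8s-auth gcp` picks it up. PROJECT_NUMBER, POOL_ID, PROVIDER_ID, SA_EMAIL and the volume/ConfigMap names are placeholders; the existing GKE cluster Secret with `execProviderConfig` stays as in the Argo CD docs.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gcp-wif-credential-config   # placeholder name
  namespace: argocd
data:
  credential-configuration.json: |
    {
      "type": "external_account",
      "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
      "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
      "token_url": "https://sts.googleapis.com/v1/token",
      "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SA_EMAIL:generateAccessToken",
      "credential_source": {
        "file": "/var/run/service-account/token",
        "format": { "type": "text" }
      }
    }
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: argocd-application-controller
  namespace: argocd
spec:
  template:
    spec:
      containers:
      - name: argocd-application-controller
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS   # read by the Google auth library behind argocd-k8s-auth gcp
          value: /etc/workload-identity/credential-configuration.json
        volumeMounts:
        - name: gcp-ksa-token                    # short-lived projected token, exchanged at STS
          mountPath: /var/run/service-account
          readOnly: true
        - name: gcp-wif-credential-config
          mountPath: /etc/workload-identity
          readOnly: true
      volumes:
      - name: gcp-ksa-token
        projected:
          sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600
              audience: https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
      - name: gcp-wif-credential-config
        configMap:
          name: gcp-wif-credential-config
```

The same patch applies to the argocd-server Deployment if it needs cluster access, and the Kubernetes Service Accounts of both workloads must be granted as principals on the target GCP service account, as consi notes above.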