feat: Support service account token for argocd server authentication
Argo CD Application and ApplicationSet are already considered high-level abstractions; however, end users might want to put together the capabilities Argo CD offers into a more simplified interface, either as part of an IDP implementation or even for personal convenience.

This requires setting up and authenticating with the Argo CD server in-cluster; however, the current implementation works well with out-of-cluster programmatic authentication.

For an in-cluster setup, a typical flow should be that all authentication and authorization is done in-cluster.

The typical way to achieve this as of now requires using the admin user with the initial Argo CD password.

Proposed implementation: use a Kubernetes service account token together with the admin user. Expiring tokens can be generated from a service account in-cluster and used for Argo CD server authentication, since the current Kubernetes service account token generation is secure and tokens can easily be rotated. The user can periodically rotate this token and use it for Argo CD authentication, ensuring simplicity and security, in addition to leveraging the Kubernetes-native implementation of authentication.
Update the `VerifyUsernamePassword` function to authenticate with a service account token:

```go
// Allow service account token authentication only for the 'admin' user
if username == "admin" && mgr.isKubernetesToken(password) {
	// Simply verify that the token is valid
	valid, err := mgr.verifyKubernetesToken(password, kubeClientset)
	if err != nil || !valid {
		mgr.updateFailureCount(username, true)
		return InvalidLoginErr
	}
} else {
	// If it's not a token or the username isn't 'admin', proceed with standard password verification
	valid, _ := passwordutil.VerifyPassword(password, account.PasswordHash)
	if !valid {
		mgr.updateFailureCount(username, true)
		return InvalidLoginErr
	}
}
```
Usage:

```go
// Create a dedicated service account for the in-cluster client.
// (corev1 = k8s.io/api/core/v1, authv1 = k8s.io/api/authentication/v1,
//  metav1 = k8s.io/apimachinery/pkg/apis/meta/v1)
sa := &corev1.ServiceAccount{
	ObjectMeta: metav1.ObjectMeta{
		Name:      "test-sa",
		Namespace: "default",
	},
}
createdSA, err := kubeClientset.CoreV1().ServiceAccounts("default").Create(context.TODO(), sa, metav1.CreateOptions{})
if err != nil {
	return err
}

// Request a short-lived, audience-bound token for that service account.
// int64Ptr is a one-line helper: func int64Ptr(i int64) *int64 { return &i }
tokenRequest := &authv1.TokenRequest{
	Spec: authv1.TokenRequestSpec{
		Audiences:         []string{"https://kubernetes.default.svc.cluster.local"},
		ExpirationSeconds: int64Ptr(3600), // Token valid for 1 hour
	},
}
tokenResponse, err := kubeClientset.CoreV1().ServiceAccounts("default").CreateToken(context.TODO(), createdSA.Name, tokenRequest, metav1.CreateOptions{})
if err != nil {
	return err
}
password = tokenResponse.Status.Token
```

A `scheduleTokenRefresh()` function can be set up by the user in another goroutine to periodically refresh the token and client.
Fixes #19573
Checklist:
- [x] Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
- [x] The title of the PR states what changed and the related issues number (used for the release note).
- [x] The title of the PR conforms to the Toolchain Guide
- [x] I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
- [ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
- [x] Does this PR require documentation updates?
- [ ] I've updated documentation as required by this PR.
- [x] I have signed off all my commits as required by DCO
- [x] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
- [ ] My build is green (troubleshooting builds).
- [ ] My new feature complies with the feature status guidelines.
- [x] I have added a brief description of why this PR is necessary and/or what this PR solves.
- [ ] Optional. My organization is added to USERS.md.
- [ ] Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).
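The PR snippet above delegates the real work to `isKubernetesToken` and `verifyKubernetesToken`, neither of which is shown on this page. The block below is an added example, not code from the PR or from Argo CD, of how that server-side check can be structured over the TokenReview API with an offline stand-in for the API server. Everything specific to it is assumed: the requested audience `argocd`, the single service account `argocd-admin` in namespace `argocd` that is bound to the admin login, the `sigMarker` placeholder that takes the place of a real signature, and the constructed sample tokens. It goes a step beyond the snippet: besides checking that the API server authenticates the token, it pins the accepted identity to one service account and the audience to Argo CD, so a token minted for any other service account, or for the API server's own audience as requested in the usage snippet, cannot unlock the admin account.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Assumed deployment choices (not from the PR): the audience the client asks for
// in its TokenRequest and the one service account allowed to log in as admin.
const (
	argocdAudience = "argocd"
	adminSA        = "system:serviceaccount:argocd:argocd-admin"
	sigMarker      = "signed-by-apiserver" // stands in for a real RS256 signature
)

// saClaims is the subset of a TokenRequest token's claims used here.
type saClaims struct {
	Subject  string   `json:"sub"`
	Audience []string `json:"aud"` // a JSON array in TokenRequest tokens
	Expiry   int64    `json:"exp"`
}

// parseUnverified decodes the payload WITHOUT checking the signature: it is a
// shape check only; acceptance is decided by the TokenReview result.
func parseUnverified(token string) (*saClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT")
	}
	c := &saClaims{}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, c)
	}
	return c, err
}

// looksLikeServiceAccountToken only routes between the token path and the
// password path (the role of the PR's isKubernetesToken); it grants nothing.
func looksLikeServiceAccountToken(password string) bool {
	c, err := parseUnverified(password)
	return err == nil && strings.HasPrefix(c.Subject, "system:serviceaccount:")
}

// TokenReviewer abstracts authentication.k8s.io/v1 TokenReview so the check runs
// offline: did the API server authenticate the token for audience, and as whom?
type TokenReviewer interface {
	Review(token, audience string) (authenticated bool, user string, err error)
}

// verifyServiceAccountToken accepts a token only if it is unexpired, the API
// server authenticates it for wantAud, and its subject is allowedSA.
func verifyServiceAccountToken(token string, r TokenReviewer, wantAud, allowedSA string, now time.Time) error {
	c, err := parseUnverified(token)
	if err != nil {
		return err
	}
	if c.Expiry != 0 && !now.Before(time.Unix(c.Expiry, 0)) {
		return fmt.Errorf("token expired") // the API server rejects these as well
	}
	ok, user, err := r.Review(token, wantAud)
	if err != nil || !ok {
		return fmt.Errorf("TokenReview did not authenticate the token for audience %q: %v", wantAud, err)
	}
	if user != allowedSA {
		return fmt.Errorf("token belongs to %q, not to the service account bound to admin", user)
	}
	return nil
}

// fakeReviewer stands in for the API server: it trusts only tokens carrying the
// constructed signature marker (the real server verifies a signature only it can
// produce) and, like the real server, requires the audience to be in the token.
type fakeReviewer struct{}
func (fakeReviewer) Review(token, audience string) (bool, string, error) {
	c, err := parseUnverified(token)
	if err != nil || !strings.HasSuffix(token, "."+sigMarker) {
		return false, "", nil
	}
	for _, have := range c.Audience {
		if have == audience {
			return true, c.Subject, nil
		}
	}
	return false, "", nil
}

// sampleToken builds a constructed TokenRequest-shaped token with a placeholder signature.
func sampleToken(ns, sa, aud string, exp time.Time) string {
	enc := base64.RawURLEncoding.EncodeToString
	claims := fmt.Sprintf(`{"sub":"system:serviceaccount:%s:%s","aud":["%s"],"exp":%d}`, ns, sa, aud, exp.Unix())
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(claims)) + "." + sigMarker
}

func main() {
	now := time.Now()
	tok := sampleToken("argocd", "argocd-admin", argocdAudience, now.Add(time.Hour))
	fmt.Println("bound SA token accepted:", verifyServiceAccountToken(tok, fakeReviewer{}, argocdAudience, adminSA, now) == nil)
}
```

In production the `TokenReviewer` would wrap `kubeClientset.AuthenticationV1().TokenReviews().Create(ctx, &authv1.TokenReview{Spec: authv1.TokenReviewSpec{Token: token, Audiences: []string{audience}}}, metav1.CreateOptions{})` and read `Status.Authenticated` and `Status.User.Username`. `parseUnverified` never verifies a signature, so it must stay a routing aid: a credential that merely looks like a service account token is rejected unless the API server vouches for it, as the forged-signature case shows.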
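The description leaves `scheduleTokenRefresh()` to the user. Below is an added example, not code from the PR or from Argo CD, of such a refresher in Go, with the TokenRequest call abstracted behind a `Minter` so it runs offline; the `TokenSource` type, the refresh point at 80% of the remaining lifetime, the retry interval and the constructed `fakeMinter` are all assumptions. The point it makes: mint the first token synchronously, re-mint before expiry rather than after, and keep serving the previous, still valid token when a refresh fails, so the Argo CD client never presents an expired credential.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Minter abstracts the TokenRequest call (CreateToken) so the loop runs
// offline; it returns tokenResponse.Status.Token and its ExpirationTimestamp.
type Minter func(ctx context.Context, ttl time.Duration) (token string, expiresAt time.Time, err error)

// TokenSource holds the current service account token for the Argo CD
// client and replaces it before it expires.
type TokenSource struct {
	mu      sync.RWMutex
	token   string
	expires time.Time
}

// Token returns the credential to send as the admin password, with its expiry.
func (s *TokenSource) Token() (string, time.Time) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.token, s.expires
}

// refreshAfter schedules the next mint at 80% of the remaining lifetime so a
// valid token is always in hand; an already expired token is refreshed at once.
func refreshAfter(now, expires time.Time) time.Duration {
	remaining := expires.Sub(now)
	if remaining <= 0 {
		return 0
	}
	return remaining * 4 / 5
}

func (s *TokenSource) mint(ctx context.Context, m Minter, ttl time.Duration) error {
	tok, exp, err := m(ctx, ttl)
	if err != nil {
		return err
	}
	s.mu.Lock()
	s.token, s.expires = tok, exp
	s.mu.Unlock()
	return nil
}

// Run mints the first token synchronously (callers never see an empty credential),
// then refreshes in a goroutine until ctx is cancelled; a failed refresh is
// retried after retry while the previous, still valid token keeps serving.
func (s *TokenSource) Run(ctx context.Context, m Minter, ttl, retry time.Duration) error {
	if err := s.mint(ctx, m, ttl); err != nil {
		return err
	}
	go func() {
		for {
			_, exp := s.Token()
			select {
			case <-ctx.Done():
				return
			case <-time.After(refreshAfter(time.Now(), exp)):
			}
			if err := s.mint(ctx, m, ttl); err != nil {
				time.Sleep(retry)
			}
		}
	}()
	return nil
}

// fakeMinter is a constructed stand-in for the TokenRequest API: it issues
// numbered tokens with the requested TTL and counts how many were issued.
type fakeMinter struct {
	mu    sync.Mutex
	count int
}

func (f *fakeMinter) Mint(ctx context.Context, ttl time.Duration) (string, time.Time, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.count++
	return fmt.Sprintf("token-%d", f.count), time.Now().Add(ttl), nil
}

func (f *fakeMinter) Issued() int { f.mu.Lock(); defer f.mu.Unlock(); return f.count }

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 300*time.Millisecond)
	defer cancel()
	m, src := &fakeMinter{}, &TokenSource{}
	if err := src.Run(ctx, m.Mint, 50*time.Millisecond, 10*time.Millisecond); err != nil {
		panic(err)
	}
	<-ctx.Done()
	tok, _ := src.Token()
	fmt.Println("current token:", tok, "minted so far:", m.Issued())
}
```

With a real clientset the `Minter` would issue the `CreateToken` call from the usage snippet and return `tokenResponse.Status.Token` together with `tokenResponse.Status.ExpirationTimestamp.Time`; the Argo CD client then reads `Token()` before each login rather than caching the string it saw at start-up.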
Codecov Report

Attention: Patch coverage is 68.75000% with 20 lines in your changes missing coverage. Please review.

Project coverage is 55.90%. Comparing base (ddd9d6a) to head (a0924a3). Report is 352 commits behind head on master.

Coverage diff (master vs #19572):

| | master | #19572 | +/- |
|---|---|---|---|
| Coverage | 55.87% | 55.90% | +0.02% |
| Files | 316 | 316 | |
| Lines | 43784 | 43833 | +49 |
| Hits | 24465 | 24503 | +38 |
| Misses | 16761 | 16774 | +13 |
| Partials | 2558 | 2556 | -2 |
Feel free to join the community meeting on Thursday morning Pacific time to have a discussion.
https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8/edit?pli=1
Sure @wanghong230, thanks.