
Use the TokenRequest API to support >=1.24 clusters

Open crenshaw-dev opened this issue 2 years ago • 15 comments

Summary

2.4 creates a non-expiring ServiceAccount token Secret on argocd cluster add for 1.24 clusters.

Instead, Argo CD should use the TokenRequest API.

Motivation

Kubernetes recommends using the TokenRequest API rather than relying on tokens that don't expire.

crenshaw-dev, Jun 08 '22 15:06

Throwing in some notes I kept while implementing the CLI fix: https://docs.google.com/document/d/1MmYIfM8tbEp2irCaLtgrv9jJL-coYG3u-wa3xTVkEOU/edit#heading=h.r5wcd4iwxat8

Kubernetes has a TokenManager concept that creates, refreshes, caches, and rotates tokens from the TokenRequest API. The challenge right now is that some of the clusterauth package's funcs are called directly by the argocd CLI, which doesn't allow Argo CD to persist token management. It might make sense to inject this token manager into the cluster server to add support for the TokenRequest API to avoid using these long-lived tokens.

danielhelfand, Jun 08 '22 16:06
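
An added Go sketch of the create/cache/refresh/rotate behaviour the comment above attributes to a token manager; it is not Argo CD or Kubernetes code and not part of the thread. The `request` field is a hypothetical stand-in for the TokenRequest API call, and the 80% rotation threshold and the fallback to a still-valid cached token are assumptions of this example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

type Token struct { // the TokenRequest response fields that drive rotation
	Value           string
	Issued, Expires time.Time
}

// Manager caches the short-lived token for one cluster's ServiceAccount.
// request is a hypothetical stand-in for the TokenRequest API call.
type Manager struct {
	mu      sync.Mutex
	request func(ttl time.Duration) (Token, error)
	ttl     time.Duration    // lifetime asked for on every request
	now     func() time.Time // injectable clock
	cur     *Token           // nil until the first successful request
}

// needsRefresh rotates at 80% of the token lifetime (threshold assumed here).
func needsRefresh(t Token, now time.Time) bool {
	return !now.Before(t.Issued.Add(t.Expires.Sub(t.Issued) * 8 / 10))
}

// Get returns the cached token, requesting a new one when it nears expiry.
func (m *Manager) Get() (string, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.cur != nil && !needsRefresh(*m.cur, m.now()) {
		return m.cur.Value, nil
	}
	fresh, err := m.request(m.ttl)
	if err != nil {
		if m.cur != nil && m.now().Before(m.cur.Expires) {
			return m.cur.Value, nil // refresh failed, cached token still valid
		}
		return "", fmt.Errorf("token request: %w", err)
	}
	m.cur = &fresh
	return fresh.Value, nil
}

func main() { // constructed issuer returning a dummy token, for demonstration only
	issue := func(ttl time.Duration) (Token, error) { return Token{"demo", time.Now(), time.Now().Add(ttl)}, nil }
	fmt.Println((&Manager{request: issue, ttl: time.Hour, now: time.Now}).Get())
}
```

Because the manager only holds the token in memory and re-requests it, it has to live in a long-running process; a one-shot CLI invocation has nowhere to keep it, which is the constraint the comment raises.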