argo-workflows
feat: add token auth mode. Fixes #9090
Signed-off-by: Loric ANDRE [email protected] Fixes #9090
This implements a new server authentication mode, using a kube secret for static Bearer token authentication. We require this change for cross-cluster workflow submission from other workflows without server auth mode. See #9090 for details. This is linked to this chart update PR.
Any new auth method impacts security and therefore has a higher bar to acceptance. A quick visual inspection of the code tells me that I don't think it will work when you run argo server --auth-mode=sso --auth-mode=token.
Before we review this PR: I did not see any enhancement proposal. Can I please ask you to create an issue and explain the use case and get a few 👍 to show that people want this?
You're right about the SSO+Token, the previous code made them incompatible. It is fixed now, and I added a test to verify it.
The issue is open (https://github.com/argoproj/argo-workflows/issues/9090)
I think this is a good idea. I do think that we need the following:
- This should be self-serve, i.e. look in the namespace of the request for the secret. This will allow teams in multi-tenant mode to self-serve.
- Docs.
@alexec about the self-serve part, implementing this would then require secrets in every workflow's namespace, instead of just the server's. This seems pretty heavy to me, I can implement a toggle for this but I'm not sure this is what you mean.
What we do for similar self-serve:
- Is there a secret in the user namespace? If so, use that.
- Otherwise, is there a secret in the install namespace?
Makes sense?
I'm not sure I get what you mean by 'user namespace', since there is no user with this auth method. I can use the request's namespace instead, but this doesn't seem very useful in itself.
You're correct. I mean "request namespace", not "user namespace".
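The request-namespace-first lookup described in the two comments above, as an added Go sketch that is not argo's own code: getSecret is a hypothetical stand-in for a client-go Secret read, the secret name argo-server-token and key token are assumed values, and the presented bearer token is compared in constant time.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// getSecret reads one key of a Secret; hypothetical stand-in for client-go's Secrets(ns).Get.
type getSecret func(ns, name, key string) (value []byte, ok bool)
// lookupToken: request namespace first, then install namespace (the fallback from the thread).
func lookupToken(get getSecret, requestNS, installNS, name, key string) ([]byte, string, error) {
	for _, ns := range []string{requestNS, installNS} {
		if tok, ok := get(ns, name, key); ok {
			return tok, ns, nil // report which namespace supplied the token
		}
	}
	return nil, "", errors.New("no token secret in request or install namespace")
}

// authenticate compares the bearer token in constant time; secret name/key are assumed values.
func authenticate(get getSecret, requestNS, installNS, authHeader string) (string, error) {
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return "", errors.New("missing bearer token")
	}
	presented := strings.TrimPrefix(authHeader, "Bearer ")
	expected, ns, err := lookupToken(get, requestNS, installNS, "argo-server-token", "token")
	if err != nil {
		return "", err
	}
	// ConstantTimeCompare hides the token contents, not its length.
	if subtle.ConstantTimeCompare([]byte(presented), expected) != 1 {
		return "", errors.New("invalid token")
	}
	return ns, nil
}

// fakeGet serves constructed sample data keyed "namespace/secret/key".
func fakeGet(ns, name, key string) ([]byte, bool) {
	v, ok := map[string][]byte{
		"argo/argo-server-token/token":   []byte("install-level-secret"),
		"team-a/argo-server-token/token": []byte("team-a-secret"),
	}[ns+"/"+name+"/"+key]
	return v, ok
}

func main() {
	fmt.Println(authenticate(fakeGet, "team-a", "argo", "Bearer team-a-secret"))         // team-a <nil>
	fmt.Println(authenticate(fakeGet, "team-b", "argo", "Bearer install-level-secret")) // argo <nil>
}
```

Note that a team whose namespace holds its own secret cannot authenticate with the install-level token, since the request-namespace secret shadows the fallback.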
This PR is still a great idea as it makes automation easier and more secure.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this is a mentoring request, please provide an update here. Thank you for your contributions.
This issue has been closed due to inactivity. Feel free to re-open if you still encounter this issue.