-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Argo CD Service Account / Local Users #3185
Comments
Also, users should be able to be disabled and enabled:
For consistency, I think the recently added option to disable admin should be changed to follow this convention: stringData:
admin.enabled: "false"
admin.password: <bcrypt hash>
admin.passwordMtime: <updated during password change> |
Another proposal regarding where local account should be stored: I guess the new I propose to allow storing any settings in any secret as long as it has |
For MVP, we need to support:
When JWTs are generated, we need to persist the JWT reference somewhere so that it can be revoked. This will probably be just an adjacent key in the secret stringData:
#accounts.autouser.enabled: "false" # operator managed key
accounts.autouser.apiKey: "true" # operator managed key
accounts.autouser.tokens: "[\"<tokenid-1>\",\"<tokenid-2>\"]" # auto-generated key In the future, we could support:
I think we can continue to |
Thinking about this some more, managing accounts via a secret, may not be the best experience for operators, since it is common to have a separate mechanism for managing secrets with GitOps. For non-sensitive configuration, it is preferable to manage it via git (e.g. to allow pull requests to add/remove/disable accounts). Really, the only thing that needs to be in the secret, is the bcrypt hash of the password. Everything else is configuration and not sensitive data. This is might not be the best solution, but perhaps the configuration should be split into argocd-cm.yaml: data:
# The accounts.XXX entry is a list of the capabilities of that user
accounts.alice: login
accounts.bob: login, apiKey
accounts.bob.enabled: "false"
accounts.autouser: apiKey argocd-secret.yaml: stringData:
# Everything in the secret is typically generated by API server
accounts.alice.password: <bcrypt hash>
accounts.alice.passwordMtime: <updated during password change>
accounts.bob.password: <bcrypt hash>
accounts.bob.passwordMtime: <updated during password change>
accounts.bob.tokens: "[\"<tokenid-1>\",\"<tokenid-2>\"]"
accounts.autouser.tokens: "[\"<tokenid-1>\",\"<tokenid-2>\"]" The above configuration would result in three users:
|
Trying to use this feature. Created a local/service account
I then try to authenticate with that user using the token
But I am then asked for the username and password. |
@cyrus-mc please make sure to have the latest argocd CLI version . |
@cyrus-mc You don't have to login when using tokens. Simply provide the token when running the command. For example:
Also make sure your
|
Summary
Argo CD should introduce service accounts for the purposes of automation/API access. This is a similar request for local users, so we should consider how both use cases might be solved using the same mechanism.
Motivation
Similar to project tokens, there is a use case where a service account is needed be used by automation to perform things like:
The built-in admin account is not well suited for this since:
Project roles are also not suited, because they can only operate on applications within the project, and not control clusters, repos, projects.
Proposal
Argo CD should introduce service accounts, where RBAC privileges can be limited for that account. Service accounts should be able to generate long-lived JWTs for API access. This feature closely overlaps with the request for "local users", so I think service accounts could potentially simply equate to local users, with some controls on whether or not the user can login with a username/password vs. only API keys.
A rough draft of how this might be configured could be in a K8s secret (e.g. a new argocd-accounts secret):
In the above example, autouser, alice, and bob would be used as the
sub
field of the JWT, and is what theargocd-rbac-cm
would use in the RBAC rules.Additional requirements:
A new RBAC control for
account
will probably be need to be introduced, so that a human/admin/SSO user would be able to generate JWTs for a different account, if they had privileges.The identifiers of all vended API keys for an account, should be persisted somewhere (similar to project tokens), so that they can be revoked if necessary.
The text was updated successfully, but these errors were encountered: