Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Automate creation of API tokens #14

Closed
ONordander opened this issue Jan 14, 2022 · 7 comments
Closed

Automate creation of API tokens #14

ONordander opened this issue Jan 14, 2022 · 7 comments
Labels
enhancement New feature or request stale

Comments

@ONordander
Copy link

What problem are you facing?

I want to use provider-argocd for automatically adding provisioned clusters to ArgoCD.
However the provider needs the initial ArgoCD API-token to communicate with ArgoCD, I want to automate as much as possible, so I also want to automate the token creation and it should ultimately be stored in a Secret that the ProviderConfig can use.

How could Crossplane help solve your problem?

Make it possible to automate creation of API tokens to be used by the ProviderConfig.

@ONordander ONordander added the enhancement New feature or request label Jan 14, 2022
@ONordander ONordander changed the title Make creating API tokens easier Automate creation of API tokens Jan 14, 2022
@janwillies
Copy link
Collaborator

janwillies commented Jan 14, 2022

Hey Otto, thanks for opening this!

Currently provider-argocd needs a dedicated account at argocd (with scope: apiKey) and a corresponding account token (currently not very clear from the api docs, but stated in the readme).

If I understand correctly you are looking to automate the following initial account token creation for the user provider-argocd:

ARGOCD_ADMIN_SECRET=$(kubectl view-secret argocd-initial-admin-secret -n argocd -q)
ARGOCD_ADMIN_TOKEN=$(curl -s -X POST -k -H "Content-Type: application/json" --data '{"username":"admin","password":"'$ARGOCD_ADMIN_SECRET'"}' https://localhost:8443/api/v1/session | jq -r .token)
ARGOCD_TOKEN=$(curl -s -X POST -k -H "Authorization: Bearer $ARGOCD_ADMIN_TOKEN" -H "Content-Type: application/json" https://localhost:8443/api/v1/account/provider-argocd/token | jq -r .token)
kubectl create secret generic argocd-credentials -n crossplane-system --from-literal=authToken="$ARGOCD_TOKEN"

That means the starting point is the initial admin account with user/pass?

  1. With the initial admin user/pass we can connect to /v1/session and get a session token.
  2. With the session token we can connect to /v1/account/<name>/token and create an account token.
  3. Everything else will be via this account token (like implemented today)

Did I get this right?

This probably means implementing the account API and making some changes to providerConfig so that it understands the initial admin user/pass and initiates a session based on that.

@ONordander
Copy link
Author

Yes that sounds right to me.
I'll try to get some time to work on this and keep you posted.
For now, I'll leave it open if anyone else wants to work on this.

@github-actions
Copy link

Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale because it has had no activity in the last 90 days. It will be closed in 7 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

@nabuskey
Copy link

nabuskey commented Jan 5, 2024

This would be a great enhancement for this provider. My use case:

I want to spin up a local cluster with ArgoCD and Crossplane installed. Once they are available, I want to add an ArgoCD application that creates a non-local cluster through Crossplane. Once the cluster is ready and kubeconfig secret created, make the cluster one of destination clusters in ArgoCD.

It's not possible to do this without scripts right now. You either have to:

  1. ArgoCD resource hook to invoke a scrip that obtains token from ArgoCD API server, then store it in a secret for this proivder to use.
  2. Don't use this provider. Use ArgoCD resource hook and cron jobs to create and update the secret that ArgoCD expects.

I've opted to the second option for now but I think this is definitely something a controller should take on.

Ideally though, ArgoCD should accept kubeconfig. But it seems like it's not happening anytime soon.

@ONordander @janwillies If no one is working on this, I may be able to work on this.

@janwillies
Copy link
Collaborator

Hey @nabuskey,

Thanks for bringing this up again. I agree with your observation that Argo CD won't accept a plain kubeconfig anytime soon, unfortunately.
In the meantime, the next-best place would indeed be this provider. I would be very happy to review a PR for this.

@janwillies janwillies reopened this Jan 11, 2024
@github-actions github-actions bot removed the stale label Jan 12, 2024
@joebowbeer
Copy link

#66 provides support for kubeconfig authentication

Copy link

Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale because it has had no activity in the last 90 days. It will be closed in 7 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request stale
Projects
None yet
Development

No branches or pull requests

4 participants