docs: add terminal documentation

Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com>
argoproj · Jul 12, 2022 · e8ee03f · e8ee03f
1 parent 10324a6
commit e8ee03f
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 16 deletions.
diff --git a/docs/assets/terminal.png b/docs/assets/terminal.png
diff --git a/docs/operator-manual/rbac.md b/docs/operator-manual/rbac.md
@@ -59,22 +59,7 @@ also use glob patterns in the action path: `action/*` (or regex patterns if you
 `exec` is a special resource. When enabled with the `create` action, this privilege allows a user to `exec` into Pods via 
 the Argo CD UI. The functionality is similar to `kubectl exec`.
 
-`exec` is a powerful privilege. It allows the user to run arbitrary code on any Pod managed by an Application for which
-they have `create` privileges. If the Pod mounts a ServiceAccount token (which is the default behavior of Kubernetes),
-then the user effectively has the same privileges as that ServiceAccount.
-
-The exec feature is disabled entirely by default. To enable it, set the `exec.enabled` key to "true" on the argocd-cm 
-ConfigMap. You will also need to add the following to the argocd-api-server Role (if you're using Argo CD in namespaced
-mode) or ClusterRole (if you're using Argo CD in cluster mode).
-
-```yaml
-- apiGroups:
-  - ""
-  resources:
-  - pods/exec
-  verbs:
-  - create
-```
+See [Web-based Terminal](web_based_terminal.md) for more info.
 
 ## Tying It All Together
 

diff --git a/docs/operator-manual/web_based_terminal.md b/docs/operator-manual/web_based_terminal.md
@@ -0,0 +1,45 @@
+# Web-based Terminal
+
+![Argo CD Terminal](../assets/terminal.png)
+
+Since v2.4, Argo CD has a web-based terminal that allows you to get a shell inside a running pod just like you would with
+`kubectl exec`. It's basically SSH from your browser, full ANSI color support and all! However, for security this feature
+is disabled by default.
+
+This is a powerful privilege. It allows the user to run arbitrary code on any Pod managed by an Application for which
+they have the `exec/create` privilege. If the Pod mounts a ServiceAccount token (which is the default behavior of 
+Kubernetes), then the user effectively has the same privileges as that ServiceAccount.
+
+## Enabling the terminal
+
+1. Set the `exec.enabled` key to `true` on the `argocd-cm` ConfigMap.
+
+2. Patch the `argocd-server` Role (if using namespaced Argo) or ClusterRole (if using clustered Argo) to allow `argocd-server`
+to exec into pods
+```yaml
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+```
+
+3. Add RBAC rules to allow your users to `create` the `exec` resource, i.e.
+```
+p, role:myrole, exec, create, */*, allow
+```
+
+See [RBAC Configuration](rbac.md#exec-resource) for more info.
+
+## Changing allowed shells
+
+By default, Argo CD attempts to execute shells in this order:
+
+1. bash
+2. sh
+3. powershell
+4. cmd
+
+If none of the shells are found, the terminal session will fail. To add to or change the allowed shells, change the 
+`exec.shells` key in the `argocd-cm` ConfigMap, separating them with commas.
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -44,6 +44,7 @@ nav:
   - operator-manual/custom_tools.md
   - operator-manual/custom-styles.md
   - operator-manual/metrics.md
+  - operator-manual/web_based_terminal.md
   - Notification:
     - Overview: operator-manual/notifications/index.md
     - operator-manual/notifications/triggers.md