Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use the TokenRequest API to support >=1.24 clusters #9610

Open
crenshaw-dev opened this issue Jun 8, 2022 · 18 comments
Open

Use the TokenRequest API to support >=1.24 clusters #9610

crenshaw-dev opened this issue Jun 8, 2022 · 18 comments
Labels
bug/enhancement bug/in-triage This issue needs further triage to be correctly classified component:auth component:cli Affects the Argo CD CLI enhancement New feature or request security Security related type:bug type:enhancement type:tech-debt Enhancement invisible for the end user
Milestone

Comments

@crenshaw-dev
Copy link
Member

Summary

2.4 creates a non-expiring ServiceAccount token Secret on argocd cluster add for 1.24 clusters.

Instead, Argo CD should use the TokenRequest API.

Motivation

Kubernetes recommends using the TokenRequest API rather than relying on tokens that don't expire.

@crenshaw-dev crenshaw-dev added enhancement New feature or request security Security related labels Jun 8, 2022
@danielhelfand
Copy link
Contributor

danielhelfand commented Jun 8, 2022

Throwing in some notes I kept while implementing the CLI fix: https://docs.google.com/document/d/1MmYIfM8tbEp2irCaLtgrv9jJL-coYG3u-wa3xTVkEOU/edit#heading=h.r5wcd4iwxat8

Kubernetes has a TokenManager concept that creates, refreshes, caches, and rotates tokens from the TokenRequest API. The challenge right now is that some of clusterauth package's funcs are called directly by the argocd CLI, which doesn't allow Argo CD to persist token management. It might make sense to inject this token manager into the cluster server to add support for the TokenRequest API to avoid using these long lived tokens.

@rishabh625 rishabh625 added the component:cli Affects the Argo CD CLI label Jun 8, 2022
@crenshaw-dev crenshaw-dev added this to the v2.6 milestone Sep 12, 2022
@mabhi
Copy link

mabhi commented Nov 7, 2022

Hi @crenshaw-dev , I am working on this issue. Would be raising a PR soon

@34fathombelow 34fathombelow moved this to To be assigned in Argo CD Roadmap Nov 9, 2022
@34fathombelow 34fathombelow moved this from To be assigned to Release 2.6 (2023-1-2) in Argo CD Roadmap Nov 9, 2022
@34fathombelow 34fathombelow moved this from Release 2.6 (2023-1-2) to To be assigned in Argo CD Roadmap Nov 9, 2022
@mabhi
Copy link

mabhi commented Nov 9, 2022

Hi @crenshaw-dev,
With reference to the document shared by @danielhelfand, while implementing the token request api in argocd-server, the decision whether to go for existing token generation old way or the using the new api in the code should come from ENV of the argocd-server or this can also be overriden with flags ?
What do you recommend here

@mabhi
Copy link

mabhi commented Nov 14, 2022

Hi @crenshaw-dev
While working on the enhancement, I came across few scenarios for which answers from your end would help.
I have the following questions:

  1. Can a cluster user with the certificates be able to create/refresh the service account tokens?
  2. Should a cluster user with a valid bearer token be the only one to create/refresh the service account tokens?
  3. Should an error message be displayed if a cluster user with an expired bearer token tries to create/refresh the service account tokens?

@crenshaw-dev crenshaw-dev removed this from the v2.6 milestone Dec 12, 2022
@crenshaw-dev
Copy link
Member Author

Apologies @mabhi I completely missed your messages. Making a note to follow up on your questions.

@wtam2018 wtam2018 added this to the v2.7 milestone Dec 12, 2022
@mabhi
Copy link

mabhi commented Dec 12, 2022 via email

@Bailey-T
Copy link

Hi Folks - any update on this issue?

@therapy-lf
Copy link

Any updates?

@nicoweisenauer
Copy link

I would also be interested, thx

@vainkop
Copy link

vainkop commented Oct 31, 2023

Any updates?

@crenshaw-dev crenshaw-dev added the type:tech-debt Enhancement invisible for the end user label Oct 31, 2023
@dlorent
Copy link

dlorent commented Jan 10, 2024

Any updates ?

@Kerwood
Copy link
Contributor

Kerwood commented Jan 10, 2024

My application-controller pod is emitting below log continuously and I think that it is because of this. 25k the past 24 hours to be exact.

Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.

@bryanhorstmann
Copy link

Another followup on this. Is there any updates? My application-controller pod is generating about 7.5gb of logs a day and they're mostly:

Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.

4.5 million logs entries in a 24 hour window
image

@ivan-cai
Copy link

Any updates ?

@wellbastos
Copy link

Any updates?

@DanielCastronovo
Copy link

Hello, any updates ?

@DonOtuseGH
Copy link

Would be great to have a smart solution for external managed clusters instead of rolling over the service account bearer token every year, thank you.

@alexmt alexmt added bug/in-triage This issue needs further triage to be correctly classified type:bug labels Jun 26, 2024
@marioanton
Copy link

dead

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug/enhancement bug/in-triage This issue needs further triage to be correctly classified component:auth component:cli Affects the Argo CD CLI enhancement New feature or request security Security related type:bug type:enhancement type:tech-debt Enhancement invisible for the end user
Projects
Status: Backlog
Development

No branches or pull requests