If you want to automate tasks with the Argo Server API or CLI, you will need an access token.
Firstly, create a role with minimal permissions. This example role for jenkins only has permission to update and list workflows:
kubectl create role jenkins --verb=list,update --resource=workflows.argoproj.io
Create a service account for your service:
kubectl create sa jenkins
Create a unique service account for each client, so that:
- (a) you'll be able to correctly secure your workflows
- (b) you can revoke the token without impacting other clients.
Bind the service account to the role (in this case in the argo namespace):
kubectl create rolebinding jenkins --role=jenkins --serviceaccount=argo:jenkins
You now need to get a token:
SECRET=$(kubectl get sa jenkins -o=jsonpath='{.secrets[0].name}')
ARGO_TOKEN="Bearer $(kubectl get secret $SECRET -o=jsonpath='{.data.token}' | base64 --decode)"
echo $ARGO_TOKEN
Bearer ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkltS...
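Before handing the token to a client, you can confirm offline that it was issued for the intended per-client service account by reading the `sub` claim of the JWT. This is an added example, not part of the Argo documentation: the function names and the sample token are constructed here, and it assumes a Kubernetes service account token whose subject has the form `system:serviceaccount:<namespace>:<name>`.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): check which identity a token carries.

# Decode one base64url JWT segment (no '=' padding, '-' and '_' alphabet).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 --decode
}

# Print the "sub" claim of "Bearer <jwt>" (or a bare JWT); fail if malformed.
token_subject() {
  local jwt
  jwt=${1#Bearer }
  case $jwt in
    *.*.*.*) return 1 ;;   # too many segments
    *.*.*) ;;              # header.payload.signature
    *) return 1 ;;         # e.g. a secret value that is still base64-encoded
  esac
  b64url_decode "$(printf '%s' "$jwt" | cut -d. -f2)" |
    sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed only if the token belongs to service account <name> in <namespace>.
token_matches_sa() {   # usage: token_matches_sa "$ARGO_TOKEN" <namespace> <name>
  [ "$(token_subject "$1")" = "system:serviceaccount:$2:$3" ]
}

# Constructed sample token (not a real credential; the signature is a dummy).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="Bearer $(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:argo:jenkins"}').c2ln"

if token_matches_sa "$SAMPLE_TOKEN" argo jenkins; then
  echo "token subject: $(token_subject "$SAMPLE_TOKEN")"
fi
```

This only reads the claims and does not verify the signature; the API server does that when the token is presented.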
To use that token with the CLI you need to set ARGO_SERVER (see argo --help).
Use that token in your API requests, e.g. to list workflows:
curl https://localhost:2746/api/v1/workflows/argo -H "Authorization: $ARGO_TOKEN"
# 200 OK
You should check that you cannot do things you're not allowed to do!
curl https://localhost:2746/api/v1/workflow-templates/argo -H "Authorization: $ARGO_TOKEN"
# 403 error
ARGO_SERVER="${{HOST}}:443"
KUBECONFIG=/dev/null
ARGO_NAMESPACE=sandbox
Note: example for getting the list of templates from an existing namespace:
docker run --rm -it \
-e ARGO_SERVER="$ARGO_SERVER" \
-e ARGO_TOKEN="$ARGO_TOKEN" \
-e ARGO_HTTP=false \
-e ARGO_HTTP1=true \
-e KUBECONFIG=/dev/null \
-e ARGO_NAMESPACE="$ARGO_NAMESPACE" \
argoproj/argocli:latest template list -v -e -k
Token compromised?
kubectl delete secret $SECRET
A new one will be created.