-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC config should reference dedicated secret instead of key in argocd-secret #4188
Comments
I would add that the same applies to TLS secret. It should be in a separate secret as the argocd-secret is of type Opaque. Plus when using let's encrypt it relies on the fact that cert-manager will happily add the certificate to existing secret instead of overriding the value. |
Totally agreed!
…On Fri, Aug 28, 2020, 10:25 AM Michal Cwienczek ***@***.***> wrote:
I would add that the same applies to TLS secret. It should be in a
separate secret as the argocd-secret is of type Opaque. Plus when using
let's encrypt it relies on the fact that cert-manager will happily add the
certificate to existing secret instead of overriding the value.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#4188 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AELXHODHTGA7EUSE3WZWAXDSC645DANCNFSM4QNNULJQ>
.
|
It would be also nice if we could specify the name of the |
I believe this is implemented by #4342 . Now secret value can be referenced from any secret labeled with Let me know if I'm missing something please |
This still work for you guys? I'm trying this and it doesn't appear to be finding the secret:
I can put the same base64encoded value in argocd-secret and the value is found. |
Answering my own question, yes it works. Thought it would search any secret but what this does it allows you "reference" another secret. I used the method from #4342 mentioned above. Here's an example for someone who sees this later, this is a configuration using the argocd helm chart:
Above I'm using a secret 'argocd-oidc' which contains the data 'oidc.azuread.clientSecret' which is the client secret. |
@lknite You the mvp man. Thanks for sharing! Edit: Btw .. sorry for commenting on long closed issue. Happy feelings got the better of me... |
Issues are never closed to happiness. :-) |
I m unable to use this still, i do have the label added and the secret is still not found. is there something else that i m missing while referncig the secret? |
hi @vini-gorillas, we were able to reference any property from any k8s
Additionally, make sure your ArgoCD server has enough RBAC permissions to get/watch Secrets, if not already. |
@davidmontoyago Do you know if we can refer to secret in the allowedAudiences field? This is my use case:
|
Summary
The current oidc client secret allows you to reference a key inside of argocd-secret for this key, but this needs to be added after the argocd instance is created (for instance, with the operator). When modifying the instance, the manual step needs to be performed again, which isn't scalable for bootstrapping clusters.
The suggestion here is simply to reference a dedicated secret that contains this key, which could be prepopulated (or pulled in from an external source).
Motivation
When bootstrapping multiple clusters into ArgoCD to manage their configuration, this step adds manual overhead and the risk of human error. It would be better if humans didn't need to manually insert a key that was base64 encoded from a local terminal.
Proposal
Instead of the argocd-cm (or operator spec) referencing a key in the dedicated
argocd-secret
(which gets manipulated by the operator), allow it to reference a separate secret:The text was updated successfully, but these errors were encountered: