feat: allow argocd-cm to reference K8S Secrets (#4188) #4342
Codecov Report

| | master | #4342 | +/- |
|---|---|---|---|
| Coverage | 41.30% | 41.31% | +0.01% |
| Files | 156 | 156 | |
| Lines | 20702 | 20709 | +7 |
| Hits | 8550 | 8556 | +6 |
| Misses | 10944 | 10942 | -2 |
| Partials | 1208 | 1211 | +3 |

Continue to review full report at Codecov.
This PR might also address #4052 and allow an arbitrary Kubernetes `XXXSecretRef`:

```yaml
XXXSecretRef:
  name: <my secret>
  key: <key in my secret's data>
```

that we look for recursively and replace with `XXX: <secret found in my secret>`. So with the following example (which is a slightly modified form of the proposal in #4188), assuming we have `data`:

```yaml
url: https://argocd.example.com
dex.config: |
  connectors:
    # GitHub example
    - type: github
      id: github
      name: GitHub
      config:
        clientID: aabbccddeeff00112233
        clientSecretSecretRef: # Note the SecretRef prefix
          name: whatever
          key: myGitHubClientSecret
        orgs:
        - name: your-github-org
oidcConfig: |
  name: SSO
  clientID: argocd
  clientSecretSecretRef: # Note the SecretRef prefix
    name: whatever
    key: mySSOClientSecret
```

in `data`:

```yaml
myGitHubClientSecret: a-value
mySSOClientSecret: another-value
```

will produce `data`:

```yaml
url: https://argocd.example.com
dex.config: |
  connectors:
    # GitHub example
    - type: github
      id: github
      name: GitHub
      config:
        clientID: aabbccddeeff00112233
        clientSecret: a-value
        orgs:
        - name: your-github-org
oidcConfig: |
  name: SSO
  clientID: argocd
  clientSecret: another-value
```
Thanks for the PR @nbendafi-yseop ! Added two enhancement proposals.
util/settings/settings.go
} | ||
|
||
// Fetch K8S Secret | ||
k8sSecret, err := mgr.clientset.CoreV1().Secrets(mgr.namespace).Get(context.Background(), secretRef.Name, metav1.GetOptions{}) |
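Review bot: the `Secrets(mgr.namespace).Get(...)` on the last line is an API-server round trip made on every invocation of the surrounding method, and the hunk does not show `err` being checked before `k8sSecret` is used; read the secret from the cached secrets lister instead and return the error when the referenced secret cannot be read, so a dangling reference fails explicitly rather than dereferencing a nil secret.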
Argo CD executes the `getConfigMap` method very frequently. It is too expensive to make a K8S API request. Please use `mgr.GetSecretsLister` instead:

```go
lister, err := mgr.GetSecretsLister()
if err != nil {
	return nil
}
lister.Secrets(mgr.namespace).Get(secretRef.Name)
```

As a side effect, each referenced secret must have the `"app.kubernetes.io/part-of": "argocd"` label, but I cannot see any other way to avoid performance degradation.
I think we can live with it. Even if secrets are not within the argocd-secret K8S secret, they are still part-of argocd. I'll update my code (and tests) accordingly.
After further testing, it looks like `"app.kubernetes.io/part-of": "argocd"` only applies to the ArgoCD ConfigMap, meaning `lister.Secrets` is able to look for a K8S Secret even if it is not labelled with `"app.kubernetes.io/part-of": "argocd"`. But I might be wrong.
util/settings/settings_test.go
name: GitHub | ||
config: | ||
clientID: aabbccddeeff00112233 | ||
clientSecretSecretRef: |
Argo CD already supports referencing values from the argocd-secret Secret, e.g. `$dex.github.clientSecret`. Can we keep using similar syntax for consistency? For example: `$<secretName>:<key>`, where `<secretName>` is an optional secret name.
In this case the secret sample config would look like the following:

```yaml
config:
  clientID: aabbccddeeff00112233
  clientSecret: $google:clientSecret
```

It is safe to use `:` as a delimiter since it cannot be used in a secret name/secret data key.
I can understand the need for consistency. Here, I just wanted to be closer to the `SecretKeySelector` type that exists in Kubernetes (cf. https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1984) or in FluxCD's helm-operator (cf. https://github.com/fluxcd/helm-operator/blob/68de5288b733c42a316e03f9c01e7505cd6985b3/pkg/apis/helm.fluxcd.io/v1/types.go#L48).
I'm relatively new in this world, so I do not really have arguments against your proposal.
(And we do ArgoCD here, not FluxCD 😄 )
@alexmt do you have time for another review? This would make setup easier when integrating with OAuth providers.
USERS.md
@@ -80,6 +80,7 @@ Currently, the following organizations are **officially** using Argo CD: | |||
1. [Walkbase](https://www.walkbase.com/) | |||
1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli | |||
1. [Yieldlab](https://www.yieldlab.de/) | |||
1. [Yseop](https://www.yseop.com/) |
Could you please add this change in a different PR ? :)
If that can make a difference, I've removed it from this PR.
- Could you please add PR description explaining the rationale of this change?
- If this needs docs changes, could you add those to this PR too, please?
util/settings/settings_test.go
name: GitHub | ||
config: | ||
clientID: aabbccddeeff00112233 | ||
clientSecret: $google:clientSecret |
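Review bot: the fixture on the last line only exercises the happy path for `$google:clientSecret`; add a case where the named secret or the key does not exist so the test pins down what the resolver does with a dangling reference (return an error, or leave the literal `$google:clientSecret` in the rendered config), since the latter would silently ship a placeholder as the OIDC client secret.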
Sorry, I'm having a hard time understanding the "why" of this PR :-)
Are we switching from `$google.clientSecret` to `$google:clientSecret`?
Hello. The why is #4188 (as referred to in the title of the current PR).
To summarise, one would refer to a secret that lives outside of the argocd-secret K8S Secret's data.
I'm not switching, rather adding another syntax.
Explanation by example (the one in settings_test is not obvious apparently), to clear things up:

- As defined (and limited by) in the current documentation:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
type: Opaque
data:
  ...
  # Store client secret like below.
  # Ensure the secret is base64 encoded
  oidc.auth0.clientSecret: <client-secret-base64-encoded>
  ...
```

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  ...
  oidc.config: |
    name: Auth0
    clientID: aabbccddeeff00112233
    # Reference key in argocd-secret
    clientSecret: $oidc.auth0.clientSecret
```

so in `clientSecret: $oidc.auth0.clientSecret`, `oidc...` should be in argocd-secret's `data`, right?

- Now (after this PR, I mean), we can also have

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: another-secret # that is not _handled_ by Argocd, and eventually synced by tools such as External-secret
data:
  ...
  # Store client secret like below.
  # Ensure the secret is base64 encoded
  oidc.auth0.clientSecret: <client-secret-base64-encoded>
  ...
```

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  ...
  oidc.config: |
    name: Auth0
    clientID: aabbccddeeff00112233
    # Reference key in argocd-secret
    clientSecret: $another-secret:oidc.auth0.clientSecret
```

where `oidc.auth0.clientSecret` is in the `data` field of another K8S secret.

I was personally motivated to answer this issue because we have a tool that syncs secrets with an external secret management tool (such as Vault or AWS Secrets Manager) and periodically updates the whole K8S Secret, which has the effect of overriding the content of argocd-secret that ArgoCD updates as well (with its admin password, its certificates...).
So, yes, it indeed lacks some documentation, which I'm gonna add.
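The two reference forms discussed in this thread, a bare `$<key>` looked up in argocd-secret and `$<secretName>:<key>` looked up in the named Secret, as an added Go example that is not code from this PR or from Argo CD. The in-memory `secretStore`, the function names and the fail-closed behaviour on a missing secret or key are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// secretStore is a constructed stand-in for the Secrets a lister would return
// in the argocd namespace: secret name -> data key -> decoded value.
type secretStore map[string]map[string][]byte

// defaultSecretName is where a bare "$key" reference is looked up.
const defaultSecretName = "argocd-secret"

// resolveSecretRef resolves one config value: "$key" reads argocd-secret,
// "$<secretName>:<key>" reads the named Secret, anything else is returned
// unchanged. A dangling reference is an error (fail closed) so that a literal
// "$..." placeholder is never handed to an OIDC or Dex client as a secret.
func resolveSecretRef(store secretStore, value string) (string, error) {
	if !strings.HasPrefix(value, "$") {
		return value, nil
	}
	secretName, key := defaultSecretName, value[1:]
	// ':' is a safe delimiter: it is not allowed in Secret names or data keys.
	if i := strings.IndexByte(key, ':'); i >= 0 {
		secretName, key = key[:i], key[i+1:]
	}
	if secretName == "" || key == "" {
		return "", fmt.Errorf("malformed secret reference %q", value)
	}
	data, ok := store[secretName]
	if !ok {
		return "", fmt.Errorf("secret %q not found", secretName)
	}
	v, ok := data[key]
	if !ok {
		return "", fmt.Errorf("key %q not found in secret %q", key, secretName)
	}
	return string(v), nil
}

func main() {
	// Constructed sample: the same key name exists in argocd-secret and another-secret.
	store := secretStore{
		"argocd-secret":  {"oidc.auth0.clientSecret": []byte("from-argocd-secret")},
		"another-secret": {"oidc.auth0.clientSecret": []byte("from-another-secret")},
	}
	for _, ref := range []string{"$oidc.auth0.clientSecret", "$another-secret:oidc.auth0.clientSecret", "$missing:key"} {
		v, err := resolveSecretRef(store, ref)
		fmt.Printf("%-42s -> %q err=%v\n", ref, v, err)
	}
}
```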
This makes sense, thank you very much!
any updates for this PR? We just ran into this problem with kubernetes-external-secrets and SSO config.
Signed-off-by: Nabil BENDAFI <nbendafi@yseop.com>
It would be nice if this PR did not die, it would make ArgoCD integrate with the Keycloak Operator nicely.
Sorry for letting this PR slip. Looking at it this week.
…ngsManager Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>
@nbendafi-yseop Sorry for the delay again. Better later than never. I'm concerned that we start replacing secrets in all fields in Argo CD config map. It might cause unexpected side effects like white space removals etc. I would like to propose a slightly different and safer implementation: change the existing GetSettings method to load secret values from multiple secrets, instead of only
refactor: fetch values for all secrets in GetSettings method of SettingsManager
Added one more comment about go linter failure. Also can you merge master to include documentation website build fix?
util/settings/settings_test.go
} | ||
kubeClient := fake.NewSimpleClientset(cm, secret, argocdSecret) | ||
settingsManager := NewSettingsManager(context.Background(), kubeClient, "default") | ||
cm, err := kubeClient.CoreV1().ConfigMaps("default").Get(context.Background(), common.ArgoCDConfigMapName, metav1.GetOptions{}) |
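Review bot: `cm, err :=` on the last line re-assigns the `cm` that was already passed to `fake.NewSimpleClientset` two lines above, and nothing in the hunk uses the fetched value or checks `err`; drop the extra `Get` (the settings manager already has the client and namespace) so the unused-variable lint passes, or check `err` if the fetch is really needed.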
Looks like the linter is not happy because the `cm` variable is no longer needed in the test. Please remove lines 925~926.
✔️
Signed-off-by: Nabil BENDAFI <nbendafi@yseop.com>
Thank you @nbendafi-yseop ! LGTM