Commit
docs: Document access token creation and usage (#3316)
Showing 3 changed files with 66 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
# Access Token | ||
|
||
If you want to automate tasks with the Argo Server API or CLI, you will need an access token. | ||
|
||
Firstly, create a role with minimal permissions. This example role for jenkins only permission to update and list workflows: | ||
|
||
```shell script | ||
kubectl create role jenkins --verb=list,update --resource=workflows.argoproj.io | ||
``` | ||
|
||
Create a service account for your service: | ||
|
||
```shell script | ||
kubectl create sa jenkins | ||
``` | ||
|
||
Bind the service account to the role (in this case in the `argo` namespace): | ||
|
||
```shell script | ||
kubectl create rolebinding jenkins --role=jenkins --serviceaccount=argo:jenkins | ||
``` | ||
|
||
You now need to get a token: | ||
|
||
```shell script | ||
SECRET=$(kubectl -n argo get sa jenkins -o=jsonpath='{.secrets[0].name}') | ||
ARGO_TOKEN=$(kubectl -n argo get secret $SECRET -o=jsonpath='{.data.token}' | base64 --decode) | ||
echo $ARGO_TOKEN | ||
ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkltS... | ||
``` | ||
|
||
Use that token with the CLI (you need to set `ARGO_SERVER` too): | ||
|
||
```shell script | ||
ARGO_SERVER=http://localhost:2746 | ||
argo list | ||
``` | ||
|
||
Use that token in your API requests, e.g. to list workflows: | ||
|
||
```shell script | ||
curl https://localhost:2746/api/v1/workflows/argo -H "Authorisation: Bearer $ARGO_TOKEN" | ||
# 200 OK | ||
``` | ||
|
||
You should check you cannot do things you're not allowed! | ||
|
||
```shell script | ||
curl https://localhost:2746/api/v1/workflow-templates/argo -H "Authorisation: Bearer $ARGO_TOKEN" | ||
# 403 error | ||
``` | ||
|
||
## Token Revocation | ||
|
||
Token compromised? | ||
|
||
```shell script | ||
kubectl delete secret $SECRET | ||
``` | ||
|
||
A new one will be created. |
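
Review bot: Both curl examples spell the header `Authorisation`, but the HTTP header name is `Authorization`, so the bearer token is never presented in a header the server reads. The "# 200 OK" call then does not authenticate as jenkins, and the "# 403 error" call cannot show that the role is limited, because the outcome does not depend on the token at all. Suggest `-H "Authorization: Bearer $ARGO_TOKEN"` in both places. Namespaces are also inconsistent: `kubectl create role`, `kubectl create sa`, `kubectl create rolebinding` and the `kubectl delete secret $SECRET` under Token Revocation omit `-n argo`, while the binding refers to `argo:jenkins` and the token lookup uses `-n argo`; adding `-n argo` throughout keeps the objects where the later commands look for them. In the CLI example neither `ARGO_SERVER` nor `ARGO_TOKEN` is exported, so if the CLI reads them from the environment, as the text implies, `argo list` will not see them, and that example uses `http://` where the curl examples use `https://`. The sentence "This example role for jenkins only permission to update and list workflows" is missing a verb. Finally, `echo $ARGO_TOKEN` prints a live credential to the terminal; consider dropping it or adding a line saying the output must not end up in CI logs.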