As a User, I want a default super user so that I have an auth without setting up the connection to my IdP #1090

Closed
4 of 7 tasks
foot opened this issue Nov 18, 2021 · 4 comments · Fixed by #1516

Comments

@foot
Contributor

foot commented Nov 18, 2021

  • See a password after running gitops install that you will be prompted for when opening the UI
    • Store the password HASH in a secret in the cluster
    • password generation and secret installation is feature flagged
  • Add middleware for checking an auth header against a secret in the cluster that is feature flagged
    • WG UI server doesn’t have a deployment to mount secrets on so should perhaps use kubeclient to grab secret
  • Some docs / flow on how to reset / regenerate password
    • Potential security issue here if anyone can do this. (RBAC?)
    • How to use a password?
      • 1password viable on the cli?
      • Save password to ~/.wego/cluster-password
      • GENERATE API TOKENS for our super user, dex can do this basic-auth’d users.
    • Can we use basic-auth and have a pretty login page or have to use a diff authorization header?
      • Could be anything, check out principal getter in POC
  • Add middleware to impersonate auth’d user and provide a client
    • For default super user this is cluster-admin? Can be configured?
  • Add config to remove super user
    • Maybe just delete secret that stores password hash
    • How do we configure gitops?
  • Rate limit our password endpoints!
  • Add a login page
@foot
Contributor Author

foot commented Jan 12, 2022

Even though there might be some churn in gitops-core this feature will still be relevant so we can keep working on it!

@foot
Contributor Author

foot commented Jan 12, 2022

ArgoCD got in trouble for deriving passwords deterministically from pod names. They did this because of a more gitopsy approach (kubectl apply) to their installation.

We have gitops install which can generate a password. Will document how to DIY first

@foot
Contributor Author

foot commented Jan 12, 2022

@foot
Contributor Author

foot commented Feb 22, 2022

Rate limiting:

  • Probably a nice lib? or patterns at least.
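The task list at the top of the issue (random password at install time, password hash stored in a cluster secret, a middleware that checks the auth header against that secret) and the rate-limiting note above are sketched below as an added, stand-alone Go example. It is not code from the weave-gitops project: the `PasswordSecret` struct stands in for the Kubernetes Secret (a real server would read it through the kube client), `wego-admin` is an assumed username, `RateLimiter` is a plain in-memory sliding window rather than a library, and the password hash is PBKDF2-HMAC-SHA256 written with the standard library only so the example runs without extra modules (a real install would use bcrypt or argon2 from golang.org/x/crypto). The password itself comes from `crypto/rand`, never from pod names or other predictable input, which is the point made in the ArgoCD comment.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net/http"
	"sync"
	"time"
)

const (
	superUserName = "wego-admin" // assumed username for the default super user
	iterations    = 200000       // PBKDF2 work factor; raise for production
	keyLen        = 32
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) built from the
// standard library so the example has no external dependencies.
func pbkdf2SHA256(password, salt []byte, iter, length int) []byte {
	prf := hmac.New(sha256.New, password)
	blocks := (length + prf.Size() - 1) / prf.Size()
	var out []byte
	idx := make([]byte, 4)
	for b := 1; b <= blocks; b++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(b))
		prf.Write(idx)
		u := prf.Sum(nil)      // U1 = PRF(P, S || INT(b))
		t := append([]byte{}, u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)   // Uj = PRF(P, U(j-1))
			for j := range t { // T = U1 xor U2 xor ... xor Uc
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// GeneratePassword returns a random password for `gitops install` to print
// once; only its salted hash is kept in the cluster.
func GeneratePassword() (string, error) {
	raw := make([]byte, 24)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// PasswordSecret mirrors the data a cluster Secret would hold (assumed
// layout: a random salt and the PBKDF2 hash, never the password itself).
type PasswordSecret struct {
	Salt []byte
	Hash []byte
}

func NewPasswordSecret(password string) (*PasswordSecret, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &PasswordSecret{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, iterations, keyLen)}, nil
}

// Verify recomputes the hash and compares in constant time.
func (s *PasswordSecret) Verify(password string) bool {
	candidate := pbkdf2SHA256([]byte(password), s.Salt, iterations, keyLen)
	return subtle.ConstantTimeCompare(candidate, s.Hash) == 1
}

// RateLimiter allows at most `limit` attempts per key inside a sliding window,
// so the password endpoint cannot be brute-forced from one address.
type RateLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, hits: map[string][]time.Time{}}
}

func (rl *RateLimiter) Allow(key string, now time.Time) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	cutoff := now.Add(-rl.window)
	kept := rl.hits[key][:0]
	for _, t := range rl.hits[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= rl.limit {
		rl.hits[key] = kept
		return false
	}
	rl.hits[key] = append(kept, now)
	return true
}

// RequireSuperUser is the auth-header middleware: every attempt counts against
// the limiter first, then the Basic credentials are checked against the secret.
func RequireSuperUser(secret *PasswordSecret, rl *RateLimiter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !rl.Allow(r.RemoteAddr, time.Now()) {
			http.Error(w, "too many attempts", http.StatusTooManyRequests)
			return
		}
		user, pass, ok := r.BasicAuth()
		if !ok || user != superUserName || !secret.Verify(pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="gitops"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	pw, _ := GeneratePassword()
	secret, _ := NewPasswordSecret(pw)
	fmt.Printf("generated password (shown once): %s\nstored hash: %x\n", pw, secret.Hash)
}
```

Resetting the password is then just replacing the Secret's salt and hash with a freshly generated pair; deleting the Secret removes the super user, which is the "remove super user" step from the list, and writing the Secret should be guarded by RBAC since whoever can write it can log in.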


1 participant