diff --git a/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go b/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go index 9ae7e6a93761f..410364e6429df 100644 --- a/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go +++ b/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go @@ -19,6 +19,7 @@ func NewCommand() *cobra.Command { } command.AddCommand(newAWSCommand()) + command.AddCommand(newGCPCommand()) return command } diff --git a/cmd/argocd-k8s-auth/commands/gcp.go b/cmd/argocd-k8s-auth/commands/gcp.go new file mode 100644 index 0000000000000..8d7bd975a9ede --- /dev/null +++ b/cmd/argocd-k8s-auth/commands/gcp.go @@ -0,0 +1,40 @@ +package commands + +import ( + "context" + "fmt" + "os" + + "github.com/spf13/cobra" + "golang.org/x/oauth2/google" + + "github.com/argoproj/argo-cd/v2/util/errors" +) + +var ( + // defaultGCPScopes: + // - cloud-platform is the base scope to authenticate to GCP. + // - userinfo.email is used to authenticate to GKE APIs with gserviceaccount + // email instead of numeric uniqueID. + // https://github.com/kubernetes/client-go/blob/be758edd136e61a1bffadf1c0235fceb8aee8e9e/plugin/pkg/client/auth/gcp/gcp.go#L59 + defaultGCPScopes = []string{ + "https://www.googleapis.com/auth/cloud-platform", + "https://www.googleapis.com/auth/userinfo.email", + } +) + +func newGCPCommand() *cobra.Command { + var command = &cobra.Command{ + Use: "gcp", + Run: func(c *cobra.Command, args []string) { + // Preferred way to retrieve GCP credentials + // https://github.com/golang/oauth2/blob/9780585627b5122c8cc9c6a378ac9861507e7551/google/doc.go#L54-L68 + cred, err := google.FindDefaultCredentials(context.Background(), defaultGCPScopes...) + errors.CheckError(err) + token, err := cred.TokenSource.Token() + errors.CheckError(err) + _, _ = fmt.Fprint(os.Stdout, formatJSON(token.AccessToken, token.Expiry)) + }, + } + return command +} diff --git a/docs/operator-manual/declarative-setup.md b/docs/operator-manual/declarative-setup.md index 2cc61a26a0672..d6dd17f6fbb15 100644 --- a/docs/operator-manual/declarative-setup.md +++ b/docs/operator-manual/declarative-setup.md @@ -554,6 +554,35 @@ stringData: } ``` +GKE cluster secret example using argocd-k8s-auth and [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity): + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: mycluster-secret + labels: + argocd.argoproj.io/secret-type: cluster +type: Opaque +stringData: + name: mycluster.com + server: https://mycluster.com + config: | + { + "execProviderConfig": { + "command": "argocd-k8s-auth", + "args": ["gcp"], + "apiVersion": "client.authentication.k8s.io/v1beta1" + }, + "tlsClientConfig": { + "insecure": false, + "caData": "" + } + } +``` + +Note that you must enable Workload Identity on your GKE cluster, create GCP service account with appropriate IAM role and bind it to Kubernetes service account for argocd-application-controller and argocd-server (showing Pod logs on UI). See [Use Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) and [Authenticating to the Kubernetes API server](https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication). + ## Helm Chart Repositories Non standard Helm Chart repositories have to be registered explicitly.