feat: add gke auth command to argocd-k8s-auth (#5958) #9190
This PR adds support for GKE authentication to the `argocd-k8s-auth` CLI introduced by #8032.

AWS (EKS) has had first-class support for managing external clusters with IAM authentication since #588, but other cloud providers don't have such an easy configuration option.

Previously, with regard to GKE, we had to build a custom image following the instructions described in BYOI (Build Your Own Image) and manually install `gke-gcloud-auth-plugin` (currently not open sourced?) or third-party tools like sl1pm4t/gcp-exec-creds, then register the cluster using `execProviderConfig` to specify the command for those auth plugins. Recently, #8032 introduced the mechanism to extend support for more cloud providers to add their own auth methods, so I added built-in support for GKE clusters. This PR requires neither extra dependencies nor complicated logic, so I think it's easy to maintain like the aws auth feature.
Use this feature to manage external clusters with Workload Identity:

1. Create a GKE cluster and enable Workload Identity.
2. Create a GCP service account for ArgoCD.
3. Add the appropriate role to the GCP service account and optionally restrict access to the K8s resources using K8s RBAC. See Authenticating services.
4. Bind the GCP service account to the K8s service account and set the annotation on the K8s service account for `argocd-application-controller` and `argocd-server`. See Configure applications to use Workload Identity.
5. Edit the cluster `config` field on the existing Secret and replace `execProviderConfig` to use the built-in `argocd-k8s-auth` binary described in the updated doc. Don't forget to Base64 encode the value in case of using `data` with the Secret.

Closes #5958
Checklist:

* [ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
* [ ] Optional. My organization is added to USERS.md.
* [ ] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
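The last step of the procedure above (the cluster Secret whose `config` field points `execProviderConfig` at the built-in `argocd-k8s-auth` binary, Base64-encoded for the `data` form) as an added example, not code from the PR or the Argo CD project. The cluster name, server URL and `caData` are constructed placeholders, and the `gcp` subcommand name is assumed from the current Argo CD cluster documentation rather than taken from this page.

```shell
#!/usr/bin/env sh
# Constructed placeholders: replace with the real GKE endpoint and its CA bundle.
CLUSTER_NAME="gke-example"
SERVER_URL="https://10.0.0.1"
CA_DATA="UExBQ0VIT0xERVJfQ0FfQlVORExF"   # placeholder, not a real certificate

# Build the JSON that goes into the Secret's "config" field.
# execProviderConfig hands token acquisition to argocd-k8s-auth (subcommand
# "gcp" is an assumption, see lead-in); no gcloud or third-party plugin needed.
gke_cluster_config() {
  printf '{"execProviderConfig":{"command":"argocd-k8s-auth","args":["gcp"],"apiVersion":"client.authentication.k8s.io/v1beta1"},"tlsClientConfig":{"insecure":false,"caData":"%s"}}' "$1"
}

# Single-line Base64 as required by a Secret's `data:` map (no line wrapping).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Emit the complete Argo CD cluster Secret manifest.
gke_cluster_secret() {
  name="$1"; server="$2"; cfg=$(gke_cluster_config "$3")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}-cluster
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
data:
  name: $(b64 "$name")
  server: $(b64 "$server")
  config: $(b64 "$cfg")
EOF
}

# Sanity check for an already-encoded config value: decode and confirm that
# authentication is delegated to argocd-k8s-auth rather than an ad-hoc plugin.
uses_builtin_auth() {
  printf '%s' "$1" | base64 -d | grep -q '"command":"argocd-k8s-auth"'
}

gke_cluster_secret "$CLUSTER_NAME" "$SERVER_URL" "$CA_DATA"
```

Apply the emitted manifest with `kubectl apply -f -` in the Argo CD namespace; the Base64 round trip is what the `data:` form requires, whereas `stringData:` would take the raw JSON.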