Example usage for execProviderConfig? #5153
Replies: 1 comment
I have no idea if this is the best way to go, but here ya go. Based on the Declarative Setup (Clusters) documentation, I created a JSON object specifying a command that echoes a JSON object of kind

```json
{
  "execProviderConfig": {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "args": [
      "-c",
      "print(json.dumps({see below}))"
    ],
    "command": "/usr/bin/python3"
  },
  "tlsClientConfig": {
    "caData": "...",
    "insecure": false
  }
}
```

This object is stored under the key

The script should output an object that conforms to the

```json
{"apiVersion": "client.authentication.k8s.io/v1beta1", "kind": "ExecCredential", "status": {"token": "ya29....", "expirationTimestamp": "2020-12-30T17:06:44Z"}}
```

Implementation specific notes

I'm running argo-cd on GKE and am using Workload Identity bindings for the k8s service accounts so argo-cd may access other clusters without me having to manually muck about with tokens. I'm using a pseudo-one-liner to get a GCP SA bearer token using the pod's k8s SA credentials. I can explain further if anyone's interested but (caveat) I'm not entirely certain I'm doing it right and perfectly securely, and I'm terrible at python3. A smarter person than me would create (and then maintain) an argo-cd image with a more robust script baked in.

Anyway, here's the full config object I'm using, sans CA:

```
$ kubectl get secret cluster-secret-name -o json | jq -r .data.config | base64 -D | jq -r .
{
  "execProviderConfig": {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "args": [
      "-c",
      "import urllib.request, json, datetime; obj = json.loads(urllib.request.urlopen(urllib.request.Request(\"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", headers={\"Metadata-Flavor\":\"Google\"})).read()); delta = datetime.timedelta(seconds=int(obj[\"expires_in\"])); out = {\"apiVersion\":\"client.authentication.k8s.io/v1beta1\",\"kind\":\"ExecCredential\",\"status\":{\"token\":obj[\"access_token\"],\"expirationTimestamp\":(delta + datetime.datetime.utcnow()).strftime(\"%Y-%m-%dT%H:%M:%SZ\")}}; print(json.dumps(out))"
    ],
    "command": "/usr/bin/python3"
  },
  "tlsClientConfig": {
    "caData": "base64-encoded-cert==",
    "insecure": false
  }
}
```
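The one-liner from the reply above, unrolled into a readable helper script; this is an added example, not code from the original post or from Argo CD. It keeps the same metadata URL, header and output shape, and adds a request timeout, input checks and an early-expiry margin. The `skew_seconds` margin, the function names and the error handling are assumptions, and the script would have to be present in the image that runs the command.

```python
"""Exec credential helper: GCE metadata token -> ExecCredential JSON on stdout."""
import datetime
import json
import sys
import urllib.request

# URL and header are the ones used in the one-liner above.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/token")
API_VERSION = "client.authentication.k8s.io/v1beta1"


def fetch_token_response(timeout=5):
    """Ask the metadata server for the workload's access token (bounded wait)."""
    req = urllib.request.Request(METADATA_URL, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def build_exec_credential(token_response, now=None, skew_seconds=60):
    """Convert a metadata token response into an ExecCredential dict.

    Raises ValueError on a malformed response so no half-filled credential is printed.
    `now` must be a UTC datetime; `skew_seconds` is an assumed safety margin.
    """
    token = token_response.get("access_token")
    expires_in = token_response.get("expires_in")
    if not isinstance(token, str) or not token:
        raise ValueError("metadata response has no access_token")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("metadata response has no usable expires_in")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    # Report expiry slightly early so a caller that caches the credential
    # refreshes it before the token actually lapses.
    expiry = now + datetime.timedelta(seconds=max(expires_in - skew_seconds, 0))
    return {
        "apiVersion": API_VERSION,
        "kind": "ExecCredential",
        "status": {"token": token,
                   "expirationTimestamp": expiry.strftime("%Y-%m-%dT%H:%M:%SZ")},
    }


if __name__ == "__main__":
    try:
        print(json.dumps(build_exec_credential(fetch_token_response())))
    except Exception as exc:  # report the error class only, never the token or body
        sys.exit(f"exec credential helper failed: {type(exc).__name__}")
```

With the script in the image, `args` would carry the script's path in place of `-c` and the inline source, which also removes the nested quote escaping from the Secret.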
Does anyone have a complete example declarative cluster config (Secret) that defines an execProviderConfig? I found what I believe is the expected output of the command but I don't know how to get argo-cd to run the command and/or read its result.