|
| 1 | +# Authentication in Argo CD Image Updater |
| 2 | + |
| 3 | +There are several scenarios where Argo CD Image Updater needs to authenticate |
| 4 | +to external systems in order to fulfil its duties. |
| 5 | + |
| 6 | +## <a name="auth-kubernetes"></a>Authentication to Kubernetes |
| 7 | + |
| 8 | +If you are running Argo CD Image Updater as a Kubernetes workload in the |
| 9 | +`kubernetes` API access mode (which is the default), it uses the token of a |
| 10 | +ServiceAccount mounted to its pod to authenticate at the Kubernetes API. |
| 11 | + |
| 12 | +The name of this ServiceAccount is `argocd-image-updater`, and it gets |
| 13 | +created through the installation manifests in the installation namespace. |
| 14 | +The ServiceAccount is accompanied with an appropriate Kubernetes RBAC |
| 15 | +Role that holds the required permissions, and a RoleBinding to bind the |
| 16 | +Role to the ServiceAccount. |
| 17 | + |
| 18 | +In the default installation scenario, i.e. Argo CD Image Updater installed |
| 19 | +to the `argocd` namespace, no further configuration has to done in order |
| 20 | +for Argo CD Image Updater to access the Kubernetes API. If your Argo CD |
| 21 | +installation is in a different namespace than `argocd`, you would have |
| 22 | +to adapt the RoleBinding to bind to the ServiceAccount in the correct |
| 23 | +namespace. |
| 24 | + |
| 25 | +## <a name="auth-argocd"></a>Authentication to Argo CD |
| 26 | + |
| 27 | +If you are using Argo CD Image Updater to connect to Argo CD via its API, |
| 28 | +you will need to create credentials in Argo CD and provide them to the |
| 29 | +Image Updater. |
| 30 | + |
| 31 | +This usually involves the following steps: |
| 32 | + |
| 33 | +1. Create a local user with `apiKey` capabilities in Argo CD |
| 34 | +1. Generate an authentication token for that user |
| 35 | +1. Create appropriate RBAC permissions for that user in Argo CD |
| 36 | +1. Configure Argo CD Image Updater to connect to the Argo CD API endpoint |
| 37 | + instead of the Kubernetes API |
| 38 | +1. Configure Argo CD Image Updater to use the credentials created in steps 1 |
| 39 | + and 2 for authenticating at the Argo CD API |
| 40 | + |
| 41 | +A complete walk-through can be found in the installation guide. |
| 42 | + |
| 43 | +## <a name="auth-registries"></a>Authentication to container registries |
| 44 | + |
| 45 | +If you are using private registries, or private repositories on public |
| 46 | +registries, chances are that you will need to have Argo CD Image Updater use |
| 47 | +credentials to access the registry. |
| 48 | + |
| 49 | +Credentials can be configured either on a per registry basis or on a per image |
| 50 | +basis. You can also use a mixed setup where credentials are configured in both |
| 51 | +ways. |
| 52 | + |
| 53 | +If credentials are configured on a per registry basis, all requests to that |
| 54 | +registry will use these credentials, without requiring any further |
| 55 | +configuration. Also, credentials configured for a registry will be cached |
| 56 | +for a configurable time and don't have to be re-read for every authentication |
| 57 | +requests. This can be useful especially for situations where you use tokens |
| 58 | +with a limited life time that are generated externally, and don't want to |
| 59 | +regenerate the token for each request. |
| 60 | + |
| 61 | +However, you can override the credentials used for authentication to the same |
| 62 | +registry on a per image basis, e.g. if you use repositories on the registry |
| 63 | +that require a different set of credentials. |
| 64 | + |
| 65 | +You can read more about |
| 66 | +[configuration credentials at the registry level]() |
| 67 | +and |
| 68 | +[configuration credentials at the image level]() |
| 69 | +for more details on how to configure either mechanisms. |
| 70 | + |
| 71 | +### <a name="auth-registries-creds-sources"></a>Types of supported credential sources |
| 72 | + |
| 73 | +Argo CD Image Updater can source credentials for accessing registries using the |
| 74 | +following mechanisms: |
| 75 | + |
| 76 | +* Secrets stored in Kubernetes. Argo CD Image Updater can either use a typical |
| 77 | + Docker pull secret, or a custom secret with credentials in a certain format. |
| 78 | + |
| 79 | +* An environment variable available to Argo CD Image Updater (for example, |
| 80 | + an environment variable mounted to the pod from a secret) |
| 81 | + |
| 82 | +* A script that, when executed, outputs the credentials to stdout. |
| 83 | + |
| 84 | +The following sections describe the configuration format to be used for the |
| 85 | +different types of credential sources. |
| 86 | + |
| 87 | +### <a name="auth-registries-pull-secret"></a>Using a pull secret |
| 88 | + |
| 89 | +A pull secret is a secret with a well-defined format, that can also be used |
| 90 | +by Kubernetes' container engine to pull container images from registries. |
| 91 | + |
| 92 | +These secrets typically have a field `.dockerconfigjson` in the `.data` |
| 93 | +section, which holds a JSON string with the appropriate credentials. |
| 94 | + |
| 95 | +In its default configuration, Argo CD Image Updater can only read secrets |
| 96 | +from the same namespace where it is installed to. |
| 97 | + |
| 98 | +Pull secrets can be referenced as follows in credentials configuration: |
| 99 | + |
| 100 | +``` |
| 101 | +pullsecret:<namespace>/<secret_name> |
| 102 | +``` |
| 103 | + |
| 104 | +Where `<namespace>` is the namespace the secret resides in, and `<secret_name>` |
| 105 | +is the name of the Secret resource. |
| 106 | + |
| 107 | +You can create a pull secret by using `kubectl`. The following command would |
| 108 | +create a pull secret for Docker Hub named `dockerhub-secret` in the namespace |
| 109 | +`argocd`: |
| 110 | + |
| 111 | +```shell |
| 112 | +kubectl create -n argocd secret docker-registry dockerhub-secret \ |
| 113 | + --docker-username someuser \ |
| 114 | + --docker-password s0m3p4ssw0rd \ |
| 115 | + --docker-registry "https://registry-1.docker.io" |
| 116 | +``` |
| 117 | + |
| 118 | +This secret could then be referred to as |
| 119 | + |
| 120 | +``` |
| 121 | +pullsecret:argocd/dockerhub-secret |
| 122 | +``` |
| 123 | + |
| 124 | +### <a name="auth-registries-generic-secret"></a>Using a generic secret |
| 125 | + |
| 126 | +Argo CD Image Updater can also retrieve credentials from a field in a generic |
| 127 | +Secret. This may be useful if you have similar credentials for a different set |
| 128 | +of registries, and don't want to maintain a unique pull-secret for each |
| 129 | +registry. |
| 130 | + |
| 131 | +The credentials can be stored in any field of the Secret's `.data` section, |
| 132 | +but credentials must be stored in the format `<username>:<password>`. |
| 133 | + |
| 134 | +To retrieve the credentials from a generic secret, you must specify the field |
| 135 | +name along with the namespace and name of the secret like follows: |
| 136 | + |
| 137 | +``` |
| 138 | +secret:<namespace>/<secret_name>#<field_name> |
| 139 | +``` |
| 140 | + |
| 141 | +E.g. if you have stored your credentials in the field `creds` in the secret |
| 142 | +`some-secret` in the namespace `argocd`, you would refer to it as |
| 143 | + |
| 144 | +``` |
| 145 | +secret:argocd/some-secret#creds |
| 146 | +``` |
| 147 | + |
| 148 | +### <a name="auth-registries-env"></a>Using an environment variable |
| 149 | + |
| 150 | +Argo CD Image Updater can read credentials from an environment variable. This |
| 151 | +can be useful for testing purposes (e.g. when using the command |
| 152 | +`argocd-image-updater test` to test access to a registry), or if you have the |
| 153 | +environment variable to use mounted from a secret to the `argocd-image-updater` |
| 154 | +pod. |
| 155 | + |
| 156 | +To retrieve credentials from an environment variable, you must specify the name |
| 157 | +of the environment variable as follows: |
| 158 | + |
| 159 | +``` |
| 160 | +env:<name_of_environment_variable> |
| 161 | +``` |
| 162 | + |
| 163 | +The credentials passed via environment variables must be specified in the format |
| 164 | +`<username>:<password>`, e.g. to store credentials in an environment variable |
| 165 | +named `DOCKER_HUB_CREDS`: |
| 166 | + |
| 167 | +``` |
| 168 | +DOCKER_HUB_CREDS=someuser:s0m3p4ssw0rd |
| 169 | +``` |
| 170 | + |
| 171 | +And then, to use this environment variable, reference it as |
| 172 | + |
| 173 | +``` |
| 174 | +env:DOCKER_HUB_CREDS |
| 175 | +``` |
| 176 | + |
| 177 | +### <a name="auth-registries-script"></a>Using a script to generate credentials |
| 178 | + |
| 179 | +Argo CD Image Updater supports using credentials that are generated by an |
| 180 | +external script. In order to retrieve the credentials, Argo CD Image Updater |
| 181 | +will execute a user configured script or executable, and parse its output. |
| 182 | + |
| 183 | +Having a script generate the credentials can be useful if your registry does |
| 184 | +require a short-lived token for authentication which is issued by a third |
| 185 | +party system, possibly with this third party system requiring a different set |
| 186 | +of credentials. A prominent example would be ECR on aws. |
| 187 | + |
| 188 | +Referencing a script used to output the credentials is done as follows: |
| 189 | + |
| 190 | +``` |
| 191 | +ext:<full_path_to_script> |
| 192 | +``` |
| 193 | + |
| 194 | +When executing the script, Argo CD Image Updater does not pass any arguments |
| 195 | +to it. |
| 196 | + |
| 197 | +The executed script is expected to output exactly one line to stdout, which |
| 198 | +holds the credentials used for accessing the registry in the format |
| 199 | +`<username>:<password>`. Please note that the output should contain a newline |
| 200 | +character. For example, the most simple form of such a script would be: |
| 201 | + |
| 202 | +```bash |
| 203 | +#!/bin/sh |
| 204 | + |
| 205 | +echo "someuser:s0mep4ssw0rd" |
| 206 | +``` |
| 207 | + |
| 208 | +When executing on Kubernetes, the script to be executed must exist in the |
| 209 | +Image Updater container's file system. You can either mount the script from |
| 210 | +a config map, or use an init container to copy it. Make sure that the script |
| 211 | +is executable. |
| 212 | + |
| 213 | +For example, if above script would exist at `/usr/local/bin/creds.sh`, it |
| 214 | +would be referenced as |
| 215 | + |
| 216 | +``` |
| 217 | +ext:/usr/local/bin/creds.sh |
| 218 | +``` |
| 219 | + |
| 220 | +Please keep in mind that executing scripts to retrieve credentials can become |
| 221 | +expensive. If possible, use this method only on a per-registry level with |
| 222 | +proper caching. Read more about this in the |
| 223 | +[Registry configuration]() |
| 224 | +section of the docs. |
| 225 | + |
| 226 | +* A typical pull secret, i.e. a secret containing a `.dockerconfigjson` field |
| 227 | + which holds a Docker client configuration with auth information in JSON |
| 228 | + format. This kind of secret is specified using the notation |
| 229 | + `pullsecret:<namespace>/<secret_name>` |
| 230 | + |
| 231 | +* A custom secret, which has the credentials stored in a configurable field in |
| 232 | + the format `<username>:<password>`. This kind of secret is specified using |
| 233 | + the notation `secret:<namespace>/<secret_name>#<field_in_secret>` |
| 234 | + |
| 235 | +* An environment variable which holds the credentials in the format |
| 236 | + `<username>:<password>`. This kind of secret is specified using the notation |
| 237 | + `env:<env_var_name>`. |
| 238 | + |
| 239 | +* A script that outputs credentials on a single line to stdout, in the format |
| 240 | + `<username:password>`. This can be used to support external authentication |
| 241 | + mechanisms. You can specify this kind of secret in the notation |
| 242 | + `ext:/path/to/script`. Please note that the script must be referenced as |
| 243 | + absolute path, and must be executable (i.e. have the `+x` bit set). You |
| 244 | + can add scripts to `argocd-image-updater` by using an init container. |
| 245 | + |
0 commit comments