The purpose of this application is to facilitate identity-based authentication (without the use of any permanent credentials) of EKS clusters in ArgoCD running on Google Kubernetes Engine (GKE) clusters with workload identity.
- Introduction
- Features
- Prerequisites
- Getting Started
- ArgoCD Configuration
- Contributing
- License
- Credits
- Additional resources
## Introduction
The scenario this application covers is an ArgoCD instance running on GKE, using workload identity and Google Cloud -> AWS IAM role federation to authenticate EKS clusters without providing any kind of long-term credentials. The program uses the GKE/GCE-provided OAuth token to assume an AWS role and generates a pre-signed URL for EKS authentication.
## Prerequisites
- A Google Cloud environment configured with an IAM identity. This could be a VM instance using a service account identity or a GKE pod configured with GKE workload identity. In the case of ArgoCD this means having the `argocd-server` and `argocd-application-controller` deployments using workload identity. Workload identity can be easily configured using the official workload identity terraform module.
- An AWS role that is configured to trust the GCP service account used in the environment running the program. In the case of ArgoCD these are the service accounts used by the `argocd-server` and `argocd-application-controller` deployments/pods. This involves setting up an AWS IAM role trust policy for the `sts:AssumeRoleWithWebIdentity` action specifying the `accounts.google.com` federated principal (more documentation here).
- The IAM role from the previous step having appropriate permissions (policies attached) for EKS cluster(s) management.
## Getting Started
Download the precompiled binary for your platform from the repository's releases page. In the case of ArgoCD the binary has to be available in the `argocd-server` and `argocd-application-controller` deployments/pods. It can be shipped via custom ArgoCD images, or added via volume mounts and placed in those deployments/pods.
Example for the ArgoCD official Helm Chart (the same snippet goes under both the `controller` and `server` values):

```yaml
# ...
initContainers:
  - name: download-tools
    image: alpine:3
    command: [sh, -c]
    args:
      - wget -qO k8s-auth-gke-wli-eks https://github.com/zepellin/argocd-k8s-auth-gke-wli-eks/releases/download/v0.1.0/k8s-auth-gke-wli-eks-v0.1.0-linux-amd64 && chmod +x k8s-auth-gke-wli-eks && mv k8s-auth-gke-wli-eks /argo-k8s-auth-gke-wli-eks/
    volumeMounts:
      - mountPath: /argo-k8s-auth-gke-wli-eks
        name: argo-k8s-auth-gke-wli-eks
volumeMounts:
  - mountPath: /usr/local/bin/k8s-auth-gke-wli-eks
    name: argo-k8s-auth-gke-wli-eks
    subPath: k8s-auth-gke-wli-eks
volumes:
  - name: argo-k8s-auth-gke-wli-eks
    emptyDir: {}
```
The program takes the following arguments:
- `-rolearn`: The AWS IAM role ARN to assume (required).
- `-cluster`: The name of the AWS EKS cluster for which you need credentials (required).
- `-stsregion`: AWS STS region to which requests are made (optional, default: `us-east-1`).

Example:

```shell
$ k8s-auth-gke-wli-eks -rolearn "arn:aws:iam::123456789012:role/argocdrole" -cluster "my-eks-cluster-name" -stsregion "us-east-1"
```
## ArgoCD Configuration
Create a cluster secret in your ArgoCD namespace where `data.config` holds the base64-encoded configuration (or, as in the following example, `stringData.config` holds it in plain text).

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-eks-cluster-name-secret
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: my-eks-cluster-name
  server: https://213456423213456789456123ABCDEF.grx.us-east-1.eks.amazonaws.com
  config: |
    {
      "execProviderConfig": {
        "command": "k8s-auth-gke-wli-eks",
        "args": [
          "-rolearn",
          "arn:aws:iam::123456789012:role/argocdrole",
          "-cluster",
          "my-eks-cluster-name",
          "-stsregion",
          "us-east-2"
        ],
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "installHint": "k8s-auth-gke-wli-eks missing"
      },
      "tlsClientConfig": {
        "insecure": false,
        "caData": "base64_encoded_ca_data"
      }
    }
```
The output of the program is an `ExecCredential` object of the `client.authentication.k8s.io/v1beta1` Kubernetes API, which ArgoCD consumes when authenticating to the EKS cluster.
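As an added illustration (not the project's own code), the following Go program shows the final step of that flow: wrapping a presigned STS `GetCallerIdentity` URL into the `k8s-aws-v1` bearer token and emitting the `v1beta1` `ExecCredential`, with a sanity check on what EKS expects the presigned URL to contain. The sample URL is constructed with placeholder signature values; obtaining the real presigned URL through `AssumeRoleWithWebIdentity` and the STS presign client is assumed to happen before `BuildExecCredential` is called.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

// Constructed sample of a presigned STS GetCallerIdentity URL; signature/date values are placeholders.
const SamplePresignedURL = "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15" +
	"&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240101T000000Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=0000"
// ExecCredential mirrors the client.authentication.k8s.io/v1beta1 object ArgoCD reads from the plugin's stdout.
type ExecCredential struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Spec       struct{}          `json:"spec"`
	Status     map[string]string `json:"status"`
}
// ValidatePresignedURL rejects what EKS would not accept: it must be an HTTPS STS GetCallerIdentity request whose signature covers the x-k8s-aws-id (cluster name) header.
func ValidatePresignedURL(presigned string) error {
	u, err := url.Parse(presigned)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || !strings.HasPrefix(u.Host, "sts.") || u.Query().Get("Action") != "GetCallerIdentity" {
		return errors.New("not an HTTPS STS GetCallerIdentity request")
	}
	if !strings.Contains(";"+strings.ToLower(u.Query().Get("X-Amz-SignedHeaders"))+";", ";x-k8s-aws-id;") {
		return errors.New("signature does not cover the x-k8s-aws-id header")
	}
	return nil
}

// EncodeEKSToken wraps the presigned URL in the k8s-aws-v1 bearer token format: prefix + unpadded base64url.
func EncodeEKSToken(presigned string) string {
	return "k8s-aws-v1." + base64.RawURLEncoding.EncodeToString([]byte(presigned))
}

// BuildExecCredential emits the JSON an exec plugin prints; expiry is one minute before the 15-minute presigned URL validity, the margin aws-iam-authenticator uses.
func BuildExecCredential(presigned string, now time.Time) ([]byte, error) {
	if err := ValidatePresignedURL(presigned); err != nil {
		return nil, err
	}
	cred := ExecCredential{APIVersion: "client.authentication.k8s.io/v1beta1", Kind: "ExecCredential"}
	cred.Status = map[string]string{"token": EncodeEKSToken(presigned), "expirationTimestamp": now.Add(14 * time.Minute).UTC().Format(time.RFC3339)}
	return json.MarshalIndent(cred, "", "  ")
}
```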
## Contributing
If you'd like to contribute to this project, please follow the standard open-source contribution guidelines. Please report issues, submit feature requests, or create pull requests to improve the application.
## Additional resources
- Terraform GKE Workload identity module: terraform-google-workload-identity
- Available keys for AWS web identity federation, including an example of a role trust with accounts.google.com: AWS docs link
- How to use trust policies with IAM roles, for ways to further secure AWS trust policies: AWS Blog
- Using aws-sdk-go-v2 to obtain a working EKS token: Github aws-sdk-go-v2
## License
This project is licensed under the MIT License - see the LICENSE file for details.