argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Automatic Authentication Rotation #16035

Open thriqon opened 1 year ago

thriqon commented 1 year ago

Summary

ArgoCD is able to renew its credentials automatically, if configured correctly. It should be possible to configure a schedule for automatic credential rotation.

Motivation

Credential rotation is a best practice in key management. Triggering it externally necessitates additional tooling and rights/identity management, posing the potential to fail/leak. By doing it internally, ArgoCD can be more secure with the flick of a switch.

Proposal

A scheduled task inside ArgoCD can trigger the RotateAuth method if enabled. It should be possible to configure the interval (in days?). This setting should be scoped to a cluster.
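One way the proposed scheduler could be shaped, as an added example that is not Argo CD's code and not part of this issue: a per-cluster rotation interval in days, a clock-driven pass that rotates every cluster whose credential is older than its interval, and a failure path that leaves the cluster due so it is retried instead of keeping a stale token for another full interval. The `Rotator` function type, `RotationPolicy`, `Scheduler` and the `rotate-auth` wording in the error are assumptions for this sketch; in Argo CD the rotator would wrap the existing rotate-auth logic rather than the stub used here.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"time"
)

// Rotator performs the actual credential rotation for one cluster. In Argo CD this
// would call the existing rotate-auth logic; here it is an injected function (a
// hypothetical seam) so the scheduler runs without a Kubernetes API.
type Rotator func(ctx context.Context, server string) error

// RotationPolicy is the proposed per-cluster setting. IntervalDays == 0 disables
// automatic rotation for that cluster.
type RotationPolicy struct {
	Server       string
	IntervalDays int
}

// clusterState remembers when a cluster's credential was last rotated.
// A zero time means the age is unknown, which is treated as overdue.
type clusterState struct {
	lastRotated time.Time
}

// Scheduler decides which clusters are due and triggers rotation for them.
type Scheduler struct {
	policies map[string]RotationPolicy
	state    map[string]*clusterState
	rotate   Rotator
	now      func() time.Time // injectable clock for deterministic tests
}

func NewScheduler(policies []RotationPolicy, rotate Rotator, now func() time.Time) *Scheduler {
	s := &Scheduler{
		policies: make(map[string]RotationPolicy, len(policies)),
		state:    make(map[string]*clusterState, len(policies)),
		rotate:   rotate,
		now:      now,
	}
	for _, p := range policies {
		s.policies[p.Server] = p
		s.state[p.Server] = &clusterState{}
	}
	return s
}

// Due returns the servers whose credential is at least IntervalDays old (or of
// unknown age), sorted for stable output. Disabled clusters never appear.
func (s *Scheduler) Due() []string {
	var due []string
	now := s.now()
	for server, p := range s.policies {
		if p.IntervalDays <= 0 {
			continue
		}
		st := s.state[server]
		maxAge := time.Duration(p.IntervalDays) * 24 * time.Hour
		if st.lastRotated.IsZero() || now.Sub(st.lastRotated) >= maxAge {
			due = append(due, server)
		}
	}
	sort.Strings(due)
	return due
}

// Tick runs one scheduler pass. The timestamp advances only on success, so a
// cluster whose rotation failed stays due and is retried on the next pass.
func (s *Scheduler) Tick(ctx context.Context) (rotated []string, failed map[string]error) {
	failed = map[string]error{}
	for _, server := range s.Due() {
		if err := s.rotate(ctx, server); err != nil {
			failed[server] = fmt.Errorf("rotate-auth %s: %w", server, err)
			continue
		}
		s.state[server].lastRotated = s.now()
		rotated = append(rotated, server)
	}
	return rotated, failed
}

// Run drives Tick on a fixed cadence until ctx is cancelled. The check cadence is
// much shorter than any rotation interval; whether a cluster is due is decided by age.
func (s *Scheduler) Run(ctx context.Context, every time.Duration) {
	t := time.NewTicker(every)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
			_, failed := s.Tick(ctx)
			for server, err := range failed {
				fmt.Println("rotation failed:", server, err) // surface as metric/event in practice
			}
		}
	}
}

func main() {
	// Constructed policies; the rotator only logs instead of touching a cluster.
	policies := []RotationPolicy{
		{Server: "https://cluster-a.example", IntervalDays: 30},
		{Server: "https://cluster-b.example", IntervalDays: 0},
	}
	logOnly := func(_ context.Context, server string) error {
		fmt.Println("would rotate", server)
		return nil
	}
	rotated, failed := NewScheduler(policies, logOnly, time.Now).Tick(context.Background())
	fmt.Println("rotated:", rotated, "failed:", len(failed))
}
```

The one design point worth keeping whatever the real implementation looks like is in `Tick`: a failed rotation must not advance the rotation timestamp, otherwise one transient API error quietly extends the life of the old token by a whole interval, and the failure should be exported where an operator will see it.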

blakepettersson commented 1 year ago

@thriqon which credentials are you referring to? Couldn't ESO do what you want?

thriqon commented 1 year ago

I'm talking about the credentials used to connect to clusters. argocd cluster rotate-auth rotates these by creating new secrets with tokens in the target cluster.

I'll take a look at ESO as well, but I'm pretty sure it solves a different problem.

blakepettersson commented 1 year ago

I see, that is indeed different. In case you're using GKE or EKS, OIDC federation could be an alternative; otherwise it seems like the merging of #13476 would be useful.