argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Persist and reuse client certificates if they were used in the `argocd login` call. #17863

Open dmitry-mightydevops opened 5 months ago

dmitry-mightydevops commented 5 months ago

Summary

Persist and reuse client certificates if they were used in the argocd login call.

Motivation

Argo CD runs behind Teleport.

I am able to log in via the argocd CLI by passing the two args above, but then any other CLI command results in a grpc error: code = Unknown desc = unexpected EOF error if the certs are not passed:

tsh login --proxy=teleport.project.com:443 --auth=github

tsh app login argo-cd                                               
Logged into app argo-cd. Example curl command:

curl \
  --cert /home/dmitry/.tsh/keys/teleport.project.com/user-app/teleport.project.com/argo-cd-x509.pem \
  --key /home/dmitry/.tsh/keys/teleport.project.com/user \
  https://argo-cd.teleport.project.com

argocd login argo-cd.teleport.project.com --username admin --client-crt /home/dmitry/.tsh/keys/teleport.project.com/user-app/teleport.project.com/argo-cd-x509.pem --client-crt-key /home/dmitry/.tsh/keys/teleport.project.com/user --grpc-web
Password: 
'admin:login' logged in successfully
Context 'argo-cd.teleport.project.com' updated

and errors:

argocd version --grpc-web
argocd: v2.9.3+6eba5be
  BuildDate: 2023-12-01T23:24:09Z
  GitCommit: 6eba5be864b7e031871ed7698f5233336dfe75c7
  GitTreeState: clean
  GoVersion: go1.21.4
  Compiler: gc
  Platform: linux/amd64
FATA[0000] rpc error: code = Unknown desc = unexpected EOF 

argocd app list                                                 
FATA[0000] rpc error: code = Unknown desc = unexpected EOF

argocd app list --grpc-web                                      
FATA[0000] rpc error: code = Unknown desc = unexpected EOF

but when all certs are passed, all is good:

argocd version --client-crt /home/dmitry/.tsh/keys/teleport.project.com/user-app/teleport.project.com/argo-cd-x509.pem --client-crt-key /home/dmitry/.tsh/keys/teleport.project.com/user --grpc-web 
argocd: v2.9.3+6eba5be
  BuildDate: 2023-12-01T23:24:09Z
  GitCommit: 6eba5be864b7e031871ed7698f5233336dfe75c7
  GitTreeState: clean
  GoVersion: go1.21.4
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.9.3+6eba5be
  BuildDate: 2023-12-01T23:05:50Z
  GitCommit: 6eba5be864b7e031871ed7698f5233336dfe75c7
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v5.2.1 2023-10-19T20:13:51Z
  Helm Version: v3.13.2+g2a2fb3b
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.20.0

Proposal

Is it possible to persist the cert arguments when argocd login is executed, so that future commands do not require the certs to be passed?

jannfis commented 4 months ago

I think it's a good idea to persist at least references to the cert/key combination.

Meanwhile, you should be able to set the ARGOCD_OPTS environment variable with the required parameters before calling argocd CLI, like so:

$ export ARGOCD_OPTS="--client-crt /home/dmitry/.tsh/keys/teleport.project.com/user-app/teleport.project.com/argo-cd-x509.pem --client-crt-key /home/dmitry/.tsh/keys/teleport.project.com/user"

dmitry-mightydevops commented 4 months ago

@jannfis I'm aware of ARGOCD_OPTS; however, when working in a multi-project environment and opening multiple shells, it requires copy-pasting this command in each shell as I switch between clusters.
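
The ARGOCD_OPTS workaround from this thread, keyed by context so it does not have to be re-exported in every shell. This is an added example, not part of the original issue and not Argo CD project code. The map file path and format and the function names `argocd_opts_for` and `argocd_for` are hypothetical; paths are assumed to contain no whitespace.

```sh
#!/bin/sh
# Hypothetical per-user map file (an assumption of this example), one line per
# Argo CD context:  <context-name> <client-cert-path> <client-key-path>
ARGOCD_CERT_MAP="${ARGOCD_CERT_MAP:-$HOME/.config/argocd/client-certs}"

# Print the ARGOCD_OPTS value for one context.
# Returns 1 if there is no usable entry, 2 if a file is unreadable,
# 3 if the private key is accessible to group or others.
argocd_opts_for() {
    ctx="$1"
    [ -r "$ARGOCD_CERT_MAP" ] || { echo "no cert map: $ARGOCD_CERT_MAP" >&2; return 1; }
    while read -r name crt key; do
        case "$name" in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$name" = "$ctx" ] || continue
        [ -r "$crt" ] || { echo "client cert not readable: $crt" >&2; return 2; }
        [ -r "$key" ] || { echo "client key not readable: $key" >&2; return 2; }
        # Only references are stored, so the key stays where tsh wrote it.
        # Refuse to use it if its mode grants anything to group or others.
        case "$(ls -ldL "$key")" in
            ????------*) ;;
            *) echo "refusing key with group/other access: $key" >&2; return 3 ;;
        esac
        printf '%s\n' "--client-crt $crt --client-crt-key $key"
        return 0
    done < "$ARGOCD_CERT_MAP"
    echo "no client cert entry for context: $ctx" >&2
    return 1
}

# Run one argocd command against a named context with that context's
# certificate options. ARGOCD_OPTS is set for this invocation only, so
# several shells can target different clusters without exporting anything.
argocd_for() {
    ctx="$1"; shift
    opts=$(argocd_opts_for "$ctx") || return
    ARGOCD_OPTS="$opts" argocd --argocd-context "$ctx" "$@"
}
```

After sourcing this from a shell startup file, `argocd_for argo-cd.teleport.project.com app list` picks up the cert and key listed for that context in the map file.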