|
| 1 | +// Copyright 2024 The argocd-agent Authors |
| 2 | +// |
| 3 | +// Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | +// you may not use this file except in compliance with the License. |
| 5 | +// You may obtain a copy of the License at |
| 6 | +// |
| 7 | +// http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | +// |
| 9 | +// Unless required by applicable law or agreed to in writing, software |
| 10 | +// distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | +// See the License for the specific language governing permissions and |
| 13 | +// limitations under the License. |
| 14 | + |
| 15 | +// argocd-agent-creds is a Kubernetes client-go exec credential plugin |
| 16 | +// (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins). |
| 17 | +// |
| 18 | +// It is invoked by Argo CD (argocd-server, argocd-repo-server, etc., running |
| 19 | +// on the argocd-agent principal cluster) whenever it builds a REST client |
| 20 | +// for a cluster whose Argo CD Secret was generated by |
| 21 | +// clusterprofile-integration-for-argocd from a ClusterProfile with an |
| 22 | +// "argocd-agent" AccessProvider. |
| 23 | +// |
| 24 | +// It does not mint or store any secret itself: it only reads the |
| 25 | +// non-expiring resource-proxy bearer token that clusterprofile-agent-driver |
| 26 | +// already wrote into a companion Secret next to the ClusterProfile, and |
| 27 | +// returns it to the caller as an ExecCredential. |
| 28 | +// |
| 29 | +// The binary must be present in the PATH of whichever Argo CD component |
| 30 | +// invokes it. See docs/clusterprofile-integration/README.md for how it is |
| 31 | +// injected into the argocd-server Pod via an init container. |
| 32 | +package main |
| 33 | + |
| 34 | +import ( |
| 35 | + "context" |
| 36 | + "encoding/json" |
| 37 | + "fmt" |
| 38 | + "os" |
| 39 | + |
| 40 | + corev1 "k8s.io/api/core/v1" |
| 41 | + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 42 | + "k8s.io/client-go/kubernetes" |
| 43 | + clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" |
| 44 | + "k8s.io/client-go/rest" |
| 45 | + |
| 46 | + "github.com/argoproj-labs/argocd-agent/internal/clusterprofiledriver" |
| 47 | +) |
| 48 | + |
| 49 | +const execInfoEnvVar = "KUBERNETES_EXEC_INFO" |
| 50 | + |
| 51 | +func main() { |
| 52 | + if err := run(); err != nil { |
| 53 | + fmt.Fprintf(os.Stderr, "argocd-agent-creds: %v\n", err) |
| 54 | + os.Exit(1) |
| 55 | + } |
| 56 | +} |
| 57 | + |
| 58 | +func run() error { |
| 59 | + raw := os.Getenv(execInfoEnvVar) |
| 60 | + if raw == "" { |
| 61 | + return fmt.Errorf("%s is not set; this binary must be invoked as a client-go exec credential plugin", execInfoEnvVar) |
| 62 | + } |
| 63 | + |
| 64 | + var execCred clientauthv1beta1.ExecCredential |
| 65 | + if err := json.Unmarshal([]byte(raw), &execCred); err != nil { |
| 66 | + return fmt.Errorf("failed to parse %s: %w", execInfoEnvVar, err) |
| 67 | + } |
| 68 | + |
| 69 | + // Primary channel: env vars advertised by clusterprofile-agent-driver via |
| 70 | + // the KEP-5339 additional-envs cluster extension (see |
| 71 | + // clusterprofiledriver.additionalEnvVarsExtensionKey). These are applied |
| 72 | + // to this process's environment unconditionally by client-go's exec |
| 73 | + // authenticator, regardless of whether Cluster/ProvideClusterInfo made it |
| 74 | + // through for this particular request - which empirically (Argo CD |
| 75 | + // v3.4.4) it does not for at least the API-discovery-client path used by |
| 76 | + // GetResource/live-manifest/pod-logs. |
| 77 | + agentName := os.Getenv(clusterprofiledriver.EnvAgentName) |
| 78 | + tokenSecretName := os.Getenv(clusterprofiledriver.EnvTokenSecretName) |
| 79 | + tokenSecretNamespace := os.Getenv(clusterprofiledriver.EnvTokenSecretNamespace) |
| 80 | + key := os.Getenv(clusterprofiledriver.EnvTokenSecretKey) |
| 81 | + mtlsSecretName := os.Getenv(clusterprofiledriver.EnvMTLSSecretName) |
| 82 | + mtlsSecretNamespace := os.Getenv(clusterprofiledriver.EnvMTLSSecretNamespace) |
| 83 | + |
| 84 | + // Fallback channel: ExecCredential.Spec.Cluster.Config, populated from |
| 85 | + // the "client.authentication.k8s.io/exec" cluster extension when Argo CD |
| 86 | + // does pass Cluster through (e.g. other call sites/future Argo CD |
| 87 | + // versions may behave differently). |
| 88 | + if tokenSecretName == "" || tokenSecretNamespace == "" { |
| 89 | + if execCred.Spec.Cluster == nil || len(execCred.Spec.Cluster.Config.Raw) == 0 { |
| 90 | + if os.Getenv("ARGOCD_AGENT_CREDS_DEBUG") != "" { |
| 91 | + fmt.Fprintf(os.Stderr, "argocd-agent-creds: DEBUG raw KUBERNETES_EXEC_INFO=%s\n", raw) |
| 92 | + } |
| 93 | + return fmt.Errorf("no token secret reference available: neither %s/%s env vars nor a cluster config extension were provided", clusterprofiledriver.EnvTokenSecretName, clusterprofiledriver.EnvTokenSecretNamespace) |
| 94 | + } |
| 95 | + var ext clusterprofiledriver.ExecExtension |
| 96 | + if err := json.Unmarshal(execCred.Spec.Cluster.Config.Raw, &ext); err != nil { |
| 97 | + return fmt.Errorf("failed to parse cluster config extension: %w", err) |
| 98 | + } |
| 99 | + agentName = ext.AgentName |
| 100 | + tokenSecretName = ext.TokenSecretName |
| 101 | + tokenSecretNamespace = ext.TokenSecretNamespace |
| 102 | + key = ext.TokenSecretKey |
| 103 | + } |
| 104 | + if key == "" { |
| 105 | + key = clusterprofiledriver.TokenSecretKey |
| 106 | + } |
| 107 | + // Fall back to the well-known shared mTLS secret name/namespace if the |
| 108 | + // driver didn't advertise one (e.g. an older driver version, or the |
| 109 | + // Cluster.Config-only fallback path above). |
| 110 | + if mtlsSecretName == "" { |
| 111 | + mtlsSecretName = clusterprofiledriver.SharedClientCertSecretName |
| 112 | + } |
| 113 | + if mtlsSecretNamespace == "" { |
| 114 | + mtlsSecretNamespace = tokenSecretNamespace |
| 115 | + } |
| 116 | + |
| 117 | + cfg, err := rest.InClusterConfig() |
| 118 | + if err != nil { |
| 119 | + return fmt.Errorf("failed to load in-cluster config: %w", err) |
| 120 | + } |
| 121 | + clientset, err := kubernetes.NewForConfig(cfg) |
| 122 | + if err != nil { |
| 123 | + return fmt.Errorf("failed to build kubernetes client: %w", err) |
| 124 | + } |
| 125 | + ctx := context.Background() |
| 126 | + |
| 127 | + token, err := fetchSecretKey(ctx, clientset, tokenSecretNamespace, tokenSecretName, key) |
| 128 | + if err != nil { |
| 129 | + return fmt.Errorf("failed to fetch resource-proxy token for agent %q: %w", agentName, err) |
| 130 | + } |
| 131 | + |
| 132 | + // The resource proxy's TLS listener is hardcoded to |
| 133 | + // tls.RequireAndVerifyClientCert (argocd-agent's existing, unmodified |
| 134 | + // cmd/argocd-agent/principal.go). A bearer token alone cannot satisfy |
| 135 | + // the TLS handshake, so we also present a CA-signed client certificate; |
| 136 | + // see the comment on clusterprofiledriver.SharedClientCertSecretName for |
| 137 | + // why one shared cert works for every agent. |
| 138 | + certPEM, err := fetchSecretKey(ctx, clientset, mtlsSecretNamespace, mtlsSecretName, corev1.TLSCertKey) |
| 139 | + if err != nil { |
| 140 | + return fmt.Errorf("failed to fetch shared mTLS client certificate %s/%s: %w", mtlsSecretNamespace, mtlsSecretName, err) |
| 141 | + } |
| 142 | + keyPEM, err := fetchSecretKey(ctx, clientset, mtlsSecretNamespace, mtlsSecretName, corev1.TLSPrivateKeyKey) |
| 143 | + if err != nil { |
| 144 | + return fmt.Errorf("failed to fetch shared mTLS client key %s/%s: %w", mtlsSecretNamespace, mtlsSecretName, err) |
| 145 | + } |
| 146 | + |
| 147 | + resp := clientauthv1beta1.ExecCredential{ |
| 148 | + TypeMeta: metav1.TypeMeta{ |
| 149 | + APIVersion: clientauthv1beta1.SchemeGroupVersion.String(), |
| 150 | + Kind: "ExecCredential", |
| 151 | + }, |
| 152 | + Status: &clientauthv1beta1.ExecCredentialStatus{ |
| 153 | + // Resource-proxy tokens minted by clusterprofile-agent-driver do |
| 154 | + // not expire, so no ExpirationTimestamp is set. |
| 155 | + Token: token, |
| 156 | + ClientCertificateData: certPEM, |
| 157 | + ClientKeyData: keyPEM, |
| 158 | + }, |
| 159 | + } |
| 160 | + |
| 161 | + out, err := json.Marshal(resp) |
| 162 | + if err != nil { |
| 163 | + return fmt.Errorf("failed to marshal ExecCredential response: %w", err) |
| 164 | + } |
| 165 | + fmt.Println(string(out)) |
| 166 | + return nil |
| 167 | +} |
| 168 | + |
| 169 | +// fetchSecretKey reads a single data key from a Secret using this process's |
| 170 | +// in-cluster ServiceAccount. The calling Argo CD component's ServiceAccount |
| 171 | +// must have RBAC "get" permission on Secrets in the given namespace |
| 172 | +// (typically the argocd namespace itself, if ClusterProfiles are co-located |
| 173 | +// with the Argo CD control plane). |
| 174 | +func fetchSecretKey(ctx context.Context, clientset *kubernetes.Clientset, namespace, name, key string) (string, error) { |
| 175 | + secret, err := clientset.CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{}) |
| 176 | + if err != nil { |
| 177 | + return "", fmt.Errorf("failed to get secret %s/%s: %w", namespace, name, err) |
| 178 | + } |
| 179 | + |
| 180 | + data, ok := secret.Data[key] |
| 181 | + if !ok || len(data) == 0 { |
| 182 | + return "", fmt.Errorf("secret %s/%s has no data at key %q", namespace, name, key) |
| 183 | + } |
| 184 | + return string(data), nil |
| 185 | +} |
0 commit comments