docs(proposal): workload identity

[blakepettersson]

A proposal for acquiring temporary repository credentials using the tokenrequest api (or via spiffe if applicable).

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Title of the PR
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔵 /bns:start to start the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[lieberlois]

I haven't read all of it yet, but this is exactly what I'm trying to fix in #26030

It's not enough to set the tenant id here, because Workload Identity can only get one Identity from Entra Id. To make this more broadly applicable, we need the feature to be able to overwrite the tenant id per repository - both for Helm/OCI (Azure Container Registry) and for Git (Azure DevOps).

[blakepettersson]

Hi @lieberlois,

In this proposal you should be able to set a custom tenant id by setting a custom token url in the repo cred.

something like

apiVersion: v1
kind: Secret
metadata:
  name: my-ecr-repo
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: oci
  url: oci://your-registry.azurecr.io/myrepository
  project: production
  workloadIdentityProvider: "azure"
  workloadIdentityTokenURL: "https://login.microsoftonline.com/your-custom-tenant-id/oauth2/v2.0/token"

[ninjadq]

But it seems AKS not expose the Token directly, the token exchanging is managed by AKS and AAD. User use label `azure.workload.identity/use=true' to let AKS to write the cred back to the pod.
ref: https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html

[rumstead]

I was wondering what @ninjadq is asking here too. I think what would happen is some argo process would:

1. Get a token for the service account/api/v1/namespaces/argocd/serviceaccounts/argocd-project-production/token
2. Exchange K8s JWT with Azure AD https://login.microsoftonline.com/{tenant}/oauth2/token
3. Get the ACR token (simile to here)

[jagpreetstamber]

Agreed, it should be added to service account and be read from there for overide.

[blakepettersson]

Here's how I've done this in my WIP:

1. The initial acquisition of the Azure token: https://github.com/blakepettersson/argo-cd/blob/feature/workload-identity-v2-wip/util/workloadidentity/v2/identity/azure.go

2. The token being exchanged for an ACR token: https://github.com/blakepettersson/argo-cd/blob/feature/workload-identity-v2-wip/util/workloadidentity/v2/repository/acr.go

3. The intermediary of this whole enchilada: https://github.com/blakepettersson/argo-cd/blob/feature/workload-identity-v2-wip/util/workloadidentity/v2/resolver.go

[ninjadq]

The proposal looks great! It’s more comprehensive and scalable than current implementation

[ninjadq]

Azure workload identity already used for some customer. It seems need some migration to the new proposal

[blakepettersson]

Good point, I'll amend

[ninjadq]

But it seems AKS not expose the Token directly, the token exchanging is managed by AKS and AAD. User use label `azure.workload.identity/use=true' to let AKS to write the cred back to the pod.
ref: https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html

[jagpreetstamber]

@blakepettersson As this service account is not used as kubenetes object we are only using it to read the configurations for workload identity, these configurations can be added in the secrets for repo conffigurations?

[blakepettersson]

@jagpreetstamber my concern is having to need to add a bunch of cloud-specific fields to the repository spec itself. IMO having e.g tenantId and clientId are Azure-specific options and should be kept somewhere where we have the options to have more flexibility (i.e annotations). TBF we could have this as annotations on the repository itself, but that would also mean needing to duplicate those settings for all repositories needing to make use of it.

[rumstead]

Should we document a migration path and how we would support any backwards compatibility?

[rumstead]

Same comment @ninjadq left below but I didn't see theirs before I left mine. Feel free to resolve.

[rumstead]

What component would be responsible for the token exchange?

[jagpreetstamber]

Pull request generator also needs to be added in the scope of workload identity

[blakepettersson]

Yes good point, will check to see if this would require any changes (I don't think so, or it shouldn't be too extensive)

[jagpreetstamber]

Single Sign On Also needs to be added in the scope

[blakepettersson]

Could you expand on why this would be needed?

[blakepettersson]

Here's the current WIP