Epic Goal
...
Currently, the Argo CD Agent project uses a username-and-password-based authentication scheme for communication between the spoke and the hub. In ACM, however, the spoke authenticates to the hub using a client certificate. The goal is to implement an authentication mechanism within the Argo CD Agent project that aligns with ACM's existing client-cert-based authentication model. This will allow ACM deployments of Argo CD agents to use the same mechanism for spoke-to-hub communication, without the need for an additional user and password store.
Side note that doesn’t have to be in the Jira: This work is critical for finalizing the Argo CD Agent addon work. An example of why the Argo CD agent needs to authenticate: when cluster1 tells the hub “I am cluster1”, the hub needs to verify that cluster1 is telling the truth. If a bad actor takes over cluster1 and tells the hub “I am cluster2”, the hub should be able to reject that request because the authentication check fails.
More details in the discussion: https://youtu.be/-BF_1GfxRy0?si=AMFCgO60A8DtZ5b1&t=1808
Why is this important?
...
Scenarios
...
Acceptance Criteria
...
Dependencies (internal and external)
- ...
Previous Work (Optional):
- ...
Open questions:
- …
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Doc issue opened with a completed template. Separate doc issue
opened for any deprecation, removal, or any current known
issue/troubleshooting removal from the doc, if applicable.