Epic
Resolution: Unresolved
Operator to support Argo CD local user management
To Do
Context
In addition to SSO login, Argo CD supports local users for purposes of automation using the apiKey capability.
Setting up local users currently is a bit tedious. Users of the GitOps Operator will have to:
- patch the argocd-cm ConfigMap to add the user and give them appropriate capabilities
- either call the Argo CD API or use the CLI/UI to issue a token for that user
The Operator should provide an easy mechanism to encapsulate management of local users and their API tokens.
Why is this valuable?
Many users of the Operator need to trigger some Argo CD actions from their CI pipelines. For this to work, they have to create local users manually to use them with the CLI or the REST API.
Set-up and management of these local users and their API keys is not a great experience right now.
Proposal
As a user of the Operator, I want an easy way to set up and use local Argo CD users for automation purposes.
The users should be manageable (e.g. created or deleted) through the ArgoCD Operand. Their tokens should be automatically created and easily retrievable from a Secret (either an existing Secret or a new one).
As a topic for discussion, should the Operator also manage the lifecycle of issued tokens? E.g. for tokens that expire after a certain time, re-issue a new one with the same lifetime?
Upgrade considerations
Previously, users of the Operator may have managed their local users manually. In an upgrade scenario (e.g. upgrading from a version of the Operator that does not have user management to a version that does have user management), it must be ensured that neither existing configured local users nor their tokens get overwritten on upgrading the Operator.
Acceptance Criteria
- Local Argo CD users can be created and deleted by the Operator using reconciliation into the argocd-cm ConfigMap
- When a user is created, a token is issued automatically. When the user is deleted, its token is deleted, too.
- Token lifetime can be specified by the user
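One way the reconciliation into argocd-cm could honour the upgrade consideration above, as an added sketch that is not the Operator's code: an account is created, updated or removed only when the Operator itself owns it. The `desired` input (users declared on the operand) and the `owned` list (assumed to be persisted in status) are hypothetical; the `accounts.<name>` key format is Argo CD's.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ReconcileAccounts merges operator-declared local users into argocd-cm data.
// desired: name -> capabilities from the operand (hypothetical spec field).
// owned:   names created by earlier reconciles (assumed stored in status).
// Returns the new data, the names now owned, and the desired names skipped
// because a manually created account with that name already exists.
func ReconcileAccounts(cm, desired map[string]string, owned []string) (map[string]string, []string, []string) {
	out := make(map[string]string, len(cm))
	for k, v := range cm {
		out[k] = v
	}
	ownedSet := map[string]bool{}
	for _, n := range owned {
		ownedSet[n] = true
		if _, keep := desired[n]; !keep {
			key := "accounts." + n
			for k := range out {
				if k == key || strings.HasPrefix(k, key+".") {
					delete(out, k) // only operator-created accounts are removed
				}
			}
		}
	}
	var nowOwned, skipped []string
	for n, caps := range desired {
		key := "accounts." + n
		if _, exists := cm[key]; exists && !ownedSet[n] {
			skipped = append(skipped, n) // pre-upgrade manual user: leave untouched
			continue
		}
		out[key] = caps
		nowOwned = append(nowOwned, n)
	}
	sort.Strings(nowOwned)
	sort.Strings(skipped)
	return out, nowOwned, skipped
}

func main() {
	cm := map[string]string{"accounts.legacy": "apiKey, login", "accounts.old-ci": "apiKey"} // constructed sample
	fmt.Println(ReconcileAccounts(cm, map[string]string{"legacy": "apiKey", "ci-bot": "apiKey"}, []string{"old-ci"}))
}
```

Names returned in the skipped list are conflicts the Operator would have to surface to the administrator rather than resolve silently; issuing and deleting the matching tokens is outside this sketch.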