argoproj · terrytangyuan · Sep 19, 2022 · Sep 19, 2022 · Sep 19, 2022 · Sep 19, 2022
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -131,7 +131,7 @@ jobs:
             ${{ runner.os }}-go-
       - name: Install and start K3S
         run: |
-          curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.21.2+k3s1 INSTALL_K3S_CHANNEL=stable INSTALL_K3S_EXEC=--docker K3S_KUBECONFIG_MODE=644 sh -
+          curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=stable INSTALL_K3S_EXEC=--docker K3S_KUBECONFIG_MODE=644 sh -
           until kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml cluster-info ; do sleep 10s ; done
           cp /etc/rancher/k3s/k3s.yaml /home/runner/.kubeconfig
           echo "- name: fake_token_user" >> $KUBECONFIG
@@ -155,14 +155,19 @@ jobs:
       - run: make cli STATIC_FILES=false
         if: ${{matrix.test == 'test-api' || matrix.test == 'test-cli' || matrix.test == 'test-java-sdk' || matrix.test == 'test-python-sdk'}}
       - run: make start PROFILE=${{matrix.profile}} AUTH_MODE=client STATIC_FILES=false LOG_LEVEL=info API=${{matrix.test == 'test-api' || matrix.test == 'test-cli' || matrix.test == 'test-java-sdk' || matrix.test == 'test-python-sdk'}} UI=false AZURE=true > /tmp/argo.log 2>&1 &
-      - run: make wait
-        timeout-minutes: 4
+      - name: make wait
+        # https://github.com/marketplace/actions/retry-step
+        uses: nick-fields/[email protected]
+        with:
+          timeout_minutes: 4
+          max_attempts: 4
+          command: make wait
       - name: make ${{matrix.test}}
         # https://github.com/marketplace/actions/retry-step
         uses: nick-fields/[email protected]
         with:
           timeout_minutes: 20
-          max_attempts: 2
+          max_attempts: 4
           command: make ${{matrix.test}} E2E_SUITE_TIMEOUT=20m STATIC_FILES=false AZURE=true
       - if: ${{ failure() }}
         run: |

diff --git a/.spelling b/.spelling
@@ -182,6 +182,7 @@ v1.0
 v1.1
 v1.2
 v1.3
+v1.24
 v2
 v2.10
 v2.11

diff --git a/Makefile b/Makefile
@@ -520,6 +520,7 @@ mysql-cli:
 test-cli: ./dist/argo
 
 test-%:
+	kubectl apply -f examples/secrets
 	go test -failfast -v -timeout $(E2E_SUITE_TIMEOUT) -count 1 --tags $* -parallel $(E2E_PARALLEL) ./test/e2e
 
 .PHONY: test-examples

diff --git a/docs/access-token.md b/docs/access-token.md
@@ -36,8 +36,16 @@ kubectl create rolebinding jenkins --role=jenkins --serviceaccount=argo:jenkins
 You now need to get a token:
 
 ```bash
-SECRET=$(kubectl get sa jenkins -o=jsonpath='{.secrets[0].name}')
-ARGO_TOKEN="Bearer $(kubectl get secret $SECRET -o=jsonpath='{.data.token}' | base64 --decode)"
+kubectl apply -f - <<EOF
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: jenkins.service-account-token
+      annotations:
+        kubernetes.io/service-account.name: jenkins
+    type: kubernetes.io/service-account-token
+EOF
+ARGO_TOKEN="Bearer $(kubectl get secret jenkins.service-account-token -o=jsonpath='{.data.token}' | base64 --decode)"
 echo $ARGO_TOKEN
 Bearer ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkltS...
 ```

diff --git a/docs/manually-create-secrets.md b/docs/manually-create-secrets.md
@@ -0,0 +1,5 @@
+# Kubernetes Secrets
+
+As of Kubernetes v1.24, secrets are not automatically created for service accounts by default. [Find out how to create these yourself manually](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-service-account-api-token).
+
+Argo discovers your token by name, not annotation. They must be named `${serviceAccountName}.service-account-token`.
diff --git a/examples/secrets/default.service-account-token-secret.yaml b/examples/secrets/default.service-account-token-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: default.service-account-token
+  annotations:
+    kubernetes.io/service-account.name: default
+type: kubernetes.io/service-account-token
diff --git a/examples/secrets/template-executor-executor-plugin.service-account-token-secret.yaml b/examples/secrets/template-executor-executor-plugin.service-account-token-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: template-executor-executor-plugin.service-account-token
+  annotations:
+    kubernetes.io/service-account.name: template-executor-executor-plugin
+type: kubernetes.io/service-account-token
diff --git a/hack/access-token.sh b/hack/access-token.sh
@@ -9,10 +9,18 @@ case $1 in
     kubectl create sa jenkins
     kubectl delete rolebinding jenkins --ignore-not-found
     kubectl create rolebinding jenkins --role=jenkins --serviceaccount=argo:jenkins
+    kubectl apply -f - <<EOF
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: jenkins.service-account-token
+      annotations:
+        kubernetes.io/service-account.name: jenkins
+    type: kubernetes.io/service-account-token
+EOF
     ;;
   get)
-    SECRET=$(kubectl get sa jenkins -o=jsonpath='{.secrets[0].name}')
-    ARGO_TOKEN="Bearer $(kubectl get secret $SECRET -o=jsonpath='{.data.token}' | base64 --decode)"
+    ARGO_TOKEN="Bearer $(kubectl get secret jenkins.service-account-token -o=jsonpath='{.data.token}' | base64 --decode)"
 
     curl -s http://localhost:2746/api/v1/workflows/argo -H "Authorization: $ARGO_TOKEN" > /dev/null
 

diff --git a/hack/test-examples.sh b/hack/test-examples.sh
@@ -3,6 +3,7 @@ set -eu -o pipefail
 
 # Load the configmaps that contains the parameter values used for certain examples.
 kubectl apply -f examples/configmaps/simple-parameters-configmap.yaml
+kubectl apply -f examples/secrets/default.service-account-token-secret.yaml
 
 echo "Checking for banned images..."
 grep -lR 'workflows.argoproj.io/test' examples/*  | while read f ; do

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -215,6 +215,7 @@ nav:
           - workflow-executors.md
           - workflow-restrictions.md
           - sidecar-injection.md
+          - manually-create-secrets.md
       - Argo Server:
           - argo-server.md
           - argo-server-auth-mode.md

diff --git a/server/auth/gatekeeper.go b/server/auth/gatekeeper.go
@@ -8,6 +8,8 @@ import (
 	"sort"
 	"strconv"
 
+	"github.com/argoproj/argo-workflows/v3/util/secrets"
+
 	eventsource "github.com/argoproj/argo-events/pkg/client/eventsource/clientset/versioned"
 	sensor "github.com/argoproj/argo-events/pkg/client/sensor/clientset/versioned"
 	log "github.com/sirupsen/logrus"
@@ -316,10 +318,8 @@ func (s *gatekeeper) rbacAuthorization(ctx context.Context, claims *types.Claims
 }
 
 func (s *gatekeeper) authorizationForServiceAccount(ctx context.Context, serviceAccount *corev1.ServiceAccount) (string, error) {
-	if len(serviceAccount.Secrets) == 0 {
-		return "", fmt.Errorf("expected at least one secret for SSO RBAC service account: %s", serviceAccount.GetName())
-	}
-	secret, err := s.cache.GetSecret(ctx, serviceAccount.GetNamespace(), serviceAccount.Secrets[0].Name)
+	secretName := secrets.SecretName(serviceAccount)
+	secret, err := s.cache.GetSecret(ctx, serviceAccount.GetNamespace(), secretName)
 	if err != nil {
 		return "", fmt.Errorf("failed to get service account secret: %w", err)
 	}

diff --git a/server/auth/webhook/interceptor.go b/server/auth/webhook/interceptor.go
@@ -7,6 +7,8 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/argoproj/argo-workflows/v3/util/secrets"
+
 	log "github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
@@ -84,10 +86,7 @@ func addWebhookAuthorization(r *http.Request, kube kubernetes.Interface) error {
 			if err != nil {
 				return fmt.Errorf("failed to get service account \"%s\": %w", serviceAccountName, err)
 			}
-			if len(serviceAccount.Secrets) == 0 {
-				return fmt.Errorf("failed to get secret for service account \"%s\": no secrets", serviceAccountName)
-			}
-			tokenSecret, err := secretsInterface.Get(ctx, serviceAccount.Secrets[0].Name, metav1.GetOptions{})
+			tokenSecret, err := secretsInterface.Get(ctx, secrets.SecretName(serviceAccount), metav1.GetOptions{})
 			if err != nil {
 				return fmt.Errorf("failed to get token secret \"%s\": %w", tokenSecret, err)
 			}

diff --git a/test/e2e/argo_server_test.go b/test/e2e/argo_server_test.go
@@ -14,6 +14,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/argoproj/argo-workflows/v3/util/secrets"
+
 	"github.com/gavv/httpexpect/v2"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -445,7 +447,7 @@ func (s *ArgoServerSuite) TestPermission() {
 	s.Run("GetGoodSAToken", func() {
 		sAccount, err := s.KubeClient.CoreV1().ServiceAccounts(nsName).Get(ctx, goodSaName, metav1.GetOptions{})
 		if assert.NoError(s.T(), err) {
-			secretName := sAccount.Secrets[0].Name
+			secretName := secrets.SecretName(sAccount)
 			secret, err := s.KubeClient.CoreV1().Secrets(nsName).Get(ctx, secretName, metav1.GetOptions{})
 			assert.NoError(s.T(), err)
 			goodToken = string(secret.Data["token"])
@@ -457,7 +459,7 @@ func (s *ArgoServerSuite) TestPermission() {
 	s.Run("GetBadSAToken", func() {
 		sAccount, err := s.KubeClient.CoreV1().ServiceAccounts(nsName).Get(ctx, badSaName, metav1.GetOptions{})
 		assert.NoError(s.T(), err)
-		secretName := sAccount.Secrets[0].Name
+		secretName := secrets.SecretName(sAccount)
 		secret, err := s.KubeClient.CoreV1().Secrets(nsName).Get(ctx, secretName, metav1.GetOptions{})
 		assert.NoError(s.T(), err)
 		badToken = string(secret.Data["token"])

diff --git a/test/e2e/testdata/plugins/executor/template-executor-workflow.yaml b/test/e2e/testdata/plugins/executor/template-executor-workflow.yaml
@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Workflow
 metadata:
-  generateName: template-executor-
+  name: template-executor
 spec:
   entrypoint: main
   templates:

diff --git a/util/secrets/secret_name.go b/util/secrets/secret_name.go
@@ -0,0 +1,15 @@
+package secrets
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+func SecretName(serviceAccount *corev1.ServiceAccount) string {
+	secretName := fmt.Sprintf("%s.service-account-token", serviceAccount.Name)
+	if len(serviceAccount.Secrets) > 0 {
+		secretName = serviceAccount.Secrets[0].Name
+	}
+	return secretName
+}
diff --git a/util/secrets/secret_name_test.go b/util/secrets/secret_name_test.go
@@ -0,0 +1,19 @@
+package secrets
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestSecretName(t *testing.T) {
+	sa := corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{Name: "sa-name"},
+	}
+	assert.Equal(t, "sa-name.service-account-token", SecretName(&sa))
+	sa.Secrets = []corev1.ObjectReference{{Name: "existing-secret"}}
+	assert.Equal(t, "existing-secret", SecretName(&sa))
+}
diff --git a/workflow/controller/operator.go b/workflow/controller/operator.go
@@ -15,6 +15,8 @@ import (
 	"sync"
 	"time"
 
+	"github.com/argoproj/argo-workflows/v3/util/secrets"
+
 	"github.com/antonmedv/expr"
 	"github.com/argoproj/pkg/humanize"
 	argokubeerr "github.com/argoproj/pkg/kube/errors"
@@ -3686,10 +3688,7 @@ func (woc *wfOperationCtx) getServiceAccountTokenName(ctx context.Context, name
 	if err != nil {
 		return "", err
 	}
-	if len(account.Secrets) == 0 {
-		return "", fmt.Errorf("service account %s/%s does not have any secrets", account.Namespace, account.Name)
-	}
-	return account.Secrets[0].Name, nil
+	return secrets.SecretName(account), nil
 }
 
 // setWfPodNamesAnnotation sets an annotation on a workflow with the pod naming