Description
Hello ArgoCD team, I have recently been using ArgoCD and I think it's awesome. Now I am deploying the operator in PoC clusters and soon, I hope, in prod ones.
I wanted to raise the idea of adding support for GCP's Workload Identity to the ArgoCDExporter component, since I believe it simplifies the authentication process of applications running in GKE. I noticed that ArgoCDExporter already supports authentication through a service account key provided as a secret, which is awesome and, I think, a great fit to also enable Workload Identity.
TL;DR for Workload Identity: it allows access to GCP APIs by linking a K8s Service Account (SA) with a GCP one. In that way, K8s now knows how to authenticate with GCP APIs, keys are automatically rotated, and no more secrets with SA keys need to be provided to the workloads.
I am willing to add the support myself, but I am quite new to Operators. I can give it a try though.
On a side note, I also noticed that the contributing guidelines linked in the issue are pointing to the wrong URL, it should be:
And it points to:
As for my use case, I can use the current secret implementation, but it'd be awesome to be able to use a `serviceAccount` in addition to the `secretName` available (since there may be use cases where Workload Identity does not satisfy the requirements due to limitations).
As for the GCP IAM configuration section, I already have a working Terraform template that sets up a bucket, as well as a service account and permissions. Not sure if that could be useful in defining that section of the docs.
Please let me know if you need further information, and how we could move forward with this.
Thank you!
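For reference, the GCP side of the Workload Identity setup described in this issue (export bucket, GCP service account, bucket-scoped permissions, and the binding to a K8s service account) looks like the following Terraform. This is an added example, not the issue author's template or the operator's own code; the project id, namespace, and service account names are placeholders, and the K8s service account is the one a `serviceAccount` field on the exporter would reference.

```hcl
variable "project_id" {}                                  # placeholder: your GCP project id
variable "namespace" { default = "argocd" }               # placeholder: namespace of the exporter pod
variable "ksa_name"  { default = "argocd-export" }        # placeholder: K8s SA the exporter pod runs as

# Bucket that receives the ArgoCD export; uniform access keeps IAM as the single policy source.
resource "google_storage_bucket" "argocd_export" {
  name                        = "${var.project_id}-argocd-export"   # constructed bucket name
  location                    = "US"
  uniform_bucket_level_access = true
}

# GCP service account the exporter will impersonate; no key is ever created for it.
resource "google_service_account" "argocd_export" {
  account_id   = "argocd-export"
  display_name = "Argo CD export (Workload Identity)"
}

# Least privilege: object access on this one bucket only, nothing project-wide.
resource "google_storage_bucket_iam_member" "export_writer" {
  bucket = google_storage_bucket.argocd_export.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.argocd_export.email}"
}

# Workload Identity binding: only the K8s SA <namespace>/<name> may act as the GCP SA.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.argocd_export.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.ksa_name}]"
}

# K8s service account annotated with the GCP SA; pods using it get rotated, short-lived tokens.
resource "kubernetes_service_account" "argocd_export" {
  metadata {
    name      = var.ksa_name
    namespace = var.namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.argocd_export.email
    }
  }
}
```

Workload Identity must be enabled on the GKE cluster and node pool for the annotation to take effect; without it the pod falls back to the node's default credentials, so verify with a test pod before removing any secret-based key.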