[go: up one dir, main page]

Skip to content

Simple app that generates access tokens

Notifications You must be signed in to change notification settings

homedepot/arcade-build

 
 

Repository files navigation

arcade

Arcade is meant to run as a sidecar to generate authorization tokens and make them retrievable through a simple authenticated API. If the token has a defined expiration time, Arcade is set to cache the token for 90% of its lifetime.

Providers

Arcade supports the following authorization token providers:

  1. Google
  2. Microsoft
  3. Rancher

Token provider configuration files containing the credentials are placed in the ARCADE_CONFIG_DIRECTORY directory (default location is /secret/arcade/providers)

Google

Using google's Workload Identity, Arcade retrieves the token of the active GCP account.

{
  "type": "", // Required, set to 'google'
  "name": ""  // Required, set to a unique name identifying this token provider
}

Microsoft

Use this JSON structure to configure a Microsoft token provider

{
  "type": "",          // Required, set to 'microsoft'
  "name": "",          // Required, set to a unique name identifying this token provider
  "loginEndpoint": "", // Reqoured, set to the 'login' endpoint, such as https://login.microsoftonline.com/someone.onmicrosoft.com/oauth2/token
  "clientId": "",      // Required, set to your Microsoft Client ID
  "clientSecret": "",  // Required, set to your Microsoft Client Secret
  "resource": ""       // Optional, set to the resource you are requesting, such as 'https://graph.microsoft.com'
}

Rancher

Use this JSON structure to configure a Rancher token provider

{
  "type": "",     // Required, set to 'rancher'
  "name": "",     // Required, set to a unique name identifying this token provider
  "url": "",      // Reqoured, set to the 'login' endpoint of your Rancher instance
  "username": "", // Required, set to your Rancher username
  "password": "", // Required, set to your Rancher upassword
  "rootCA": ""    // Optional, set to a certificate to add to the trusted root CAs
}

Rancher kubeconfig tokens have an expiration time and Arcade will cache the token until it has expired before calling Rancher for a new one.

Run Locally

Prerequisites:

Run the following commands to build and generate a token.

Build

./get-dependencies.sh
./build.sh

Run

export ARCADE_API_KEY=test
export ARCADE_CONFIG_DIRECTORY=/tmp/arcade

[[ ! -d ${ARCADE_CONFIG_DIRECTORY} ]] && mkdir ${ARCADE_CONFIG_DIRECTORY}

echo '{
  "type": "google",
  "name": "google"
}' > ${ARCADE_CONFIG_DIRECTORY}/google.json

echo '{
  "type": "rancher",
  "name": "rancher.example.com",
  "url": "https://rancher.example.com/v3/activeDirectoryProviders/activedirectory?action=login",
  "username": "<YOUR_USERNAME>",
  "password": "<YOUR_PASSWORD>"
}' > ${ARCADE_CONFIG_DIRECTORY}/rancher.json

echo '{
  "type": "microsoft",
  "name": "microsoftonline",
  "loginEndpoint": "https://login.microsoftonline.com/someone.onmicrosoft.com/oauth2/token",
  "clientId": "<YOUR_CLIENT_ID>",
  "clientSecret": "<YOUR_CLIENT_SECRET>",
  "resource": "https://graph.microsoft.com"
}' > ${ARCADE_CONFIG_DIRECTORY}/microsoft.json

./arcade

Test

Google

curl localhost:1982/tokens?provider=google -H "Api-Key: test"

The default token provider is google, so this is equivalent to the call above

curl localhost:1982/tokens -H "Api-Key: test"

Microsoft

curl localhost:1982/tokens?provider=microsoftonline -H "Api-Key: test"

Rancher

curl localhost:1982/tokens?provider=rancher.example.com -H "Api-Key: test"

About

Simple app that generates access tokens

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 97.1%
  • Shell 2.7%
  • Dockerfile 0.2%