Arcade is meant to run as a sidecar to generate authorization tokens and make them retrievable through a simple authenticated API. If the token has a defined expiration time, Arcade is set to cache the token for 90% of its lifetime.
Arcade supports the following authorization token providers:
- Microsoft
- Rancher
Token provider configuration files containing the credentials are placed in the ARCADE_CONFIG_DIRECTORY
directory (default location is /secret/arcade/providers
)
Using google's Workload Identity, Arcade retrieves the token of the active GCP account.
{
type: "", // Required, set to 'google'
name: "", // Required, set to a unique name identifying this token provider
}
Use this JSON structure to configure a Microsoft token provider
{
type: "", // Required, set to 'microsoft'
name: "", // Required, set to a unique name identifying this token provider
loginEndpoint: "", // Reqoured, set to the 'login' endpoint, such as https://login.microsoftonline.com/someone.onmicrosoft.com/oauth2/token
clientId: "", // Required, set to your Microsoft Client ID
clientSecret: "", // Required, set to your Microsoft Client Secret
resource: "", // Optional, set to the resource you are requesting, such as 'https://graph.microsoft.com'
}
Use this JSON structure to configure a Rancher token provider
{
type: "", // Required, set to 'rancher'
name: "", // Required, set to a unique name identifying this token provider
url: "", // Reqoured, set to the 'login' endpoint of your Rancher instance
username: "", // Required, set to your Rancher username
password: "", // Required, set to your Rancher upassword
rootCA: "", // Optional, set to a certificate to add to the trusted root CAs
}
Rancher kubeconfig tokens have an expiration time and Arcade will cache the token until it has expired before calling Rancher for a new one.
Prerequisites:
- the gcloud CLI must be installed
- you'll need Application Default Credentials set up and run
gcloud auth application-default login
Run the following commands to build and generate a token.
make setup
make build
export ARCADE_API_KEY=test
export ARCADE_CONFIG_DIRECTORY=/tmp/arcade
[[ ! -d ${ARCADE_CONFIG_DIRECTORY} ]] && mkdir ${ARCADE_CONFIG_DIRECTORY}
echo '{
"type": "google",
"name": "google"
}' > ${ARCADE_CONFIG_DIRECTORY}/google.json
echo '{
"type": "rancher",
"name": "rancher.example.com",
"url": "https://rancher.example.com/v3/activeDirectoryProviders/activedirectory?action=login",
"username": "<YOUR_USERNAME>",
"password": "<YOUR_PASSWORD>"
}' > ${ARCADE_CONFIG_DIRECTORY}/rancher.json
echo '{
"type": "microsoft",
"name": "microsoftonline",
"loginEndpoint": "https://login.microsoftonline.com/someone.onmicrosoft.com/oauth2/token",
"clientId": "<YOUR_CLIENT_ID>",
"clientSecret": "<YOUR_CLIENT_SECRET>",
"resource": "https://graph.microsoft.com"
}' > ${ARCADE_CONFIG_DIRECTORY}/microsoft.json
./arcade
curl localhost:1982/tokens?provider=google -H "Api-Key: test"
The default token provider is google, so this is equivalent to the call above
curl localhost:1982/tokens -H "Api-Key: test"
Microsoft
curl localhost:1982/tokens?provider=microsoftonline -H "Api-Key: test"
Rancher
curl localhost:1982/tokens?provider=rancher.example.com -H "Api-Key: test"