baton-argo-cd

baton-argo-cd is a connector for built using the Baton SDK.

Check out Baton to learn more the project in general.

Prerequisites

RBAC Role Requirements

To grant roles to users, role definitions must exist in the argocd-rbac-cm ConfigMap before assignment.

Built-in roles (always available):

• admin - Full administrative access
• readonly - Read-only access to all resources

Custom roles must be defined before granting:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    # Define custom roles FIRST (policy definitions)
    p, role:developers, applications, get, default/*, allow
    p, role:operators, applications, *, */*, allow

    # Then grants can be added (manually or via baton)
    g, alice, role:developers

Policy line format: p, role:<name>, resource, action, object, effect

See ArgoCD RBAC documentation for details.

TLS Configuration

When connecting to ArgoCD instances with self-signed certificates, you have two options:

For development/testing (insecure):

baton-argo-cd --insecure-skip-verify true --api-url https://argocd.local ...

For production (secure with custom CA):

baton-argo-cd --ca-cert-path /path/to/ca.crt --api-url https://argocd.local ...

Getting Started

brew

brew install conductorone/baton/baton conductorone/baton/baton-argo-cd
baton-argo-cd
baton resources

docker

docker run --rm -v $(pwd):/out -e BATON_DOMAIN_URL=domain_url -e BATON_API_KEY=apiKey -e BATON_USERNAME=username ghcr.io/conductorone/baton-argo-cd:latest -f "/out/sync.c1z"
docker run --rm -v $(pwd):/out ghcr.io/conductorone/baton:latest -f "/out/sync.c1z" resources

source

go install github.com/conductorone/baton/cmd/baton@main
go install github.com/conductorone/baton-argo-cd/cmd/baton-argo-cd@main

baton-argo-cd

baton resources

Data Model

baton-argo-cd will pull down information about the following resources from ArgoCD:

• Users
• Roles

This connector supports account provisioning for users and entitlement provisioning for roles.

Contributing, Support and Issues

We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions, and ideas, no matter how small—our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a GitHub Issue!

See CONTRIBUTING.md for more details.

baton-argo-cd Command Line Usage

baton-argo-cd

Usage:
  baton-argo-cd [flags]
  baton-argo-cd [command]

Available Commands:
  capabilities       Get connector capabilities
  completion         Generate the autocompletion script for the specified shell
  help               Help about any command

Flags:
      --username  string             The username used to authenticate with Argo CD
      --password  string             The password used to authenticate with Argo CD
      --api-url   string             The API URL
      --client-id string             The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
      --client-secret string         The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
  -f, --file string                  The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
  -h, --help                         help for baton-argo-cd
      --log-format string            The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
      --log-level string             The log level: debug, info, warn, error ($BATON_LOG_LEVEL) (default "info")
  -p, --provisioning                 If this connector supports provisioning, this must be set in order for provisioning actions to be enabled ($BATON_PROVISIONING)
      --ticketing                    This must be set to enable ticketing support ($BATON_TICKETING)
  -v, --version                      version for baton-argo-cd

Use "baton-argo-cd [command] --help" for more information about a command.