From 5fb6688bcbeef2b7b1e1ed8a96d4eb7d172e5c1d Mon Sep 17 00:00:00 2001 From: Aikawa Date: Sat, 3 Jun 2023 23:40:50 +0900 Subject: [PATCH] chore(argo-workflows): Declare SSO configuration explicitly on values.yaml (#2089) Signed-off-by: yu-croco Co-authored-by: Jason Meridth --- charts/argo-workflows/Chart.yaml | 4 +- charts/argo-workflows/README.md | 16 ++++- .../workflow-controller-config-map.yaml | 44 ++++++------- .../server/server-cluster-roles.yaml | 10 ++- charts/argo-workflows/values.yaml | 65 ++++++++++++------- 5 files changed, 82 insertions(+), 57 deletions(-) diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 6ac0cf5c..8f899e6c 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v3.4.8 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.28.2 +version: 0.29.0 icon: https://argoproj.github.io/argo-workflows/assets/logo.png home: https://github.com/argoproj/argo-helm sources: @@ -17,4 +17,4 @@ annotations: url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - kind: changed - description: Upgrade to Argo Workflows v3.4.8 + description: Declare SSO configuration explicitly on values.yaml diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index b5612a16..f46d10e0 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md @@ -302,7 +302,21 @@ Fields to note: | server.servicePort | int | `2746` | Service port for server | | server.servicePortName | string | `""` | Service port name | | server.serviceType | string | `"ClusterIP"` | Service type for server pods | -| server.sso | object | `{}` | SSO configuration when SSO is specified as a server auth mode. | +| server.sso.clientId.key | string | `"client-id"` | Key of secret to retrieve the app OIDC client ID | +| server.sso.clientId.name | string | `"argo-server-sso"` | Name of secret to retrieve the app OIDC client ID | +| server.sso.clientSecret.key | string | `"client-secret"` | Key of a secret to retrieve the app OIDC client secret | +| server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret | +| server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups | +| server.sso.enabled | bool | `false` | Create SSO configuration | +| server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client | +| server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider | +| server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers | +| server.sso.rbac.enabled | bool | `true` | Adds ServiceAccount Policy to server (Cluster)Role. | +| server.sso.rbac.secretWhitelist | list | `[]` | Whitelist to allow server to fetch Secrets | +| server.sso.redirectUrl | string | `"https://argo/oauth2/callback"` | | +| server.sso.scopes | list | `[]` | Scopes requested from the SSO ID provider | +| server.sso.sessionExpiry | string | `""` | Define how long your login is valid for (in hours) | +| server.sso.userInfoPath | string | `""` | Specify the user info endpoint that contains the groups claim | | server.tolerations | list | `[]` | [Tolerations] for use with node taints | | server.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the argo server | | server.volumeMounts | list | `[]` | Additional volume mounts to the server main container. | diff --git a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml index d30db859..ef39ddc7 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml @@ -126,37 +126,35 @@ data: {{- if .Values.controller.workflowDefaults }} workflowDefaults: {{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }} - {{- with .Values.server.sso }} + {{- if .Values.server.sso.enabled }} sso: - issuer: {{ .issuer }} + issuer: {{ .Values.server.sso.issuer }} clientId: - name: {{ .clientId.name }} - key: {{ .clientId.key }} + name: {{ .Values.server.sso.clientId.name }} + key: {{ .Values.server.sso.clientId.key }} clientSecret: - name: {{ .clientSecret.name }} - key: {{ .clientSecret.key }} - redirectUrl: {{ .redirectUrl }} - {{- with .rbac }} + name: {{ .Values.server.sso.clientSecret.name }} + key: {{ .Values.server.sso.clientSecret.key }} + redirectUrl: {{ .Values.server.sso.redirectUrl }} rbac: - enabled: {{ .enabled }} + enabled: {{ .Values.server.sso.rbac.enabled }} + {{- with .Values.server.sso.scopes }} + scopes: {{ toYaml . | nindent 8 }} {{- end }} - {{- if .scopes }} - scopes: {{ toYaml .scopes | nindent 8 }} + {{- with .Values.server.sso.issuerAlias }} + issuerAlias: {{ toYaml . }} {{- end }} - {{- if .issuerAlias }} - issuerAlias: {{ .issuerAlias }} + {{- with .Values.server.sso.sessionExpiry }} + sessionExpiry: {{ toYaml . }} {{- end }} - {{- if .sessionExpiry }} - sessionExpiry: {{ .sessionExpiry }} + {{- with .Values.server.sso.customGroupClaimName }} + customGroupClaimName: {{ toYaml . }} {{- end }} - {{- if .customGroupClaimName }} - customGroupClaimName: {{ .customGroupClaimName }} + {{- with .Values.server.sso.userInfoPath }} + userInfoPath: {{ toYaml . }} {{- end }} - {{- if .userInfoPath }} - userInfoPath: {{ .userInfoPath }} - {{- end }} - {{- if .insecureSkipVerify }} - insecureSkipVerify: {{ .insecureSkipVerify }} + {{- with .Values.server.sso.insecureSkipVerify }} + insecureSkipVerify: {{ toYaml . }} {{- end }} {{- end }} {{- with .Values.controller.workflowRestrictions }} @@ -184,4 +182,4 @@ data: {{- end }} {{- with .Values.controller.podGCDeleteDelayDuration }} podGCDeleteDelayDuration: {{ . }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/charts/argo-workflows/templates/server/server-cluster-roles.yaml b/charts/argo-workflows/templates/server/server-cluster-roles.yaml index 96f12bfa..2a52d956 100644 --- a/charts/argo-workflows/templates/server/server-cluster-roles.yaml +++ b/charts/argo-workflows/templates/server/server-cluster-roles.yaml @@ -38,7 +38,7 @@ rules: verbs: - get - list -{{- if .Values.server.sso }} +{{- if .Values.server.sso.enabled }} - apiGroups: - "" resources: @@ -54,7 +54,7 @@ rules: - secrets verbs: - create - {{- if .Values.server.sso.rbac }} + {{- if .Values.server.sso.rbac.enabled }} - apiGroups: - "" resources: @@ -73,11 +73,9 @@ rules: - get - list - watch -{{- if .Values.server.sso }} - {{- if .Values.server.sso.rbac }} - {{- with .Values.server.sso.rbac.secretWhitelist }} +{{- if and .Values.server.sso.enabled .Values.server.sso.rbac.enabled }} + {{- with .Values.server.sso.rbac.secretWhitelist }} resourceNames: {{- toYaml . | nindent 4 }} - {{- end }} {{- end }} {{- end }} - apiGroups: diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index b65fd4f8..64a81d92 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -618,35 +618,50 @@ server: # -- Give the server permissions to edit ClusterWorkflowTemplates. enableEditing: true - # -- SSO configuration when SSO is specified as a server auth mode. - sso: {} - ## All the values are required. SSO is activated by adding --auth-mode=sso - ## to the server command line. - # - ## The root URL of the OIDC identity provider. - # issuer: https://accounts.google.com - ## Name of a secret and a key in it to retrieve the app OIDC client ID from. - # clientId: - # name: argo-server-sso - # key: client-id - ## Name of a secret and a key in it to retrieve the app OIDC client secret from. - # clientSecret: - # name: argo-server-sso - # key: client-secret - ## The OIDC redirect URL. Should be in the form /oauth2/callback. - # redirectUrl: https://argo/oauth2/callback - # rbac: - # enabled: true + # SSO configuration when SSO is specified as a server auth mode. + sso: + # -- Create SSO configuration + ## SSO is activated by adding --auth-mode=sso to the server command line. + enabled: false + # -- The root URL of the OIDC identity provider + issuer: https://accounts.google.com + clientId: + # -- Name of secret to retrieve the app OIDC client ID + name: argo-server-sso + # -- Key of secret to retrieve the app OIDC client ID + key: client-id + clientSecret: + # -- Name of a secret to retrieve the app OIDC client secret + name: argo-server-sso + # -- Key of a secret to retrieve the app OIDC client secret + key: client-secret + # - The OIDC redirect URL. Should be in the form /oauth2/callback. + redirectUrl: https://argo/oauth2/callback + rbac: + # -- Adds ServiceAccount Policy to server (Cluster)Role. + enabled: true + # -- Whitelist to allow server to fetch Secrets ## When present, restricts secrets the server can read to a given list. ## You can use it to restrict the server to only be able to access the ## service account token secrets that are associated with service accounts ## used for authorization. - # secretWhitelist: [] - ## Scopes requested from the SSO ID provider. The 'groups' scope requests - ## group membership information, which is usually used for authorization - ## decisions. - # scopes: - # - groups + secretWhitelist: [] + # -- Scopes requested from the SSO ID provider + ## The 'groups' scope requests group membership information, which is usually used for authorization decisions. + scopes: [] + # - groups + # -- Define how long your login is valid for (in hours) + ## If omitted, defaults to 10h. + sessionExpiry: "" + # -- Alternate root URLs that can be included for some OIDC providers + issuerAlias: "" + # -- Override claim name for OIDC groups + customGroupClaimName: "" + # -- Specify the user info endpoint that contains the groups claim + ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta) + userInfoPath: "" + # -- Skip TLS verification for the HTTP client + insecureSkipVerify: false # -- Extra containers to be added to the server deployment extraContainers: []