From fd0f2c92e18742e59f85cd51e7c5972a2448a063 Mon Sep 17 00:00:00 2001
From: Aikawa
Date: Sat, 24 Sep 2022 09:03:36 +0900
Subject: [PATCH] fix(argo-workflows): Set only used values on SSO configuration (#1483)
Signed-off-by: yu-croco
---
 charts/argo-workflows/Chart.yaml | 4 +--
 .../workflow-controller-config-map.yaml | 33 ++++++++++++++++++-
 charts/argo-workflows/values.yaml | 5 +++
 3 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml
index 019d2129..36a595f6 100644
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v3.4.0
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.19.1
+version: 0.19.2
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -13,4 +13,4 @@ maintainers:
 url: https://argoproj.github.io/
 annotations:
 artifacthub.io/changes: |
- - "[Fixed]: Remove unsupported values from SSO configuration"
+ - "[Fixed]: Set only used values on SSO configuration"
diff --git a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
index f0744cf0..06cc3d34 100644
--- a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
@@ -119,7 +119,38 @@ data:
 workflowDefaults:
 {{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }}
 {{- with .Values.server.sso }}
- sso: {{- toYaml . | nindent 6 }}
+ sso:
+ issuer: {{ .issuer }}
+ clientId:
+ name: {{ .clientId.name }}
+ key: {{ .clientId.key }}
+ clientSecret:
+ name: {{ .clientSecret.name }}
+ key: {{ .clientSecret.key }}
+ redirectUrl: {{ .redirectUrl }}
+ {{- if and (.rbac) (.rbac.enabled) }}
+ rbac:
+ enabled: {{ .rbac.enabled }}
+ {{- end }}
+ {{- if .scopes }}
+ scopes: {{ toYaml .scopes | nindent 8 }}
+ {{- end }}
+ {{- if .issuerAlias }}
+ issuerAlias: {{ .issuerAlias }}
+ {{- end }}
+ {{- if and (.sessionExpiry) (.sessionExpiry.duration) }}
+ sessionExpiry:
+ duration: {{ .sessionExpiry.duration }}
+ {{- end }}
+ {{- if .customGroupClaimName }}
+ customGroupClaimName: {{ .customGroupClaimName }}
+ {{- end }}
+ {{- if .userInfoPath }}
+ userInfoPath: {{ .userInfoPath }}
+ {{- end }}
+ {{- if .insecureSkipVerify }}
+ insecureSkipVerify: {{ .insecureSkipVerify }}
+ {{- end }}
 {{- end }}
 {{- with .Values.controller.workflowRestrictions }}
 workflowRestrictions: {{- toYaml . | nindent 6 }}
diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml
index d4344a19..0d661b6c 100644
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@@ -482,6 +482,11 @@ server:
 # redirectUrl: https://argo/oauth2/callback
 # rbac:
 # enabled: true
+ ## When present, restricts secrets the server can read to a given list.
+ ## You can use it to restrict the server to only be able to access the
+ ## service account token secrets that are associated with service accounts
+ ## used for authorization.
+ # secretWhitelist: []
 ## Scopes requested from the SSO ID provider. The 'groups' scope requests
 ## group membership information, which is usually used for authorization
 ## decisions.
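Review bot: In workflow-controller-config-map.yaml the new `sso:` block interpolates every string value unquoted (`issuer: {{ .issuer }}`, `redirectUrl: {{ .redirectUrl }}`, the `clientId`/`clientSecret` name and key, `issuerAlias`, `customGroupClaimName`, `userInfoPath`, `sessionExpiry.duration`), so an empty value renders as null and a value containing `: `, ` #` or a line break alters the structure of the SSO config the server parses instead of staying a string. Pipe these through `quote`, e.g. `issuer: {{ .issuer | quote }}` and `name: {{ .clientId.name | quote }}`. The guards `{{- if and (.rbac) (.rbac.enabled) }}` and `{{- if and (.sessionExpiry) (.sessionExpiry.duration) }}` depend on `and` short-circuiting, which text/template only does from Go 1.18; with a Helm binary built on an older Go, omitting `rbac` or `sessionExpiry` would fail rendering with a nil-pointer error, so a nested `{{- with .rbac }}` around `{{- if .enabled }}` is more portable. The ConfigMap key that encloses this block starts outside the hunk, so how the rendered text is ultimately parsed is inferred from the `data:` context only.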