From 16a3b26f0e541cf88eef9f8b670f3b9134b74ad4 Mon Sep 17 00:00:00 2001
From: Rein van 't Veer
Date: Mon, 6 Dec 2021 11:01:50 +0100
Subject: [PATCH] feat(argo-workflows): Add dev/delegated auth (#1048)
* add commented server auth disable option
Signed-off-by: reinvantveer
* add sectioned server authentication documentation
Signed-off-by: reinvantveer
* add change notes
Signed-off-by: reinvantveer
* fix helm-docs checksum error
Signed-off-by: reinvantveer
* revert dropped `volumeMounts` docs entry by removing whitespace above commented-out `extraArgs`
Signed-off-by: reinvantveer
* add extra comment on disabling auth
Signed-off-by: reinvantveer
---
 charts/argo-workflows/Chart.yaml | 4 ++--
 charts/argo-workflows/README.md | 8 +++++++-
 charts/argo-workflows/README.md.gotmpl | 6 ++++++
 charts/argo-workflows/values.yaml | 8 +++++++-
 4 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml
index 85fe989f..742e12d7 100644
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.9.2
+version: 0.9.3
 appVersion: v3.2.4
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
@@ -15,4 +15,4 @@ maintainers:
 - name: benjaminws
 annotations:
 artifacthub.io/changes: |
- - "[Fixed]: Added missing WorkflowTaskSets RBAC to controller"
+ - "[Added]: Added documentation and (default disabled) settings for dev-mode or delegated server authentication"
diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md
index f86d3d6c..7a3ab5f7 100644
--- a/charts/argo-workflows/README.md
+++ b/charts/argo-workflows/README.md
@@ -15,8 +15,14 @@ A few options are:
 ## Usage Notes
+### Workflow controller
+
 This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of it's configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs.
+### Workflow server authentication
+
+By default, the chart requires some kind of authentication mechanism. This adopts the [default behaviour from the Argo project](https://github.com/argoproj/argo-workflows/pull/5211) itself. However, for local development purposes, or cases where your gateway authentication is covered by some other means, you can set the authentication mode for the Argo server by setting the `server.extraArgs: [--auth-mode=server]`. There are a few additional comments in the values.yaml file itself, including commented-out settings to disable authentication on the server UI itself using the same `--auth-mode=server` setting.
+
 ## Values
 The `values.yaml` contains items used to tweak a deployment of this chart.
@@ -136,7 +142,7 @@ Fields to note:
 | server.clusterWorkflowTemplates.enableEditing | bool | `true` | Give the server permissions to edit ClusterWorkflowTemplates. |
 | server.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. |
 | server.enabled | bool | `true` | Deploy the Argo Server |
-| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary. |
+| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary, such as for disabling authentication. |
 | server.extraContainers | list | `[]` | Extra containers to be added to the server deployment |
 | server.extraEnv | list | `[]` | Extra environment variables to provide to the argo-server container |
 | server.image.registry | string | `"quay.io"` | Registry to use for the server |
diff --git a/charts/argo-workflows/README.md.gotmpl b/charts/argo-workflows/README.md.gotmpl
index 65d3368e..3f9a0121 100644
--- a/charts/argo-workflows/README.md.gotmpl
+++ b/charts/argo-workflows/README.md.gotmpl
@@ -15,8 +15,14 @@ A few options are:
 ## Usage Notes
+### Workflow controller
+
 This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of it's configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs.
+### Workflow server authentication
+
+By default, the chart requires some kind of authentication mechanism. This adopts the [default behaviour from the Argo project](https://github.com/argoproj/argo-workflows/pull/5211) itself. However, for local development purposes, or cases where your gateway authentication is covered by some other means, you can set the authentication mode for the Argo server by setting the `server.extraArgs: [--auth-mode=server]`. There are a few additional comments in the values.yaml file itself, including commented-out settings to disable authentication on the server UI itself using the same `--auth-mode=server` setting.
+
 ## Values
 The `values.yaml` contains items used to tweak a deployment of this chart.
diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml
index abc3f6d2..8b727b67 100644
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@@ -356,8 +356,14 @@ server:
 # - name: FOO
 # value: "bar"
- # -- Extra arguments to provide to the Argo server binary.
+ # -- Extra arguments to provide to the Argo server binary, such as for disabling authentication.
 extraArgs: []
+ # If you want to disable authentication for purposes such as:
+ # - local dev-mode without authentication
+ # - gateway authentication through some other service such as KeyCloak
+ # uncomment the lines below and comment out the default empty list `extraArgs: []` above:
+ # extraArgs:
+ # - --auth-mode=server
 # -- Additional volume mounts to the server main container.
 volumeMounts: []
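Review bot: The comment block added above the commented-out `extraArgs` presents `--auth-mode=server` as simply "disabling authentication" and never says whose permissions unauthenticated callers end up with. In server mode the Argo server serves every request with its own service account, so anyone who can reach the server Service acts with that account's RBAC, which under this chart's documented defaults includes editing ClusterWorkflowTemplates (`server.clusterWorkflowTemplates.enableEditing` is `true`). The "gateway authentication" case is therefore only safe when the gateway is the sole network path to the server. I would add a caveat to the block, for example `# NOTE: with --auth-mode=server every caller acts as the server's service account; expose the server only behind an authenticating proxy and block direct access to the Service.` The "Workflow server authentication" paragraph added to README.md and README.md.gotmpl has the same gap, and the `server:` mapping starts and ends outside this hunk.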