chore(argo-workflows): Declare SSO configuration explicitly on values.yaml (#2089)

Signed-off-by: yu-croco <yu.croco@gmail.com>
Co-authored-by: Jason Meridth <jmeridth@gmail.com>

charts/argo-workflows/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: v3.4.8
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.28.2
+version: 0.29.0
 icon: https://argoproj.github.io/argo-workflows/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -17,4 +17,4 @@ annotations:
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
     - kind: changed
-      description: Upgrade to Argo Workflows v3.4.8
+      description: Declare SSO configuration explicitly on values.yaml

charts/argo-workflows/README.md

@@ -302,7 +302,21 @@ Fields to note:
 | server.servicePort | int | `2746` | Service port for server |
 | server.servicePortName | string | `""` | Service port name |
 | server.serviceType | string | `"ClusterIP"` | Service type for server pods |
-| server.sso | object | `{}` | SSO configuration when SSO is specified as a server auth mode. |
+| server.sso.clientId.key | string | `"client-id"` | Key of secret to retrieve the app OIDC client ID |
+| server.sso.clientId.name | string | `"argo-server-sso"` | Name of secret to retrieve the app OIDC client ID |
+| server.sso.clientSecret.key | string | `"client-secret"` | Key of a secret to retrieve the app OIDC client secret |
+| server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret |
+| server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups |
+| server.sso.enabled | bool | `false` | Create SSO configuration |
+| server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client |
+| server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider |
+| server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers |
+| server.sso.rbac.enabled | bool | `true` | Adds ServiceAccount Policy to server (Cluster)Role. |
+| server.sso.rbac.secretWhitelist | list | `[]` | Whitelist to allow server to fetch Secrets |
+| server.sso.redirectUrl | string | `"https://argo/oauth2/callback"` |  |
+| server.sso.scopes | list | `[]` | Scopes requested from the SSO ID provider |
+| server.sso.sessionExpiry | string | `""` | Define how long your login is valid for (in hours) |
+| server.sso.userInfoPath | string | `""` | Specify the user info endpoint that contains the groups claim |
 | server.tolerations | list | `[]` | [Tolerations] for use with node taints |
 | server.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the argo server |
 | server.volumeMounts | list | `[]` | Additional volume mounts to the server main container. |

charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml

@@ -126,37 +126,35 @@ data:
     {{- if .Values.controller.workflowDefaults }}
     workflowDefaults:
 {{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }}
-    {{- with .Values.server.sso }}
+    {{- if .Values.server.sso.enabled }}
     sso:
-      issuer: {{ .issuer }}
+      issuer: {{ .Values.server.sso.issuer }}
       clientId:
-        name: {{ .clientId.name }}
+        name: {{ .Values.server.sso.clientId.name }}
-        key: {{ .clientId.key }}
+        key: {{ .Values.server.sso.clientId.key }}
       clientSecret:
-        name: {{ .clientSecret.name }}
+        name: {{ .Values.server.sso.clientSecret.name }}
-        key: {{ .clientSecret.key }}
+        key: {{ .Values.server.sso.clientSecret.key }}
-      redirectUrl: {{ .redirectUrl }}
+      redirectUrl: {{ .Values.server.sso.redirectUrl }}
-      {{- with .rbac }}
       rbac:
-        enabled: {{ .enabled }}
+        enabled: {{ .Values.server.sso.rbac.enabled }}
+      {{- with .Values.server.sso.scopes }}
+      scopes: {{ toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .scopes }}
+      {{- with .Values.server.sso.issuerAlias }}
-      scopes: {{ toYaml .scopes | nindent 8 }}
+      issuerAlias: {{ toYaml . }}
       {{- end }}
-      {{- if .issuerAlias }}
+      {{- with .Values.server.sso.sessionExpiry }}
-      issuerAlias: {{ .issuerAlias }}
+      sessionExpiry: {{ toYaml . }}
       {{- end }}
-      {{- if .sessionExpiry }}
+      {{- with .Values.server.sso.customGroupClaimName }}
-      sessionExpiry: {{ .sessionExpiry }}
+      customGroupClaimName: {{ toYaml . }}
       {{- end }}
-      {{- if .customGroupClaimName }}
+      {{- with .Values.server.sso.userInfoPath }}
-      customGroupClaimName: {{ .customGroupClaimName }}
+      userInfoPath: {{ toYaml . }}
       {{- end }}
-      {{- if .userInfoPath }}
+      {{- with .Values.server.sso.insecureSkipVerify }}
-      userInfoPath: {{ .userInfoPath }}
+      insecureSkipVerify: {{ toYaml . }}
-      {{- end }}
-      {{- if .insecureSkipVerify }}
-      insecureSkipVerify: {{ .insecureSkipVerify }}
       {{- end }}
     {{- end }}
     {{- with .Values.controller.workflowRestrictions }}
@@ -184,4 +182,4 @@ data:
     {{- end }}
     {{- with .Values.controller.podGCDeleteDelayDuration }}
     podGCDeleteDelayDuration: {{ . }}
-    {{- end }}
+    {{- end }}

charts/argo-workflows/templates/server/server-cluster-roles.yaml

@@ -38,7 +38,7 @@ rules:
   verbs:
   - get
   - list
-{{- if .Values.server.sso }}
+{{- if .Values.server.sso.enabled }}
 - apiGroups:
   - ""
   resources:
@@ -54,7 +54,7 @@ rules:
   - secrets
   verbs:
   - create
-  {{- if .Values.server.sso.rbac }}
+  {{- if .Values.server.sso.rbac.enabled }}
 - apiGroups:
   - ""
   resources:
@@ -73,11 +73,9 @@ rules:
   - get
   - list
   - watch
-{{- if .Values.server.sso }}
+{{- if and .Values.server.sso.enabled .Values.server.sso.rbac.enabled }}
-  {{- if .Values.server.sso.rbac }}
+  {{- with .Values.server.sso.rbac.secretWhitelist }}
-    {{- with .Values.server.sso.rbac.secretWhitelist }}
   resourceNames: {{- toYaml . | nindent 4 }}
-    {{- end }}
   {{- end }}
 {{- end }}
 - apiGroups:

charts/argo-workflows/values.yaml

@@ -618,35 +618,50 @@ server:
     # -- Give the server permissions to edit ClusterWorkflowTemplates.
     enableEditing: true
 
-  # -- SSO configuration when SSO is specified as a server auth mode.
+  # SSO configuration when SSO is specified as a server auth mode.
-  sso: {}
+  sso:
-    ## All the values are required. SSO is activated by adding --auth-mode=sso
+    # -- Create SSO configuration
-    ## to the server command line.
+    ## SSO is activated by adding --auth-mode=sso to the server command line.
-    #
+    enabled: false
-    ## The root URL of the OIDC identity provider.
+    # -- The root URL of the OIDC identity provider
-    # issuer: https://accounts.google.com
+    issuer: https://accounts.google.com
-    ## Name of a secret and a key in it to retrieve the app OIDC client ID from.
+    clientId:
-    # clientId:
+      # -- Name of secret to retrieve the app OIDC client ID
-    #   name: argo-server-sso
+      name: argo-server-sso
-    #   key: client-id
+      # -- Key of secret to retrieve the app OIDC client ID
-    ## Name of a secret and a key in it to retrieve the app OIDC client secret from.
+      key: client-id
-    # clientSecret:
+    clientSecret:
-    #   name: argo-server-sso
+      # -- Name of a secret to retrieve the app OIDC client secret
-    #   key: client-secret
+      name: argo-server-sso
-    ## The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
+      # -- Key of a secret to retrieve the app OIDC client secret
-    # redirectUrl: https://argo/oauth2/callback
+      key: client-secret
-    # rbac:
+    # - The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
-    #   enabled: true
+    redirectUrl: https://argo/oauth2/callback
+    rbac:
+      # -- Adds ServiceAccount Policy to server (Cluster)Role.
+      enabled: true
+    # -- Whitelist to allow server to fetch Secrets
     ## When present, restricts secrets the server can read to a given list.
     ## You can use it to restrict the server to only be able to access the
     ## service account token secrets that are associated with service accounts
     ## used for authorization.
-    #   secretWhitelist: []
+      secretWhitelist: []
-    ## Scopes requested from the SSO ID provider.  The 'groups' scope requests
+    # -- Scopes requested from the SSO ID provider
-    ## group membership information, which is usually used for authorization
+    ## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
-    ## decisions.
+    scopes: []
-    # scopes:
+      # - groups
-    # - groups
+    # -- Define how long your login is valid for (in hours)
+    ## If omitted, defaults to 10h.
+    sessionExpiry: ""
+    # -- Alternate root URLs that can be included for some OIDC providers
+    issuerAlias: ""
+    # -- Override claim name for OIDC groups
+    customGroupClaimName: ""
+    # -- Specify the user info endpoint that contains the groups claim
+    ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
+    userInfoPath: ""
+    # -- Skip TLS verification for the HTTP client
+    insecureSkipVerify: false
 
   # -- Extra containers to be added to the server deployment
   extraContainers: []