From a9e31c82fd63f42c8e56fe9bb8f19d583be83e69 Mon Sep 17 00:00:00 2001 From: Neile Havens Date: Fri, 8 Dec 2023 16:44:59 -0600 Subject: [PATCH] feat(argo-workflows): Add support for sso filterGroupsRegex (#2379) According to https://argoproj.github.io/argo-workflows/argo-server-sso/#filtering-groups Resolves #2378 Signed-off-by: Neile Havens --- charts/argo-workflows/Chart.yaml | 6 +++--- charts/argo-workflows/README.md | 1 + .../controller/workflow-controller-config-map.yaml | 3 +++ charts/argo-workflows/values.yaml | 5 +++++ 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index f5e725d3..49cebfbc 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v3.5.2 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.39.7 +version: 0.39.8 icon: https://argoproj.github.io/argo-workflows/assets/logo.png home: https://github.com/argoproj/argo-helm sources: @@ -16,5 +16,5 @@ annotations: fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - - kind: fixed - description: Fixes OAuth redirect URL autoconfig. + - kind: changed + description: Add support for sso filterGroupsRegex according to https://argoproj.github.io/argo-workflows/argo-server-sso/#filtering-groups diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index c8e5f5f8..2b24e2be 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md @@ -326,6 +326,7 @@ Fields to note: | server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret | | server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups | | server.sso.enabled | bool | `false` | Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`. | +| server.sso.filterGroupsRegex | list | `[]` | Filter the groups returned by the OIDC provider | | server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client | | server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider | | server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers | diff --git a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml index bff3e121..d311441c 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml @@ -162,6 +162,9 @@ data: {{- with .Values.server.sso.insecureSkipVerify }} insecureSkipVerify: {{ toYaml . }} {{- end }} + {{- with .Values.server.sso.filterGroupsRegex }} + filterGroupsRegex: {{ toYaml . | nindent 8 }} + {{- end }} {{- end }} {{- with .Values.controller.workflowRestrictions }} workflowRestrictions: {{- toYaml . | nindent 6 }} diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index 9a5fa859..1624cc4e 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -701,6 +701,11 @@ server: userInfoPath: "" # -- Skip TLS verification for the HTTP client insecureSkipVerify: false + # -- Filter the groups returned by the OIDC provider + ## A logical "OR" is used between each regex in the list + filterGroupsRegex: [] + # - ".*argo-wf.*" + # - ".*argo-workflow.*" # -- Extra containers to be added to the server deployment extraContainers: []