feat(argo-workflows): Add support for sso filterGroupsRegex (#2379)

According to https://argoproj.github.io/argo-workflows/argo-server-sso/#filtering-groups Resolves #2378 Signed-off-by: Neile Havens <neilehavens@gmail.com>
2023-12-08 16:44:59 -06:00 · 2023-12-08 16:44:59 -06:00 · a9e31c82fd
commit a9e31c82fd
parent 4a0f512f70
4 changed files with 12 additions and 3 deletions
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v3.5.2
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.39.7
+version: 0.39.8
 icon: https://argoproj.github.io/argo-workflows/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@ -16,5 +16,5 @@ annotations:
    fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
  artifacthub.io/changes: |
-    - kind: fixed
-      description: Fixes OAuth redirect URL autoconfig.
+    - kind: changed
+      description: Add support for sso filterGroupsRegex according to https://argoproj.github.io/argo-workflows/argo-server-sso/#filtering-groups
--- a/charts/argo-workflows/README.md
+++ b/charts/argo-workflows/README.md
@ -326,6 +326,7 @@ Fields to note:
 | server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret |
 | server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups |
 | server.sso.enabled | bool | `false` | Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`. |
+| server.sso.filterGroupsRegex | list | `[]` | Filter the groups returned by the OIDC provider |
 | server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client |
 | server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider |
 | server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers |
--- a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
@ -162,6 +162,9 @@ data:
      {{- with .Values.server.sso.insecureSkipVerify }}
      insecureSkipVerify: {{ toYaml . }}
      {{- end }}
+      {{- with .Values.server.sso.filterGroupsRegex }}
+      filterGroupsRegex: {{ toYaml . | nindent 8 }}
+      {{- end }}
    {{- end }}
    {{- with .Values.controller.workflowRestrictions }}
    workflowRestrictions: {{- toYaml . | nindent 6 }}
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -701,6 +701,11 @@ server:
    userInfoPath: ""
    # -- Skip TLS verification for the HTTP client
    insecureSkipVerify: false
+    # -- Filter the groups returned by the OIDC provider
+    ## A logical "OR" is used between each regex in the list
+    filterGroupsRegex: []
+      # - ".*argo-wf.*"
+      # - ".*argo-workflow.*"

  # -- Extra containers to be added to the server deployment
  extraContainers: []