From d1389a90b9906c5ad419b53ced3250ed4208f7ca Mon Sep 17 00:00:00 2001 From: Aikawa Date: Sat, 6 Jan 2024 13:17:33 +0900 Subject: [PATCH 1/2] chore(argo-workflows): Update doc for Argo Workflows server authentication (#2411) --- charts/argo-workflows/Chart.yaml | 6 +++--- charts/argo-workflows/README.md | 15 +++++++-------- charts/argo-workflows/README.md.gotmpl | 16 ++++++++-------- 3 files changed, 18 insertions(+), 19 deletions(-) diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 15950d66..2bfb706d 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v3.5.2 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.40.3 +version: 0.40.4 icon: https://argoproj.github.io/argo-workflows/assets/logo.png home: https://github.com/argoproj/argo-helm sources: @@ -16,5 +16,5 @@ annotations: fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - - kind: added - description: Add instruction for SSO + - kind: changed + description: Update doc for Argo Workflows server authentication diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index 81e65359..3a2a91d7 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md @@ -56,11 +56,6 @@ spec: args: [ "hello world" ] ``` -### Argo Workflows Server SSO -In order to enable SSO, please configure `.Values.server.sso` and `.Values.server.authMode`. - -In order to manage access levels, you can optionally add RBAC to SSO. Please refer [SSO RBAC] for more details. - ## Installing the Chart To install the chart with the release name `my-release`: 
@@ -89,9 +84,12 @@ Please see the upstream [Operator Manual's High Availability page](https://argop This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of its configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs. -### Workflow server authentication +### Argo Workflows server authentication -By default, the chart requires some kind of authentication mechanism. This adopts the [default behaviour from the Argo project](https://github.com/argoproj/argo-workflows/pull/5211) itself. However, for local development purposes, or cases where your gateway authentication is covered by some other means, you can set the authentication mode for the Argo server by setting the `server.extraArgs: [--auth-mode=server]`. There are a few additional comments in the values.yaml file itself, including commented-out settings to disable authentication on the server UI itself using the same `--auth-mode=server` setting. +Argo Workflows server provides some choices for authentication mechanism and you can configure `.Values.server.authModes`. By default, authentication mode is `[server]`, for local development purposes or cases where your gateway authentication is covered by some other means. +Please refer to [Argo Server Auth Mode] for more details. + +Argo Workflows server also supports SSO and you can enable it to configure `.Values.server.sso` and `.Values.server.authModes`. In order to manage access levels, you can optionally add RBAC to SSO. Please refer to [SSO RBAC] for more details. ## Values 
@@ -392,4 +390,5 @@ Fields to note: [TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ [values.yaml]: values.yaml [changelog]: https://artifacthub.io/packages/helm/argo/argo-workflows?modal=changelog -[SSO RBAC]: https://argoproj.github.io/argo-workflows/argo-server-sso/#sso-rbac +[SSO RBAC]: https://argo-workflows.readthedocs.io/en/latest/argo-server-sso/ +[Argo Server Auth Mode]: https://argo-workflows.readthedocs.io/en/latest/argo-server-auth-mode/ diff --git a/charts/argo-workflows/README.md.gotmpl b/charts/argo-workflows/README.md.gotmpl index aa296179..4d1ec4d5 100644 --- a/charts/argo-workflows/README.md.gotmpl +++ b/charts/argo-workflows/README.md.gotmpl @@ -56,11 +56,6 @@ spec: args: [ "hello world" ] ``` -### Argo Workflows Server SSO -In order to enable SSO, please configure `.Values.server.sso` and `.Values.server.authMode`. - -In order to manage access levels, you can optionally add RBAC to SSO. Please refer [SSO RBAC] for more details. - ## Installing the Chart To install the chart with the release name `my-release`: 
@@ -89,9 +84,13 @@ Please see the upstream [Operator Manual's High Availability page](https://argop This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of its configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs. -### Workflow server authentication +### Argo Workflows server authentication + +Argo Workflows server provides some choices for authentication mechanism and you can configure `.Values.server.authModes`. By default, authentication mode is `[server]`, for local development purposes or cases where your gateway authentication is covered by some other means. +Please refer to [Argo Server Auth Mode] for more details. + +Argo Workflows server also supports SSO and you can enable it to configure `.Values.server.sso` and `.Values.server.authModes`. In order to manage access levels, you can optionally add RBAC to SSO. Please refer to [SSO RBAC] for more details. -By default, the chart requires some kind of authentication mechanism. This adopts the [default behaviour from the Argo project](https://github.com/argoproj/argo-workflows/pull/5211) itself. However, for local development purposes, or cases where your gateway authentication is covered by some other means, you can set the authentication mode for the Argo server by setting the `server.extraArgs: [--auth-mode=server]`. There are a few additional comments in the values.yaml file itself, including commented-out settings to disable authentication on the server UI itself using the same `--auth-mode=server` setting. ## Values 
@@ -209,4 +208,5 @@ Fields to note: [TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ [values.yaml]: values.yaml [changelog]: https://artifacthub.io/packages/helm/argo/argo-workflows?modal=changelog -[SSO RBAC]: https://argoproj.github.io/argo-workflows/argo-server-sso/#sso-rbac +[SSO RBAC]: https://argo-workflows.readthedocs.io/en/latest/argo-server-sso/ +[Argo Server Auth Mode]: https://argo-workflows.readthedocs.io/en/latest/argo-server-auth-mode/ From 9892e505f17a24fd13e1aef8248222e141887201 Mon Sep 17 00:00:00 2001 From: Brian Gottfried Date: Sat, 6 Jan 2024 22:30:45 -0600 Subject: [PATCH 2/2] feat(argo-rollouts): Add rollout plugin gloo platform rbac (#2404) * feat(argo-rollouts): Add rollout plugin gloo platform rbac Signed-off-by: Brian Gottfried * feat(argo-rollouts): Add rollout plugin gloo platform rbac information to README Signed-off-by: Brian Gottfried --------- Signed-off-by: Brian Gottfried Co-authored-by: Aikawa --- charts/argo-rollouts/Chart.yaml | 6 +++--- charts/argo-rollouts/README.md | 1 + .../argo-rollouts/templates/controller/clusterrole.yaml | 9 +++++++++ charts/argo-rollouts/templates/controller/role.yaml | 9 +++++++++ charts/argo-rollouts/values.yaml | 2 ++ 5 files changed, 24 insertions(+), 3 deletions(-) diff --git a/charts/argo-rollouts/Chart.yaml b/charts/argo-rollouts/Chart.yaml index a879e08c..caf26b58 100644 --- a/charts/argo-rollouts/Chart.yaml +++ b/charts/argo-rollouts/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: v1.6.4 description: A Helm chart for Argo Rollouts name: argo-rollouts -version: 2.34.0 +version: 2.34.1 home: https://github.com/argoproj/argo-helm icon: https://argoproj.github.io/argo-rollouts/assets/logo.png keywords: 
@@ -18,5 +18,5 @@ annotations: fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - - kind: changed - description: Allow setting log config for rollouts dashboard + - kind: added + description: Added Gloo Platform provider RBAC rules diff --git a/charts/argo-rollouts/README.md b/charts/argo-rollouts/README.md index 23f25df7..3627de83 100644 --- a/charts/argo-rollouts/README.md +++ b/charts/argo-rollouts/README.md @@ -66,6 +66,7 @@ For full list of changes please check ArtifactHub [changelog]. | providerRBAC.providers.awsAppMesh | bool | `true` | Adds RBAC rules for the AWS App Mesh provider | | providerRBAC.providers.awsLoadBalancerController | bool | `true` | Adds RBAC rules for the AWS Load Balancer Controller provider | | providerRBAC.providers.contour | bool | `true` | Adds RBAC rules for the Contour provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-contour/blob/main/README.md` | +| providerRBAC.providers.glooPlatform | bool | `true` | Adds RBAC rules for the Gloo Platform provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-glooplatform/blob/main/README.md` | | providerRBAC.providers.istio | bool | `true` | Adds RBAC rules for the Istio provider | | providerRBAC.providers.smi | bool | `true` | Adds RBAC rules for the SMI provider | | providerRBAC.providers.traefik | bool | `true` | Adds RBAC rules for the Traefik provider | diff --git a/charts/argo-rollouts/templates/controller/clusterrole.yaml b/charts/argo-rollouts/templates/controller/clusterrole.yaml index 56afb5cb..35fd8215 100644 --- a/charts/argo-rollouts/templates/controller/clusterrole.yaml +++ b/charts/argo-rollouts/templates/controller/clusterrole.yaml 
@@ -267,5 +267,14 @@ rules: - watch - update {{- end }} +{{- if .Values.providerRBAC.providers.glooPlatform }} + # Access needed when using the Gloo Platform provider +- apiGroups: + - networking.gloo.solo.io + resources: + - routetables + verbs: + - '*' +{{- end }} {{- end }} {{- end }} diff --git a/charts/argo-rollouts/templates/controller/role.yaml b/charts/argo-rollouts/templates/controller/role.yaml index eb69db62..dc656cde 100644 --- a/charts/argo-rollouts/templates/controller/role.yaml +++ b/charts/argo-rollouts/templates/controller/role.yaml @@ -256,5 +256,14 @@ rules: - get - update {{- end }} +{{- if .Values.providerRBAC.providers.glooPlatform }} + # Access needed when using the Gloo Platform provider +- apiGroups: + - networking.gloo.solo.io + resources: + - routetables + verbs: + - '*' +{{- end }} {{- end }} {{- end }} diff --git a/charts/argo-rollouts/values.yaml b/charts/argo-rollouts/values.yaml index e7a5f133..19ab340e 100644 --- a/charts/argo-rollouts/values.yaml +++ b/charts/argo-rollouts/values.yaml @@ -271,6 +271,8 @@ providerRBAC: apisix: true # -- Adds RBAC rules for the Contour provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-contour/blob/main/README.md` contour: true + # -- Adds RBAC rules for the Gloo Platform provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-glooplatform/blob/main/README.md` + glooPlatform: true dashboard: # -- Deploy dashboard server
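Review bot: The new Gloo Platform rule in templates/controller/clusterrole.yaml grants `verbs: '*'` on `routetables`, while the neighbouring rules visible in this hunk list explicit verbs (`watch`, `update`). A wildcard also covers `create`, `delete` and `deletecollection`, and at ClusterRole scope the controller's service account receives them for route tables in every namespace. Consider listing only the verbs the plugin uses, for example `- get`, `- list`, `- watch`, `- update`, `- patch`; the exact set is not shown on this page and should be confirmed against the plugin's documentation. The same rule is added in templates/controller/role.yaml and deserves the same change. The enclosing `rules:` list begins outside both hunks.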
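Review bot: `glooPlatform: true` in values.yaml enables the new rule for every release, so clusters that do not run Gloo Platform still render a rule granting all verbs on `networking.gloo.solo.io` `routetables`. This matches the `apisix` and `contour` defaults visible in the hunk, so the default may be intentional, but the doc comment should state what is granted so operators can decide whether to opt out. For example: `# -- Adds RBAC rules (all verbs on networking.gloo.solo.io routetables) for the Gloo Platform provider, see ...`. The `providerRBAC` mapping starts outside the hunk.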