feat: Add SSO RBAC authorization

k8s-peterg/argo-workflows/values.yaml

@@ -815,6 +815,10 @@ server:
       name: argo-workflows-sso
       key: client-secret
     redirectUrl: https://workflows.peterg.nl/oauth2/callback
+    scopes:
+      - groups
+    rbac:
+      enabled: true
 
   # -- Extra containers to be added to the server deployment
   extraContainers: []
@@ -850,30 +854,36 @@ server:
     successThreshold: 1
 
 # -- Array of extra K8s manifests to deploy
-extraObjects: []
+extraObjects:
-  # - apiVersion: secrets-store.csi.x-k8s.io/v1
+  - apiVersion: v1
-  #   kind: SecretProviderClass
+    kind: ServiceAccount
-  #   metadata:
+    metadata:
-  #     name: argo-server-sso
+      name: admin-user
-  #   spec:
+      annotations:
-  #     provider: aws
+        # The rule is an expression used to determine if this service account
-  #     parameters:
+        # should be used.
-  #       objects: |
+        # * `groups` - an array of the OIDC groups
-  #         - objectName: "argo/server/sso"
+        # * `iss` - the issuer ("argo-server")
-  #           objectType: "secretsmanager"
+        # * `sub` - the subject (typically the username)
-  #           jmesPath:
+        # Must evaluate to a boolean.
-  #               - path: "client_id"
+        # If you want an account to be the default to use, this rule can be "true".
-  #                 objectAlias: "client_id"
+        # Details of the expression language are available in
-  #               - path: "client_secret"
+        # https://expr-lang.org/docs/language-definition.
-  #                 objectAlias: "client_secret"
+        workflows.argoproj.io/rbac-rule: "'admin' in groups"
-  #     secretObjects:
+        # The precedence is used to determine which service account to use when
-  #     - data:
+        # Precedence is an integer. It may be negative. If omitted, it defaults to "0".
-  #       - key: client_id
+        # Numerically higher values have higher precedence (not lower, which maybe
-  #         objectName: client_id
+        # counter-intuitive to you).
-  #       - key: client_secret
+        # If two rules match and have the same precedence, then which one used will
-  #         objectName: client_secret
+        # be arbitrary.
-  #       secretName: argo-server-sso-secrets-store
+        workflows.argoproj.io/rbac-rule-precedence: "1"
-  #       type: Opaque
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+    name: read-only
+    annotations:
+      workflows.argoproj.io/rbac-rule: "true"
+      workflows.argoproj.io/rbac-rule-precedence: "0"
 
 # -- Use static credentials for S3 (eg. when not using AWS IRSA)
 useStaticCredentials: true