From ff4d1f216826bcb80e4a40cf5d518513c7114bb0 Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Wed, 1 Apr 2026 21:35:16 +0200
Subject: [PATCH] feat(argo-workflows): Enable SSO through ArgoCD dex
---
 k8s-peterg/argo-workflows/kustomization.yaml | 1 +
 k8s-peterg/argo-workflows/secrets.yaml | 25 ++++++++
 k8s-peterg/argo-workflows/values.yaml | 62 +++++--------------
 k8s-peterg/argocd/kustomization.yaml | 1 +
 k8s-peterg/argocd/oidc.yaml | 25 ++++++++
 k8s-peterg/argocd/patches/configmap.yaml | 6 ++
 k8s-peterg/argocd/patches/deployments.yaml | 16 +++++
 7 files changed, 88 insertions(+), 48 deletions(-)
 create mode 100644 k8s-peterg/argo-workflows/secrets.yaml
 create mode 100644 k8s-peterg/argocd/patches/deployments.yaml
diff --git a/k8s-peterg/argo-workflows/kustomization.yaml b/k8s-peterg/argo-workflows/kustomization.yaml
index 79b848a..385cf66 100644
--- a/k8s-peterg/argo-workflows/kustomization.yaml
+++ b/k8s-peterg/argo-workflows/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization

 resources:
 - namespace.yaml
+ - secrets.yaml

 helmCharts:
 - name: argo-workflows
diff --git a/k8s-peterg/argo-workflows/secrets.yaml b/k8s-peterg/argo-workflows/secrets.yaml
new file mode 100644
index 0000000..7f9bee3
--- /dev/null
+++ b/k8s-peterg/argo-workflows/secrets.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: argo-server-sso
+ namespace: argo-workflows
+spec:
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: argo-server-sso
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/part-of: argo-workflows
+ data:
+ - secretKey: client-id
+ remoteRef:
+ key: secrets/managed/argo-workflows/dex-sso
+ property: client-id
+ - secretKey: client-secret
+ remoteRef:
+ key: secrets/managed/argo-workflows/dex-sso
+ property: client-secret
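Review bot: `target.name: argo-server-sso` does not match what the consumers read: values.yaml sets `clientId.name`/`clientSecret.name: argo-workflows-sso` and patches/deployments.yaml reads `secretKeyRef.name: argo-workflows-sso` in the dex container, so unless a Secret of that name already exists outside this patch, the argo-server and the dex pod will both fail to start on a missing secret, and a dex outage also takes ArgoCD's own SSO login down. Either change the target here to `name: argo-workflows-sso` or point both consumers at `argo-server-sso`. Note also that the argocd-dex-server Deployment lives in the argocd kustomization's namespace while this object is created in `argo-workflows`; a Secret is not readable across namespaces, so dex needs its own copy where it runs.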
diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml
index ff54f5e..13c7538 100644
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
@@ -629,7 +629,8 @@ server:

 # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
 ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
- authModes: []
+ authModes:
+ - sso

 # -- Extra arguments to provide to the Argo server binary.
 ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server/#options
@@ -802,54 +803,19 @@ server:
 # -- Give the server permissions to edit ClusterWorkflowTemplates.
 enableEditing: true

- # SSO configuration when SSO is specified as a server auth mode.
- sso:
- # -- Create SSO configuration. If you set `true` , please also set `.Values.server.authModes` as `sso`.
- enabled: false
- # -- The root URL of the OIDC identity provider
- issuer: https://accounts.google.com
- clientId:
- # -- Name of secret to retrieve the app OIDC client ID
- name: argo-server-sso
- # -- Key of secret to retrieve the app OIDC client ID
- key: client-id
- clientSecret:
- # -- Name of a secret to retrieve the app OIDC client secret
- name: argo-server-sso
- # -- Key of a secret to retrieve the app OIDC client secret
- key: client-secret
- # -- The OIDC redirect URL. Should be in the form /oauth2/callback.
- redirectUrl: ""
- rbac:
- # -- Adds ServiceAccount Policy to server (Cluster)Role.
+ # SSO configuration when SSO is specified as a server auth mode.
+ sso:
 enabled: true
- # -- Whitelist to allow server to fetch Secrets
- ## When present, restricts secrets the server can read to a given list.
- ## You can use it to restrict the server to only be able to access the
- ## service account token secrets that are associated with service accounts
- ## used for authorization.
- secretWhitelist: []
- # -- Scopes requested from the SSO ID provider
- ## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
- scopes: []
- # - groups
- # -- Define how long your login is valid for (in hours)
- ## If omitted, defaults to 10h.
- sessionExpiry: ""
- # -- Alternate root URLs that can be included for some OIDC providers
- issuerAlias: ""
- # -- Override claim name for OIDC groups
- customGroupClaimName: ""
- # -- Specify the user info endpoint that contains the groups claim
- ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
- userInfoPath: ""
- # -- Skip TLS verification for the HTTP client
- insecureSkipVerify: false
- # -- Filter the groups returned by the OIDC provider
- ## A logical "OR" is used between each regex in the list
- filterGroupsRegex: []
- # - ".*argo-wf.*"
- # - ".*argo-workflow.*"
+ issuer: https://argocd.peterg.nl/api/dex
+ # sessionExpiry defines how long your login is valid for in hours. (optional, default: 10h)
+ sessionExpiry: 240h
+ clientId:
+ name: argo-workflows-sso
+ key: client-id
+ clientSecret:
+ name: argo-workflows-sso
+ key: client-secret
+ redirectUrl: https://argo-workflows.peterg.nl/oauth2/callback

 # -- Extra containers to be added to the server deployment
 extraContainers: []
diff --git a/k8s-peterg/argocd/kustomization.yaml b/k8s-peterg/argocd/kustomization.yaml
index 0c19f16..312eb8c 100644
--- a/k8s-peterg/argocd/kustomization.yaml
+++ b/k8s-peterg/argocd/kustomization.yaml
@@ -26,3 +26,4 @@ configMapGenerator:

 patches:
 - path: patches/configmap.yaml
+ - path: patches/deployments.yaml
diff --git a/k8s-peterg/argocd/oidc.yaml b/k8s-peterg/argocd/oidc.yaml
index b45056e..88d061d 100644
--- a/k8s-peterg/argocd/oidc.yaml
+++ b/k8s-peterg/argocd/oidc.yaml
@@ -27,3 +27,28 @@ spec:
 remoteRef:
 key: secrets/managed/argocd/authentik-oidc-credentials
 property: clientSecret
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: argo-server-sso
+ namespace: argo-workflows
+spec:
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: argo-server-sso
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/part-of: argo-workflows
+ data:
+ - secretKey: client-id
+ remoteRef:
+ key: secrets/managed/argo-workflows/dex-sso
+ property: client-id
+ - secretKey: client-secret
+ remoteRef:
+ key: secrets/managed/argo-workflows/dex-sso
+ property: client-secret
diff --git a/k8s-peterg/argocd/patches/configmap.yaml b/k8s-peterg/argocd/patches/configmap.yaml
index 11e273b..f5d56d0 100644
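Review bot: The `enabled: true` kept as a context line under the new `sso:` block is the former `rbac.enabled` line, so it keeps its deeper indentation while `issuer:` and the keys after it sit one level shallower; unless the indentation was changed (an unchanged context line says it was not), that is a YAML indentation error, and once fixed `sso.rbac` is gone altogether, which as far as I recall from the chart is the setting that maps SSO logins to per-user ServiceAccounts instead of letting every login act with the argo-server's own ServiceAccount. Re-indent it and keep the block explicit: `    enabled: true`, `    rbac:`, `      enabled: true`. `redirectUrl: https://argo-workflows.peterg.nl/oauth2/callback` also does not match the `https://workflows.peterg.nl/oauth2/callback` registered for this client in patches/configmap.yaml; dex compares redirect URIs exactly, so one of the two hosts needs to change. `sessionExpiry: 240h` extends the login from the 10h default to ten days; worth confirming that is intended for an SSO session.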
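Review bot: This ExternalSecret is a verbatim copy of argo-workflows/secrets.yaml, same `metadata.name: argo-server-sso` and same `namespace: argo-workflows`, so the argocd and argo-workflows kustomizations now both manage one object and, if each is its own ArgoCD Application, will report it as shared and overwrite or prune each other. The copy that belongs here is the one dex consumes, yet patches/deployments.yaml reads `argo-workflows-sso` from the namespace argocd-dex-server runs in, which this manifest never populates. Make this copy distinct: set `metadata.namespace` to the argocd kustomization's namespace (placeholder: `<argocd namespace>`) or drop it so kustomize applies its own, give it its own `metadata.name`, and set `target.name: argo-workflows-sso` to match the deployments patch. Reading the same Vault key `secrets/managed/argo-workflows/dex-sso` from both places is fine, since client and provider must hold the same secret.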
--- a/k8s-peterg/argocd/patches/configmap.yaml
+++ b/k8s-peterg/argocd/patches/configmap.yaml
@@ -23,6 +23,12 @@ data:
 - profile
 - email
 - groups
+ staticClients:
+ - name: Argo Workflows
+ id: argo-workflows-sso
+ redirectURIs:
+ - https://workflows.peterg.nl/oauth2/callback
+ secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
 ---
 apiVersion: v1
 kind: ConfigMap
diff --git a/k8s-peterg/argocd/patches/deployments.yaml b/k8s-peterg/argocd/patches/deployments.yaml
new file mode 100644
index 0000000..88464e7
--- /dev/null
+++ b/k8s-peterg/argocd/patches/deployments.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: argocd-dex-server
+spec:
+ template:
+ spec:
+ containers:
+ - name: dex
+ env:
+ - name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: argo-workflows-sso
+ key: client-secret