feat(argo-workflows): Enable SSO through ArgoCD dex

2026-04-01 21:35:16 +02:00 · 2026-04-01 21:35:16 +02:00 · ff4d1f2168
commit ff4d1f2168
parent f684123734
7 changed files with 88 additions and 48 deletions
--- a/k8s-peterg/argo-workflows/kustomization.yaml
+++ b/k8s-peterg/argo-workflows/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization

 resources:
  - namespace.yaml
+  - secrets.yaml

 helmCharts:
  - name: argo-workflows
--- a/k8s-peterg/argo-workflows/secrets.yaml
+++ b/k8s-peterg/argo-workflows/secrets.yaml
@ -0,0 +1,25 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argo-server-sso
+  namespace: argo-workflows
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: argo-server-sso
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argo-workflows
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-id
+    - secretKey: client-secret
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-secret
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
@ -629,7 +629,8 @@ server:

  # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
  ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
-  authModes: []
+  authModes:
+    - sso

  # -- Extra arguments to provide to the Argo server binary.
  ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server/#options
@ -802,54 +803,19 @@ server:
    # -- Give the server permissions to edit ClusterWorkflowTemplates.
    enableEditing: true

-  # SSO configuration when SSO is specified as a server auth mode.
-  sso:
-    # -- Create SSO configuration. If you set `true` , please also set `.Values.server.authModes` as `sso`.
-    enabled: false
-    # -- The root URL of the OIDC identity provider
-    issuer: https://accounts.google.com
-    clientId:
-      # -- Name of secret to retrieve the app OIDC client ID
-      name: argo-server-sso
-      # -- Key of secret to retrieve the app OIDC client ID
-      key: client-id
-    clientSecret:
-      # -- Name of a secret to retrieve the app OIDC client secret
-      name: argo-server-sso
-      # -- Key of a secret to retrieve the app OIDC client secret
-      key: client-secret
-    # -- The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
-    redirectUrl: ""
-    rbac:
-      # -- Adds ServiceAccount Policy to server (Cluster)Role.
+    # SSO configuration when SSO is specified as a server auth mode.
+    sso:
      enabled: true
-      # -- Whitelist to allow server to fetch Secrets
-      ## When present, restricts secrets the server can read to a given list.
-      ## You can use it to restrict the server to only be able to access the
-      ## service account token secrets that are associated with service accounts
-      ## used for authorization.
-      secretWhitelist: []
-    # -- Scopes requested from the SSO ID provider
-    ## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
-    scopes: []
-      # - groups
-    # -- Define how long your login is valid for (in hours)
-    ## If omitted, defaults to 10h.
-    sessionExpiry: ""
-    # -- Alternate root URLs that can be included for some OIDC providers
-    issuerAlias: ""
-    # -- Override claim name for OIDC groups
-    customGroupClaimName: ""
-    # -- Specify the user info endpoint that contains the groups claim
-    ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
-    userInfoPath: ""
-    # -- Skip TLS verification for the HTTP client
-    insecureSkipVerify: false
-    # -- Filter the groups returned by the OIDC provider
-    ## A logical "OR" is used between each regex in the list
-    filterGroupsRegex: []
-      # - ".*argo-wf.*"
-      # - ".*argo-workflow.*"
+      issuer: https://argocd.peterg.nl/api/dex
+      # sessionExpiry defines how long your login is valid for in hours. (optional, default: 10h)
+      sessionExpiry: 240h
+      clientId:
+        name: argo-workflows-sso
+        key: client-id
+      clientSecret:
+        name: argo-workflows-sso
+        key: client-secret
+      redirectUrl: https://argo-workflows.peterg.nl/oauth2/callback

  # -- Extra containers to be added to the server deployment
  extraContainers: []