feat(argo-workflows): Enable SSO through ArgoCD dex

k8s-peterg/argo-workflows/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 
 resources:
   - namespace.yaml
+  - secrets.yaml
 
 helmCharts:
   - name: argo-workflows

k8s-peterg/argo-workflows/secrets.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argo-server-sso
+  namespace: argo-workflows
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: argo-server-sso
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argo-workflows
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-id
+    - secretKey: client-secret
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-secret

k8s-peterg/argo-workflows/values.yaml

@@ -629,7 +629,8 @@ server:
 
   # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
   ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
-  authModes: []
+  authModes:
+    - sso
 
   # -- Extra arguments to provide to the Argo server binary.
   ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server/#options
@@ -802,54 +803,19 @@ server:
     # -- Give the server permissions to edit ClusterWorkflowTemplates.
     enableEditing: true
 
-  # SSO configuration when SSO is specified as a server auth mode.
+    # SSO configuration when SSO is specified as a server auth mode.
-  sso:
+    sso:
-    # -- Create SSO configuration. If you set `true` , please also set `.Values.server.authModes` as `sso`.
-    enabled: false
-    # -- The root URL of the OIDC identity provider
-    issuer: https://accounts.google.com
-    clientId:
-      # -- Name of secret to retrieve the app OIDC client ID
-      name: argo-server-sso
-      # -- Key of secret to retrieve the app OIDC client ID
-      key: client-id
-    clientSecret:
-      # -- Name of a secret to retrieve the app OIDC client secret
-      name: argo-server-sso
-      # -- Key of a secret to retrieve the app OIDC client secret
-      key: client-secret
-    # -- The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
-    redirectUrl: ""
-    rbac:
-      # -- Adds ServiceAccount Policy to server (Cluster)Role.
       enabled: true
-      # -- Whitelist to allow server to fetch Secrets
+      issuer: https://argocd.peterg.nl/api/dex
-      ## When present, restricts secrets the server can read to a given list.
+      # sessionExpiry defines how long your login is valid for in hours. (optional, default: 10h)
-      ## You can use it to restrict the server to only be able to access the
+      sessionExpiry: 240h
-      ## service account token secrets that are associated with service accounts
+      clientId:
-      ## used for authorization.
+        name: argo-workflows-sso
-      secretWhitelist: []
+        key: client-id
-    # -- Scopes requested from the SSO ID provider
+      clientSecret:
-    ## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
+        name: argo-workflows-sso
-    scopes: []
+        key: client-secret
-      # - groups
+      redirectUrl: https://argo-workflows.peterg.nl/oauth2/callback
-    # -- Define how long your login is valid for (in hours)
-    ## If omitted, defaults to 10h.
-    sessionExpiry: ""
-    # -- Alternate root URLs that can be included for some OIDC providers
-    issuerAlias: ""
-    # -- Override claim name for OIDC groups
-    customGroupClaimName: ""
-    # -- Specify the user info endpoint that contains the groups claim
-    ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
-    userInfoPath: ""
-    # -- Skip TLS verification for the HTTP client
-    insecureSkipVerify: false
-    # -- Filter the groups returned by the OIDC provider
-    ## A logical "OR" is used between each regex in the list
-    filterGroupsRegex: []
-      # - ".*argo-wf.*"
-      # - ".*argo-workflow.*"
 
   # -- Extra containers to be added to the server deployment
   extraContainers: []

k8s-peterg/argocd/kustomization.yaml

@@ -26,3 +26,4 @@ configMapGenerator:
 
 patches:
   - path: patches/configmap.yaml
+  - path: patches/deployments.yaml

k8s-peterg/argocd/oidc.yaml

@@ -27,3 +27,28 @@ spec:
       remoteRef:
         key: secrets/managed/argocd/authentik-oidc-credentials
         property: clientSecret
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argo-server-sso
+  namespace: argo-workflows
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: argo-server-sso
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argo-workflows
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-id
+    - secretKey: client-secret
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-secret

k8s-peterg/argocd/patches/configmap.yaml

@@ -23,6 +23,12 @@ data:
           - profile
           - email
           - groups
+    staticClients:
+    - name: Argo Workflows
+      id: argo-workflows-sso
+      redirectURIs:
+        - https://workflows.peterg.nl/oauth2/callback
+      secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
 ---
 apiVersion: v1
 kind: ConfigMap

k8s-peterg/argocd/patches/deployments.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-dex-server
+spec:
+  template:
+    spec:
+      containers:
+        - name: dex
+          env:
+            - name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: argo-workflows-sso
+                  key: client-secret