feat: Argo workflows SSO auth

components/11-argo-workflows/kustomization.yaml

@@ -22,3 +22,9 @@ patches:
     kind: Deployment
     name: workflow-controller
   path: patch-workflow-deployment.yaml
+
+configMapGenerator:
+  - name: workflow-controller-configmap
+    behavior: merge
+    files:
+      - sso

components/11-argo-workflows/patch-server-deployment.yaml

@@ -3,8 +3,7 @@
   path: /spec/template/spec/containers/0/args
   value:
     - server
-    - --auth-mode=server
-    # - --auth-mode=client
+    - --auth-mode=sso
     - --namespaced
     - --managed-namespace
     - argo-events

components/11-argo-workflows/sso

@@ -0,0 +1,29 @@
+# This is the root URL of the OIDC provider (required).
+issuer: https://dexidp.local
+# This defines how long your login is valid for (in hours). (optional)
+# If omitted, defaults to 10h. Example below is 10 days.
+sessionExpiry: 240h
+# This is name of the secret and the key in it that contain OIDC client
+# ID issued to the application by the provider (required).
+clientId:
+  name: argo-sso
+  key: client-id
+# This is name of the secret and the key in it that contain OIDC client
+# secret issued to the application by the provider (required).
+clientSecret:
+  name: argo-sso
+  key: client-secret
+# This is the redirect URL supplied to the provider (optional). It must
+# be in the form <argo-server-root-url>/oauth2/callback. It must be
+# browser-accessible. If omitted, will be automatically generated.
+redirectUrl: https://workflows.local/oauth2/callback
+# Additional scopes to request. Typically needed for SSO RBAC. >= v2.12
+scopes:
+  - groups
+  - email
+  - profile
+# RBAC Config. >= v2.12
+rbac:
+  enabled: false
+# Skip TLS verify, not recommended in production environments. Useful for testing purposes. >= v3.2.4
+insecureSkipVerify: true

components/12-argo-events/kustomization.yaml

@@ -20,3 +20,9 @@ resources:
   - sensor-workflow-role.yaml
   - webhook-sensor.yaml
   - workflow-role.yaml
+
+configMapGenerator:
+  - name: workflow-controller-configmap
+    behavior: merge
+    files:
+      - sso

components/13-dexidp/values.yaml

@@ -59,6 +59,11 @@ config:
       redirectURIs:
         - "http://localhost:8000/complete/oidc/"
         - "https://nautobot.local/complete/oidc/"
+    - id: argo
+      secretEnv: ARGO_SSO_CLIENT_SECRET
+      name: "Undercloud Argo"
+      redirectURIs:
+        - "https://workflows.local/oauth2/callback"
 
 envVars:
   - name: NAUTOBOT_SSO_CLIENT_SECRET
@@ -81,6 +86,11 @@ envVars:
       secretKeyRef:
         name: azure-sso
         key: issuer
+  - name: ARGO_SSO_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: argo-sso
+        key: client-secret
 ingress:
   enabled: true
   annotations:

scripts/easy-secrets-gen.sh

@@ -41,6 +41,20 @@ for ns in nautobot dex; do
 done
 unset NAUTOBOT_SSO_SECRET
 
+ARGO_SSO_SECRET=$(./scripts/pwgen.sh)
+for ns in argo argo-events argocd dex; do
+  kubectl --namespace $ns \
+    create secret generic argo-sso \
+    --dry-run=client \
+    -o yaml \
+    --type Opaque \
+    --from-literal=client-secret="$ARGO_SSO_SECRET" \
+    --from-literal=client-id=argo \
+    > secret-argo-sso-$ns.yaml
+done
+unset ARGO_SSO_SECRET
+
+
 kubectl --namespace openstack \
     create secret generic keystone-rabbitmq-password \
     --type Opaque \
@@ -126,6 +140,15 @@ for ns in nautobot dex; do
     -w components/01-secrets/encrypted-nautobot-sso-$ns.yaml
 done
 
+for ns in argo argo-events argocd dex; do
+  kubeseal \
+    --scope cluster-wide \
+    --allow-empty-data \
+    -o yaml \
+    -f secret-argo-sso-$ns.yaml \
+    -w components/01-secrets/encrypted-argo-sso-$ns.yaml
+done
+
 cd components/01-secrets/
 rm -f kustomization.yaml
 kustomize create --autodetect