Skip to content

Commit

Permalink
docs: manifests for SSO using ArgoCD Dex, to be used with Kustomize (#…
Browse files Browse the repository at this point in the history 
…5647)

Signed-off-by: bgdnlp <github.com@neant.ro>
  • Loading branch information
@bgdnlp
bgdnlp authored Apr 13, 2021
1 parent 46ec302 commit 9c942d5
Show file tree
Hide file tree
Showing 4 changed files with 148 additions and 54 deletions.
144 changes: 144 additions & 0 deletions docs/argo-server-sso-argocd.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
# Use ArgoCD Dex for authentication

It is possible to have the Argo Workflows Server use the Argo CD Dex instance for authentication, for instance if you use Okta with SAML which cannot integrate with Argo Workflows directly. In order to make this happen, you will need the following:

- You must be using at least Dex [v2.23.0](https://github.com/dexidp/dex/releases/tag/v2.23.0), because that's when `staticClients[].secretEnv` was added. That means ArgoCD 1.7.12 and above.
- A secret containing two keys, `client-id` and `client-secret` to be used by both Dex and Argo Workflows Server. `client-id` is `argo-workflows-sso` in this example, `client-secret` can be any random string. If ArgoCD and ArgoWorkflows are installed in different namespaces the secret must be present in both of them. Example:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: argo-workflows-sso
data:
# client-id is 'argo-workflows-sso'
client-id: YXJnby13b3JrZmxvd3Mtc3Nv
# client-secret is 'MY-SECRET-STRING-CAN-BE-UUID'
client-secret: TVktU0VDUkVULVNUUklORy1DQU4tQkUtVVVJRA==
```
- `--auth-mode=sso` server argument added
- A Dex `staticClients` configured for `argo-workflows-sso`
- The `sso` configuration filled out in Argo Workflows Server to match

## Example manifests for authenticating against ArgoCD's Dex (Kustomize)

In ArgoCD, add an environment variable to Dex deployment and configuration:
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-dex-server
spec:
template:
spec:
containers:
- name: dex
env:
- name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: argo-workflows-sso
key: client-secret
---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
data:
# Kustomize sees the value of dex.config as a single string instead of yaml. It will not merge
# Dex settings, but instead it will replace the entire configuration with the settings below,
# so add these to the existing config instead of setting them in a separate file
dex.config: |
# Setting staticClients allows ArgoWorkflows to use ArgoCD's Dex installation for authentication
staticClients:
- id: argo-workflows-sso
name: Argo Workflow
redirectURIs:
- https://argo-workflows.mydomain.com/oauth2/callback
secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
```

In Argo Workflows add `--auth-mode=sso` argument to argo-server deployment.
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: argo-server
spec:
template:
spec:
containers:
- name: argo-server
args:
- server
- --auth-mode=sso
---
apiVersion: v1
kind: ConfigMap
metadata:
name: workflow-controller-configmap
data:
# SSO Configuration for the Argo server.
# You must also start argo server with `--auth-mode sso`.
# https://argoproj.github.io/argo/argo-server-auth-mode/
sso: |
# This is the root URL of the OIDC provider (required).
issuer: https://argo-cd.mydomain.com/api/dex
# This is name of the secret and the key in it that contain OIDC client
# ID issued to the application by the provider (required).
clientId:
name: argo-workflows-sso
key: client-id
# This is name of the secret and the key in it that contain OIDC client
# secret issued to the application by the provider (required).
clientSecret:
name: argo-workflows-sso
key: client-secret
# This is the redirect URL supplied to the provider (required). It must
# be in the form <argo-server-root-url>/oauth2/callback. It must be
# browser-accessible.
redirectUrl: https://argo-workflows.mydomain.com/oauth2/callback
```
## Example Helm chart configuration for authenticating against ArgoCD's Dex
`argo-cd/values.yaml`:
```yaml
dex:
image:
tag: v2.23.0
env:
- name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: argo-workflows-sso
key: client-secret
server:
config:
dex.config: |
staticClients:
- id: argo-workflows-sso
name: Argo Workflow
redirectURIs:
- https://argo-workflows.mydomain.com/oauth2/callback
secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
```

`argo/values.yaml`:
```yaml
server:
extraArgs:
- --auth-mode=sso
sso:
issuer: https://argo-cd.mydomain.com/api/dex
# sessionExpiry defines how long your login is valid for in hours. (optional, default: 10h)
sessionExpiry: 240h
clientId:
name: argo-workflows-sso
key: client-id
clientSecret:
name: argo-workflows-sso
key: client-secret
redirectUrl: https://argo-workflows.mydomain.com/oauth2/callback
```
54 changes: 2 additions & 52 deletions docs/argo-server-sso.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@

> v2.9 and after
It is possible to use [Dex](https://github.com/dexidp/dex) for authentication. [This document](argo-server-sso-argocd.md) describes how to set up ArgoWorkflows and ArgoCD so that ArgoWorkflows uses ArgoCD's Dex server for authentication.

## To start Argo Server with SSO.

Firstly, configure the settings [workflow-controller-configmap.yaml](workflow-controller-configmap.yaml) with the correct OAuth 2 values.
Expand Down Expand Up @@ -119,55 +121,3 @@ By default, your SSO session will expire after 10 hours. You can change this by
# Expiry defines how long your login is valid for in hours. (optional)
sessionExpiry: 240h
```
## Sharing the Argo CD Dex Instance using Oauth2
It is possible to have the Argo Workflows Server use the Argo CD Dex instance for SSO, for instance if you use Okta with SAML which cannot integrate with Argo Workflows directly. In order to make this happen, you will need the following:
- You must be using at least Dex [v2.23.0](https://github.com/dexidp/dex/releases/tag/v2.23.0), because that's when `staticClients[].secretEnv` was added.
- A secret created above with a `client-id` and `client-secret` to be used by both Dex and Argo Workflows Server. It is called `argo-workflows-sso` in this example.
- `--auth-mode=sso` server argument added
- A Dex `staticClients` configured for `argo-workflows-sso`
- The `sso` configuration filled out in Argo Workflows Server to match

What this might look like in your chart configuration:

`argo-cd/values.yaml`:
```yaml
dex:
image:
tag: v2.23.0
env:
- name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: argo-workflows-sso
key: client-secret
server:
config:
dex.config: |
staticClients:
- id: argo-workflows-sso
name: Argo Workflow
redirectURIs:
- https://argo-workflows.mydomain.com/oauth2/callback
secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
```

`argo/values.yaml`:
```yaml
server:
extraArgs:
- --auth-mode=sso
sso:
issuer: https://argo-cd.mydomain.com/api/dex
# sessionExpiry defines how long your login is valid for in hours. (optional, default: 10h)
sessionExpiry: 240h
clientId:
name: argo-workflows-sso
key: client-id
clientSecret:
name: argo-workflows-sso
key: client-secret
redirectUrl: https://argo-workflows.mydomain.com/oauth2/callback
```
3 changes: 1 addition & 2 deletions docs/argo-server.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,8 +58,7 @@ See [TLS](tls.md).

### SSO

See [SSO](argo-server-sso.md).

See [SSO](argo-server-sso.md). See [here](argo-server-sso-argocd.md) about sharing ArgoCD's Dex with ArgoWorkflows.

## Access the Argo Workflows UI

Expand Down
1 change: 1 addition & 0 deletions mkdocs.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,7 @@ nav:
- argo-server-auth-mode.md
- tls.md
- argo-server-sso.md
- argo-server-sso-argocd.md
- high-availability.md
- disaster-recovery.md
- scaling.md
Expand Down

0 comments on commit 9c942d5

Please sign in to comment.