argo-workflows/argo-server-sso-argocd/ #8578
Replies: 23 comments 56 replies
-
Can you change the following example? It confuses us into using the secret name as an OIDC ID, which is actually an OIDC ClientID, not a secret name. There are a number of people in Slack chat and GitHub discussions facing the invalid client id issue because of this:

staticClients:
  - id: argo-workflows-sso  # This is actually an OIDC ClientID, not a secret or name
    name: Argo Workflow
    redirectURIs:
      - https://argo-workflows.mydomain.com/oauth2/callback
    secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
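An added example, not part of the original comment or the Argo documentation: a check that the value stored under the Secret key referenced by Argo's `sso.clientId` (not the Secret's name) equals a Dex `staticClients` id, and that the redirect URL is registered for that client. The Secret names, the helper names and the JSON stand-in for `kubectl get secret -o json` output are constructed for illustration.

```python
import base64
import json

# Dex staticClients entry from the comment above, as parsed YAML (constructed input).
DEX_STATIC_CLIENTS = [{
    "id": "argo-workflows-sso",  # the OIDC client ID, not a Secret name
    "name": "Argo Workflow",
    "redirectURIs": ["https://argo-workflows.mydomain.com/oauth2/callback"],
}]
REDIRECT_URL = "https://argo-workflows.mydomain.com/oauth2/callback"


def secret_json(name, client_id):
    """Build a constructed stand-in for `kubectl get secret <name> -o json`."""
    data = {"client-id": base64.b64encode(client_id.encode()).decode()}
    return json.dumps({"kind": "Secret", "metadata": {"name": name}, "data": data})


def check_sso_client(secret_doc, key, static_clients, redirect_url):
    """Return the mismatches between the Secret value Argo sends and Dex's clients."""
    secret = json.loads(secret_doc)
    encoded = secret.get("data", {}).get(key)
    if encoded is None:
        return [f"secret {secret['metadata']['name']!r} has no key {key!r}"]
    client_id = base64.b64decode(encoded).decode("utf-8")
    problems = []
    if client_id != client_id.strip():
        problems.append(f"value {client_id!r} has surrounding whitespace")
    client = next((c for c in static_clients if c.get("id") == client_id), None)
    if client is None:
        known = [c.get("id") for c in static_clients]
        problems.append(f"client id {client_id!r} is not a Dex staticClients id: {known}")
    elif redirect_url not in client.get("redirectURIs", []):
        problems.append(f"redirectUrl {redirect_url!r} is not registered for {client_id!r}")
    return problems


if __name__ == "__main__":
    cases = {
        "matching value": secret_json("sso-creds", "argo-workflows-sso"),
        "name matches, value differs": secret_json("argo-workflows-sso", "workflows-client"),
        "trailing newline": secret_json("sso-creds", "argo-workflows-sso\n"),
    }
    for label, doc in cases.items():
        print(label, "->", check_sso_client(doc, "client-id", DEX_STATIC_CLIENTS, REDIRECT_URL))
```

The second case is the confusion described above: the Secret is named like the Dex client, but only the decoded value under `client-id` is compared.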
-
With Terraform and Helm, I get
-
How do we add multiple groups to RBAC? Is the below example valid?
-
I am getting the below error when setting auth mode sso. The error is
-
Maybe you have an example of how I can put the issuer URL in the config, because now I use https://sts.windows.net/{tenant-id}/
-
Does Argo support the CAS (Central Authentication Service) auth method?
-
How can I specify a rule only for a specific group with Azure Active Directory SSO?
-
Does argo-workflows support SSO with SAML 2.0 assertion as opposed to just OIDC?
-
Could SSO support SubjectAccessReview instead of the need to create additional claims in OIDC? This can add a lot of work to the team that owns argo-server creating and managing claims. We feel it would be easier if SAR was integrated to this validation per namespace since it is a k8s concept. We use SAR for other services in a similar manner to this.
-
Does anyone know how to skip the sign on screen when using SSO? When I click a link while signed out, I expect to be automatically redirected to my SSO provider, not Argo which requires an additional Sign In click. Does anyone know if it's possible to automatically redirect to the SSO?
-
My server deployment fails to become "ready". The logs indicate there's an RBAC problem.
Anyone else run into this?
-
We are trying to implement SSO (using AzureAD) with argocd. I want to understand if we can skip creating users in AzureAD and create the group internally within the configmap, as in . We just want the user to log in, but the group gets assigned when they log in, and so the permissions. We want to avoid creating the AzureAD groups in the portal (or using Terraform to manage this).
-
I've successfully implemented SSO using Argo-cd dex and GitHub as the provider. I can log in to argo-workflows, but I'm presented with the following error message in the UI and logs: The user is bound to the server-admin user so should be able to do anything. What is the cause of this issue?
-
I'm using SAML with Okta and Dex. Okta doesn't provide any client-id for this setup. How am I supposed to configure argo-workflows to use argo-cd's dex server?
-
I am using Azure AD as identity provider.
The sso Argo server settings:

sso:
  issuer: https://login.microsoftonline.com/86xxxx7c-xxxx-xxxx-xxxx-35b1xxxxb98/v2.0
  clientId:
    name: argo-server-sso
    key: client-id
  clientSecret:
    name: argo-server-sso
    key: client-secret
  redirectUrl: https://argo-lab.my-company.com/oauth2/callback
  rbac:
    enabled: true
  scopes:
    - groups

What is the cause of this issue?
-
How would I get this to work with FreeIPA?
-
About a year ago, my SSO configuration worked fine with groups. The other day I decided to deploy it in another cluster and I get these messages:
I used this annotation to check rules without conditions:

workflows.argoproj.io/rbac-rule: "true"
workflows.argoproj.io/rbac-rule-precedence: "0"

I tried to use the service default account as well, but the message also just cannot find the secret for the default account
-
I used the token generated by sa argo-server-admin, and called argo server with this token like this:
Why does it still use sa argo-server-readonly, which is defined in argoproj server?
-
I see only 1 namespace in the Argo Workflow UI, I can see the correct user info but need the ability to switch the namespace from UI. I mentioned all the required namespaces in the
-
Hi, I already have a Pomerium setup running in the cluster, already used by all the other services. Is there any way to use it instead of Dex?
-
Instructions are a bit unclear. Under SSO RBAC it says the service account must exist in the same namespace as the argo server, yet under SSO RBAC namespace delegation it states you can place the service account in the target namespace. I can only make the former work via testing, it doesn't seem to pick up any annotated service accounts in any other namespaces. For my test I'm using 3 SA accounts: argo-workflow:
other-namespace:
My login will NEVER match with the user-login sa unless I create it in the argo-workflow namespace. I'd prefer to keep service accounts in their respective namespaces, but documentation is a bit contradictory.
-
Hello,
using this deploy config from the argocd site:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: argocd-dex-server
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      containers:
      - command:
        - /shared/argocd-dex
        - rundex
        env:
        - name: ARGOCD_DEX_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: dexserver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        image: ghcr.io/dexidp/dex:v2.37.0
        imagePullPolicy: Always
        name: dex
        ports:
        - containerPort: 5556
        - containerPort: 5557
        - containerPort: 5558
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: false
          #runAsNonRoot: true
          runAsUser: 0
          runAsGroup: 0
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        - mountPath: /tmp
          name: dexconfig
        - mountPath: /tls
          name: argocd-dex-server-tls
      initContainers:
      - command:
        - cp
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
        image: quay.io/argoproj/argocd:v2.9.2
        imagePullPolicy: Always
        name: copyutil
        securityContext:
          #allowPrivilegeEscalation: false
          allowPrivilegeEscalation: true
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          #runAsNonRoot: false
          runAsUser: 0
          runAsGroup: 0
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /shared
          name: static-files
        - mountPath: /tmp
          name: dexconfig
      serviceAccountName: argocd-dex-server
      volumes:
      - emptyDir: {}
        name: static-files
      - emptyDir: {}
        name: dexconfig
      - name: argocd-dex-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-dex-server-tls
-
Filtering groups (filterGroupsRegex) not working without enabling RBAC

Hi - We've configured SSO and are trying to restrict access using filtering groups (filterGroupsRegex) https://argo-workflows.readthedocs.io/en/latest/argo-server-sso/#filtering-groups. However, it's not working as expected. Do we always need to enable RBAC to use filtering groups (filterGroupsRegex), or are we missing some configuration?
-
argo-workflows/argo-server-sso-argocd/
https://argoproj.github.io/argo-workflows/argo-server-sso-argocd/