In my last post, we got Argo Workflow up and running but had issues with the SSO Config.  In this post, we are going to cover getting that working.

First, one difference from last time: I am going to put all the Argo apps into the same namespace.

Second, I am creating a Secret with the SSO creds. For our setup we use Ansible and Ansible Vault to deploy our secrets, so for the sake of making this easy I just put a manifest here as an example:

apiVersion: v1
kind: Secret
metadata:
  name: argo-server-sso
  namespace: argo-apps
data:
  # client-id is 'argo-workflows-sso'
  client-id: YXJnby13b3JrZmxvd3Mtc3Nv
  # client-secret is 'MY-SECRET-STRING-CAN-BE-UUID'
  client-secret: TVktU0VDUkVULVNUUklORy1DQU4tQkUtVVVJRA==
type: Opaque

The client ID is set to argo-workflows-sso and the secret is a random string.

Next, I need to update the Argo CD Dex server config to include a staticClients entry that Argo Workflows uses for SSO. In my argo-cd/staging/values.yaml I already have argo-cd.configs.cm.dex.config with the connectors config (this is what Dex uses to connect to GitHub for OAuth); now we add the staticClients config which refre:

configs:
  cm:
    url: https://<argocd-url>
    dex.config: |
      staticClients:
        - id: argo-workflows-sso
          name: Argo Workflow
          redirectURIs:
            - https://<argo-workflow-url>/oauth2/callback
          secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
      connectors:
        - type: github
          id: github
          name: Github
          config:
            clientID: <Client ID>
            clientSecret: $argo-dex-sso:dex.github.clientSecret
            orgs:
              - name: <Github Org Name>

Now, we need to add configuration to the

controller:
  server:
    sso:
      issuer: https://<argocd-url>/api/dex
      sessionExpiry: 240h
      clientId:
        name: argo-server-sso
        key: client-id
      clientSecret:
        name: argo-server-sso
        key: client-secret
      redirectUrl: https://<argo-workflow-url>/oauth2/callback
      enabled: true
      rbac:
        enabled: false
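The three pieces above have to agree with each other (the Secret's decoded client-id must equal the Dex static client id, the Workflows redirectUrl must be one of Dex's redirectURIs, and the issuer must be Argo CD's Dex endpoint), and a mismatch in any of them shows up as a failed login rather than a clear error. The script below is my own added check, not code from the post or from Argo; it embeds the post's manifests as Python dicts with placeholder URLs and reports any of those mismatches.

```python
import base64

# Constructed inputs mirroring the post's three manifests; the URLs are placeholders.
ARGOCD_URL = "https://argocd.example.invalid"
WORKFLOW_URL = "https://workflows.example.invalid"

SECRET = {  # the argo-server-sso Secret, data still base64-encoded as in the manifest
    "metadata": {"name": "argo-server-sso", "namespace": "argo-apps"},
    "data": {
        "client-id": "YXJnby13b3JrZmxvd3Mtc3Nv",
        "client-secret": "TVktU0VDUkVULVNUUklORy1DQU4tQkUtVVVJRA==",
    },
}
DEX_STATIC_CLIENT = {  # the staticClients entry from dex.config
    "id": "argo-workflows-sso",
    "name": "Argo Workflow",
    "redirectURIs": [f"{WORKFLOW_URL}/oauth2/callback"],
    "secretEnv": "ARGO_WORKFLOWS_SSO_CLIENT_SECRET",
}
WORKFLOW_SSO = {  # the server.sso block for Argo Workflows
    "issuer": f"{ARGOCD_URL}/api/dex",
    "clientId": {"name": "argo-server-sso", "key": "client-id"},
    "clientSecret": {"name": "argo-server-sso", "key": "client-secret"},
    "redirectUrl": f"{WORKFLOW_URL}/oauth2/callback",
}

def secret_value(secret, ref):
    """Resolve a {name, key} secretKeyRef against the Secret and base64-decode it."""
    if secret["metadata"]["name"] != ref["name"]:
        return None
    raw = secret["data"].get(ref["key"])
    return base64.b64decode(raw).decode() if raw is not None else None

def check_sso_wiring(secret, static_client, sso, argocd_url):
    """Return a list of mismatches between Secret, Dex static client and Workflows SSO config."""
    problems = []
    client_id = secret_value(secret, sso["clientId"])
    if client_id is None:
        problems.append("clientId reference does not resolve in the Secret")
    elif client_id != static_client["id"]:
        problems.append(f"client-id {client_id!r} != Dex static client id {static_client['id']!r}")
    if secret_value(secret, sso["clientSecret"]) is None:
        problems.append("clientSecret reference does not resolve in the Secret")
    if sso["redirectUrl"] not in static_client["redirectURIs"]:
        problems.append(f"redirectUrl {sso['redirectUrl']} is not in Dex redirectURIs")
    if sso["issuer"] != f"{argocd_url}/api/dex":
        problems.append(f"issuer {sso['issuer']} is not Argo CD's Dex endpoint")
    return problems

if __name__ == "__main__":
    for line in check_sso_wiring(SECRET, DEX_STATIC_CLIENT, WORKFLOW_SSO, ARGOCD_URL) or ["OK"]:
        print(line)
```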

Now you can enable rbac and map a service account to a scope that is requested from the SSO identity provider. Otherwise, Workflows will just default to the standard service account.