Merge branch 'main' into upgrade-supported-k8s

argoproj · Jun 4, 2023 · 5611240 · 5611240
2 parents 199c777 + 3a7e4b1
commit 5611240
Show file tree

Hide file tree

Showing 11 changed files with 97 additions and 61 deletions.
diff --git a/.github/workflows/pr-sizing.yml b/.github/workflows/pr-sizing.yml
@@ -25,6 +25,6 @@ jobs:
   size-label:
     runs-on: ubuntu-latest
     steps:
-      - uses: pascalgn/size-label-action@1619680c5ac1ef360b944bb56a57587ba4aa2af8 # v0.4.3
+      - uses: pascalgn/size-label-action@37a5ad4ae20ea8032abf169d953bcd661fd82cd3 # v0.5.0
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -68,6 +68,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
         with:
           sarif_file: results.sarif
diff --git a/charts/argo-rollouts/Chart.yaml b/charts/argo-rollouts/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v1.5.0
 description: A Helm chart for Argo Rollouts
 name: argo-rollouts
-version: 2.30.1
+version: 2.31.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
 keywords:
@@ -19,4 +19,4 @@ annotations:
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
     - kind: added
-      description: Missing get access for configmaps in argo rollouts dashboard service account role
+      description: Support Traffic Router Plugins
diff --git a/charts/argo-rollouts/README.md b/charts/argo-rollouts/README.md
@@ -111,6 +111,7 @@ For full list of changes please check ArtifactHub [changelog].
 | controller.resources | object | `{}` | Resource limits and requests for the controller pods. |
 | controller.tolerations | list | `[]` | [Tolerations] for use with node taints |
 | controller.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the controller |
+| controller.trafficRouterPlugins | object | `{}` | Configures 3rd party traffic router plugins for controller |
 | controller.volumeMounts | list | `[]` | Additional volumeMounts to add to the controller container |
 | controller.volumes | list | `[]` | Additional volumes to add to the controller pod |
 | podAnnotations | object | `{}` | Annotations for the all deployed pods |

diff --git a/charts/argo-rollouts/templates/controller/configmap.yaml b/charts/argo-rollouts/templates/controller/configmap.yaml
@@ -10,3 +10,6 @@ data:
   {{- with .Values.controller.metricProviderPlugins }}
     {{- toYaml . | nindent 2 }}
   {{- end }}
+  {{- with .Values.controller.trafficRouterPlugins }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
diff --git a/charts/argo-rollouts/values.yaml b/charts/argo-rollouts/values.yaml
@@ -194,6 +194,13 @@ controller:
     #   - name: "argoproj-labs/sample-prometheus" # name of the plugin, it must match the name required by the plugin so that it can find its configuration
     #     location: "file://./my-custom-plugin" # supports http(s):// urls and file://
 
+  # -- Configures 3rd party traffic router plugins for controller
+  ## Ref: https://argo-rollouts.readthedocs.io/en/stable/features/traffic-management/plugins/
+  trafficRouterPlugins: {}
+    # trafficRouterPlugins: |-
+    #   - name: "argoproj-labs/sample-nginx" # name of the plugin, it must match the name required by the plugin so it can find it's configuration
+    #     location: "file://./my-custom-plugin" # supports http(s):// urls and file://
+
 serviceAccount:
   # -- Specifies whether a service account should be created
   create: true

diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v3.4.8
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.28.2
+version: 0.29.0
 icon: https://argoproj.github.io/argo-workflows/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -17,4 +17,4 @@ annotations:
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
     - kind: changed
-      description: Upgrade to Argo Workflows v3.4.8
+      description: Declare SSO configuration explicitly on values.yaml
diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md
@@ -302,7 +302,21 @@ Fields to note:
 | server.servicePort | int | `2746` | Service port for server |
 | server.servicePortName | string | `""` | Service port name |
 | server.serviceType | string | `"ClusterIP"` | Service type for server pods |
-| server.sso | object | `{}` | SSO configuration when SSO is specified as a server auth mode. |
+| server.sso.clientId.key | string | `"client-id"` | Key of secret to retrieve the app OIDC client ID |
+| server.sso.clientId.name | string | `"argo-server-sso"` | Name of secret to retrieve the app OIDC client ID |
+| server.sso.clientSecret.key | string | `"client-secret"` | Key of a secret to retrieve the app OIDC client secret |
+| server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret |
+| server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups |
+| server.sso.enabled | bool | `false` | Create SSO configuration |
+| server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client |
+| server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider |
+| server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers |
+| server.sso.rbac.enabled | bool | `true` | Adds ServiceAccount Policy to server (Cluster)Role. |
+| server.sso.rbac.secretWhitelist | list | `[]` | Whitelist to allow server to fetch Secrets |
+| server.sso.redirectUrl | string | `"https://argo/oauth2/callback"` |  |
+| server.sso.scopes | list | `[]` | Scopes requested from the SSO ID provider |
+| server.sso.sessionExpiry | string | `""` | Define how long your login is valid for (in hours) |
+| server.sso.userInfoPath | string | `""` | Specify the user info endpoint that contains the groups claim |
 | server.tolerations | list | `[]` | [Tolerations] for use with node taints |
 | server.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the argo server |
 | server.volumeMounts | list | `[]` | Additional volume mounts to the server main container. |

diff --git a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
@@ -126,37 +126,35 @@ data:
     {{- if .Values.controller.workflowDefaults }}
     workflowDefaults:
 {{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }}
-    {{- with .Values.server.sso }}
+    {{- if .Values.server.sso.enabled }}
     sso:
-      issuer: {{ .issuer }}
+      issuer: {{ .Values.server.sso.issuer }}
       clientId:
-        name: {{ .clientId.name }}
-        key: {{ .clientId.key }}
+        name: {{ .Values.server.sso.clientId.name }}
+        key: {{ .Values.server.sso.clientId.key }}
       clientSecret:
-        name: {{ .clientSecret.name }}
-        key: {{ .clientSecret.key }}
-      redirectUrl: {{ .redirectUrl }}
-      {{- with .rbac }}
+        name: {{ .Values.server.sso.clientSecret.name }}
+        key: {{ .Values.server.sso.clientSecret.key }}
+      redirectUrl: {{ .Values.server.sso.redirectUrl }}
       rbac:
-        enabled: {{ .enabled }}
+        enabled: {{ .Values.server.sso.rbac.enabled }}
+      {{- with .Values.server.sso.scopes }}
+      scopes: {{ toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .scopes }}
-      scopes: {{ toYaml .scopes | nindent 8 }}
+      {{- with .Values.server.sso.issuerAlias }}
+      issuerAlias: {{ toYaml . }}
       {{- end }}
-      {{- if .issuerAlias }}
-      issuerAlias: {{ .issuerAlias }}
+      {{- with .Values.server.sso.sessionExpiry }}
+      sessionExpiry: {{ toYaml . }}
       {{- end }}
-      {{- if .sessionExpiry }}
-      sessionExpiry: {{ .sessionExpiry }}
+      {{- with .Values.server.sso.customGroupClaimName }}
+      customGroupClaimName: {{ toYaml . }}
       {{- end }}
-      {{- if .customGroupClaimName }}
-      customGroupClaimName: {{ .customGroupClaimName }}
+      {{- with .Values.server.sso.userInfoPath }}
+      userInfoPath: {{ toYaml . }}
       {{- end }}
-      {{- if .userInfoPath }}
-      userInfoPath: {{ .userInfoPath }}
-      {{- end }}
-      {{- if .insecureSkipVerify }}
-      insecureSkipVerify: {{ .insecureSkipVerify }}
+      {{- with .Values.server.sso.insecureSkipVerify }}
+      insecureSkipVerify: {{ toYaml . }}
       {{- end }}
     {{- end }}
     {{- with .Values.controller.workflowRestrictions }}
@@ -184,4 +182,4 @@ data:
     {{- end }}
     {{- with .Values.controller.podGCDeleteDelayDuration }}
     podGCDeleteDelayDuration: {{ . }}
-    {{- end }}
+    {{- end }}
diff --git a/charts/argo-workflows/templates/server/server-cluster-roles.yaml b/charts/argo-workflows/templates/server/server-cluster-roles.yaml
@@ -38,7 +38,7 @@ rules:
   verbs:
   - get
   - list
-{{- if .Values.server.sso }}
+{{- if .Values.server.sso.enabled }}
 - apiGroups:
   - ""
   resources:
@@ -54,7 +54,7 @@ rules:
   - secrets
   verbs:
   - create
-  {{- if .Values.server.sso.rbac }}
+  {{- if .Values.server.sso.rbac.enabled }}
 - apiGroups:
   - ""
   resources:
@@ -73,11 +73,9 @@ rules:
   - get
   - list
   - watch
-{{- if .Values.server.sso }}
-  {{- if .Values.server.sso.rbac }}
-    {{- with .Values.server.sso.rbac.secretWhitelist }}
+{{- if and .Values.server.sso.enabled .Values.server.sso.rbac.enabled }}
+  {{- with .Values.server.sso.rbac.secretWhitelist }}
   resourceNames: {{- toYaml . | nindent 4 }}
-    {{- end }}
   {{- end }}
 {{- end }}
 - apiGroups:

diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml
@@ -618,35 +618,50 @@ server:
     # -- Give the server permissions to edit ClusterWorkflowTemplates.
     enableEditing: true
 
-  # -- SSO configuration when SSO is specified as a server auth mode.
-  sso: {}
-    ## All the values are required. SSO is activated by adding --auth-mode=sso
-    ## to the server command line.
-    #
-    ## The root URL of the OIDC identity provider.
-    # issuer: https://accounts.google.com
-    ## Name of a secret and a key in it to retrieve the app OIDC client ID from.
-    # clientId:
-    #   name: argo-server-sso
-    #   key: client-id
-    ## Name of a secret and a key in it to retrieve the app OIDC client secret from.
-    # clientSecret:
-    #   name: argo-server-sso
-    #   key: client-secret
-    ## The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
-    # redirectUrl: https://argo/oauth2/callback
-    # rbac:
-    #   enabled: true
+  # SSO configuration when SSO is specified as a server auth mode.
+  sso:
+    # -- Create SSO configuration
+    ## SSO is activated by adding --auth-mode=sso to the server command line.
+    enabled: false
+    # -- The root URL of the OIDC identity provider
+    issuer: https://accounts.google.com
+    clientId:
+      # -- Name of secret to retrieve the app OIDC client ID
+      name: argo-server-sso
+      # -- Key of secret to retrieve the app OIDC client ID
+      key: client-id
+    clientSecret:
+      # -- Name of a secret to retrieve the app OIDC client secret
+      name: argo-server-sso
+      # -- Key of a secret to retrieve the app OIDC client secret
+      key: client-secret
+    # - The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
+    redirectUrl: https://argo/oauth2/callback
+    rbac:
+      # -- Adds ServiceAccount Policy to server (Cluster)Role.
+      enabled: true
+    # -- Whitelist to allow server to fetch Secrets
     ## When present, restricts secrets the server can read to a given list.
     ## You can use it to restrict the server to only be able to access the
     ## service account token secrets that are associated with service accounts
     ## used for authorization.
-    #   secretWhitelist: []
-    ## Scopes requested from the SSO ID provider.  The 'groups' scope requests
-    ## group membership information, which is usually used for authorization
-    ## decisions.
-    # scopes:
-    # - groups
+      secretWhitelist: []
+    # -- Scopes requested from the SSO ID provider
+    ## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
+    scopes: []
+      # - groups
+    # -- Define how long your login is valid for (in hours)
+    ## If omitted, defaults to 10h.
+    sessionExpiry: ""
+    # -- Alternate root URLs that can be included for some OIDC providers
+    issuerAlias: ""
+    # -- Override claim name for OIDC groups
+    customGroupClaimName: ""
+    # -- Specify the user info endpoint that contains the groups claim
+    ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
+    userInfoPath: ""
+    # -- Skip TLS verification for the HTTP client
+    insecureSkipVerify: false
 
   # -- Extra containers to be added to the server deployment
   extraContainers: []