chore(argo-workflows): Configure declarative server auth mode

Signed-off-by: yu-croco <yu.croco@gmail.com>
argoproj · Oct 9, 2023 · f4c7c7d · f4c7c7d
1 parent 37069f9
commit f4c7c7d
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 14 deletions.
diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v3.4.11
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.33.3
+version: 0.34.0
 icon: https://argoproj.github.io/argo-workflows/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -16,5 +16,5 @@ annotations:
     fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
-    - kind: fixed
-      description: Add HA docs and example
+    - kind: changed
+      description: Configure declarative server auth mode.
diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md
@@ -256,6 +256,7 @@ Fields to note:
 | server.GKEmanagedCertificate.domains | list | `["argoworkflows.example.com"]` | Domains for the Google Managed Certificate |
 | server.GKEmanagedCertificate.enabled | bool | `false` | Enable ManagedCertificate custom resource for Google Kubernetes Engine. |
 | server.affinity | object | `{}` | Assign custom [affinity] rules |
+| server.authMode | string | `""` | Auth Mode is available from `server` , `client` or `sso`. If you chose `sso` , please configure `.Values.server.sso` as well. |
 | server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. This is only available on HPA apiVersion `autoscaling/v2beta2` and newer |
 | server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server |
 | server.autoscaling.maxReplicas | int | `5` | Maximum number of replicas for the Argo Server [HPA] |
@@ -267,7 +268,7 @@ Fields to note:
 | server.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. |
 | server.deploymentAnnotations | object | `{}` | optional map of annotations to be applied to the ui Deployment |
 | server.enabled | bool | `true` | Deploy the Argo Server |
-| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary, such as for disabling authentication. |
+| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary. |
 | server.extraContainers | list | `[]` | Extra containers to be added to the server deployment |
 | server.extraEnv | list | `[]` | Extra environment variables to provide to the argo-server container |
 | server.extraInitContainers | list | `[]` | Enables init containers to be added to the server deployment |
@@ -315,7 +316,7 @@ Fields to note:
 | server.sso.clientSecret.key | string | `"client-secret"` | Key of a secret to retrieve the app OIDC client secret |
 | server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret |
 | server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups |
-| server.sso.enabled | bool | `false` | Create SSO configuration |
+| server.sso.enabled | bool | `false` | Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`. |
 | server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client |
 | server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider |
 | server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers |

diff --git a/charts/argo-workflows/templates/server/server-deployment.yaml b/charts/argo-workflows/templates/server/server-deployment.yaml
@@ -52,6 +52,9 @@ spec:
           {{- with .Values.server.extraArgs }}
             {{- toYaml . | nindent 10 }}
           {{- end }}
+          {{- if .Values.server.authMode }}
+          - "--auth-mode={{ .Values.server.authMode }}"
+          {{- end }}
           - "--secure={{ .Values.server.secure }}"
           {{- if .Values.singleNamespace }}
           - "--namespaced"

diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml
@@ -522,14 +522,13 @@ server:
     # - name: FOO
     #   value: "bar"
 
-  # -- Extra arguments to provide to the Argo server binary, such as for disabling authentication.
+  # -- Auth Mode is available from `server` , `client` or `sso`. If you chose `sso` , please configure `.Values.server.sso` as well.
+  ## Ref: https://argoproj.github.io/argo-workflows/argo-server-auth-mode/
+  authMode: ""
+
+  # -- Extra arguments to provide to the Argo server binary.
+  ## Ref: https://argoproj.github.io/argo-workflows/argo-server/#options
   extraArgs: []
-  # If you want to disable authentication for purposes such as:
-  #   - local dev-mode without authentication
-  #   - gateway authentication through some other service such as KeyCloak
-  # uncomment the lines below and comment out the default empty list `extraArgs: []` above:
-  # extraArgs:
-  # - --auth-mode=server
 
   logging:
     # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
@@ -631,8 +630,7 @@ server:
 
   # SSO configuration when SSO is specified as a server auth mode.
   sso:
-    # -- Create SSO configuration
-    ## SSO is activated by adding --auth-mode=sso to the server command line.
+    # -- Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`.
     enabled: false
     # -- The root URL of the OIDC identity provider
     issuer: https://accounts.google.com