add sso on Argo Workflows

GiganticMinecraft · Dec 21, 2023 · 3f0a0d0 · 3f0a0d0
1 parent 1cdabf4
commit 3f0a0d0
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 5 deletions.
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cloudflared-tunnel-exits/http-exits.yaml
@@ -97,8 +97,8 @@ spec:
 
           # Argo Eventsの管理画面。
           # 今は特に何も表示してないのとSSOを入れるので認証は噛まさない。
-          - name: argo-events
-            external-hostname: argo-events.onp-k8s.admin.seichi.click
+          - name: argo-workflows
+            external-hostname: argo-workflows.onp-k8s.admin.seichi.click
             internal-authority: "argo-workflows-server.argo:2746"
   template:
     metadata:

diff --git a/...k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/app-of-other-apps/argo-events.yaml b/...k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/app-of-other-apps/argo-events.yaml
@@ -12,7 +12,6 @@ spec:
     helm:
       releaseName: argo-events
       # values: |
-
   destination:
     server: https://kubernetes.default.svc
     namespace: argo-events

diff --git a/.../manifests/seichi-kubernetes/apps/cluster-wide-apps/app-of-other-apps/argo-workflows.yaml b/.../manifests/seichi-kubernetes/apps/cluster-wide-apps/app-of-other-apps/argo-workflows.yaml
@@ -16,6 +16,20 @@ spec:
           workflowNamespaces:
             - argo
             - argo-events
+        server:
+          extraArgs:
+            - --auth-mode=sso
+          sso:
+            issuer: https://argocd.onp-k8s.admin.seichi.click/api/dex
+            # sessionExpiry defines how long your login is valid for in hours. (optional, default: 10h)
+            sessionExpiry: 240h
+            clientId:
+              name: argo-workflows-sso
+              key: client-id
+            clientSecret:
+              name: argo-workflows-sso
+              key: client-secret
+            redirectUrl: https://argo-workflows.onp-k8s.admin.seichi.click/oauth2/callback
   destination:
     server: https://kubernetes.default.svc
     namespace: argo
@@ -24,5 +38,4 @@ spec:
       prune: true
       selfHeal: true
     syncOptions:
-      - CreateNamespace=true
       - ServerSideApply=true
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/argocd-helm-chart-values.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/argocd-helm-chart-values.yaml
@@ -47,6 +47,12 @@ server:
             clientSecret: $argocd-github-oauth-app-secret:ARGOCD_GITHUB_OAUTH_APP_SECRET
             orgs:
             - name: GiganticMinecraft
+           staticClients:
+        - id: argo-workflows-sso
+          name: Argo Workflow
+          redirectURIs:
+            - https://argo-workflows.onp-k8s.admin.seichi.click/oauth2/callback
+          secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
     admin.enabled: "false"
 
   rbacConfig:
@@ -58,7 +64,6 @@ server:
     # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information.
     policy.csv: |
       g, GiganticMinecraft:admin-team, role:admin
-      g, GiganticMinecraft:infra-collaborator, role:admin
     # policy.default is the name of the default role which Argo CD will falls back to, when
     # authorizing API requests (optional). If omitted or empty, users may be still be able to login,
     # but will see no apps, projects, etc...

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -182,6 +182,12 @@ variable "onp_k8s_argocd_applicationset_controller_github_app_pem" {
   sensitive   = true
 }
 
+variable "onp_k8s_argo_workflows_sso_client_secret" {
+  description = "Client Secret of Argo Workflows SSO on ArgoCD dex"
+  type        = string
+  sensitive   = true
+}
+
 #endregion
 
 #region on-premise Grafana to GitHub integration

diff --git a/terraform/onp_cluster_namespaces.tf b/terraform/onp_cluster_namespaces.tf
@@ -28,6 +28,12 @@ resource "kubernetes_namespace" "onp_argocd" {
   }
 }
 
+resource "kubernetes_namespace" "onp_argo" {
+  metadata {
+    name = "argo"
+  }
+}
+
 resource "kubernetes_namespace" "onp_clustersecret" {
   metadata {
     name = "clustersecret"

diff --git a/terraform/onp_cluster_secrets.tf b/terraform/onp_cluster_secrets.tf
@@ -57,6 +57,21 @@ resource "kubernetes_secret" "onp_argocd_applicationset_controller_github_app_se
 
   type = "Opaque"
 }
+resource "kubernetes_secret" "onp_argo_workflows_sso" {
+  depends_on = [kubernetes_namespace.onp_argo]
+
+  metadata {
+    name      = "argo-workflows-sso"
+    namespace = "argo"
+  }
+
+  data = {
+    client-id = "argo-workflows-sso"
+    client-secret = var.onp_k8s_argo_workflows_sso_client_secret
+  }
+
+  type = "Opaque"
+}
 
 resource "kubernetes_secret" "onp_grafana_github_oauth_app_secret" {
   depends_on = [kubernetes_namespace.onp_monitoring]