argo-helm
[argo-workflow] Enabling sso causes failed deployment
Describe the bug
when adding:
server:
  extraArgs:
    - --auth-mode=sso
in the values.yaml, the argo-workflow-server pod fails to start with the following logs:
W0505 11:39:26.251274 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:argo:argo-workflows-server" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0505 11:39:26.251325 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.ServiceAccount: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:argo:argo-workflows-server" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0505 11:39:26.274728 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.Secret: unknown (get secrets)
Related helm chart
argo-workflows
To Reproduce
Add the following lines to values.yaml:
server:
  extraArgs:
    - --auth-mode=sso
Install via helm.
Expected behavior
argo-workflow-server is SSO enabled and starts.
Screenshots
No response
Additional context
Chart version: 0.14.1
This is working with chart 0.13.1.
I think you need to add these as well to values, aside from adding the flag:
  sso: {}
    ## All the values are required. SSO is activated by adding --auth-mode=sso
    ## to the server command line.
    #
    ## The root URL of the OIDC identity provider.
    # issuer: https://accounts.google.com
    ## Name of a secret and a key in it to retrieve the app OIDC client ID from.
    # clientId:
    #   name: argo-server-sso
    #   key: client-id
    ## Name of a secret and a key in it to retrieve the app OIDC client secret from.
    # clientSecret:
    #   name: argo-server-sso
    #   key: client-secret
    ## The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
    # redirectUrl: https://argo/oauth2/callback
    # rbac:
    #   enabled: true
    ## When present, restricts secrets the server can read to a given list.
    ## You can use it to restrict the server to only be able to access the
    ## service account token secrets that are associated with service accounts
    ## used for authorization.
    # secretWhitelist: []
    ## Scopes requested from the SSO ID provider. The 'groups' scope requests
    ## group membership information, which is usually used for authorization
    ## decisions.
    # scopes:
    # - groups
see here: https://github.com/argoproj/argo-helm/blob/master/charts/argo-workflows/templates/server/server-cluster-roles.yaml#L49
I'm experiencing the same thing; it doesn't seem like there's a rule which enables watching serviceaccounts: https://github.com/argoproj/argo-helm/blob/master/charts/argo-workflows/templates/server/server-cluster-roles.yaml#L53 there's only get and list.
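The forbidden messages quoted in this thread follow a fixed API-server format, so the missing verbs can be read off mechanically instead of guessed. The script below is an added example and not part of the issue or of the chart: it parses constructed log lines modelled on the ones above (the fourth line is an invented namespaced denial, added to show that the same parser covers Role as well as ClusterRole scope), collapses the denials into a minimal rule set, and renders them as a rules: block for review before anything is applied.

```python
import re
from collections import defaultdict

# RBAC denial exactly as the API server phrases it inside client-go reflector output.
DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: at the cluster scope| in the namespace "(?P<ns>[^"]+)")'
)
# Constructed sample: lines 1-3 mirror the issue report, line 4 is a made-up namespaced denial.
SAMPLE_LOG = """\
W0505 11:39:26.251274 1 reflector.go:324] failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:argo:argo-workflows-server" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0505 11:39:26.251325 1 reflector.go:138] Failed to watch *v1.ServiceAccount: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:argo:argo-workflows-server" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0505 11:39:26.274728 1 reflector.go:138] Failed to watch *v1.Secret: unknown (get secrets)
E0505 11:40:00.000000 1 reflector.go:138] workflows.argoproj.io is forbidden: User "system:serviceaccount:argo:argo-workflows-server" cannot list resource "workflows" in API group "argoproj.io" in the namespace "argo"
"""

def parse_denials(log):
    """One dict per RBAC denial: user, verb, resource, API group and scope.
    Lines without a 'User ... cannot <verb>' phrase (the bare 'unknown (get secrets)'
    watch failure above) carry no verb and are skipped for manual review."""
    denials = []
    for m in DENIAL_RE.finditer(log):
        scope = "cluster" if m.group("ns") is None else "namespace:" + m.group("ns")
        denials.append({"user": m.group("user"), "verb": m.group("verb"),
                        "resource": m.group("resource"), "group": m.group("group"),
                        "scope": scope})
    return denials

def required_rules(denials, informer=True):
    """Collapse denials into {(scope, user): {(apiGroup, resource): [verbs]}}.
    A client-go informer lists, then watches; when list is denied the watch denial never
    surfaces, so informer=True grants 'watch' beside every denied 'list' up front."""
    rules = defaultdict(lambda: defaultdict(set))
    for d in denials:
        verbs = rules[(d["scope"], d["user"])][(d["group"], d["resource"])]
        verbs.add(d["verb"])
        if informer and d["verb"] == "list":
            verbs.add("watch")
    return {k: {r: sorted(v) for r, v in rs.items()} for k, rs in rules.items()}

def render_rules(rules, scope, user):
    """Render one subject's rules as the 'rules:' block of a Role or ClusterRole."""
    lines = ["rules:"]
    for (group, resource), verbs in sorted(rules[(scope, user)].items()):
        verb_list = ", ".join('"%s"' % v for v in verbs)
        lines += ['  - apiGroups: ["%s"]' % group, '    resources: ["%s"]' % resource,
                  "    verbs: [%s]" % verb_list]
    return "\n".join(lines)
```

Running render_rules(required_rules(parse_denials(SAMPLE_LOG)), "cluster", "system:serviceaccount:argo:argo-workflows-server") yields a single serviceaccounts rule with list and watch, which is exactly the gap the linked ClusterRole shows; the unparsed secrets line still has to be checked by hand.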
Adding the
rbac:
  enabled: true
shown above solved this for me.
@tculp Adding
rbac:
  enabled: true
is throwing another error:
pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:argo:demo-argo-workflows-server" cannot list resource "secrets" in API group "" at the cluster scope
@tiwarisanjay I assume you are also using the secretWhitelist parameter, because this is when I encountered this issue.
Enabling RBAC broke the Argo Workflows UI for some reason. The way I solved it is I disabled RBAC explicitly:
sso:
  rbac:
    enabled: false
The chart version I used was 0.16.8.
@BonySmoke Right, I fixed the same way just forgot to comment back :)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.