
[argo-workflow] Enabling sso causes failed deployment

Open gitarns opened this issue 2 years ago • 6 comments

Describe the bug

When adding:

    server:
      extraArgs:
        - --auth-mode=sso

in the values.yaml, argo-workflow-server pod fails to start with the following logs:

    W0505 11:39:26.251274 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:argo:argo-workflows-server" cannot list resource "serviceaccounts" in API group "" at the cluster scope
    E0505 11:39:26.251325 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.ServiceAccount: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:argo:argo-workflows-server" cannot list resource "serviceaccounts" in API group "" at the cluster scope
    E0505 11:39:26.274728 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.Secret: unknown (get secrets)

Related helm chart

argo-workflows

To Reproduce

Add the following lines to values.yaml:

    server:
      extraArgs:
        - --auth-mode=sso

Install via helm

Expected behavior

argo-workflow-server is SSO enabled and starts.

Screenshots

No response

Additional context

Chart version: 0.14.1. This is working with chart 0.13.1.

gitarns avatar May 05 '22 11:05 gitarns

I think you need to add these as well to values, aside from adding the flag

sso: {}
    ## All the values are required. SSO is activated by adding --auth-mode=sso
    ## to the server command line.
    #
    ## The root URL of the OIDC identity provider.
    # issuer: https://accounts.google.com
    ## Name of a secret and a key in it to retrieve the app OIDC client ID from.
    # clientId:
    #   name: argo-server-sso
    #   key: client-id
    ## Name of a secret and a key in it to retrieve the app OIDC client secret from.
    # clientSecret:
    #   name: argo-server-sso
    #   key: client-secret
    ## The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
    # redirectUrl: https://argo/oauth2/callback
    # rbac:
    #   enabled: true
    ## When present, restricts secrets the server can read to a given list.
    ## You can use it to restrict the server to only be able to access the
    ## service account token secrets that are associated with service accounts
    ## used for authorization.
    #   secretWhitelist: []
    ## Scopes requested from the SSO ID provider.  The 'groups' scope requests
    ## group membership information, which is usually used for authorization
    ## decisions.
    # scopes:
    # - groups

see here: https://github.com/argoproj/argo-helm/blob/master/charts/argo-workflows/templates/server/server-cluster-roles.yaml#L49

tuananh avatar May 06 '22 07:05 tuananh

I'm experiencing the same thing; it doesn't seem like there's a rule which enables watching serviceaccounts: https://github.com/argoproj/argo-helm/blob/master/charts/argo-workflows/templates/server/server-cluster-roles.yaml#L53 there's only get and list.

aerfio avatar May 06 '22 11:05 aerfio

Adding the rbac: enabled: true shown above solved this for me

tculp avatar May 11 '22 20:05 tculp

@tculp Adding rbac: enabled: true is throwing another error:

    pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:argo:demo-argo-workflows-server" cannot list resource "secrets" in API group "" at the cluster scope

tiwarisanjay avatar Jun 06 '22 18:06 tiwarisanjay
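The denials quoted in this thread all follow the apiserver's standard RBAC "forbidden" message, so the missing verbs can be read straight out of the server logs instead of guessed at. The script below is an added example, not code from argo-helm or Argo Workflows: it parses klog lines of that shape, expands a denied `list` from a reflector into `list` plus `watch` (an informer always lists and then watches, so fixing only the first verb produces the next failure), diffs the result against a set of granted rules, and renders the gap as a `rules:` fragment. The sample log lines are constructed from the ones quoted above; the `GRANTED_RULES` table is an assumption for the example (the thread states the server ClusterRole has `get` and `list` but not `watch` on serviceaccounts; the `secrets` entry is invented), and the real chart should be read for the actual rules.

```python
"""Derive the RBAC verbs a Kubernetes subject is missing from 'forbidden' log lines."""
import re
from collections import defaultdict

# Constructed sample lines, modelled on the klog output quoted in this issue.
SAMPLE_LOGS = [
    'W0505 11:39:26.251274 1 reflector.go:324] tools/cache/reflector.go:167: '
    'failed to list *v1.ServiceAccount: serviceaccounts is forbidden: '
    'User "system:serviceaccount:argo:argo-workflows-server" cannot list resource '
    '"serviceaccounts" in API group "" at the cluster scope',
    'E0505 11:39:26.274728 1 reflector.go:138] tools/cache/reflector.go:167: '
    'Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: '
    'User "system:serviceaccount:argo:demo-argo-workflows-server" cannot list resource '
    '"secrets" in API group "" at the cluster scope',
    'I0505 11:39:27.000000 1 main.go:10] unrelated informational line',
]

# Hypothetical rules already granted to the server, keyed by (apiGroup, resource).
# This is an assumption for the example, not the chart's actual ClusterRole.
GRANTED_RULES = {
    ("", "serviceaccounts"): {"get", "list"},
    ("", "secrets"): {"get"},
}

# The apiserver's RBAC denial message has a fixed shape; capture its fields.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?P<scope>at the cluster scope|in the namespace "[^"]+")'
)


def parse_forbidden(line):
    """Return the fields of one RBAC denial, or None if the line is not a denial."""
    match = FORBIDDEN_RE.search(line)
    if not match:
        return None
    fields = match.groupdict()
    # A reflector lists first and then watches, so a denied list from a reflector
    # means watch will be denied next unless it is granted at the same time.
    fields["verbs"] = {fields["verb"], "watch"} if "reflector.go" in line else {fields["verb"]}
    fields["cluster_scope"] = fields["scope"] == "at the cluster scope"
    return fields


def required_verbs(lines):
    """Aggregate denials into (apiGroup, resource) -> verbs the subject needs."""
    needed = defaultdict(set)
    for line in lines:
        denial = parse_forbidden(line)
        if denial:
            needed[(denial["group"], denial["resource"])] |= denial["verbs"]
    return dict(needed)


def missing_verbs(required, granted):
    """Verbs required by the logs that the granted rules do not already cover."""
    missing = {}
    for key, verbs in required.items():
        gap = verbs - granted.get(key, set())
        if gap:
            missing[key] = gap
    return missing


def render_rules(missing):
    """Render the gaps as a YAML `rules:` fragment for a Role or ClusterRole."""
    out = ["rules:"]
    for (group, resource), verbs in sorted(missing.items()):
        out.append('  - apiGroups: ["%s"]' % group)
        out.append('    resources: ["%s"]' % resource)
        out.append("    verbs: [%s]" % ", ".join(sorted(verbs)))
    return "\n".join(out)


if __name__ == "__main__":
    required = required_verbs(SAMPLE_LOGS)
    print(render_rules(missing_verbs(required, GRANTED_RULES)))
```

A denial "at the cluster scope" means the client is listing across all namespaces, so the verbs have to be granted through a ClusterRole bound with a ClusterRoleBinding; a namespaced Role will not clear it. Using the parsed gap rather than broad wildcard verbs keeps the server's service account at the minimum it actually needs.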

@tiwarisanjay I assume you are also using the secretWhitelist parameter because this is when I encountered this issue.

Enabling RBAC broke the Argo Workflows UI for some reason. The way I solved it is I disabled RBAC explicitly:

sso:
  rbac:
    enabled: false

The chart version I used was 0.16.8.

BonySmoke avatar Aug 04 '22 12:08 BonySmoke

@BonySmoke Right, I fixed the same way just forgot to comment back :)

tiwarisanjay avatar Aug 05 '22 00:08 tiwarisanjay

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Oct 04 '22 03:10 github-actions[bot]