
Dedicated dex for argo-workflows in argocd-style

Open ghost opened this issue 3 years ago • 7 comments

Summary

Make argo-workflows sso independent from argocd dex

What change needs making? Perhaps argo-workflows should have its own deployment of dex, since one may want to run both argocd and workflows on different clusters.

Use Cases

Running smaller infra, you likely won't have a dedicated cluster for your tools. Argocd on the production cluster and argo-workflows on the development cluster can be considered a common pattern in such a case.

Details

Argocd's own implementation of sso (e.g. Github) seems much more straightforward than using dex from another application. As far as I understand, argocd dex is embedded into argocd or at least provides some redirect. I am running AWS ALB in front of Argocd (with grpc working), but I can't specify a healthcheck per ingress path like that:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/load-balancer-name: argo-workflows
    alb.ingress.kubernetes.io/inbound-cidrs:
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/ip-address-type: ipv4
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/conditions.argo-server-grpc: |
      [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}]
    alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-FS-1-2-Res-2020-10"
    alb.ingress.kubernetes.io/certificate-arn: 
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    # applies to any path within the ingress, breaks grpc!
    # alb.ingress.kubernetes.io/healthcheck-path: "/healthz"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '10'
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '8'
    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
  labels:
    app.kubernetes.io/component: ingress
    app.kubernetes.io/name: argo-server
    app.kubernetes.io/part-of: argo
  name: argo-server
spec:
  rules:
  - host: argo-workflows.example.com
    http:
      paths:
      - backend:
          service:
            name: argo-server-grpc
            port:
              number: 2746
        pathType: ImplementationSpecific
      - backend:
          service:
            name: argo-server
            port:
              number: 2746
        pathType: ImplementationSpecific
      - backend:
          service:
            name: argo-workflows-dex-server
            port:
              number: 5556
        path: /api/dex
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - argo-workflows.example.com

I don't know the magic behind argocd dex and github integration, yet it seems much more straightforward to me. It mitigates the problem of the healthcheck path on alb very well. I believe you may be willing to call it an 'edge case', yet the architecture of the Argo stack is modular, while having argo-workflows dependent on argocd-dex seems to be going quite the opposite way.

PS. Thank you for amazing software!


Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

ghost • Jan 24 '22 17:01

The lack of Dex is intentional. There is no coupling between workflows and Dex (unlike Argo CD). You don't need Dex for many OAuth2 providers. If you do, you need to configure Dex for it.

alexec • Jan 28 '22 23:01

What is the right way of configuring Github integration then?

ghost • Jan 30 '22 08:01

For Github, use Dex.

https://github.com/argoproj/argoproj-deployments/tree/master/dex

alexec • Jan 31 '22 15:01

@alexec Is there any documentation on using dex without argocd, just for argo workflow for your github? The most important part is config.yaml, which is missing in the above repo. Could you please help us with an example?

@barektui Have you solved the same?

tiwarisanjay • May 12 '22 19:05

No. You can look at this:

https://github.com/argoproj/argoproj-deployments

alexec • May 12 '22 19:05

@alexec Just to update: the Microsoft connector for OIDC does not work directly with argo workflow. I believe only keycloak and okta work for the same. Any future plan for the support?

tiwarisanjay • May 12 '22 21:05

@alexec I have solved this one by using standalone dex without argocd dex:

https://youtu.be/4HTFGlAEqJg
https://medium.com/@tiwarisan/argo-workflow-dex-integration-without-argocd-dex-844a017ad558

tiwarisanjay • Jul 23 '22 23:07
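A sketch of the standalone setup this thread asks about: a Dex `config.yaml` with a GitHub connector plus the matching Argo Workflows `sso` block. It is an added example, not taken from any participant's post or from the Argo project's manifests. The host, `/api/dex` path and port 5556 come from the Ingress above; the `argo` namespace, the `argo-workflows-dex` ConfigMap name, the `argo-workflows-sso` Secret, the environment variable names, `example-org` and plain HTTP on the Dex listener are assumptions.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argo-workflows-dex              # hypothetical name, mounted into the Dex pod
  namespace: argo                       # assumed namespace
data:
  config.yaml: |
    issuer: https://argo-workflows.example.com/api/dex   # must equal sso.issuer below
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556                # assumed; use web.https + tlsCert/tlsKey for an HTTPS backend
    connectors:
    - type: github
      id: github
      name: GitHub
      config:
        clientID: $GITHUB_CLIENT_ID     # injected from a Secret as env vars, never inlined
        clientSecret: $GITHUB_CLIENT_SECRET
        redirectURI: https://argo-workflows.example.com/api/dex/callback
        orgs:
        - name: example-org             # placeholder; only members of this org can log in
    staticClients:
    - id: argo-workflows-sso            # must equal the client-id value in the Secret below
      name: Argo Workflows
      secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
      redirectURIs:
      - https://argo-workflows.example.com/oauth2/callback   # exact match, no wildcards
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap   # read by argo-server as well as the controller
  namespace: argo
data:
  sso: |
    issuer: https://argo-workflows.example.com/api/dex
    clientId:
      name: argo-workflows-sso          # Secret name (assumed)
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: https://argo-workflows.example.com/oauth2/callback
    scopes:
    - groups
    rbac:
      enabled: true
```

The `sso` block only takes effect when argo-server runs with `--auth-mode=sso`. With `rbac.enabled: true`, each login is mapped to a ServiceAccount through its `workflows.argoproj.io/rbac-rule` annotation.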

> No. You can look at this:
>
> https://github.com/argoproj/argoproj-deployments

@alexec Does it mean that now we can provide a configmap in the same format as what we did for argocd? Do we have to provide the configmap somewhere to the server deployment, or is argo-workflow pre-configured to use a configmap with that name?

JunaidChaudry • Jan 19 '23 20:01