Dashboard - Authentication

[sanzenwin]

Sign in dashboard with token.

Refer to: https://github.com/argoproj/argo-workflows/issues/1813

[oleksandr-shkovyra]

There should be the same SSO and RBAC possibilities as you already implemented at other products. @alexec - probably you can help.

[alexec]

Interesting. SSO+RBAC was very time consuming to implement in Argo Workflows. I would not approach it the same way again. I would use Gin if I started again from scratch:

https://developer.okta.com/blog/2021/02/17/building-and-securing-a-go-and-gin-web-application

[oleksandr-shkovyra]

hi, @alexec thank you for the replay! ArgoCD becomes quite popular in our time because it brings new possibilities and solves many old-known problems. I believe that with the possibilities for secure login you can improve the customer journey for argo-rollouts! It is a super useful tool and taking into account that you guys already implemented this functionality for another product I believe, that this time it would be less painful and time-consuming. Hope you would have a chance to implement this request.

[csantanapr]

Not having dashboard authentication when installed on the cluster is major blocker for customers using rollouts in production clusters Really looking forward on this enhancement

[rarecrumb]

@alexec any update here? Seems like it should be easy to put dex or something similar in front of this?

[AnhQKatalon]

@alexec Do you have any update or roadmap for this? Really like the Rollouts dashboard, but I cannot public it to the outside because of lacking authentication

Currently, I am using the promote function of ArgoCD as a workaround

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity.

[kaiquerass]

@alexec Do you have any update or roadmap for this? Really like the Rollouts dashboard, but I cannot public it to the outside because of lacking authentication

Currently, I am using the promote function of ArgoCD as a workaround

same thing here

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity.

[RickFoland]

I'm also very interested in this. It is possible to use http auth through an ingress controller as a way to put some kind of authentication in front of the dashboard, but having auth built into the dashboard would be way better.

[qxmips]

+

[guna-zluri]

Not having dashboard authentication when installed on the cluster is major blocker for customers using rollouts in production clusters Really looking forward on this enhancement

same thing here

[cyr1z]

I'm also very interested in this.

[NixAlexB]

I would like to get this feature as well

[david6983]

I would be very interested in this feature as well, why argo workflows UI has it ? cannot we just copy the code from argo workflows into the rollouts to have the same SSO mechanism ?

If I need to contribute I would be glad to help but copying the code from argo workflows, not sure if it's a good PR.

[viv-ng]

I'm also very interested in this. Found various threads about this feature request.

@alexmt suggested to use argo-rollout-extension to embed rollout dashboard into Argo CD and re-use Argo CD's sso + multi tenancy feature. [source] Sounds like someone ran into issue about missing 'rollback' button from the dashboard with that approach (as of 4/26/23).

However, my team is not using Argo CD and wonder if there would be an Argo Rollout only solution without having to bring in Argo CD.

@david6983: Did you end up creating a MR for re-using the Workflows sso code in Rollouts?

@alexec: You mentioned that it was very time consuming to implement sso+rbac in Argo Workflows. But do you see any problem of reusing that code in Rollouts?

[ggolub]

Add me as an interested party. We're about to start using rollouts for canary deployments but can't expose the dashboard until there is some way to limit to authorized users.

[NITHIN-JOHN-GEORGE]

Any updates on this?

[kostis-codefresh]

For all the people that have upvoted this, could you please explain what exactly is the end goal here?

Would you like to see

• Authentication for securing the dashboard?
• RBAC so that you can define teams/groups and say that this team has only access to that rollout and so on?
• Both?
• Something else?

If it is just authentication for a production environment, the dashboard is just a standard Kubernetes application. You can secure it like any other Kubernetes application using an ingress, service mesh, gateway or auth mechanism. Or the issue is that we are missing documentation on how to do that?

[ggolub]

For my part, I'd want RBAC so we can control who has access to the dashboard. We only want approved people able to restart/rollback rollouts.

[NITHIN-JOHN-GEORGE]

Both . Only approved people for rollback and centralised access to rollout dashboard like we can expose argocd via ingress / direct integration in argocd itself without a need of extension.

[NITHIN-JOHN-GEORGE]

currently we authenticate argocd via google sso , need same setup for rollout dasboard also so can provide granular permission.

[cilindrox]

RBAC is the key piece missing here. As mentioned, it's straightforward to put the GUI behind something like oauth-proxy etc. Issue then becomes anyone that's authenticated "has sudo" over deployments. So our use case requires RBAC to assign team and individual permissions so the dash becomes read-only, can only start rollouts but not stop/delete them etc.

[psibi]

Same here: RBAC to give different access control to different groups.

[david6983]

Hello, Argo community,

I have been looking at the comments on this issue for some days and decided to try working on it.

First of all, before implementing anything, I made a quick study to check what we could do to implement the RBAC system.

You will find below my notes. I am looking forward to some reviews first.

What are the resources in Argo Rollout to protect?

• A rollout
  • get —> Which rollout do we allow a role to see
  • update container image —> action/argoproj.io/v1alpha1/Rollout/updatecontainer
  • delete (No ability in the UI because if we want to delete it, it is in the cluster)
• Rollout actions
  • restart —> action/argoproj.io/v1alpha1/Rollout/restart
  • retry —> action/argoproj.io/v1alpha1/Rollout/retry
  • abort —> action/argoproj.io/v1alpha1/Rollout/abort
  • promote —> action/argoproj.io/v1alpha1/Rollout/promote
  • promotefull —> action/argoproj.io/v1alpha1/Rollout/promotefull

ADR: How to authenticate the users?

• Option 1: Only SSO using DEX
  • Good, because it follows the other argo products (Argo CD and Argo Workflow)
  • Good, because it is easier to implement
  • Good, because it is more secure
  • Bad, because if the IDP is down, we cannot use the UI
• Option 2: SSO using DEX + Username / Password form
  • Good, because it follows the other argo products (Argo CD and Argo Workflow)
  • Good, because if the IDP is down, we can use the UI as an admin
  • Bad, because it adds complexity to the UI to implement username/password login form

Login page for Argo Rollout

• We can take the one from Argo CD and change the title to “Let’s rollout some stuff”
• The Login button will use the name of the provider from the DEX configuration
• If No SSO provider is set up —> Do we allow users to log in using a username/password form?

How to define roles in Argo Rollout

We could implement the same roles based on Argo CD with 2 built-in policies

• role:readonly - read-only access to all resources
• role:admin - unrestricted access to all resources

Ability to create custom roles using policies based on the same mechanism of Argo CD (Configmap)

policy.tester-overlay.csv: |
    p, role:tester, rollouts, action/argoproj.io/v1alpha1/Rollout/promote, my-app-namespace/*, allow
    p, role:tester, rollouts, get, my-app-namespace/*, allow
    g, my-org:team-qa, role:tester

On the UI, if no access —> we disable the buttons or the input boxes

[bojanraic]

@kostis-codefresh +1 for both.

[david6983]

I think we could split this issue into 2 issues / PRs:

• The implementation of the Authentication based on the ADR
• The implementation of the RBACs

[bojanraic]

I haven't looked at Argo workflows in a long time, but I seem to recall it supports authentication via ArgoCD's dex. It would be ideal to not have to reinvent the wheel with rollouts. It'd be super if all 3 major Argo (CD, rollouts, workflows) tools worked the same way when it comes to authentication and RBAC.

[david6983]

I agree @bojanraic, That's why I suggested implementing the same type of authentication as Argo CD. However, we should be able to log in using SSO without installing Argo CD.

[NITHIN-JOHN-GEORGE]

Hi @david6983 when can we expect this to be released? Much waiting feature.

[david6983]

Hello @NITHIN-JOHN-GEORGE , will try my best to do it within next 2 months

[Sn0rt]

@david6983 hi man, are you still working on this ? I need this feature too. I want help you to do this . Can we copy similar logic from argocd first and then iterate it, so that we can use it quickly?

[david6983]

Hello @Sn0rt, yes working on it since last week. I will follow the same logic like argo workflow.

So far I almost finish to edit the server to add SSO. I am working on the RBAC server and then I will do UI.

I will open a draft PR soon.

I will update later this week 💪

[rbrendler]

Nice to see some movement on this finally! Thanks for picking it up.

Love Argo Rollouts, but lack of RBAC is blocking us releasing the dashboard internally. We also really need finer-grained control over actions-- it would be helpful to be able to promote/abort/retry and see to analysis results without allowing changing the container image.

[NiniiGit]

can't wait to have this feature soon! my use case: Our team want to control and audit who can "promote" the rollout promotion

[NITHIN-JOHN-GEORGE]

+1 , most awaiting one.

On Sun, 7 Jul 2024, 1:38 pm Ninad, @.***> wrote:

can't wait to have this feature soon! my use case: Our team want to control and audit who can "promote" the rollout promotion

— Reply to this email directly, view it on GitHub https://github.com/argoproj/argo-rollouts/issues/1323#issuecomment-2212363745, or unsubscribe https://github.com/notifications/unsubscribe-auth/AW47KSPJA6OBTEYMYQPHQIDZLDZQ3AVCNFSM47X2JS5KU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMRRGIZTMMZXGQ2Q . You are receiving this because you were mentioned.Message ID: @.***>

[david6983]

@NiniiGit will take this in consideration to see if it fits in the rbac model.

Please allow me some time guys 💪

[AFMiziara]

can't wait to have this feature soon! my use case: Our team want to control and audit who can "promote" the rollout promotion

Same here at our company. Auditing users and controlling promotion via RBAC would be really interesting.

[FerFabbiano]

Hi everyone! Any updates on this? Is there anything i can do to help? Thanks in advance...

Hello @Sn0rt, yes working on it since last week. I will follow the same logic like argo workflow.

So far I almost finish to edit the server to add SSO. I am working on the RBAC server and then I will do UI.

I will open a draft PR soon.

I will update later this week 💪

[talits]

Hi everyone! Any updates on this? Is there anything i can do to help? Thanks in advance...

Hello @Sn0rt, yes working on it since last week. I will follow the same logic like argo workflow. So far I almost finish to edit the server to add SSO. I am working on the RBAC server and then I will do UI. I will open a draft PR soon. I will update later this week 💪

+1

[david6983]

Hello I started to draft a PR: https://github.com/argoproj/argo-rollouts/pull/3867

I am currently stuck with Webpack, I put the link to the discussion on Slack in the PR description.

I started to add the SSO authentication in the server, then when I was trying to build the UI without modification, I got stuck on compilation. It's been a few weeks I am trying to solve the issue!

I will try to detail more the issue with the UI.