Open sanzenwin opened 3 years ago
There should be the same SSO and RBAC possibilities as you already implemented at other products. @alexec - probably you can help.
Interesting. SSO+RBAC was very time consuming to implement in Argo Workflows. I would not approach it the same way again. I would use Gin if I started again from scratch:
https://developer.okta.com/blog/2021/02/17/building-and-securing-a-go-and-gin-web-application
hi, @alexec thank you for the reply! ArgoCD becomes quite popular in our time because it brings new possibilities and solves many old-known problems. I believe that with the possibilities for secure login you can improve the customer journey for argo-rollouts! It is a super useful tool and taking into account that you guys already implemented this functionality for another product I believe that this time it would be less painful and time-consuming. Hope you would have a chance to implement this request.
Not having dashboard authentication when installed on the cluster is a major blocker for customers using rollouts in production clusters. Really looking forward to this enhancement.
@alexec any update here? Seems like it should be easy to put dex or something similar in front of this?
@alexec Do you have any update or roadmap for this? Really like the Rollouts dashboard, but I cannot publish it to the outside because of lacking authentication.
Currently, I am using the promote function of ArgoCD as a workaround.
This issue is stale because it has been open 60 days with no activity.
> @alexec Do you have any update or roadmap for this? Really like the Rollouts dashboard, but I cannot publish it to the outside because of lacking authentication.
> Currently, I am using the promote function of ArgoCD as a workaround.
same thing here
This issue is stale because it has been open 60 days with no activity.
I'm also very interested in this. It is possible to use http auth through an ingress controller as a way to put some kind of authentication in front of the dashboard, but having auth built into the dashboard would be way better.
+
> Not having dashboard authentication when installed on the cluster is a major blocker for customers using rollouts in production clusters. Really looking forward to this enhancement.
same thing here
I'm also very interested in this.
I would like to get this feature as well
I would be very interested in this feature as well. Why does the Argo Workflows UI have it? Can't we just copy the code from Argo Workflows into Rollouts to have the same SSO mechanism?
If I need to contribute I would be glad to help, but copying the code from Argo Workflows, not sure if it's a good PR.
I'm also very interested in this. Found various threads about this feature request.
@alexmt suggested using argo-rollout-extension to embed the rollout dashboard into Argo CD and re-use Argo CD's SSO + multi-tenancy feature. [source] Sounds like someone ran into an issue about a missing 'rollback' button from the dashboard with that approach (as of 4/26/23).
However, my team is not using Argo CD and wonder if there would be an Argo Rollout only solution without having to bring in Argo CD.
@david6983: Did you end up creating a MR for re-using the Workflows sso code in Rollouts?
@alexec: You mentioned that it was very time consuming to implement sso+rbac in Argo Workflows. But do you see any problem of reusing that code in Rollouts?
Add me as an interested party. We're about to start using rollouts for canary deployments but can't expose the dashboard until there is some way to limit to authorized users.
Any updates on this?
For all the people that have upvoted this, could you please explain what exactly is the end goal here?
Would you like to see
If it is just authentication for a production environment, the dashboard is just a standard Kubernetes application. You can secure it like any other Kubernetes application using an ingress, service mesh, gateway or auth mechanism. Or the issue is that we are missing documentation on how to do that?
For my part, I'd want RBAC so we can control who has access to the dashboard. We only want approved people able to restart/rollback rollouts.
Both. Only approved people for rollback and centralised access to rollout dashboard like we can expose argocd via ingress / direct integration in argocd itself without a need of extension.
Currently we authenticate argocd via Google SSO, need same setup for rollout dashboard also so can provide granular permission.
RBAC is the key piece missing here. As mentioned, it's straightforward to put the GUI behind something like oauth-proxy etc. Issue then becomes anyone that's authenticated "has sudo" over deployments. So our use case requires RBAC to assign team and individual permissions so the dash becomes read-only, can only start rollouts but not stop/delete them etc.
Same here: RBAC to give different access control to different groups.
Hello, Argo community,
I have been looking at the comments on this issue for some days and decided to try working on it.
First of all, before implementing anything, I made a quick study to check what we could do to implement the RBAC system.
You will find below my notes. I am looking forward to some reviews first.
rollout
action/argoproj.io/v1alpha1/Rollout/updatecontainer
actions
action/argoproj.io/v1alpha1/Rollout/restart
action/argoproj.io/v1alpha1/Rollout/retry
action/argoproj.io/v1alpha1/Rollout/abort
action/argoproj.io/v1alpha1/Rollout/promote
action/argoproj.io/v1alpha1/Rollout/promotefull
We could implement the same roles based on Argo CD with 2 built-in policies
role:readonly - read-only access to all resources
role:admin - unrestricted access to all resources
Ability to create custom roles using policies based on the same mechanism of Argo CD (Configmap)
policy.tester-overlay.csv: |
p, role:tester, rollouts, action/argoproj.io/v1alpha1/Rollout/promote, my-app-namespace/*, allow
p, role:tester, rollouts, get, my-app-namespace/*, allow
g, my-org:team-qa, role:tester
On the UI, if no access —> we disable the buttons or the input boxes
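Added example, not part of the comment above or of the Argo Rollouts code base: a minimal Go evaluator for the proposed policy format, showing what a member of `my-org:team-qa` could and could not do under the sample policy. The default-deny and deny-overrides semantics, the `path.Match` globbing and the third `p` line (a deny) are assumptions made for illustration; Argo CD itself evaluates policies of this shape with Casbin.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Policy sample from the notes above; the deny line is constructed for illustration.
const policyCSV = `
p, role:tester, rollouts, action/argoproj.io/v1alpha1/Rollout/promote, my-app-namespace/*, allow
p, role:tester, rollouts, get, my-app-namespace/*, allow
p, role:tester, rollouts, get, my-app-namespace/payments, deny
g, my-org:team-qa, role:tester
`

// Allowed applies assumed semantics: default deny, explicit deny wins, one level
// of g mapping. Patterns use path.Match, so "*" does not cross a "/".
func Allowed(csv string, groups []string, res, act, obj string) bool {
	subjects := map[string]bool{}
	for _, g := range groups {
		subjects[g] = true
	}
	var rules [][]string
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Fields(strings.ReplaceAll(line, ",", " "))
		if len(f) == 6 && f[0] == "p" {
			rules = append(rules, f[1:]) // subject, resource, action, object, effect
		} else if len(f) == 3 && f[0] == "g" && subjects[f[1]] {
			subjects[f[2]] = true // the SSO group inherits the role
		}
	}
	allowed := false
	for _, r := range rules {
		actOK, _ := path.Match(r[2], act)
		objOK, _ := path.Match(r[3], obj)
		if !subjects[r[0]] || r[1] != res || !actOK || !objOK {
			continue // rule does not apply; malformed patterns never match
		}
		if r[4] != "allow" {
			return false // deny (or an unknown effect) overrides any allow
		}
		allowed = true
	}
	return allowed
}

func main() {
	fmt.Println(Allowed(policyCSV, []string{"my-org:team-qa"}, "rollouts", "get", "my-app-namespace/web"))
}
```

Under these semantics an authenticated user with no matching `g` line gets nothing, which addresses the "anyone that's authenticated has sudo" concern raised earlier in the thread.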
@kostis-codefresh +1 for both.
I think we could split this issue into 2 issues / PRs:
I haven't looked at Argo workflows in a long time, but I seem to recall it supports authentication via ArgoCD's dex. It would be ideal to not have to reinvent the wheel with rollouts. It'd be super if all 3 major Argo (CD, rollouts, workflows) tools worked the same way when it comes to authentication and RBAC.
I agree @bojanraic, That's why I suggested implementing the same type of authentication as Argo CD. However, we should be able to log in using SSO without installing Argo CD.
Hi @david6983 when can we expect this to be released? Much waiting feature.
Hello @NITHIN-JOHN-GEORGE , will try my best to do it within next 2 months
@david6983 hi man, are you still working on this? I need this feature too. I want to help you do this. Can we copy similar logic from argocd first and then iterate on it, so that we can use it quickly?
Hello @Sn0rt, yes, working on it since last week. I will follow the same logic as Argo Workflows.
So far I have almost finished editing the server to add SSO. I am working on the RBAC server and then I will do the UI.
I will open a draft PR soon.
I will update later this week 💪
Nice to see some movement on this finally! Thanks for picking it up.
Love Argo Rollouts, but lack of RBAC is blocking us releasing the dashboard internally. We also really need finer-grained control over actions-- it would be helpful to be able to promote/abort/retry and see analysis results without allowing changing the container image.
can't wait to have this feature soon! my use case: Our team want to control and audit who can "promote" the rollout promotion
+1 , most awaiting one.
@NiniiGit will take this in consideration to see if it fits in the rbac model.
Please allow me some time guys 💪
> can't wait to have this feature soon! my use case: Our team want to control and audit who can "promote" the rollout promotion
Same here at our company. Auditing users and controlling promotion via RBAC would be really interesting.
Hi everyone! Any updates on this? Is there anything I can do to help? Thanks in advance...
+1
Hello I started to draft a PR: https://github.com/argoproj/argo-rollouts/pull/3867
I am currently stuck with Webpack, I put the link to the discussion on Slack in the PR description.
I started to add the SSO authentication in the server, then when I was trying to build the UI without modification, I got stuck on compilation. It's been a few weeks I am trying to solve the issue!
I will try to detail more the issue with the UI.
Sign in dashboard with token.
Refer to: https://github.com/argoproj/argo-workflows/issues/1813