Support persistent configuration of argo-server auth-mode via configmap

[yonirab]

Summary

It should be possible to configure the auth-mode for argo-server once, and not have to worry about it every time we change Argo version.

Motivation

Currently the auth-mode for argo-server is determined by command line arguments set in the argo-server deployment manifest. If the deployment manifest is patched to support a different auth-mode, and then Argo version is upgraded / modified using one of the standard install manifests, the patch to the deployment manifest is lost, and needs to be re-applied. This is especially problematic for anyone who has exposed the argo-server, since the default auth-mode provides no security.

Proposal

Support configuration of auth-mode via configmap parameters, which (if present) should override auth-mode set via command line arguments to argo-server (which can be preserved for backwards compatibility).

---

Message from the maintainers:

If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.

[alexec]

We use kustomize to patch the manifests and set the auth-mode appropriately.

[ChristianCiach]

Patching with Kustomize is not a really nice solution, either. You cannot use a strategic-merge patch to add container args; you can only replace the whole args array from the base. If the base adds new default-args, overlays won't see them.

You can use JSON6902 patches to add elements to the 'args' array, but these patches come with their own pitfalls.

I agree that the auth-mode should be configurable by using a ConfigMap or just by setting an environment variable.

[agilgur5]

or just by setting an environment variable.

All CLI flags have equivalent env vars already

[ChristianCiach]

All CLI flags have equivalent env vars already

That doesn't seem to be true. I even searched the source code for an env var for --auth-mode and couldn't find one. Setting the auth-mode was by far the most challenging part of deploying Argo-Workflows via Kustomize.

[agilgur5]

I even searched the source code for an env var for --auth-mode and couldn't find one.

CLI flags to env vars is done automatically, so you're not going to find an explicit env var.

That doesn't seem to be true

It's also used in multiple places in the dev env

[ChristianCiach]

CLI flags to env vars is done automatically, so you're not going to find an explicit env var.

Thank you, I didn't see that! If this works (which I assume it will), then this is probably also good enough for @yonirab, because you can easily use ConfigMaps to populate environment variables.