bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/argo-workflows] chart with sso doesn't work #13547

Closed maufranchini closed 1 year ago

maufranchini commented 1 year ago

Name and Version

bitnami/argo-workflows 3.4.3

What steps will reproduce the bug?

Install the chart with sso, following the convention pointed out in the documentation.

Are you using any custom parameters or values?

server:
  auth:
    mode: sso
    sso:
      enabled: true #This line causes an issue
      issuer: "https://accounts.google.com"
      clientId:
        name: argo-sso
        key: endpoint
      clientSecret:
        name: argo-sso
        key: secret
      redirectUrl: "https://argo-workflows.example.com/oauth2/callback"

What is the expected behavior?

argo-workflows should be installed with sso

What do you see instead?

time="2022-11-14T15:24:43.449Z" level=info authModes="[sso]" baseHRef=/ managedNamespace= namespace=argo secure=false ssoNamespace=argo
time="2022-11-14T15:24:43.449Z" level=warning msg="You are running in insecure mode. Learn how to enable transport layer security: https://argoproj.github.io/argo-workflows/tls/"
Error: error unmarshaling JSON: while decoding JSON: json: unknown field "enabled"
Usage:
  argo server [flags]

Additional information

Looks like server.auth.sso.enabled is not being parsed correctly. If I comment it out, it complains: Error: issuer empty (because no configmap is in place?)

rafariossaa commented 1 year ago

Hi, which chart version are you running? I tried to reproduce it using chart version 4.0.1 by using:

$ cat user.yaml

auth:
    mode: sso
    sso:
      enabled: true
      issuer: "https://accounts.google.com"
      clientId:
        name: argo-sso
        key: endpoint
      clientSecret:
        name: argo-sso
        key: secret
      redirectUrl: "https://argo-workflows.example.com/oauth2/callback"

$ helm install myargo -f values.yaml -f p1.yaml .

And I am not getting that message in the pod logs. Maybe I am missing something.

maufranchini commented 1 year ago

Hi @rafariossaa! Thanks for taking care. I've just tried again, with the same result:

Chart: argo-workflows-4.1.0

NAME            NAMESPACE   REVISION    UPDATED                                 STATUS          CHART                   APP VERSION
argo-workflows  argo        1           2022-11-17 09:46:30.674979 +0100 CET    pending-install argo-workflows-4.1.0    3.4.3

argo-workflows-server pod log:

time="2022-11-17T08:50:22.677Z" level=info msg="not enabling pprof debug endpoints"
time="2022-11-17T08:50:22.677Z" level=info authModes="[sso]" baseHRef=/ managedNamespace= namespace=argo secure=false ssoNamespace=argo
time="2022-11-17T08:50:22.677Z" level=warning msg="You are running in insecure mode. Learn how to enable transport layer security: https://argoproj.github.io/argo-workflows/tls/"
Error: error unmarshaling JSON: while decoding JSON: json: unknown field "enabled"
Usage:
  argo server [flags]

Examples:

See https://argoproj.github.io/argo-workflows/argo-server/

Flags:
      --access-control-allow-origin string   Set Access-Control-Allow-Origin header in HTTP responses.
      --allowed-link-protocol stringArray    Allowed link protocol in configMap. Used if the allowed configMap links protocol are different from http,https. Defaults to the environment variable ALLOWED_LINK_PROTOCOL (default [http,https])
      --api-rate-limit uint                  Set limit per IP for api ratelimiter (default 1000)
      --auth-mode stringArray                API server authentication mode. Any 1 or more length permutation of: client,server,sso (default [client])
      --basehref string                      Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. Defaults to the environment variable BASE_HREF. (default "/")
  -b, --browser                              enable automatic launching of the browser [local mode]
      --configmap string                     Name of K8s configmap to retrieve workflow controller configuration (default "workflow-controller-configmap")
      --event-async-dispatch                 dispatch event async
      --event-operation-queue-size int       how many events operations that can be queued at once (default 16)
      --event-worker-count int               how many event workers to run (default 4)
  -h, --help                                 help for server
      --hsts                                 Whether or not we should add a HTTP Secure Transport Security header. This only has effect if secure is enabled. (default true)
      --log-format string                    The formatter to use for logs. One of: text|json (default "text")
      --managed-namespace string             namespace that watches, default to the installation namespace
      --namespaced                           run as namespaced mode
  -p, --port int                             Port to listen on (default 2746)
      --x-frame-options string               Set X-Frame-Options header in HTTP responses. (default "DENY")

Global Flags:
      --argo-base-href string          An path to use with HTTP client (e.g. due to BASE_HREF). Defaults to the ARGO_BASE_HREF environment variable.
      --argo-http1                     If true, use the HTTP client. Defaults to the ARGO_HTTP1 environment variable.
  -s, --argo-server host:port          API server host:port. e.g. localhost:2746. Defaults to the ARGO_SERVER environment variable.
      --as string                      Username to impersonate for the operation
      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --as-uid string                  UID to impersonate for the operation
      --certificate-authority string   Path to a cert file for the certificate authority
      --client-certificate string      Path to a client certificate file for TLS
error unmarshaling JSON: while decoding JSON: json: unknown field "enabled"
      --client-key string              Path to a client key file for TLS
      --cluster string                 The name of the kubeconfig cluster to use
      --context string                 The name of the kubeconfig context to use
      --gloglevel int                  Set the glog logging level
  -H, --header strings                 Sets additional header to all requests made by Argo CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers) Used only when either ARGO_HTTP1 or --argo-http1 is set to true.
      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
  -k, --insecure-skip-verify           If true, the Argo Server's certificate will not be checked for validity. This will make your HTTPS connections insecure. Defaults to the ARGO_INSECURE_SKIP_VERIFY environment variable.
      --instanceid string              submit with a specific controller's instance id label. Default to the ARGO_INSTANCEID environment variable.
      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
      --loglevel string                Set the logging level. One of: debug|info|warn|error (default "info")
  -n, --namespace string               If present, the namespace scope for this CLI request
      --password string                Password for basic authentication to the API server
      --proxy-url string               If provided, this URL will be used to connect via proxy
      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
  -e, --secure                         Whether or not the server is using TLS with the Argo Server. Defaults to the ARGO_SECURE environment variable. (default true)
      --server string                  The address and port of the Kubernetes API server
      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
      --token string                   Bearer token for authentication to the API server
      --user string                    The name of the kubeconfig user to use
      --username string                Username for basic authentication to the API server
  -v, --verbose                        Enabled verbose logging, i.e. --loglevel debug

values.yaml

server:
  auth:
    mode: sso
    sso:
      enabled: true
      issuer: "https://accounts.google.com"
      clientId:
        name: argo-sso
        key: endpoint
      clientSecret:
        name: argo-sso
        key: endpoint
      redirectUrl: "https://argo-workflows.example.com/oauth2/callback"

Maybe I'm missing something as well?

maufranchini commented 1 year ago

@rafariossaa Hi! Sorry, bad formatting was hiding the first line of the values.yaml (which is server:). I've just edited the post. Would you mind trying again with that config?

rafariossaa commented 1 year ago

Hi @maufranchini, could you try the new version?

maufranchini commented 1 year ago

@rafariossaa Thanks for the fast support here! It works like a charm now. 🚀
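
Added example, not part of the thread and not Argo Workflows or Bitnami code: the message `json: unknown field "enabled"` is what Go's encoding/json returns when a decoder with DisallowUnknownFields meets a key that has no matching struct field, which is how a chart-level toggle copied into the server's sso block stops the server at startup. The `secretRef` and `ssoConfig` types, the `parseSSO` helper and its empty-issuer check are assumptions modelled on the keys and the two error messages quoted above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// secretRef and ssoConfig are hypothetical types modelled on the keys in this
// thread; they are not Argo Workflows' real configuration structs.
type secretRef struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}
type ssoConfig struct {
	Issuer       string    `json:"issuer"`
	ClientID     secretRef `json:"clientId"`
	ClientSecret secretRef `json:"clientSecret"`
	RedirectURL  string    `json:"redirectUrl"`
}

// parseSSO decodes strictly: a key with no matching struct field is an error,
// and a block without an issuer is rejected (assumed check, see lead-in).
func parseSSO(raw string) (*ssoConfig, error) {
	dec := json.NewDecoder(bytes.NewReader([]byte(raw)))
	dec.DisallowUnknownFields()
	var c ssoConfig
	if err := dec.Decode(&c); err != nil {
		return nil, err
	}
	if c.Issuer == "" {
		return nil, errors.New("issuer empty")
	}
	return &c, nil
}

// Constructed inputs: the sso block from the values in this thread, as JSON.
const clean = `{"issuer":"https://accounts.google.com",` +
	`"clientId":{"name":"argo-sso","key":"endpoint"},` +
	`"clientSecret":{"name":"argo-sso","key":"secret"},` +
	`"redirectUrl":"https://argo-workflows.example.com/oauth2/callback"}`
var withToggle = `{"enabled":true,` + clean[1:] // chart toggle leaked into the block

func main() {
	for _, in := range []string{withToggle, clean, `{}`} {
		_, err := parseSSO(in)
		fmt.Println(err)
	}
}
```

Running the same strict parse over the rendered configuration before rollout surfaces a leaked chart-only key as a failed check instead of a crash-looping server pod.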