akuity / kargo

Application lifecycle orchestration

Home Page: https://kargo.akuity.io/

Support for OIDC google groups

mcatany opened this issue · comments

Proposed Feature

Hi, we're trying to deploy Kargo with ArgoCD with the helm chart. We have successfully enabled SSO but now we face the problem of giving credentials for users at Google group level. We would like to do the same that we did with ArgoCD openid-connect-plus-google-groups-using-dex, but we don't find a way to add the volumes with the helm chart on the dex-server. Is this going to be available anyway soon?

We tried adding the volume manually in the dex-server deployment and the SSO worked perfectly with group levels.

Hi @mcatany!

I think this should already be achievable by setting these:

```yaml
## @param api.oidc.dex.env Add additional environment variables to Dex pods. This is convenient for cases where api.oidc.dex.connectors needs to reference environment variables from a Secret that is managed "out of band" with a secret management solution such as Sealed Secrets.
env: []
# - name: CLIENT_SECRET
#   valueFrom:
#     secretKeyRef:
#       name: github-dex
#       key: dex.github.clientSecret

connectors: []
# - id: mock
#   name: Example
#   type: mockCallback
## Google Example
# - id: google
#   name: Google
#   type: google
#   config:
#     clientID: <your client ID>
#     clientSecret: "$CLIENT_SECRET"
#     redirectURI: <http(s)>://<api.host>/dex/callback
## GitHub Example
# - id: github
#   name: GitHub
#   type: github
#   config:
#     clientID: <your client ID>
#     clientSecret: "$CLIENT_SECRET"
#     redirectURI: <http(s)>://<api.host>/dex/callback
```

Hi @krancour. Thanks for the quick response. I think from DEX documentation, it explicitly says that it cannot be used to achieve Groups claim.

One comment... Kargo isn't Argo... so just keep that in mind when looking at docs. ymmv

It seems what you're running into here is a limitation of the Google connector where it can't take 100% of its configuration directly from its own config.yaml (including env vars referenced therein).

So I see what your problem is now...

I would reframe this not as a request to support Google groups. Rather, I would frame this as a more generic feature for mounting arbitrary volumes to the Dex server -- in much the same way as we already permit creating arbitrary env vars on the Dex server.

That sounds perfectly doable. I'll open a new issue for that later today to replace this one and will leave this one open in the meantime.

Thanks,

Yes, it's absolutely about just having the freedom to add volumes like it's already done by env vars.

Thanks for the attention.

BR

Superseded by #1805
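
The manual workaround discussed in this thread, sketched as an added example (not part of the original thread and not the Kargo chart's own configuration): the Dex Google connector reads its service-account key from a file, so the Dex pod needs a volume carrying that file. The mount path, Secret name, Deployment and container names, and admin email are assumptions or placeholders; `serviceAccountFilePath` and `adminEmail` are Dex Google connector options.

```yaml
# Document 1: connector entry for api.oidc.dex.connectors (Kargo chart values).
- id: google
  name: Google
  type: google
  config:
    clientID: <your client ID>
    clientSecret: "$CLIENT_SECRET"        # injected through api.oidc.dex.env
    redirectURI: <http(s)>://<api.host>/dex/callback
    # The key is read from a file at this path, which is why env vars alone
    # are not enough and a volume is required.
    serviceAccountFilePath: /tmp/oidc/googleAuth.json   # assumed mount path
    adminEmail: admin@example.com                       # placeholder
---
# Document 2: strategic-merge patch applied by hand to the Dex Deployment.
# All resource names below are assumptions for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kargo-dex-server            # assumed Deployment name
spec:
  template:
    spec:
      containers:
        - name: dex-server          # assumed container name
          volumeMounts:
            - name: google-sa-key
              mountPath: /tmp/oidc  # must match serviceAccountFilePath's directory
              readOnly: true        # Dex only needs to read the key
      volumes:
        - name: google-sa-key
          secret:
            # Hypothetical Secret holding the key under "googleAuth.json";
            # manage it out of band (e.g. Sealed Secrets), not in chart values.
            secretName: dex-google-groups
            items:
              - key: googleAuth.json
                path: googleAuth.json
```

A hand-applied patch like this is overwritten on the next `helm upgrade`, which is the gap the requested volume support would close.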