feat: Adds SSO control via individual namespaces. Fixes #6916

[basanthjenuhb]

Approach

• SSO login generates a bearer token which contains all scopes required
• These claims are used to map to a rule for a serviceAccount in argo namespace based on rules and precedence
• Then we will do SSO auth with respect to a serviceAccount in the namespace for which request is originated
• Figure out the namespace from which the resource is requested
• Then, we again look at serviceaccounts in requested namespace to find a match based on rules and precedence
• Use the new service account to fulfil the operation

This is more of an impersonation approach from argo service account to user namespace service account

Notes

• Have verified all workflows with SSO login. (Workflow creation, listing, logs, artifacts, workflowtemplates etc)
• SSO delegation won't happen for ListCLusterWorkflowTemplate request as its not a namespaced request
• Need guidance on authorization mechanism for /metrics and how (and if we need) to delegate there
• This feature will be used if env variable SSO_DELEGATE_RBAC_TO_NAMESPACE is set to true and we install argo argo in cluster mode
• For namespaced install, this feature is not required

[codecov]

Codecov Report

Merging #6990 (dcc1992) into master (eec8b88) will increase coverage by 0.06%.
The diff coverage is 67.50%.

❗ Current head dcc1992 differs from pull request most recent head 74b95ef. Consider uploading reports for the commit 74b95ef to get more accurate results

@@            Coverage Diff             @@
##           master    #6990      +/-   ##
==========================================
+ Coverage   48.52%   48.59%   +0.06%     
==========================================
  Files         265      267       +2     
  Lines       19382    19365      -17     
==========================================
+ Hits         9406     9410       +4     
+ Misses       8922     8897      -25     
- Partials     1054     1058       +4     

Impacted Files	Coverage Δ
pkg/apiclient/argo-kube-client.go	0.00% <0.00%> (ø)
server/auth/authorizing_server_stream.go	0.00% <0.00%> (ø)
server/artifacts/artifact_server.go	65.18% <72.41%> (+0.52%)	⬆️
server/auth/gatekeeper.go	58.06% <80.95%> (+8.06%)	⬆️
server/utils/k8s_utils/cache.go	100.00% <100.00%> (ø)
cmd/argo/commands/server.go	32.16% <0.00%> (-1.91%)	⬇️
cmd/argoexec/commands/emissary.go	50.35% <0.00%> (-1.44%)	⬇️
workflow/util/pod_name.go	46.66% <0.00%> (-1.34%)	⬇️
workflow/validate/validate.go	76.70% <0.00%> (-0.62%)	⬇️
cmd/argo/commands/get.go	58.30% <0.00%> (-0.59%)	⬇️
... and 13 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update eec8b88...74b95ef. Read the comment docs.

[alexec]

some minor changes, but I think we are otherwise there

[basanthjenuhb]

@alexec Made suggested changes
Also, added another check.
This feature will not be invoked if we use argo in namespace mode.

[alexec]

I think you always want to use opts.managedNamespace?

[basanthjenuhb]

I thought about it.
Case 1

• Installed argo in cluster mode
• In this case, we need to look at service accounts of multiple namespaces
• So use NamespaceAll for this

Case 2

• Installed argo in namespace mode
• In this case, we need to see service accounts of installed namespace (typically argo)
• So use opt.Namespace for this

Case 3

• Installed argo in managed namespace mode
• So, in this case say, we use argo namespace for installation, and user-namespace for usage
• So, for login, I would still need to use service accounts of argo namespace
• Still use opt.Namespace for this

Since for case 2 and 3, we only need service accounts of a single namespace,
we will just use the installation namespace which is the namespace opt, and not managedNamespace opt

[alexec]

Case 1:

cacheNamespace == managedNamespace == "" == NamespaceAll
namespace == "argo"

Case 2:

cacheNamespace == managedNamespace == namespace == "argo"

Case 3:

managedNamespace == userNamespace
namespace == "argo"
cacheNamespace == ???

So it is case 3 that is odd. It should be whatever it is today, which I think is "argo", which seems wrong to me. I would actually think you'd want the user namespace. But history is history.

Lets make this overridable with config, so if we are wrong, then we can change out mind.

Maybe call it ssoNamespace?

[basanthjenuhb]

ok, we can use ssoNamespace
so for case 1 we will set ssoNamespace = NamespaceAll
For Case 2 and 3 we will set ssoNamespace = namespace (typically argo)
Will make these changes

[basanthjenuhb]

@alexec Can you please tag this PR with hacktoberfest label

[basanthjenuhb]

@alexec
Added sso-namespace config to be passed from command line

• Default sso-namespace to installation-namespace it cluster install
• Default sso-namespace to installation-namespace if not specified in namespaced mode
• sso-namespace should equal to installation-namespaceormanaged-namespace`

[alexec]

Try syncing with master to fix builds.