From cf6223d8f21e1cfb49492c6b5aeca40752ee2787 Mon Sep 17 00:00:00 2001
From: Mason Malone <651224+MasonM@users.noreply.github.com>
Date: Mon, 14 Oct 2024 17:05:19 -0700
Subject: [PATCH] build: support TLS for UI and Server with `make start` (#13674)
Signed-off-by: Mason Malone
Signed-off-by: Mason Malone <651224+MasonM@users.noreply.github.com>
---
 .devcontainer/devcontainer.json | 24 ++++++++++++++++++++
 Makefile | 11 +++++++--
 dev/nix/conf.nix | 6 ++++-
 docs/running-locally.md | 21 ++++++++++++++++++
 hack/update-sso-redirect-url.sh | 8 +++++++
 manifests/quick-start/sso/dex/dex-cm.yaml | 1 +
 ui/src/app/webpack.config.js | 27 ++++++++++++-----------
 7 files changed, 82 insertions(+), 16 deletions(-)
 create mode 100755 hack/update-sso-redirect-url.sh
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index f073bfb4df1f..a36d736e8358 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -29,5 +29,29 @@
 "remoteEnv": {
 "PATH": "${containerEnv:PATH}:/home/vscode/go/bin",
 "GOPATH": "/home/vscode/go"
+ },
+ "customizations": {
+ "vscode": {
+ "settings": {
+ "launch": {
+ "configurations": [
+ {
+ "name": "Attach to argo server",
+ "type": "go",
+ "request": "attach",
+ "mode": "local",
+ "processId": "argo"
+ },
+ {
+ "name": "Attach to workflow controller",
+ "type": "go",
+ "request": "attach",
+ "mode": "local",
+ "processId": "workflow-controller"
+ }
+ ]
+ }
+ }
+ }
 }
 }
diff --git a/Makefile b/Makefile
index f3acdfd3c550..9abf36c6b114 100644
--- a/Makefile
+++ b/Makefile
@@ -50,12 +50,16 @@ endif
 PROFILE ?= minimal
 KUBE_NAMESPACE ?= argo # namespace where Kubernetes resources/RBAC will be installed
 PLUGINS ?= $(shell [ $PROFILE = plugins ] && echo false || echo true)
-UI ?= false # start the UI
+UI ?= false # start the UI with HTTP
+UI_SECURE ?= false # start the UI with HTTPS
 API ?= $(UI) # start the Argo Server
 TASKS := controller
 ifeq ($(API),true)
 TASKS := controller server
 endif
+ifeq ($(UI_SECURE),true)
+TASKS := controller server ui
+endif
 ifeq ($(UI),true)
 TASKS := controller server ui
 endif
@@ -486,6 +490,9 @@ ifeq ($(RUN_MODE),kubernetes)
 kubectl -n $(KUBE_NAMESPACE) scale deploy/workflow-controller --replicas 1
 kubectl -n $(KUBE_NAMESPACE) scale deploy/argo-server --replicas 1
 endif
+ifeq ($(UI_SECURE)$(PROFILE),truesso)
+ KUBE_NAMESPACE=$(KUBE_NAMESPACE) ./hack/update-sso-redirect-url.sh
+endif
 
 .PHONY: argosay
 argosay:
@@ -563,7 +570,7 @@ endif
 grep '127.0.0.1.*postgres' /etc/hosts
 grep '127.0.0.1.*mysql' /etc/hosts
 ifeq ($(RUN_MODE),local)
- env DEFAULT_REQUEUE_TIME=$(DEFAULT_REQUEUE_TIME) ARGO_SECURE=$(SECURE) ALWAYS_OFFLOAD_NODE_STATUS=$(ALWAYS_OFFLOAD_NODE_STATUS) ARGO_LOGLEVEL=$(LOG_LEVEL) UPPERIO_DB_DEBUG=$(UPPERIO_DB_DEBUG) ARGO_AUTH_MODE=$(AUTH_MODE) ARGO_NAMESPACED=$(NAMESPACED) ARGO_NAMESPACE=$(KUBE_NAMESPACE) ARGO_MANAGED_NAMESPACE=$(MANAGED_NAMESPACE) ARGO_EXECUTOR_PLUGINS=$(PLUGINS) ARGO_POD_STATUS_CAPTURE_FINALIZER=$(POD_STATUS_CAPTURE_FINALIZER) PROFILE=$(PROFILE) kit $(TASKS)
+ env DEFAULT_REQUEUE_TIME=$(DEFAULT_REQUEUE_TIME) ARGO_SECURE=$(SECURE) ALWAYS_OFFLOAD_NODE_STATUS=$(ALWAYS_OFFLOAD_NODE_STATUS) ARGO_LOGLEVEL=$(LOG_LEVEL) UPPERIO_DB_DEBUG=$(UPPERIO_DB_DEBUG) ARGO_AUTH_MODE=$(AUTH_MODE) ARGO_NAMESPACED=$(NAMESPACED) ARGO_NAMESPACE=$(KUBE_NAMESPACE) ARGO_MANAGED_NAMESPACE=$(MANAGED_NAMESPACE) ARGO_EXECUTOR_PLUGINS=$(PLUGINS) ARGO_POD_STATUS_CAPTURE_FINALIZER=$(POD_STATUS_CAPTURE_FINALIZER) ARGO_UI_SECURE=$(UI_SECURE) PROFILE=$(PROFILE) kit $(TASKS)
 endif
 
 .PHONY: wait
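Review bot: The condition `ifeq ($(UI_SECURE)$(PROFILE),truesso)` in the second Makefile hunk tests two variables by gluing their values together, which is fragile. GNU make keeps the whitespace before an inline comment, so the default from `UI_SECURE ?= false # start the UI with HTTPS` in the first hunk has a trailing space, and the concatenated form only matches when the value is supplied without one (for example on the command line). Nesting the tests, `ifeq ($(strip $(UI_SECURE)),true)` around `ifeq ($(PROFILE),sso)`, states the intent directly and keeps working if the default is ever changed. The recipe this block belongs to starts outside the hunk.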
diff --git a/dev/nix/conf.nix b/dev/nix/conf.nix
index 68ca78dff0aa..1850eb2d0f22 100644
--- a/dev/nix/conf.nix
+++ b/dev/nix/conf.nix
@@ -24,6 +24,7 @@ rec {
 LOGS = "true"; # same as CTRL - not acted upon
 UI = "true"; # same as CTRL
 API = "true"; # same as CTRL
+ UI_SECURE = "false";
 PLUGINS = "false";
 };
 controller = {
@@ -50,7 +51,10 @@ rec {
 args = "--loglevel ${env.LOG_LEVEL} server --namespaced=${env.NAMESPACED} --auth-mode ${env.AUTH_MODE} --secure=${env.SECURE} --x-frame-options=SAMEORIGIN";
 };
 ui = {
- env = { };
+ env = {
+ ARGO_UI_SECURE = "${env.UI_SECURE}";
+ ARGO_SECURE = "${env.SECURE}";
+ };
 args = "--cwd ui start";
 };
 }
diff --git a/docs/running-locally.md b/docs/running-locally.md
index 8e5c53ced90d..2aa3fec83511 100644
--- a/docs/running-locally.md
+++ b/docs/running-locally.md
@@ -154,6 +154,21 @@ To test SSO integration, use `PROFILE=sso`:
 make start UI=true PROFILE=sso
 ```
 
+## TLS
+
+By default, `make start` will start Argo in [plain text mode](tls.md#plain-text).
+To simulate a TLS proxy in front of Argo, use `UI_SECURE=true` (which implies `UI=true`):
+
+```bash
+make start UI_SECURE=true
+```
+
+To start Argo in [encrypted mode](tls.md#encrypted), use `SECURE=true`, which can be optionally combined with `UI_SECURE=true`:
+
+```bash
+make start SECURE=true UI_SECURE=true
+```
+
 ### Running E2E tests locally
 
 Start up Argo Workflows using the following:
@@ -206,6 +221,12 @@ Tests often fail: that's good. To diagnose failure:
 
 If tests run slowly or time out, factory reset your Kubernetes cluster.
 
+### Debugging using Visual Studio Code
+
+When using the Dev Container with VSCode, use the `Attach to argo server` and/or `Attach to workflow controller` launch configurations to attach to the `argo` or `workflow-controller` processes, respectively.
+
+This will allow you to start a debug session, where you can inspect variables and set breakpoints.
+
 ## Committing
 
 Before you commit code and raise a PR, always run:
diff --git a/hack/update-sso-redirect-url.sh b/hack/update-sso-redirect-url.sh
new file mode 100755
index 000000000000..dece268307d5
--- /dev/null
+++ b/hack/update-sso-redirect-url.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+# Rewrite the SSO redirect URL to use HTTPS to support "make start PROFILE=sso UI_SECURE=true".
+# Can't use "kubectl patch" because the SSO config is a YAML string.
+kubectl -n "${KUBE_NAMESPACE}" get configmap workflow-controller-configmap -o yaml | \
+ sed 's@redirectUrl: http://localhost:8080/oauth2/callback@redirectUrl: https://localhost:8080/oauth2/callback@' | \
+ kubectl apply -n "${KUBE_NAMESPACE}" -f -
\ No newline at end of file
diff --git a/manifests/quick-start/sso/dex/dex-cm.yaml b/manifests/quick-start/sso/dex/dex-cm.yaml
index a99d186a28c2..689db0affb90 100644
--- a/manifests/quick-start/sso/dex/dex-cm.yaml
+++ b/manifests/quick-start/sso/dex/dex-cm.yaml
@@ -20,6 +20,7 @@ data:
 redirectURIs:
 - http://localhost:2746/oauth2/callback
 - http://localhost:8080/oauth2/callback
+ - https://localhost:8080/oauth2/callback
 name: Argo Server
 secret: ZXhhbXBsZS1hcHAtc2VjcmV0
 connectors:
diff --git a/ui/src/app/webpack.config.js b/ui/src/app/webpack.config.js
index b2bb70d6973c..39ae90f9346b 100644
--- a/ui/src/app/webpack.config.js
+++ b/ui/src/app/webpack.config.js
@@ -7,10 +7,11 @@ const HtmlWebpackPlugin = require('html-webpack-plugin');
 const webpack = require('webpack');
 
 const isProd = process.env.NODE_ENV === 'production';
-const proxyConf = {
- target: isProd ? '' : 'http://localhost:2746',
- secure: false
-};
+let proxyTarget = '';
+if (!isProd) {
+ const isSecure = process.env.ARGO_SECURE === 'true';
+ proxyTarget = `${isSecure ? 'https' : 'http'}://localhost:2746`;
+}
 
 console.log(`Bundling for ${isProd ? 'production' : 'development'}...`);
 
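Review bot: `hack/update-sso-redirect-url.sh` cannot tell whether its `sed` substitution matched anything. If the `redirectUrl` stored in `workflow-controller-configmap` ever differs from the hard-coded `http://localhost:8080/oauth2/callback`, the pipeline re-applies the ConfigMap unchanged and exits 0, and the problem only surfaces later as a redirect mismatch during SSO login. Capturing the rewritten YAML and checking for the HTTPS URL before `kubectl apply` turns that into an immediate, explained failure; a ConfigMap that already holds the HTTPS URL still passes the check.

```shell
# … unchanged: shebang, set -eu -o pipefail, explanatory comments …
rewritten="$(kubectl -n "${KUBE_NAMESPACE}" get configmap workflow-controller-configmap -o yaml | \
  sed 's@redirectUrl: http://localhost:8080/oauth2/callback@redirectUrl: https://localhost:8080/oauth2/callback@')"
if ! grep -q 'redirectUrl: https://localhost:8080/oauth2/callback' <<<"${rewritten}"; then
  echo "redirectUrl not found in workflow-controller-configmap; SSO config left unchanged" >&2
  exit 1
fi
kubectl apply -n "${KUBE_NAMESPACE}" -f - <<<"${rewritten}"
```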
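Review bot: The `redirectURIs` allow-list in `dex-cm.yaml` now holds three localhost callbacks with nothing recording which start mode needs which entry, and it sits directly above a hard-coded client `secret`. A comment on the new entry, for example `# used by "make start PROFILE=sso UI_SECURE=true"; local development only`, would document why the HTTPS variant exists and mark the block as not meant for a real deployment. The surrounding Dex client definition starts outside the hunk.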
@@ -99,6 +100,7 @@ const config = {
 ],
 
 devServer: {
+ server: process.env.ARGO_UI_SECURE === 'true' ? 'https' : 'http',
 // this needs to be disabled to allow EventSource to work
 compress: false,
 historyApiFallback: {
@@ -107,15 +109,14 @@ const config = {
 headers: {
 'X-Frame-Options': 'SAMEORIGIN'
 },
- proxy: {
- '/api/v1': proxyConf,
- '/artifact-files': proxyConf,
- '/artifacts': proxyConf,
- '/input-artifacts': proxyConf,
- '/artifacts-by-uid': proxyConf,
- '/input-artifacts-by-uid': proxyConf,
- '/oauth2': proxyConf
- }
+ proxy: [
+ {
+ context: ['/api/v1', '/artifact-files', '/artifacts', '/input-artifacts', '/artifacts-by-uid', '/input-artifacts-by-uid', '/oauth2'],
+ target: proxyTarget,
+ secure: false,
+ xfwd: true // add x-forwarded-* headers to simulate real-world reverse proxy servers
+ }
+ ]
 }
 };
 
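Review bot: `secure: false` in the new `proxy` entry (second webpack hunk on this line) carries more weight than before and has no comment explaining it. With `ARGO_SECURE=true` the target becomes `https://localhost:2746`, and this option makes the dev-server proxy accept the upstream certificate without verifying it. That is presumably needed for a locally started Argo Server with a self-signed certificate, but unlike `xfwd` beside it the line gives no reason. Adding one, such as `secure: false, // dev only: the local Argo Server certificate is self-signed, so upstream TLS verification is skipped`, would keep the setting from being copied into a proxy that fronts a real server. The `devServer` object opens in the previous hunk and the `config` object starts outside both.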