feat(server): allow SSO ServiceAccount to override UI default namespace #16097

Open: trollkarlen wants to merge 1 commit into argoproj:main from trollkarlen:default-ns-pr

@trollkarlen

Adds a 'workflows.argoproj.io/default-namespace' annotation, read from the matched SSO-mapping ServiceAccount in gatekeeper. When set, its value replaces ServiceAccountNamespace in the claims returned via /api/v1/userinfo, so the UI lands the user in their tenant namespace instead of the install namespace. Opt-in; absent annotation preserves prior behavior.

Fixes

So the default namespace can be a user scoped NS and not install NS

Motivation

For multi tenancy with one server and oauth and dynamic provisioning

Modifications

Verification

Added tests

Documentation

Added docs

AI

yes, opencode

@trollkarlen force-pushed the default-ns-pr branch 3 times, most recently from ba667c2 to f584d76 (May 19, 2026 23:16)
@trollkarlen requested review from a team as code owners (May 28, 2026 21:26)
…espace

Adds a `workflows.argoproj.io/default-namespace` annotation, read from the
matched SSO-mapping ServiceAccount in gatekeeper. When set, its value
replaces ServiceAccountNamespace in the claims returned via
/api/v1/userinfo, so the UI lands the user in their tenant namespace
instead of the install namespace. Opt-in; absent annotation preserves
prior behavior.

Also fixes three UI gaps that prevented the annotation from taking
effect on a freshly logged-in SSO user:

1. `getCurrentNamespace()` used `??` to fall back from
   `current_namespace`, which preserves empty string. A user who
   ever loaded the all-namespaces view persisted
   `current_namespace = ""` to localStorage, shadowing both the
   new SA-annotation default and the legacy SA-namespace default.
   Switch to `||` so empty string falls through.

2. `WorkflowsList` initialized its local namespace state from
   `getNamespace(match.params.namespace) || ""`, which only honors
   managedNamespace and ignores the userNamespace seeded by
   app-router from `/userinfo`. After the OAuth redirect to bare
   `/workflows`, this left the page on namespace="" and a 403.
   Add `getCurrentNamespace()` to the fallback chain.

3. `ClusterWorkflowTemplateDetails` fired the same bare
   `services.workflows.list('')` to populate the "workflows that
   reference this template" panel. Empty namespace means
   "list across all namespaces" server-side, which only cluster-admin
   principals are allowed, so every visit to a CWT details page
   returned a permission-denied for tenant SSO users. Use the same
   `getNamespaceWithDefault()` fallback chain
   (current → userNamespace → managedNamespace → 'default') so the
   panel works for tenant users; only cluster-admins lose
   cross-namespace visibility on this one panel (they still have
   it via the main Workflows list).

Signed-off-by: Robert Marklund <robbelibobban@gmail.com>
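
The `??` versus `||` behaviour and the fallback chain that the commit message above describes, as an added example that is not part of this PR or the Argo Workflows code base. The function names, the Map-backed stand-in for localStorage, the denial check and the `team-a`/`team-b`/`argo` namespaces are all constructed for illustration.

```javascript
// Added illustration; not code from the Argo Workflows repository.
// A Map stands in for the browser's localStorage (constructed sample state).
function makeStore(entries) {
    const m = new Map(Object.entries(entries));
    return {getItem: k => (m.has(k) ? m.get(k) : null)};
}

// Pre-fix behaviour from item 1: `??` only skips null/undefined,
// so a persisted "" is returned as the current namespace.
function currentNamespaceNullish(store, userNamespace) {
    return store.getItem('current_namespace') ?? userNamespace;
}

// Post-fix behaviour: `||` also skips "", so the /userinfo default applies.
function currentNamespaceFalsy(store, userNamespace) {
    return store.getItem('current_namespace') || userNamespace;
}

// Fallback chain from item 3: current -> userNamespace -> managedNamespace -> 'default'.
function namespaceWithDefault(store, userNamespace, managedNamespace) {
    return currentNamespaceFalsy(store, userNamespace) || managedNamespace || 'default';
}

// Model of the server rule stated in item 3 (an assumption, not server code):
// "" means "list across all namespaces", allowed only for cluster-admins.
function listIsDenied(namespace, isClusterAdmin) {
    return namespace === '' && !isClusterAdmin;
}

// Constructed scenarios: which namespace a list request would carry.
function scenarios() {
    const visitedAllNamespaces = makeStore({current_namespace: ''});
    const freshBrowser = makeStore({});
    const pinned = makeStore({current_namespace: 'team-b'});
    return {
        staleEmptyBefore: currentNamespaceNullish(visitedAllNamespaces, 'team-a'),
        staleEmptyAfter: currentNamespaceFalsy(visitedAllNamespaces, 'team-a'),
        freshBefore: currentNamespaceNullish(freshBrowser, 'team-a'),
        explicitChoiceKept: currentNamespaceFalsy(pinned, 'team-a'),
        noSsoManaged: namespaceWithDefault(freshBrowser, undefined, 'argo'),
        nothingSet: namespaceWithDefault(visitedAllNamespaces, undefined, undefined)
    };
}

console.log(scenarios());
```

The `staleEmptyBefore` case is the one that produces the 403 for a tenant user: the stored empty string wins over the SSO-derived namespace and the request goes out cluster-wide.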
@trollkarlen

Author

Please review this

@trollkarlen

trollkarlen commented May 29, 2026

Author

I think the failing test is a test env failure(s).

@tico24 tico24 left a comment

Member

Only reviewed the docs here, since that is the part I am codeowner of (docs/, .features/). I have not looked at the Go server changes, the UI changes, or .spelling.

Comment thread docs/argo-server-sso.md

### Per-user default UI namespace

By default, the Argo UI's "current namespace" is initialized from the matched

Member

The docs guidelines ask for one sentence per line of markdown, and MD013 (line length) is off in this repo, so there is no need to hard-wrap. The rest of this file already does it, e.g. the As of Kubernetes v1.24... lines just above. Mind reflowing this new section to one sentence per line? Keeps the diff clean when someone later edits a single sentence.
