feat: Allow multiple extenal URLs for SSO access

[tjamet]

With #4780, were introduced security measures to ensure the return_url is pointing to the current ArgoCD instance.

In several occasions, an ArgoCD isntance could be exposed through multiple network connections. Internal addresses and restricted public addresses.

Currently, a single base URL can be configured in the the argocd configmap, preventing from exposing ArgoCD on several access paths.

This change allows to define multiple hosts on which ArgoCD can be exposed, keeping backward compatibility by adding a field additionalUrls accepting a list of additional URLS on which argoCD can be exposed

Fixes #5388

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.

Please see Contribution FAQs if you have questions about your pull-request.

[codecov]

Codecov Report

Attention: Patch coverage is 32.55814% with 29 lines in your changes missing coverage. Please review.

Project coverage is 49.88%. Comparing base (696e6e8) to head (18b08d5).
Report is 1506 commits behind head on master.

Files with missing lines	Patch %	Lines
util/settings/settings.go	7.14%	24 Missing and 2 partials ⚠️
server/logout/logout.go	25.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #14208      +/-   ##
==========================================
- Coverage   49.89%   49.88%   -0.01%     
==========================================
  Files         263      263              
  Lines       45219    45254      +35     
==========================================
+ Hits        22563    22577      +14     
- Misses      20439    20460      +21     
  Partials     2217     2217              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[tjamet]

Alternatively, we can make the configuration field be URLs instead of additionalURLs and deprecate URL.
Happy to go both paths as you tell me

[csantanapr]

This is very useful PR @tjamet 👍

[huynhsontung]

+1 for using urls and deprecating url

[trc-ikeskin]

Any progress on this PR. We could really use this feature.
@tjamet can I somehow support with this PR?

[tjamet]

Hi!
I have tested this feature internally and it worked for us, I added a few fixes for log-out recently though.
It's great to see interest in this feature.
Maybe, I can push the images on my own docker hub account for you to give feedback on the feature?
Would you be interested in this?

I will post a reminder in the CNCF slack in a few days.
Here is a thread where I referenced this PR, maybe we can also use it?

[tjamet]

@trc-ikeskin I have pushed a build of this branch on my github container registry, if you want to take a look and provide feedback:
https://github.com/tjamet/argo-cd/pkgs/container/argo-cd%2Fargocd/126159769?tag=2.9.0-1eb72892

It is built from tjamet/master that has an additional commit to allow this build

[BulatSaif]

Can we merge this, please?

[trc-ikeskin]

@BulatSaif I guess if you want to see progress on this one you will have to do some actual testing on the feature. Unfortunately we had to move on to other customers.

[avosepp]

How can I help test this functionality to help get it merged?

[tabathad]

Also eager to see this PR merged and ready to help with any additional testing or changes needed. Please let us know how we can help!

[agaudreault]

I think the feature should be documented in the ArgoCD https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/ documentation.

Is url deprecated? are urls valid on their own or only additional urls? Is this feature supported by all identity providers, or only by OIDC?

[agaudreault]

If only the url is necessary to find the config, pass only the URL instead of the whole request object.

Suggested change

	func (a *ClientApp) oauth2Config(r *http.Request, scopes []string) (*oauth2.Config, error) {
	func (a *ClientApp) oauth2Config(request *url.URL, scopes []string) (*oauth2.Config, error) {

[agaudreault]

The error message does not seem accurate

[agaudreault]

Is Dex using this new URLs setting? It seems unclear if Dex should be valid if there are only URLs configured.

[KojoRising]

+1, this would be super useful. Happy to help add some testing/documentation if needed.

[vinelias]

Any news on that?

[agaudreault]

As @tjamet does not seem active, @vinelias, @KojoRising, @avo-sepp, @tabathad you can fork @tjamet's work and submit a new PR with the require code changes, tests and answers for the questions above.

[ClifHouck]

@tjamet @vinelias @KojoRising @avo-sepp @tabathad: I'm going to marshal this across the finish line, if I can. New PR here: #18927

[agaudreault]

Closing in favor of #18927

[tjamet]

Sorry, I missed the latest updates and comments on this PR
Let me know if I can further help. I remain super interested in getting this change through