fix(server): Update argo-server crt/key owner

[dtaniwaki]

Checklist:

• My organization is added to USERS.md.

The self-signed key bundled in the argocli image cannot be used.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: argo-server
spec:
  selector:
    matchLabels:
      app: argo-server
  template:
    metadata:
      labels:
        app: argo-server
    spec:
      serviceAccountName: argo-server
      containers:
      - name: argo-server
        image: argoproj/argocli:v2.11.8
        securityContext:
          capabilities:
            drop:
              - ALL
        args:
        - server
        - --configmap
        - argo-server-cm
        - --auth-mode
        - sso
        - --secure
        ports:
        - name: web
          containerPort: 2746
        readinessProbe:
          httpGet:
            port: 2746
            scheme: HTTP
            path: /
          initialDelaySeconds: 10
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: { }
      securityContext:
        runAsUser: 8737 # argo UID
        runAsGroup: 8737 # argo UID
      nodeSelector:
        kubernetes.io/os: linux

Here's the log.

$ k logs argo-server-6dd9dc9cbd-8pqm8
time="2020-12-16T00:38:54Z" level=info authModes="[sso]" baseHRef=/ managedNamespace= namespace=argo secure=true
time="2020-12-16T00:38:54Z" level=fatal msg="open argo-server.key: permission denied"

[alexec]

We've not seen this problem, which is odd.

[alexec]

@dtaniwaki are you doubly sure this is a problem? How come we can execute argo if it is ?

[dtaniwaki]

I signed off the commit just 1 second before your approval, but the code change is the same.

[dtaniwaki]

Hmm... It's a problem in my company cluster which is very strict and force non-root. Let me try it in minikube just in case.

[dtaniwaki]

I found it's reproducible in my minikube. Maybe, you miss the security context and your pod is running as root?

[dtaniwaki]

However, I guess this change affects your currently working environment because the root user will not be able to read the argo-server.key.

[alexec]

v2.11 does not have runAsNonRoot:

https://github.com/argoproj/argo/blob/release-2.11/Dockerfile

[alexec]

v2.12 does, but this is not released yet.

[alexec]

@simster7 @sarabala1979 v2.12.0 Argo Server is unusable because the server cannot read its keys. I've just merged this PR, but we need v2.12.1.

[simster7]

@alexec Ill make a new release tonight