
Argo Workflows


Installation

wget https://github.com/argoproj/argo-workflows/releases/latest/download/argo-linux-amd64.gz \
&& gzip -d argo-linux-amd64.gz \
&& sudo mv argo-linux-amd64 /usr/local/bin/argo \
&& sudo chmod +x /usr/local/bin/argo
helm repo add argo https://argoproj.github.io/argo-helm \
&& helm repo update argo
mkdir -p workflow/argo/workflows/helm
helm search repo argo/argo-workflows -l | head -n 10
helm show values argo/argo-workflows \
--version 0.16.3 \
> workflow/argo/workflows/helm/values.yaml
helm upgrade argo-workflows argo/argo-workflows \
--install \
--version 0.16.3 \
-n workflow \
--values workflow/argo/workflows/helm/values.yaml

Service

Port forward

kubectl port-forward -n workflow service/argo-workflows-server 8006:2746

http://localhost:8006

VirtualService

workflow/argo/workflows/base/virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argo-workflows
  namespace: workflow
spec:
  hosts:
    - <host-url>
  gateways:
    - <gateway>
  http:
    - match:
        - uri:
            prefix: "/"
      route:
        - destination:
            host: argo-workflows-server.workflow.svc.cluster.local
            port:
              number: 2746

User

SSO-Dex with Argo CD

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: argo-workflows-sso
  namespace: workflow
data:
  # `echo -n argo-workflows-sso | base64`
  client-id: YXJnby13b3JrZmxvd3Mtc3Nv
  # `echo -n MY-SECRET-STRING-CAN-BE-UUID | base64`
  client-secret: TVktU0VDUkVULVNUUklORy1DQU4tQkUtVVVJRA==
EOF
workflow/argo/cd/helm/values.yaml
dex:
  env:
    - name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: argo-workflows-sso
          key: client-secret

server:
  config:
    dex.config: |
      staticClients:
        - id: argo-workflows-sso
          name: Argo Workflow
          redirectURIs:
            - <workflow-server-uri>/oauth2/callback
          secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
info

Dex can issue an ID token to a different client (the azp, authorized party) on behalf of the client the token is addressed to (the aud, audience). To allow this, add the id of the client that will act as azp to staticClients.trustedPeers: [] of the client that is the aud.
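The aud/azp relationship above is only safe if the relying party (here the Argo Workflows server, as the aud client) actually checks both claims. The following is an added example, not code from the page, from Argo or from Dex: a small claim checker that accepts a token only when it is addressed to our client and, if another client obtained it on our behalf (azp), that client is one of our configured trusted peers. The issuer URL, the peer client id `argo-cd`, and all token claims are hypothetical, and signature verification is assumed to have been done already.

```python
"""Added example, not from the page or from Dex: the aud/azp checks a relying
party should apply to an ID token when Dex cross-client trust
(staticClients.trustedPeers) is in use.

All values are constructed for illustration: the issuer URL, the trusted peer
client id and the token claims are hypothetical; signature verification is
assumed to have already happened.
"""

ISSUER = "https://argocd.example.com/api/dex"   # hypothetical Dex issuer URL
CLIENT_ID = "argo-workflows-sso"                # our own client id (from the manifests)
TRUSTED_PEERS = {"argo-cd"}                     # hypothetical peers allowed as azp


def accept_id_token_claims(claims, client_id=CLIENT_ID,
                           trusted_peers=TRUSTED_PEERS, issuer=ISSUER):
    """Return True only if the claims are acceptable for this client.

    - `iss` must be the Dex issuer we configured.
    - `aud` (string or list) must contain our own client id.
    - With more than one audience, `azp` is required (OIDC Core 3.1.3.7).
    - An `azp` other than ourselves means another client obtained the token
      on our behalf; that is only acceptable for configured trusted peers.
    """
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud:
        return False
    if len(aud) > 1 and "azp" not in claims:
        return False
    azp = claims.get("azp", client_id)
    return azp == client_id or azp in trusted_peers


def demo():
    """Constructed claim sets; returns a dict of case name -> decision."""
    direct = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice"}
    via_peer = {"iss": ISSUER, "aud": [CLIENT_ID], "azp": "argo-cd", "sub": "alice"}
    via_stranger = {"iss": ISSUER, "aud": [CLIENT_ID], "azp": "some-other-client", "sub": "alice"}
    other_audience = {"iss": ISSUER, "aud": "argo-cd", "azp": "argo-cd", "sub": "alice"}
    wrong_issuer = {"iss": "https://other.example.com/api/dex", "aud": CLIENT_ID, "sub": "alice"}
    return {
        "direct": accept_id_token_claims(direct),
        "via_peer": accept_id_token_claims(via_peer),
        "via_stranger": accept_id_token_claims(via_stranger),
        "other_audience": accept_id_token_claims(other_audience),
        "wrong_issuer": accept_id_token_claims(wrong_issuer),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} -> {'accept' if ok else 'reject'}")
```

Note that a token whose aud is the peer (the `other_audience` case) is rejected even though the peer is trusted: trust is one-directional, from the aud client toward the clients listed in its trustedPeers, not the other way round.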

workflow/argo/workflows/helm/values.yaml
server:
  extraArgs:
    - --auth-mode=sso
    - --auth-mode=client
    - --access-control-allow-origin=true

  # ConfigMap.data.sso |, name: workflow-controller-configmap
  sso:
    issuer: <argo-cd-server-uri>/api/dex
    sessionExpiry: 12h
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: <workflow-server-url>/oauth2/callback

OIDC

Keycloak

  • Client
    • Add a workflows client
      • Settings
        • Enabled: on
        • Client Protocol: openid-connect
        • Access Type: confidential
        • Valid Redirect URIs
          • <url>/auth/callback
      • Credentials
        • Client Authenticator: Client ID and Secret
        • Secret: <workflows-client-secret>
  • Client Scopes
    • Add a groups client scope
      • Settings
        • Protocol: openid-connect
        • Include in Token Scope: on
      • Mappers
        • Add a groups mapper
          • Mapper Type: Group Membership
          • Token Claim Name: groups
          • Full group path: off
  • Client
    • argo client
      • Client Scopes
        • Default Client scopes
          • Add groups
  • Groups
    • Add workflows-admin
    • Add workflows-dev
  • Users
    • Add a user
      • Email: <email>
      • Groups: <group>
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: argo-workflows-sso
  namespace: workflow
stringData:
  client-id: workflows
  client-secret: <workflow-client-secret>
EOF
workflow/argo/workflows/helm/values.yaml
server:
  extraArgs:
    - --auth-mode=sso
    - --auth-mode=client
    - --access-control-allow-origin=true

  # ConfigMap.data.sso |, name: workflow-controller-configmap
  sso:
    issuer: <keycloak-url>/auth/realms/<realm>
    sessionExpiry: 12h
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: <workflow-server-url>/oauth2/callback

RBAC

workflow/argo/workflows/helm/values.yaml
server:
  # ConfigMap.data.config: |, name: workflow-controller-configmap
  sso:
    # openid is added by default.
    scopes:
      - groups
      - email
      - profile
    rbac:
      enabled: true
workflow/argo/workflows/base/guest-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: guest-sa
  namespace: workflow
  annotations:
    workflows.argoproj.io/rbac-rule: "true"
    # So that this ServiceAccount acts as the guest (catch-all) account, give every
    # other ServiceAccount a precedence of 1 or higher.
    workflows.argoproj.io/rbac-rule-precedence: "0"
workflow/argo/workflows/base/admin-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-sa
  namespace: workflow
  annotations:
    # * `groups` - an array of the OIDC groups
    # * `iss` - the issuer ("argo-server")
    # * `sub` - the subject (typically the username)
    # https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md
    workflows.argoproj.io/rbac-rule: "'<group>' in groups"
    # A larger value means a higher priority.
    workflows.argoproj.io/rbac-rule-precedence: "1"
info

Create Roles and ClusterRoles that match the intended purpose and bind them to the ServiceAccount.
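To make the rule/precedence mechanism of the two manifests above concrete, here is an added example (not code from the page or from Argo Workflows) that models how a user's OIDC claims are mapped to a ServiceAccount: every ServiceAccount whose rbac-rule evaluates to true is a candidate, and the one with the highest rbac-rule-precedence wins, with the `true` rule at precedence 0 acting as the guest fallback. It also includes the check the guest-sa comment asks for: no non-catch-all ServiceAccount may sit at or below the catch-all's precedence, otherwise the guest account could shadow it. Only the small subset of the expr language used in the manifests is supported (`true`, `'<group>' in groups`, `sub == '...'`, `iss == '...'`, joined by `&&`/`||`); the ServiceAccount names, the group names `workflows-admin`/`workflows-dev` (from the Keycloak section) and the claims are constructed, and Argo's real evaluator and its tie-breaking are not reproduced.

```python
"""Added example, not from the page or from Argo: selecting a ServiceAccount
from SSO claims using workflows.argoproj.io/rbac-rule and
workflows.argoproj.io/rbac-rule-precedence annotations.

Only a small subset of the expr rule language is implemented here.  The
ServiceAccounts, group names and claims below are constructed for illustration.
"""
import re

RULE_KEY = "workflows.argoproj.io/rbac-rule"
PREC_KEY = "workflows.argoproj.io/rbac-rule-precedence"

# Constructed ServiceAccounts, mirroring guest-sa.yaml / admin-sa.yaml above,
# plus a hypothetical dev-sa for the workflows-dev group.
SERVICE_ACCOUNTS = [
    {"name": "guest-sa", "annotations": {RULE_KEY: "true", PREC_KEY: "0"}},
    {"name": "admin-sa", "annotations": {RULE_KEY: "'workflows-admin' in groups", PREC_KEY: "1"}},
    {"name": "dev-sa", "annotations": {RULE_KEY: "'workflows-dev' in groups", PREC_KEY: "1"}},
]

_IN_GROUPS = re.compile(r"^'([^']*)' in groups$")
_CLAIM_EQ = re.compile(r"^(sub|iss) == '([^']*)'$")


def eval_atom(atom, claims):
    """Evaluate one comparison of the supported rule subset; reject anything else."""
    if atom == "true":
        return True
    if atom == "false":
        return False
    m = _IN_GROUPS.match(atom)
    if m:
        return m.group(1) in claims.get("groups", [])
    m = _CLAIM_EQ.match(atom)
    if m:
        return claims.get(m.group(1)) == m.group(2)
    raise ValueError(f"unsupported rule syntax: {atom!r}")


def eval_rule(rule, claims):
    """Evaluate a flat rule: `&&` binds tighter than `||`, no parentheses."""
    for clause in rule.split("||"):
        if all(eval_atom(a.strip(), claims) for a in clause.split("&&")):
            return True
    return False


def select_service_account(claims, service_accounts=SERVICE_ACCOUNTS):
    """Return the matching ServiceAccount with the highest precedence, or None
    (no access) when no rule matches.  Ties keep the first one seen; real
    manifests should avoid ties rather than rely on any tie-breaking."""
    best = None
    for sa in service_accounts:
        ann = sa["annotations"]
        rule = ann.get(RULE_KEY)
        if rule is None or not eval_rule(rule, claims):
            continue
        prec = int(ann.get(PREC_KEY, "0"))
        if best is None or prec > best[0]:
            best = (prec, sa["name"])
    return None if best is None else best[1]


def precedence_misconfigs(service_accounts=SERVICE_ACCOUNTS):
    """Names of non-catch-all ServiceAccounts whose precedence is not strictly
    above every catch-all (`true`) rule: those can be shadowed by the guest SA."""
    catch_all = [int(sa["annotations"].get(PREC_KEY, "0"))
                 for sa in service_accounts if sa["annotations"].get(RULE_KEY) == "true"]
    if not catch_all:
        return []
    floor = max(catch_all)
    return [sa["name"] for sa in service_accounts
            if sa["annotations"].get(RULE_KEY) not in (None, "true")
            and int(sa["annotations"].get(PREC_KEY, "0")) <= floor]


if __name__ == "__main__":
    for groups in (["workflows-admin"], ["workflows-dev"], []):
        claims = {"iss": "argo-server", "sub": "alice", "groups": groups}
        print(groups, "->", select_service_account(claims))
    print("misconfigured:", precedence_misconfigs())
```

Running it as written maps an admin-group user to admin-sa, a dev-group user to dev-sa and a user with no groups to guest-sa, and reports no precedence problems; lowering admin-sa to precedence "0" makes `precedence_misconfigs()` flag it, which is exactly the situation the guest-sa comment warns about.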

Reference