Argo Workflows
Installation
wget https://github.com/argoproj/argo-workflows/releases/latest/download/argo-linux-amd64.gz \
&& gzip -d argo-linux-amd64.gz \
&& sudo mv argo-linux-amd64 /usr/local/bin/argo \
&& sudo chmod +x /usr/local/bin/argo
helm repo add argo https://argoproj.github.io/argo-helm \
&& helm repo update argo
mkdir -p workflow/argo/workflows/helm
helm search repo argo/argo-workflows -l | head -n 10
helm show values argo/argo-workflows \
--version 0.16.3 \
> workflow/argo/workflows/helm/values.yaml
helm upgrade argo-workflows argo/argo-workflows \
--install \
--version 0.16.3 \
-n workflow \
--values workflow/argo/workflows/helm/values.yaml
Service
Port forward
kubectl port-forward -n workflow service/argo-workflows-server 8006:2746
VirtualService
workflow/argo/workflows/base/virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argo-workflows
  namespace: workflow
spec:
  hosts:
    - <host-url>
  gateways:
    - <gateway>
  http:
    - match:
        - uri:
            prefix: "/"
      route:
        - destination:
            host: argo-workflows-server.workflow.svc.cluster.local
            port:
              number: 2746
User
SSO-Dex with Argo CD
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: argo-workflows-sso
  namespace: workflow
data:
  # `echo -n argo-workflows-sso | base64`
  client-id: YXJnby13b3JrZmxvd3Mtc3Nv
  # `echo -n MY-SECRET-STRING-CAN-BE-UUID | base64`
  client-secret: TVktU0VDUkVULVNUUklORy1DQU4tQkUtVVVJRA==
EOF
workflow/argo/cd/helm/values.yaml
dex:
  env:
    - name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: argo-workflows-sso
          key: client-secret
server:
  config:
    dex.config: |
      staticClients:
        - id: argo-workflows-sso
          name: Argo Workflow
          redirectURIs:
            - <workflow-server-uri>/oauth2/callback
          secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
info
Dex can let another client (the azp, authorized party) obtain ID tokens on behalf of a client (the aud, audience). To enable this, add the id of the client that should act as azp to that client's staticClients.trustedPeers: [] list.
workflow/argo/workflows/helm/values.yaml
server:
  extraArgs:
    - --auth-mode=sso
    - --auth-mode=client
    - --access-control-allow-origin=true
  # ConfigMap.data.sso |, name: workflow-controller-configmap
  sso:
    issuer: <argo-cd-server-uri>/api/dex
    sessionExpiry: 12h
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: <workflow-server-url>/oauth2/callback
OIDC
Keycloak
- Client
  - workflows (add a client)
    - Settings
      - Enabled: on
      - Client Protocol: openid-connect
      - Access Type: confidential
      - Valid Redirect URIs: <url>/auth/callback
    - Credentials
      - Client Authenticator: Client ID and Secret
      - Secret: <workflows-client-secret>
- Client Scopes
  - groups (add a client scope)
    - Settings
      - Protocol: openid-connect
      - Include in Token Scope: on
    - Mappers
      - groups (add a mapper)
        - Mapper Type: Group Membership
        - Token Claim Name: groups
        - Full group path: off
- Client
  - argo (existing client)
    - Client Scopes
      - Default Client Scopes: add groups
- Groups
  - workflows-admin (add)
  - workflows-dev (add)
- Users
  - Add a user
    - Email: <email>
    - Groups: <group>
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: argo-workflows-sso
  namespace: workflow
stringData:
  client-id: workflows
  client-secret: <workflow-client-secret>
EOF
workflow/argo/workflows/helm/values.yaml
server:
  extraArgs:
    - --auth-mode=sso
    - --auth-mode=client
    - --access-control-allow-origin=true
  # ConfigMap.data.sso |, name: workflow-controller-configmap
  sso:
    issuer: <keycloak-url>/auth/realms/<realm>
    sessionExpiry: 12h
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: <workflow-server-url>/oauth2/callback
RBAC
workflow/argo/workflows/helm/values.yaml
server:
  # ConfigMap.data.config: |, name: workflow-controller-configmap
  sso:
    # openid is added by default.
    scopes:
      - groups
      - email
      - profile
    rbac:
      enabled: true
workflow/argo/workflows/base/guest-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: guest-sa
  namespace: workflow
  annotations:
    workflows.argoproj.io/rbac-rule: "true"
    # Give every other ServiceAccount a precedence of 1 or higher so that
    # this one only acts as the guest fallback.
    workflows.argoproj.io/rbac-rule-precedence: "0"
workflow/argo/workflows/base/admin-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-sa
  namespace: workflow
  annotations:
    # * `groups` - an array of the OIDC groups
    # * `iss` - the issuer ("argo-server")
    # * `sub` - the subject (typically the username)
    # https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md
    workflows.argoproj.io/rbac-rule: "'<group>' in groups"
    # A larger value means higher priority.
    workflows.argoproj.io/rbac-rule-precedence: "1"
info
Create a Role or ClusterRole that matches the intended purpose of each ServiceAccount and bind it to that ServiceAccount.
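As an added example (not from these notes and not Argo's own code), the following Python script simulates how Argo Server maps the claims of an SSO ID token to a ServiceAccount through the `workflows.argoproj.io/rbac-rule` and `workflows.argoproj.io/rbac-rule-precedence` annotations shown above. Argo evaluates the rule with the expr language (github.com/antonmedv/expr); this evaluator supports only the subset needed here (`true`/`false`, single-quoted strings, claim names, `in`, `==`, `!=`, `!`, `&&`, `||`, parentheses). Three things are assumptions of this example rather than documented Argo behaviour: the hypothetical `dev-sa` account, name-based tie-breaking between equal precedences, and treating a rule that references a claim absent from the token (for instance `groups` when the `groups` scope was not requested) as a non-match.

```python
"""Added example: simulate Argo Server's SSO claim -> ServiceAccount mapping.

Not Argo's code. Implements only the subset of the expr language used by the
rbac-rule annotations on this page.
"""
import re

# Constructed ServiceAccounts mirroring guest-sa.yaml / admin-sa.yaml above,
# plus a hypothetical dev-sa with a compound rule (assumption of this example).
SERVICE_ACCOUNTS = [
    {"name": "guest-sa", "rule": "true", "precedence": 0},
    {"name": "admin-sa", "rule": "'workflows-admin' in groups", "precedence": 1},
    {"name": "dev-sa",
     "rule": "'workflows-dev' in groups && !('workflows-admin' in groups)",
     "precedence": 1},
]

# Token kinds: single-quoted string, identifier/keyword, operator.
_TOKEN = re.compile(r"\s*(?:('(?:[^'\\]|\\.)*')|(\w+)|(==|!=|&&|\|\||[()!]))")


def tokenize(rule):
    """Split a rule into (kind, value) tokens; rejects syntax outside the subset."""
    rule = rule.strip()
    tokens, pos = [], 0
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos} in {rule!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)[1:-1]))
        elif m.group(2) is not None:
            tokens.append(("ident", m.group(2)))
        else:
            tokens.append(("op", m.group(3)))
    return tokens


class _Parser:
    """Recursive-descent evaluator: or -> and -> unary -> comparison -> primary."""

    def __init__(self, tokens, claims):
        self.toks, self.i, self.claims = tokens, 0, claims

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        if tok[0] is None:
            raise ValueError("unexpected end of rule")
        self.i += 1
        return tok

    def parse(self):
        value = self.or_expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return value

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            rhs = self.and_expr()  # always parse the right side so syntax errors surface
            value = value or rhs
        return value

    def and_expr(self):
        value = self.unary()
        while self.peek() == ("op", "&&"):
            self.take()
            rhs = self.unary()
            value = value and rhs
        return value

    def unary(self):
        if self.peek() == ("op", "!"):
            self.take()
            return not self.unary()
        return self.comparison()

    def comparison(self):
        left = self.primary()
        tok = self.peek()
        if tok == ("ident", "in"):
            self.take()
            right = self.primary()
            if not isinstance(right, list):
                raise ValueError("'in' requires a list-valued claim on the right")
            return left in right
        if tok in (("op", "=="), ("op", "!=")):
            self.take()
            right = self.primary()
            return (left == right) if tok[1] == "==" else (left != right)
        return left

    def primary(self):
        kind, value = self.take()
        if kind == "str":
            return value
        if kind == "ident":
            if value in ("true", "false"):
                return value == "true"
            if value in self.claims:
                return self.claims[value]
            raise KeyError(f"claim {value!r} not present in token")
        if (kind, value) == ("op", "("):
            inner = self.or_expr()
            if self.take() != ("op", ")"):
                raise ValueError("expected ')'")
            return inner
        raise ValueError(f"unexpected token {value!r}")


def evaluate_rule(rule, claims):
    """True if the rule matches the claims; a rule referencing a claim the
    token does not carry is treated as a non-match (this example's assumption)."""
    try:
        return bool(_Parser(tokenize(rule), claims).parse())
    except KeyError:
        return False


def select_service_account(claims, service_accounts=SERVICE_ACCOUNTS):
    """Name of the matching ServiceAccount with the highest precedence, or None
    when no rule matches (the user is then denied). Ties broken by name (assumption)."""
    matches = [sa for sa in service_accounts if evaluate_rule(sa["rule"], claims)]
    if not matches:
        return None
    return min(matches, key=lambda sa: (-sa["precedence"], sa["name"]))["name"]


if __name__ == "__main__":
    # Constructed claims as they would appear in the ID token payload.
    for who, groups in [("alice", ["workflows-admin"]), ("bob", ["workflows-dev"]), ("carol", [])]:
        print(who, "->", select_service_account({"iss": "argo-server", "sub": who, "groups": groups}))
```

Running the script shows why the `groups` scope in the RBAC values above matters: a token without a `groups` claim can only ever satisfy the `true` rule, so every such user lands on `guest-sa`, and a user whose groups satisfy no rule at all is denied rather than silently mapped.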
Reference
- https://argoproj.github.io/argo-workflows
- https://dexidp.io/docs/custom-scopes-claims-clients/
- https://argoproj.github.io/argo-workflows/argo-server-sso/