Argo Workflows

설치

wget https://github.com/argoproj/argo-workflows/releases/latest/download/argo-linux-amd64.gz \
&& gzip -d argo-linux-amd64.gz \
&& sudo mv argo-linux-amd64 /usr/local/bin/argo \
&& sudo chmod +x /usr/local/bin/argo

helm repo add argo https://argoproj.github.io/argo-helm

helm repo update argo \
&& helm search repo argo/argo-workflows -l | head -n 10

helm show values argo/argo-workflows \
    --version 0.39.0 \
    > argo-workflows-values.yaml

argo-workflows-values.yaml
commonLabels: {}

controller:
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      memory: 256Mi

  retentionPolicy:
    completed: 10
    failed: 100
    errored: 100

server:
  authModes:
    - client # kubernetes 토큰을 사용한 인증

  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      memory: 256Mi

helm template argo-workflows argo/argo-workflows \
    --version 0.39.0 \
    -n workflow \
    -f argo-cd-values.yaml \
    > argo-cd.yaml

helm upgrade argo-workflows argo/argo-workflows \
    --install \
    --history-max 5 \
    --version 0.39.0 \
    -n workflow \
    --values argo-workflows-values.yaml

RBAC

https://argoproj.github.io/argo-workflows/argo-server-sso/

argo-workflows-values.yaml
server:
  # ConfigMap.data.config: |, name: workflow-controller-configmap
  sso:
    # openid는 기본으로 추가됩니다.
    scopes:
      - groups
      - email
      - profile
    rbac:
      enabled: true

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-workflows-guest
  namespace: workflow
  annotations:
    workflows.argoproj.io/rbac-rule: "true"
    # 이 설정이 guest 설정이 될 수 있도록 다른 ServiceAccount는 precedence를 1
    # 이상으로 설정해주세요
    workflows.argoproj.io/rbac-rule-precedence: "0"

---
apiVersion: v1
kind: Secret
metadata:
  name: argo-workflows-guest.service-account-token
  namespace: workflow
  annotations:
    kubernetes.io/service-account.name: argo-workflows-guest
type: kubernetes.io/service-account-token

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-workflows-admin
  namespace: workflow
  annotations:
    # * `groups` - an array of the OIDC groups
    # * `iss` - the issuer ("argo-server")
    # * `sub` - the subject (typically the username)
    # https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md
    workflows.argoproj.io/rbac-rule: "'<group>' in groups"
    # 값이 클 수록 우선순위가 높아짐
    workflows.argoproj.io/rbac-rule-precedence: "1"

---
apiVersion: v1
kind: Secret
metadata:
  name: argo-workflows-admin.service-account-token
  namespace: workflow
  annotations:
    kubernetes.io/service-account.name: argo-workflows-admin
type: kubernetes.io/service-account-token

info

ServiceAccount에 원하는 목적에 맞는 Role과 ClusterRole을 생성 후 바인딩 시켜주세요.

User

SSO-Dex with Argo CD

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: argo-workflows-sso
  namespace: workflow
data:
  # `echo -n argo-workflows-sso | base64`
  client-id: YXJnby13b3JrZmxvd3Mtc3Nv
  # `echo -n MY-SECRET-STRING-CAN-BE-UUID | base64`
  client-secret: TVktU0VDUkVULVNUUklORy1DQU4tQkUtVVVJRA==
EOF

argo-cd-values.yaml
dex:
  env:
    - name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: argo-workflows-sso
          key: client-secret

configs:
  cm:
    dex.config: |
      staticClients:
        - id: argo-workflows-sso
          name: Argo Workflows
          redirectURIs:
            - <workflow-server-uri>/oauth2/callback
          secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET

info

Dex는 클라이언트(aud(audience))대신 다른 클라이언트(azp(authorized party))에게 ID 토큰 발행을 맞길 수 있는 기능이 있습니다. staticClients.trustedPeers: []에 azp가 될 클라이언트의 id를 추가하면 됩니다.

argo-workflows-values.yaml
server:
  extraArgs:
    - --access-control-allow-origin=true

  authModes:
    - sso

  # ConfigMap.data.sso |, name: workflow-controller-configmap
  sso:
    enabled: true
    issuer: <argo-cd-server-uri>/api/dex
    sessionExpiry: 12h
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: <workflow-server-url>/oauth2/callback

OIDC

Keycloak

Keycloak OIDC

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: argo-workflows-sso
  namespace: workflow
stringData:
  client-id: argo-workflows
  client-secret: <workflow-client-secret>
EOF

argo-workflows-values.yaml
server:
  extraArgs:
    - --access-control-allow-origin=true

  authModes:
    - sso

  # ConfigMap.data.sso |, name: workflow-controller-configmap
  sso:
    enabled: true
    issuer: <keycloak-url>/realms/<realm>
    sessionExpiry: 12h
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: <workflow-server-url>/oauth2/callback

설치​

RBAC​

User​

SSO-Dex with Argo CD​

OIDC​

Keycloak​

설치

RBAC

User

SSO-Dex with Argo CD

OIDC

Keycloak