Skip to main content

Argo Workflows


설치

wget https://github.com/argoproj/argo-workflows/releases/latest/download/argo-linux-amd64.gz \
&& gzip -d argo-linux-amd64.gz \
&& sudo mv argo-linux-amd64 /usr/local/bin/argo \
&& sudo chmod +x /usr/local/bin/argo
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update argo \
&& helm search repo argo/argo-workflows -l | head -n 10
helm show values argo/argo-workflows \
--version 0.32.1 \
> argo-workflows-values.yaml
argo-workflows-values.yaml
controller:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 256Mi

server:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 256Mi
helm template argo-workflows argo/argo-workflows \
--version 0.32.1 \
-n workflow \
-f argo-cd-values.yaml \
> argo-cd.yaml
helm upgrade argo-workflows argo/argo-workflows \
--install \
--history-max 3 \
--version 0.32.1 \
-n workflow \
--values argo-workflows-values.yaml

RBAC

argo-workflows-values.yaml
server:
# ConfigMap.data.config: |, name: workflow-controller-configmap
sso:
# openid는 기본으로 추가됩니다.
scopes:
- groups
- email
- profile
rbac:
enabled: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo-workflows-guest
namespace: workflow
annotations:
workflows.argoproj.io/rbac-rule: "true"
# 이 설정이 guest 설정이 될 수 있도록 다른 ServiceAccount는 precedence를 1
# 이상으로 설정해주세요
workflows.argoproj.io/rbac-rule-precedence: "0"

---
apiVersion: v1
kind: Secret
metadata:
name: argo-workflows-guest.service-account-token
namespace: workflow
annotations:
kubernetes.io/service-account.name: argo-workflows-guest
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo-workflows-admin
namespace: workflow
annotations:
# * `groups` - an array of the OIDC groups
# * `iss` - the issuer ("argo-server")
# * `sub` - the subject (typically the username)
# https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md
workflows.argoproj.io/rbac-rule: "'<group>' in groups"
# 값이 클 수록 우선순위가 높아짐
workflows.argoproj.io/rbac-rule-precedence: "1"

---
apiVersion: v1
kind: Secret
metadata:
name: argo-workflows-admin.service-account-token
namespace: workflow
annotations:
kubernetes.io/service-account.name: argo-workflows-admin
type: kubernetes.io/service-account-token
info

ServiceAccount에 원하는 목적에 맞는 Role과 ClusterRole을 생성 후 바인딩 시켜주세요.

User

SSO-Dex with Argo CD

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: argo-workflows-sso
namespace: workflow
data:
# `echo -n argo-workflows-sso | base64`
client-id: YXJnby13b3JrZmxvd3Mtc3Nv
# `echo -n MY-SECRET-STRING-CAN-BE-UUID | base64`
client-secret: TVktU0VDUkVULVNUUklORy1DQU4tQkUtVVVJRA==
EOF
argo-cd-values.yaml
dex:
env:
- name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: argo-workflows-sso
key: client-secret

configs:
cm:
dex.config: |
staticClients:
- id: argo-workflows-sso
name: Argo Workflows
redirectURIs:
- <workflow-server-uri>/oauth2/callback
secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
info

Dex는 클라이언트(aud(audience))대신 다른 클라이언트(azp(authorized party))에게 ID 토큰 발행을 맞길 수 있는 기능이 있습니다. staticClients.trustedPeers: []에 azp가 될 클라이언트의 id를 추가하면 됩니다.

argo-workflows-values.yaml
server:
extraArgs:
- --auth-mode=sso
- --auth-mode=client
- --access-control-allow-origin=true

# ConfigMap.data.sso |, name: workflow-controller-configmap
sso:
enabled: true
issuer: <argo-cd-server-uri>/api/dex
sessionExpiry: 12h
clientId:
name: argo-workflows-sso
key: client-id
clientSecret:
name: argo-workflows-sso
key: client-secret
redirectUrl: <workflow-server-url>/oauth2/callback

OIDC

Keycloak

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: argo-workflows-sso
namespace: workflow
stringData:
client-id: argo-workflows
client-secret: <workflow-client-secret>
EOF
argo-workflows-values.yaml
server:
extraArgs:
- --auth-mode=sso
- --auth-mode=client
- --access-control-allow-origin=true

# ConfigMap.data.sso |, name: workflow-controller-configmap
sso:
enabled: true
issuer: <keycloak-url>/realms/<realm>
sessionExpiry: 12h
clientId:
name: argo-workflows-sso
key: client-id
clientSecret:
name: argo-workflows-sso
key: client-secret
redirectUrl: <workflow-server-url>/oauth2/callback