Allow SSO in Argo Workflows and re-use Dex server from Argo CD deployment (#388)

* Allow SSO in Argo Workflows and re-use Dex server from Argo CD deployment

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

* Try to fix lint

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

---------

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>
Frawless authored Jan 15, 2025
1 parent 811460c commit 6e03a44
Showing 13 changed files with 83 additions and 35 deletions.
2 changes: 1 addition & 1 deletion install/roles/automation-hub/defaults/main.yml
@@ -2,7 +2,7 @@
# defaults file
infra_monitoring_namespace: skodjob-monitoring
infra_ci_namespace: skodjob-pipelines
infra_workflow_namespace: skodjob-ci
infra_workflows_namespace: skodjob-ci
infra_argo_namespace: skodjob-gitops

openshift_pipelines_namespace: openshift-pipelines
@@ -56,7 +56,7 @@
namespace: "{{ infra_argo_namespace }}"
state: present
verify_ssl: no
src: templates/argo/install/argocd.yaml
template: templates/argo/install/argocd.yaml
apply: true
retries: 20
delay: 5
@@ -1,5 +1,5 @@
---
- name: Create {{ infra_workflow_namespace }} namespace on Infra cluster
- name: Create {{ infra_workflows_namespace }} namespace on Infra cluster
kubernetes.core.k8s:
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
verify_ssl: no
@@ -8,19 +8,19 @@
apiVersion: v1
kind: Namespace
metadata:
name: "{{ infra_workflow_namespace }}"
name: "{{ infra_workflows_namespace }}"
labels:
project: "skodjob"
secret: "cert-manager"
strimzi.io/sync-secrets: "true"

- name: Clean helm releases for workflows
shell: "oc delete secret -l owner=helm -n {{ infra_workflow_namespace }} || true"
shell: "oc delete secret -l owner=helm -n {{ infra_workflows_namespace }} || true"
environment:
KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"

- name: Make default SA admin in {{ infra_workflow_namespace }} namespace
shell: "oc adm policy add-role-to-user admin system:serviceaccount:{{ infra_workflow_namespace }}:default -n {{ infra_workflow_namespace }}"
- name: Make default SA admin in {{ infra_workflows_namespace }} namespace
shell: "oc adm policy add-role-to-user admin system:serviceaccount:{{ infra_workflows_namespace }}:default -n {{ infra_workflows_namespace }}"
environment:
KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"

@@ -31,10 +31,10 @@

- name: Install Argo Workflow
kubernetes.core.helm:
name: "{{ infra_workflow_namespace }}"
name: "{{ infra_workflows_namespace }}"
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
chart_ref: argo/argo-workflows
release_namespace: "{{ infra_workflow_namespace }}"
release_namespace: "{{ infra_workflows_namespace }}"
create_namespace: True
force: True
wait: True
@@ -47,23 +47,40 @@
server:
replicas: 3
authModes:
- client
- server
- sso
ingress:
enabled: true
hosts:
- "{{ argo_workflow_url }}"
- "{{ argo_workflows_url }}"
tls:
- secretName: "{{ cm_certificate_secret }}"
hosts:
- "{{ argo_workflow_url }}"
- "{{ argo_workflows_url }}"
# Configuration for SSO - using ArgoCD Dex server that is connected to OpenShift OAuth Proxy
sso:
enabled: true
insecureSkipVerify: false
issuer: "https://{{ argo_cd_url }}/api/dex"
sessionExpiry: 240h
clientId:
name: "{{ argo_workflows_sso_secret_name }}"
key: client-id
clientSecret:
name: "{{ argo_workflows_sso_secret_name }}"
key: client-secret
redirectUrl: "https://{{ argo_workflows_url }}/oauth2/callback"
# RBAC
rbac:
enabled: false
scopes:
- groups

- name: Install Argo Events
kubernetes.core.helm:
name: "{{ infra_workflow_namespace }}-events"
name: "{{ infra_workflows_namespace }}-events"
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
chart_ref: argo/argo-events
release_namespace: "{{ infra_workflow_namespace }}"
release_namespace: "{{ infra_workflows_namespace }}"
create_namespace: True
purge: True
force: True
@@ -76,7 +93,7 @@
- name: Create EventBus and ServiceAccount
kubernetes.core.k8s:
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
namespace: "{{ infra_workflow_namespace }}"
namespace: "{{ infra_workflows_namespace }}"
state: present
verify_ssl: no
src: "{{ item }}"
@@ -92,7 +109,7 @@
- name: Wait for EventBus creation
kubernetes.core.k8s_info:
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
namespace: "{{ infra_workflow_namespace }}"
namespace: "{{ infra_workflows_namespace }}"
kind: EventBus
api_version: argoproj.io/v1alpha1
name: skodjob
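Review bot: The new `- sso` entry in the `authModes` list leaves `client` and `server` in place, and in Argo Workflows' server auth mode requests that carry no token are served with the argo-server service account's own permissions, so as far as the chart values show SSO is offered here but not enforced; if the goal is to gate the UI and API behind Dex, drop `- server` (and `- client` unless API-token access is still needed). With `rbac.enabled: false` every SSO-authenticated user is mapped to the same service account, so the `scopes: - groups` entry has no effect until RBAC is enabled and group-annotated service accounts exist; a comment such as `# rbac disabled: all SSO users share the server SA; enable and add group-annotated SAs to differentiate` would make that trade-off explicit. `sessionExpiry: 240h` is a ten-day session for an SSO-backed operations UI; something closer to a working day, e.g. `sessionExpiry: 24h`, limits how long a captured session cookie stays usable.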
@@ -15,7 +15,7 @@
- "{{ infra_ci_namespace }}"
- "{{ openshift_pipelines_namespace }}"
- "{{ infra_argo_namespace }}"
- "{{ infra_workflow_namespace }}"
- "{{ infra_workflows_namespace }}"

- name: "Create ServiceAccount for remote access on {{ worker.name }}"
kubernetes.core.k8s:
@@ -70,7 +70,7 @@
loop_control:
loop_var: namespaceName
loop:
- "{{ infra_workflow_namespace }}"
- "{{ infra_workflows_namespace }}"
- "{{ infra_ci_namespace }}"

# TODO - investigate deletion of this
@@ -95,7 +95,7 @@
loop_var: namespaceName
loop:
- "{{ infra_argo_namespace }}"
- "{{ infra_workflow_namespace }}"
- "{{ infra_workflows_namespace }}"
- "{{ openshift_pipelines_namespace }}"
- "{{ infra_ci_namespace }}"

8 changes: 4 additions & 4 deletions install/roles/automation-hub/tasks/main.yml
@@ -95,10 +95,10 @@
tags: [acs, infra, security, never]

- import_tasks: infra-setup/install/install_strimzi.yaml
tags: [infra, ci, workflow, strimzi, never]
tags: [infra, ci, workflows, strimzi, never]

- import_tasks: infra-setup/install/install_argo_workflow.yaml
tags: [infra, ci, workflow, never]
- import_tasks: infra-setup/install/install_argo_workflows.yaml
tags: [infra, ci, workflows, never]

- import_tasks: infra-setup/install/install_links.yaml
tags: [infra, console-link, links, never]
@@ -123,7 +123,7 @@
tags: [tekton-pipelines, strimzi-infra, never]

- import_tasks: scenario-deployment/workflows/infra-argo-workflows.yaml
tags: [workflow, infra, never]
tags: [workflows, infra, never]

# Teardown
- import_tasks: infra-setup/delete/delete_argo.yaml
@@ -2,7 +2,7 @@
- name: Create Infra Argo Workflows
kubernetes.core.k8s:
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
namespace: "{{ infra_workflow_namespace }}"
namespace: "{{ infra_workflows_namespace }}"
state: present
template: "{{ item }}"
verify_ssl: no
@@ -14,7 +14,7 @@
- name: Create EventSources and Sensors
kubernetes.core.k8s:
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
namespace: "{{ infra_workflow_namespace }}"
namespace: "{{ infra_workflows_namespace }}"
state: present
template: "{{ item }}"
verify_ssl: no
@@ -24,7 +24,7 @@
- name: Wait for EventSources - Deployed
kubernetes.core.k8s_info:
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
namespace: "{{ infra_workflow_namespace }}"
namespace: "{{ infra_workflows_namespace }}"
kind: EventSource
api_version: argoproj.io/v1alpha1
name: "{{ item }}"
@@ -47,7 +47,7 @@
- name: Wait for EventSources - SourcesProvided
kubernetes.core.k8s_info:
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
namespace: "{{ infra_workflow_namespace }}"
namespace: "{{ infra_workflows_namespace }}"
kind: EventSource
api_version: argoproj.io/v1alpha1
name: "{{ item }}"
@@ -62,7 +62,7 @@
- name: Wait for Sensors - Deployed
kubernetes.core.k8s_info:
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
namespace: "{{ infra_workflow_namespace }}"
namespace: "{{ infra_workflows_namespace }}"
kind: Sensor
api_version: argoproj.io/v1alpha1
name: "{{ item }}"
@@ -85,7 +85,7 @@
- name: Wait for Sensors - TriggersProvided
kubernetes.core.k8s_info:
kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
namespace: "{{ infra_workflow_namespace }}"
namespace: "{{ infra_workflows_namespace }}"
kind: Sensor
api_version: argoproj.io/v1alpha1
name: "{{ item }}"
@@ -27,7 +27,7 @@ metadata:
owner-name: automation-hub
name: automation-hub-eventsource-svc
spec:
host: "automation-hub-eventsource-svc-{{ infra_workflow_namespace }}.apps.{{ infra_root_domain }}"
host: "automation-hub-eventsource-svc-{{ infra_workflows_namespace }}.apps.{{ infra_root_domain }}"
port:
targetPort: 12000
to:
@@ -65,7 +65,7 @@ spec:
- name: status
value: "{% raw %}{{ workflow.status }}{% endraw %}"
- name: button_url
value: "https://{{ argo_workflow_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
value: "https://{{ argo_workflows_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
- name: button_text
value: "Workflow link :argocd:"
- name: url
@@ -55,7 +55,7 @@ spec:
- name: status
value: "{% raw %}{{ workflow.status }}{% endraw %}"
- name: button_url
value: "https://{{ argo_workflow_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
value: "https://{{ argo_workflows_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
- name: button_text
value: "Workflow link :argocd:"
- name: url
@@ -88,7 +88,7 @@ spec:
- name: status
value: "{% raw %}{{ workflow.status }}{% endraw %}"
- name: button_url
value: "https://{{ argo_workflow_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
value: "https://{{ argo_workflows_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
- name: button_text
value: "Workflow link :argocd:"
- name: url
31 changes: 31 additions & 0 deletions install/roles/automation-hub/templates/argo/install/argocd.yaml
@@ -1,3 +1,18 @@
---
# This is a secret used for Dex server to be usable by Argo Workflows
apiVersion: v1
kind: Secret
metadata:
name: argo-workflows-sso
labels:
project: skodjob
app: argo
annotations:
replicator.v1.mittwald.de/replicate-to: "{{ infra_workflows_namespace }}"
data:
client-id: "{{ argo_workflows_client_id }}"
client-secret: "{{ argo_workflows_client_secret }}"
---
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
@@ -6,6 +21,7 @@ metadata:
project: skodjob
spec:
server:
replicas: 3
autoscale:
enabled: true
grpc:
@@ -90,6 +106,21 @@ spec:
requests:
cpu: 250m
memory: 128Mi
env:
- name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: "{{ argo_workflows_sso_secret_name }}"
key: client-secret
config: |
# Setting staticClients allows Argo Workflows to use Argo CD's Dex installation for authentication
staticClients:
# This is the OIDC client ID in plaintext
- id: {{ argo_workflows_client_id }}
name: Argo Workflows
redirectURIs:
- https://{{ argo_workflows_url }}/oauth2/callback
secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
ha:
enabled: false
resources:
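Review bot: The Secret's `data:` block at the top of the file substitutes `{{ argo_workflows_client_id }}` and `{{ argo_workflows_client_secret }}` directly, but `data` values must be base64-encoded, while the Dex `staticClients` entry further down uses the same client-id variable as plaintext (its own comment says so), so unless both variables are already base64 the apply will be rejected, and if they are, the Dex `id:` line carries the encoded form; use `stringData:` with the plain values, or `client-id: "{{ argo_workflows_client_id | b64encode }}"` and the same for `client-secret`. The Secret is named with the literal `argo-workflows-sso`, whereas the server's `secretKeyRef` a few lines below and the Argo Workflows chart values reference `{{ argo_workflows_sso_secret_name }}`; writing `name: "{{ argo_workflows_sso_secret_name }}"` in the Secret keeps the three in step so a change to the variable cannot leave the reference dangling. The `replicator.v1.mittwald.de/replicate-to` annotation copies the client secret into the workflows namespace, which is the intended consumer, but it deserves a comment making the exposure explicit, e.g. `# replicated into the workflows namespace: Secret read access in either namespace is equivalent to holding this OIDC client secret`.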
@@ -10,6 +10,6 @@ spec:

section: Skodjob
href: >-
https://{{ argo_workflow_url }}
https://{{ argo_workflows_url }}
location: ApplicationMenu
text: Skodjob-CI
Binary file modified install/secrets/clusters.yaml
Binary file not shown.
