Argo Workflows
Argo Workflows is a generic workflow engine that runs on Kubernetes. While it supports SSO via OpenID Connect, it has an additional requirement to map the logged-in user to a ServiceAccount that is authorized to interact with the cluster. This chart automates the integration with a just-in-time workflow that:
- Creates a
ServiceAccountto represent the user - Create's a
Secret, bound to the user'sServiceAccountthat Argo will use - Map's the user's groups to
RoleBindings andClusterRoleBindings to provide identical permissions - Provisions the user's
ServiceAccountto the mappedRoleBindings andClusterRoleBindings
The first step is to setup OpenUnison, then setup Argo Workflows.
OpenUnison Setup
First, create a secret with random data for your client secret:
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: argowf
namespace: openunison
data:
clientsecret: ZG9ub3R1c2UhISEh
Next, you'll need to add following values to your openunison values:
argowf:
# The hostname for Argo Workflows
hostname: argowf.talos.local
# the namespace where Argo Workflows are installed
namespace: argowf
group_map:
# you can choose to create this ConfigMap manually by specifying false
create: true
# list each group and the binding they'll be mapped to
map:
-
# the name of the group from the user's JWT
group: "CN=k8s-admins,CN=Users,DC=ent2k22,DC=tremolo,DC=dev"
# If mapping to a ClusterRoleBinding, specify crb. If mapping to a RoleBinding, specify rb
kind: crb
# the name of the binding
name: argowf-clusteradmins
# If a RoleBinding, the Namespace the RoleBinding is in
namespace: ""
Next, update OpenUnison's values to call the jit-argowf Workflow after authentication:
Once updated, rerun the tremolo/orchestra-login-portal chart and install the tremolo/argowf chart:
$ helm upgrade orchestra-login-portal tremolo/orchestra-login-portal -n openunison -f /path/to/openunison-values.yaml
$ helm upgrade --install argowf tremolo/argowf -n openunison -f /path/to/openunison-values.yaml
When you next login to OpenUnison, a ServiceAccount for your user will be created in the Argo Workflow namespace along with the Secret. Also, permissions will be synced based on your mappings. Next, you can move on to deploying Argo.
Argo Workflow Setup
The first step is to create your namespace and a Secret that will store your OpenID Connect configuration. Assuming you're deploying Argo to the argowf Namespace, create a Secret with the same secret value that you created in the openunison Namespace above:
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: argowf
namespace: argowf
data:
# base64 encoded argowf
clientid: YXJnb3dm
# the same value as created earlier in the openunison namespace
clientsecret: ZG9ub3R1c2UhISEh
Finally, deploy Argo Workflow with this minimum values yaml:
server:
ingress:
enabled: true
ingressClassName: nginx
hosts:
- argowf.talos.local
tls:
- hosts:
- argowf.talos.local
authModes:
- sso
sso:
enabled: true
issuer: https://k8sou.talos.local/auth/idp/k8sIdp
clientId:
name: argowf
key: clientid
clientSecret:
name: argowf
key: clientsecret
redirectUrl: https://argowf.talos.local/oauth2/callback
customGroupClaimName: groups
insecureSkipVerify: true
Change all instances of argowf.talos.local to Argo's host name. Change all instances of k8sou.talos.local to the host name for OpenUnison.
Logging In
Once deployed, login to OpenUnison and click on the Argo Workflows badge:
You'll be logged in to Argo Workflows and go directly to the Workflows page. If you click on the user info icon, you'll see that you're logged in and your groups:
Next Steps
You can check out our blog post that dives into the background on how the integration works. You can also look at automating onboarding via OpenUnison using the Namespace as a Service portal.