Argo Workflows
The deployment of Argo Workflows in this project uses Minio to provide an S3-compatible artifacts bucket. This data store is provided under the minio-tenant-argo-workflows Minio Tenant, documented in k8s / Minio / Overview.
The bucket artifacts and credentials are manually created.
The following URLs are proxied by Gateway Device 1. argo workflows: http://argo.cluster.home/workflows/
NGINX Reverse-Proxy
The proxy_buffering directive is set to off due to a bug where side-panels in Argo Workflows fail to reload.

server {
    server_name argo.cluster.home;
    resolver 127.0.0.1;
    proxy_buffering off;

    location / {
        proxy_pass http://argo.cluster.home;
        proxy_pass_header content-security-policy;
    }
}

NGINX Ingress
The Argo Workflows deployment has a simple Ingress definition.

server:
  # baseHref is a server-level value in the chart, not an ingress one
  baseHref: /
  ingress:
    enabled: true
    ingressClassName: "nginx"
    hosts:
      - argo.cluster.home

Name:             argo-workflows-server
Labels:           app.kubernetes.io/component=server
                  app.kubernetes.io/instance=argo-workflows
                  app.kubernetes.io/managed-by=Helm
                  app.kubernetes.io/name=argo-workflows-server
                  app.kubernetes.io/part-of=argo-workflows
                  helm.sh/chart=argo-workflows-0.28.2
Namespace:        argo-workflows
Address:          192.168.57.200
Ingress Class:    nginx
Default backend:  <default>
Rules:
  Host               Path  Backends
  ----               ----  --------
  argo.cluster.home
                     /   argo-workflows-server:2746 (10.244.186.87:2746)
Annotations:      meta.helm.sh/release-name: argo-workflows
                  meta.helm.sh/release-namespace: argo-workflows
Events:           <none>

Workflow Credentials
Argo Workflows, by default, does not have very many permissions to run anything in a Workflow. The security has to be set up afterwards using k8s RBAC and Namespaces.
Argo-Test Namespace
This is created for any Argo Workflows to run in.
Minio Artifact Bucket Credentials
In this project, the Argo Workflows run in the argo-test Namespace, where there is an access key and secret for the Minio artifacts bucket.
http://storage.cluster.home/console/
Access to this bucket is saved as a k8s Secret that the Argo Workflow will use.
The Minio Tenant Access Key and Secret should be converted to base64.

echo -n "iQlfBNHIpasdeFdjM5laD" | base64
aVFsZkJOSElwYXNkZUZkak01bGFE

Then create a k8s Secret in the same k8s Namespace that the Workflows run in. Argo Workflows reads it whenever a Workflow is launched.

apiVersion: v1
kind: Secret
metadata:
  name: minio-tenant-argo-workflows-credentials
  namespace: argo-test
type: Opaque
data:
  accesskey: aVFsZkJOSElwYXNkZUZkak01bGFE
  secretkey: azcyeDc5aHA1aENTQ3VTTEd5RWESbTJPQVVBY0VZeGMwZXJjZ1hwUg==

This Secret then has to be configured in the Argo Workflows values.yaml. Here is an extract of provisioning the Argo Workflows controller. Since Minio TLS is disabled, the S3 access is set to 'insecure: true'.
Note, accesskey under key is not the value of the access key, but the name of the field within the Secret listed under the name field.
The region is arbitrary, as it doesn't mean anything to Minio, but it is required for a compatible/valid S3 bucket request.
The bucket is called artifacts and exists under the Minio argo-workflow tenant.

# singleNamespace and artifactRepository are top-level values in the chart
singleNamespace: false
controller:
  workflowNamespaces:
    - argo-test
artifactRepository:
  s3:
    insecure: true
    bucket: artifacts
    endpoint: storage.cluster.home
    region: us-east-1
    accessKeySecret:
      name: minio-tenant-argo-workflows-credentials
      key: accesskey
    secretKeySecret:
      name: minio-tenant-argo-workflows-credentials
      key: secretkey

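A consistency check for the Secret and the artifact repository extract above, as an added example that is not part of the original page: it confirms that each key entry names a field of the Secret, that the field is valid base64, and that the decoded value carries no stray newline (what echo without -n produces). The objects are constructed samples shaped like `kubectl get secret -o json` and `helm get values -o json` output, with artifactRepository assumed to be a top-level value, and check_artifact_credentials is a hypothetical helper.

```python
import base64
import binascii

# Constructed samples shaped like `kubectl get secret -o json` output and the
# chart values extract; the credential values are made up for this example.
NAME = "minio-tenant-argo-workflows-credentials"
SECRET = {
    "metadata": {"name": NAME, "namespace": "argo-test"},
    "data": {
        "accesskey": base64.b64encode(b"EXAMPLEACCESSKEY").decode(),
        # encoded with a trailing newline, as `echo` without -n would do
        "secretkey": base64.b64encode(b"example-secret\n").decode(),
    },
}
VALUES = {
    "controller": {"workflowNamespaces": ["argo-test"]},
    "artifactRepository": {"s3": {
        "accessKeySecret": {"name": NAME, "key": "accesskey"},
        "secretKeySecret": {"name": NAME, "key": "secretkey"},
    }},
}


def check_artifact_credentials(secret, values):
    """Hypothetical helper: list mismatches between S3 config and Secret."""
    problems = []
    meta, data = secret["metadata"], secret.get("data", {})
    if meta["namespace"] not in values["controller"].get("workflowNamespaces", []):
        problems.append(f"namespace {meta['namespace']} is not in workflowNamespaces")
    for ref_name in ("accessKeySecret", "secretKeySecret"):
        ref = values["artifactRepository"]["s3"][ref_name]
        if ref["name"] != meta["name"]:
            problems.append(f"{ref_name}.name is {ref['name']}, not {meta['name']}")
        elif ref["key"] not in data:
            problems.append(f"{ref_name}.key {ref['key']!r} is not a field of the Secret")
        else:
            try:
                raw = base64.b64decode(data[ref["key"]], validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"{ref['key']} is not valid base64")
                continue
            if raw != raw.strip():
                problems.append(f"{ref['key']} decodes with surrounding whitespace")
    return problems


if __name__ == "__main__":
    print(check_artifact_credentials(SECRET, VALUES) or "OK")
```
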
Argo Workflow Executor SA
The Executor is a ServiceAccount that is specified in a Workflow. To be able to access the Minio Tenant bucket artifacts, the ServiceAccount must have the necessary RBAC permissions.
Create a ServiceAccount called default, a Role called executor, and a RoleBinding to bind the SA to the Role.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: executor
  namespace: argo-test
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtaskresults
    verbs:
      - create
      - patch

These are enough permissions to run the Whalesay test below and access the S3 artifact bucket.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-test-workflows
  namespace: argo-test
subjects:
  - kind: ServiceAccount
    name: default
    namespace: argo-test
roleRef:
  kind: Role
  name: executor
  apiGroup: rbac.authorization.k8s.io

Whalesay Passing Artifacts Test
The following test workflow attempts to create some log files as artifacts and pass them between stages in the workflow.

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  namespace: argo-test
  labels:
    example: 'true'
  generateName: artifact-passing-
spec:
  entrypoint: artifact-example
  templates:
    - name: artifact-example
      steps:
        - - name: generate-artifact
            template: whalesay
        - - name: consume-artifact
            template: print-message
            arguments:
              artifacts:
                - name: message
                  from: '{{steps.generate-artifact.outputs.artifacts.hello-art}}'
    - name: whalesay
      container:
        image: docker/whalesay:latest
        command:
          - sh
          - '-c'
        args:
          - cowsay hello world | tee /tmp/hello_world.txt
      outputs:
        artifacts:
          - name: hello-art
            path: /tmp/hello_world.txt
    - name: print-message
      inputs:
        artifacts:
          - name: message
            path: /tmp/message
      container:
        image: alpine:latest
        command:
          - sh
          - '-c'
        args:
          - cat /tmp/message