skodjob · Frawless · Jan 15, 2025 · Jan 15, 2025 · Jan 15, 2025
diff --git a/install/roles/automation-hub/defaults/main.yml b/install/roles/automation-hub/defaults/main.yml
@@ -2,7 +2,7 @@
 # defaults file
 infra_monitoring_namespace: skodjob-monitoring
 infra_ci_namespace: skodjob-pipelines
-infra_workflow_namespace: skodjob-ci
+infra_workflows_namespace: skodjob-ci
 infra_argo_namespace: skodjob-gitops
 
 openshift_pipelines_namespace: openshift-pipelines

diff --git a/install/roles/automation-hub/tasks/infra-setup/install/install_argo.yaml b/install/roles/automation-hub/tasks/infra-setup/install/install_argo.yaml
@@ -56,7 +56,7 @@
     namespace: "{{ infra_argo_namespace }}"
     state: present
     verify_ssl: no
-    src: templates/argo/install/argocd.yaml
+    template: templates/argo/install/argocd.yaml
     apply: true
   retries: 20
   delay: 5

diff --git a/...-setup/install/install_argo_workflow.yaml → ...setup/install/install_argo_workflows.yaml b/...-setup/install/install_argo_workflow.yaml → ...setup/install/install_argo_workflows.yaml
@@ -1,5 +1,5 @@
 ---
-- name: Create {{ infra_workflow_namespace }} namespace on Infra cluster
+- name: Create {{ infra_workflows_namespace }} namespace on Infra cluster
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     verify_ssl: no
@@ -8,19 +8,19 @@
       apiVersion: v1
       kind: Namespace
       metadata:
-        name: "{{ infra_workflow_namespace }}"
+        name: "{{ infra_workflows_namespace }}"
         labels:
           project: "skodjob"
           secret: "cert-manager"
           strimzi.io/sync-secrets: "true"
 
 - name: Clean helm releases for workflows
-  shell: "oc delete secret -l owner=helm -n {{ infra_workflow_namespace }} || true"
+  shell: "oc delete secret -l owner=helm -n {{ infra_workflows_namespace }} || true"
   environment:
     KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"
 
-- name: Make default SA admin in {{ infra_workflow_namespace }} namespace
-  shell: "oc adm policy add-role-to-user admin system:serviceaccount:{{ infra_workflow_namespace }}:default -n {{ infra_workflow_namespace }}"
+- name: Make default SA admin in {{ infra_workflows_namespace }} namespace
+  shell: "oc adm policy add-role-to-user admin system:serviceaccount:{{ infra_workflows_namespace }}:default -n {{ infra_workflows_namespace }}"
   environment:
     KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"
 
@@ -31,10 +31,10 @@
 
 - name: Install Argo Workflow
   kubernetes.core.helm:
-    name: "{{ infra_workflow_namespace }}"
+    name: "{{ infra_workflows_namespace }}"
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     chart_ref: argo/argo-workflows
-    release_namespace: "{{ infra_workflow_namespace }}"
+    release_namespace: "{{ infra_workflows_namespace }}"
     create_namespace: True
     force: True
     wait: True
@@ -47,23 +47,40 @@
       server:
         replicas: 3
         authModes:
-          - client
-          - server
+          - sso
         ingress:
           enabled: true
           hosts:
-            - "{{ argo_workflow_url }}"
+            - "{{ argo_workflows_url }}"
           tls:
             - secretName: "{{ cm_certificate_secret }}"
               hosts:
-                - "{{ argo_workflow_url }}"
+                - "{{ argo_workflows_url }}"
+        # Configuration for SSO - using ArgoCD Dex server that is connected to OpenShift OAuth Proxy
+        sso:
+          enabled: true
+          insecureSkipVerify: false
+          issuer: "https://{{ argo_cd_url }}/api/dex"
+          sessionExpiry: 240h
+          clientId:
+            name: "{{ argo_workflows_sso_secret_name }}"
+            key: client-id
+          clientSecret:
+            name: "{{ argo_workflows_sso_secret_name }}"
+            key: client-secret
+          redirectUrl: "https://{{ argo_workflows_url }}/oauth2/callback"
+          # RBAC
+          rbac:
+            enabled: false
+          scopes:
+            - groups
 
 - name: Install Argo Events
   kubernetes.core.helm:
-    name: "{{ infra_workflow_namespace }}-events"
+    name: "{{ infra_workflows_namespace }}-events"
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     chart_ref: argo/argo-events
-    release_namespace: "{{ infra_workflow_namespace }}"
+    release_namespace: "{{ infra_workflows_namespace }}"
     create_namespace: True
     purge: True
     force: True
@@ -76,7 +93,7 @@
 - name: Create EventBus and ServiceAccount
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
-    namespace: "{{ infra_workflow_namespace }}"
+    namespace: "{{ infra_workflows_namespace }}"
     state: present
     verify_ssl: no
     src: "{{ item }}"
@@ -92,7 +109,7 @@
 - name: Wait for EventBus creation
   kubernetes.core.k8s_info:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
-    namespace: "{{ infra_workflow_namespace }}"
+    namespace: "{{ infra_workflows_namespace }}"
     kind: EventBus
     api_version: argoproj.io/v1alpha1
     name: skodjob

diff --git a/install/roles/automation-hub/tasks/infra-setup/prepare_access.yaml b/install/roles/automation-hub/tasks/infra-setup/prepare_access.yaml
@@ -15,7 +15,7 @@
     - "{{ infra_ci_namespace }}"
     - "{{ openshift_pipelines_namespace }}"
     - "{{ infra_argo_namespace }}"
-    - "{{ infra_workflow_namespace }}"
+    - "{{ infra_workflows_namespace }}"
 
 - name: "Create ServiceAccount for remote access on {{ worker.name }}"
   kubernetes.core.k8s:
@@ -70,7 +70,7 @@
   loop_control:
     loop_var: namespaceName
   loop:
-    - "{{ infra_workflow_namespace }}"
+    - "{{ infra_workflows_namespace }}"
     - "{{ infra_ci_namespace }}"
 
 # TODO - investigate deletion of this
@@ -95,7 +95,7 @@
     loop_var: namespaceName
   loop:
     - "{{ infra_argo_namespace }}"
-    - "{{ infra_workflow_namespace }}"
+    - "{{ infra_workflows_namespace }}"
     - "{{ openshift_pipelines_namespace }}"
     - "{{ infra_ci_namespace }}"
 

diff --git a/install/roles/automation-hub/tasks/main.yml b/install/roles/automation-hub/tasks/main.yml
@@ -95,10 +95,10 @@
   tags: [acs, infra, security, never]
 
 - import_tasks: infra-setup/install/install_strimzi.yaml
-  tags: [infra, ci, workflow, strimzi, never]
+  tags: [infra, ci, workflows, strimzi, never]
 
-- import_tasks: infra-setup/install/install_argo_workflow.yaml
-  tags: [infra, ci, workflow, never]
+- import_tasks: infra-setup/install/install_argo_workflows.yaml
+  tags: [infra, ci, workflows, never]
 
 - import_tasks: infra-setup/install/install_links.yaml
   tags: [infra, console-link, links, never]
@@ -123,7 +123,7 @@
   tags: [tekton-pipelines, strimzi-infra, never]
 
 - import_tasks: scenario-deployment/workflows/infra-argo-workflows.yaml
-  tags: [workflow, infra, never]
+  tags: [workflows, infra, never]
 
 # Teardown
 - import_tasks: infra-setup/delete/delete_argo.yaml

diff --git a/install/roles/automation-hub/tasks/scenario-deployment/workflows/infra-argo-workflows.yaml b/install/roles/automation-hub/tasks/scenario-deployment/workflows/infra-argo-workflows.yaml
@@ -2,7 +2,7 @@
 - name: Create Infra Argo Workflows
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
-    namespace: "{{ infra_workflow_namespace }}"
+    namespace: "{{ infra_workflows_namespace }}"
     state: present
     template: "{{ item }}"
     verify_ssl: no
@@ -14,7 +14,7 @@
 - name: Create EventSources and Sensors
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
-    namespace: "{{ infra_workflow_namespace }}"
+    namespace: "{{ infra_workflows_namespace }}"
     state: present
     template: "{{ item }}"
     verify_ssl: no
@@ -24,7 +24,7 @@
 - name: Wait for EventSources - Deployed
   kubernetes.core.k8s_info:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
-    namespace: "{{ infra_workflow_namespace }}"
+    namespace: "{{ infra_workflows_namespace }}"
     kind: EventSource
     api_version: argoproj.io/v1alpha1
     name: "{{ item }}"
@@ -47,7 +47,7 @@
 - name: Wait for EventSources - SourcesProvided
   kubernetes.core.k8s_info:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
-    namespace: "{{ infra_workflow_namespace }}"
+    namespace: "{{ infra_workflows_namespace }}"
     kind: EventSource
     api_version: argoproj.io/v1alpha1
     name: "{{ item }}"
@@ -62,7 +62,7 @@
 - name: Wait for Sensors - Deployed
   kubernetes.core.k8s_info:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
-    namespace: "{{ infra_workflow_namespace }}"
+    namespace: "{{ infra_workflows_namespace }}"
     kind: Sensor
     api_version: argoproj.io/v1alpha1
     name: "{{ item }}"
@@ -85,7 +85,7 @@
 - name: Wait for Sensors - TriggersProvided
   kubernetes.core.k8s_info:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
-    namespace: "{{ infra_workflow_namespace }}"
+    namespace: "{{ infra_workflows_namespace }}"
     kind: Sensor
     api_version: argoproj.io/v1alpha1
     name: "{{ item }}"

diff --git a/...tion-hub/templates/argo-workflows/eventsource/event-source-automation-hub-install.yaml.j2 b/...tion-hub/templates/argo-workflows/eventsource/event-source-automation-hub-install.yaml.j2
@@ -27,7 +27,7 @@ metadata:
     owner-name: automation-hub
   name: automation-hub-eventsource-svc
 spec:
-  host: "automation-hub-eventsource-svc-{{ infra_workflow_namespace }}.apps.{{ infra_root_domain }}"
+  host: "automation-hub-eventsource-svc-{{ infra_workflows_namespace }}.apps.{{ infra_root_domain }}"
   port:
     targetPort: 12000
   to:

diff --git a/...es/automation-hub/templates/argo-workflows/workflows/infra/automation-hub-install.yaml.j2 b/...es/automation-hub/templates/argo-workflows/workflows/infra/automation-hub-install.yaml.j2
@@ -65,7 +65,7 @@ spec:
                 - name: status
                   value: "{% raw %}{{ workflow.status }}{% endraw %}"
                 - name: button_url
-                  value: "https://{{ argo_workflow_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
+                  value: "https://{{ argo_workflows_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
                 - name: button_text
                   value: "Workflow link :argocd:"
                 - name: url

diff --git a/install/roles/automation-hub/templates/argo-workflows/workflows/infra/cleaner.j2 b/install/roles/automation-hub/templates/argo-workflows/workflows/infra/cleaner.j2
@@ -55,7 +55,7 @@ spec:
                   - name: status
                     value: "{% raw %}{{ workflow.status }}{% endraw %}"
                   - name: button_url
-                    value: "https://{{ argo_workflow_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
+                    value: "https://{{ argo_workflows_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
                   - name: button_text
                     value: "Workflow link :argocd:"
                   - name: url

diff --git a/install/roles/automation-hub/templates/argo-workflows/workflows/infra/secret-copy.yaml.j2 b/install/roles/automation-hub/templates/argo-workflows/workflows/infra/secret-copy.yaml.j2
@@ -88,7 +88,7 @@ spec:
                   - name: status
                     value: "{% raw %}{{ workflow.status }}{% endraw %}"
                   - name: button_url
-                    value: "https://{{ argo_workflow_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
+                    value: "https://{{ argo_workflows_url }}/workflows/argo/{% raw %}{{ workflow.name }}{% endraw %}"
                   - name: button_text
                     value: "Workflow link :argocd:"
                   - name: url

diff --git a/install/roles/automation-hub/templates/argo/install/argocd.yaml b/install/roles/automation-hub/templates/argo/install/argocd.yaml
@@ -1,3 +1,18 @@
+---
+# This is a secret used for Dex server to be usable by Argo Workflows
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argo-workflows-sso
+  labels:
+    project: skodjob
+    app: argo
+  annotations:
+    replicator.v1.mittwald.de/replicate-to: "{{ infra_workflows_namespace }}"
+data:
+  client-id: "{{ argo_workflows_client_id }}"
+  client-secret: "{{ argo_workflows_client_secret }}"
+---
 apiVersion: argoproj.io/v1beta1
 kind: ArgoCD
 metadata:
@@ -6,6 +21,7 @@ metadata:
     project: skodjob
 spec:
   server:
+    replicas: 3
     autoscale:
       enabled: true
     grpc:
@@ -90,6 +106,21 @@ spec:
         requests:
           cpu: 250m
           memory: 128Mi
+      env:
+        - name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: "{{ argo_workflows_sso_secret_name }}"
+              key: client-secret
+      config: |
+        # Setting staticClients allows Argo Workflows to use Argo CD's Dex installation for authentication
+        staticClients:
+          # This is the OIDC client ID in plaintext
+          - id: {{ argo_workflows_client_id }}
+            name: Argo Workflows
+            redirectURIs:
+              - https://{{ argo_workflows_url }}/oauth2/callback
+            secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
   ha:
     enabled: false
     resources:

diff --git a/install/roles/automation-hub/templates/console-link/skodjob-ci.yaml.j2 b/install/roles/automation-hub/templates/console-link/skodjob-ci.yaml.j2
@@ -10,6 +10,6 @@ spec:
       data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAYAAADgdz34AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARdSURBVEhLnVRLbBtVFA0bRFlQCQmxYMOOz4IFsGJBsyhN4jENTSu6QGIBBVSKmn4wtlNFkYqISiqk8hMCVkkaPqWqKE3iqG1CWtKQtHX8iWs7dmN78hk78+bNeDx2Pk6dy33Prw5Vk7bpka78/Obec94971N1P/SNzb02HNdP+6dNNZTOFcNpa9mvWPpIwjh/IUDqAeARkboxnA1mnkaS0WR2HtKFRVDWCNlcAG/KmOwd014UZQ+GviB5PqhYJiMm80s8wiQHwTkTIws3cBw38jCTLwtFMrliX4jWivJ7oy+UfdI3Y9EMkuaLtyBG8+DPZCGgaBDxjsDE5fMwnpD5XDBjQiJb4CJRFPEEyHOCZn1cidMzbOWMfFw1OVF0dBDIF++A7paAflYH5KAEyV+/R1Gdf08KkasJIyJo1sY5n/ZMVLVWckvLENctXhwJjgFt3gHWyWYuwEI7VAtaYy2kfvm63B1aN5NfgBTul8dHqgXd3egPae5Z9NVEAVbIYvZnQXxk+6rA4TouoB62Q1BWeB6zknUxdFP/Q9Ddie6xTH1/hMbJwhIo1mJ5ZbMUiLMBNLREd5bJWVAUIPvKEbvk4bnMTi4wQQ2Pl2wXtKvo8au7ByNU1ReLkMQT4k8bkG7/DoqxEBQTE6C3OdB/JHehyHEHFJMx/k39qgkC0yoEWLdMIKYvdfvUtwXtKsoCulIWKMCN614oTkagp6cHOjs74ZaWAfIJ2nNAwvEcdHR0QG9vLxRvhmHC080FWAf/xIz5tQV8mbcGQiTELMrgPoRHRmF5JgmpVArC4TCUcllQ96FAowQly+RzsizD8nQCYufOVCy6FNFUZregvRN94+ruaWuBH9HArAak/VsomQasFCzI/ngMtE/ZMZXA/OkYzuXxmw70h1YIJqYrm3w5qrcJurvx1/XZx0OKVcguLsOUOQ8BGW1x7ADSaAeK5JVNRhHtgB3IfgnC3quVYxoj+ZLHl35W0K2NgdCck3WhoE1+fBbokTc5qeq2VwT+H+PxJCTMArDjPRQ3ugTN+mCv4/CkPsAK5Nw8XrJ6TnShsQESPV2gnjoBfx/dWxFIajq35ppsyswBQXNv/D48tQmf6P6p3ALoLbs4keKohepXX4Jt1a/D6Idb+BxtssMMdjs6aUR7x5SnRPmDgXUyENY/zrR9VLq9WvlQDUT3b62sXmveuTIYJa2nQvCoKNsYyB7pFeKw/6vjpvKbjJeM4i8PB5uzK+oH9pdF+sagvG97YW6P9K7mlH7TXbYCu8H8JjNyHBtuW0Fz2QIsh7xXc/9nej0g2TfUVZdAS7K3rWFjNkddtosi7eGBAp8j4QiSxRg5EpfEeATjtEh7eFCnzUndtrOGSxpC4iXDZYvg+Aqbw//tIm3jSLZseUxz2beh/18i0QkkPImr95Z/pS4W2MFx3IsGraX2CVG2MUwd3LVJc9e9gaSt1C39ibGXNkk1KHiRCWvOup26c+tmkb4Gqqr+A9mtJPsGSKEdAAAAAElFTkSuQmCC
     section: Skodjob
   href: >-
-    https://{{ argo_workflow_url }}
+    https://{{ argo_workflows_url }}
   location: ApplicationMenu
   text: Skodjob-CI
diff --git a/install/secrets/clusters.yaml b/install/secrets/clusters.yaml