feat: implement argo-events (JIRA:PUC-193)

components/12-argo-events/argo-role.yaml

@@ -0,0 +1,135 @@
+## bind this argo role in the _argo-events_ namespace with the argo service account in the _argo_ namespace
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+  name: argo-role
+  namespace: argo-events
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/exec
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  - persistentvolumeclaims/finalizers
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  - workflowtasksets
+  - workflowtasksets/finalizers
+  - workflowartifactgctasks
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+  - create
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowtemplates
+  - workflowtemplates/finalizers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowtaskresults
+  verbs:
+  - list
+  - watch
+  - deletecollection
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - cronworkflows
+  - cronworkflows/finalizers
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - get
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-role-binding
+  namespace: argo-events
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argo-role
+subjects:
+- kind: ServiceAccount
+  name: argo
+  namespace: argo

components/12-argo-events/argo-server-role.yaml

@@ -0,0 +1,83 @@
+## bind this argo-server role in the _argo-events_ namespace with the argo-server service account in the _argo_ namespace
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+  name: argo-server-role
+  namespace: argo-events
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/exec
+  - pods/log
+  verbs:
+  - get
+  - list
+  - watch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - watch
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - eventsources
+  - sensors
+  - workflows
+  - workfloweventbindings
+  - workflowtemplates
+  - cronworkflows
+  - cronworkflows/finalizers
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-server-role-binding
+  namespace: argo-events
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argo-server-role
+subjects:
+- kind: ServiceAccount
+  name: argo-server
+  namespace: argo

components/12-argo-events/default-role.yaml

@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: default-role
+  namespace: argo-events
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: default-binding
+  namespace: argo-events
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: default-role
+subjects:
+- kind: ServiceAccount
+  name: default

components/12-argo-events/kustomization.yaml

@@ -6,3 +6,15 @@ resources:
   - namespace.yaml
   - https://github.com/argoproj/argo-events/releases/download/v1.9.1/namespace-install.yaml
   - https://github.com/argoproj/argo-events/releases/download/v1.9.1/install-validating-webhook.yaml
+
+  ## configure rbac to integrate with argo-workflow
+  - default-role.yaml
+  - argo-server-role.yaml
+  - argo-role.yaml
+  - operate-workflow-sa.yaml
+  - workflow-rbac.yaml  # https://raw.githubusercontent.com/argoproj/argo-events/master/examples/rbac/workflow-rbac.yaml  # enables a Workflow Pod to be able to read and patch WorkflowTaskResults. Should not run in production
+
+  ## deploy argo-event components
+  - native-eventbus.yaml  # from https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/eventbus/native.yaml
+  - webhook-event-source.yaml
+  - webhook-sensor.yaml

components/12-argo-events/native-eventbus.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: EventBus
+metadata:
+  name: default
+spec:
+  nats:
+    native:
+      # Optional, defaults to 3. If it is < 3, set it to 3, that is the minimal requirement.
+      replicas: 3
+      # Optional, authen strategy, "none" or "token", defaults to "none"
+      auth: token
+#      containerTemplate:
+#        resources:
+#          requests:
+#            cpu: "10m"
+#      metricsContainerTemplate:
+#        resources:
+#          requests:
+#            cpu: "10m"
+#      antiAffinity: false
+#      persistence:
+#        storageClassName: standard
+#        accessMode: ReadWriteOnce
+#        volumeSize: 10Gi

components/12-argo-events/operate-workflow-sa.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  # namespace: argo-events
+  name: operate-workflow-sa
+---
+# Similarly you can use a ClusterRole and ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operate-workflow-role
+  # namespace: argo-events
+rules:
+  - apiGroups:
+      - argoproj.io
+    verbs:
+      - "*"
+    resources:
+      - workflows
+      - workflowtemplates
+      - cronworkflows
+      - clusterworkflowtemplates
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operate-workflow-role-binding
+  # namespace: argo-events
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: operate-workflow-role
+subjects:
+  - kind: ServiceAccount
+    name: operate-workflow-sa

components/12-argo-events/webhook-event-source.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: EventSource
+metadata:
+  name: nautobot-webhook
+spec:
+  service:
+    ports:
+    - name: secure
+      port: 13000
+      targetPort: 13000
+  webhook:
+    nautobot:
+      endpoint: /nautobot
+      method: POST
+      port: "13000"                   # must have a port defined above
+      # k8s secret that contains the cert
+      serverCertSecret:
+        name: webhook-ingress-tls     # the TLS secret name created by cert-manager
+        key: tls.crt                  # the key name in the above referenced secret
+      # k8s secret that contains the private key
+      serverKeySecret:
+        name: webhook-ingress-tls     # the TLS secret name created by cert-manager
+        key: tls.key                  # the key name in the above referenced secret

components/12-argo-events/webhook-ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  name: nautobot-webhook
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: events.local
+    http:
+      paths:
+      - path: /nautobot        # must match endpoint defined in EventSource
+        pathType: Prefix
+        backend:
+          service:
+            name: nautobot-webhook-eventsource-svc
+            port:
+              number: 13000   # nmust match port defined in EventSource
+  tls:
+  - hosts:
+    - events.local
+    secretName: webhook-ingress-tls