From 34c4291165d22433c6bb78154fa1fbb9f18941aa Mon Sep 17 00:00:00 2001
From: Andrew Harris
Date: Thu, 7 Mar 2024 09:57:55 -0500
Subject: [PATCH] feat: implement argo-events (JIRA:PUC-193)
---
 components/12-argo-events/argo-role.yaml | 135 ++++++++++++++++++
 .../12-argo-events/argo-server-role.yaml | 83 +++++++++++
 components/12-argo-events/default-role.yaml | 25 ++++
 components/12-argo-events/kustomization.yaml | 12 ++
 .../12-argo-events/native-eventbus.yaml | 24 ++++
 .../12-argo-events/operate-workflow-sa.yaml | 35 +++++
 .../12-argo-events/webhook-event-source.yaml | 24 ++++
 .../12-argo-events/webhook-ingress.yaml | 26 ++++
 components/12-argo-events/webhook-sensor.yaml | 44 ++++++
 components/12-argo-events/workflow-rbac.yaml | 29 ++++
 10 files changed, 437 insertions(+)
 create mode 100644 components/12-argo-events/argo-role.yaml
 create mode 100644 components/12-argo-events/argo-server-role.yaml
 create mode 100644 components/12-argo-events/default-role.yaml
 create mode 100644 components/12-argo-events/native-eventbus.yaml
 create mode 100644 components/12-argo-events/operate-workflow-sa.yaml
 create mode 100644 components/12-argo-events/webhook-event-source.yaml
 create mode 100644 components/12-argo-events/webhook-ingress.yaml
 create mode 100644 components/12-argo-events/webhook-sensor.yaml
 create mode 100644 components/12-argo-events/workflow-rbac.yaml
diff --git a/components/12-argo-events/argo-role.yaml b/components/12-argo-events/argo-role.yaml
new file mode 100644
index 000000000..b71e60164
--- /dev/null
+++ b/components/12-argo-events/argo-role.yaml
@@ -0,0 +1,135 @@
+## bind this argo role in the _argo-events_ namespace with the argo service account in the _argo_ namespace
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ name: argo-role
+ namespace: argo-events
+rules:
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/exec
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ - persistentvolumeclaims/finalizers
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ - workflows/finalizers
+ - workflowtasksets
+ - workflowtasksets/finalizers
+ - workflowartifactgctasks
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+ - create
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflowtemplates
+ - workflowtemplates/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflowtaskresults
+ verbs:
+ - list
+ - watch
+ - deletecollection
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+- apiGroups:
+ - argoproj.io
+ resources:
+ - cronworkflows
+ - cronworkflows/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - get
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: argo-role-binding
+ namespace: argo-events
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argo-role
+subjects:
+- kind: ServiceAccount
+ name: argo
+ namespace: argo
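Review bot: `metadata.annotations:` in argo-role.yaml is written with no value, so it parses as `null` rather than an empty mapping; either drop the key or write `annotations: {}` (yamllint's `empty-values` will flag it as-is). The same bare key is in argo-server-role.yaml. Separately, the `""` rule grants the controller's `argo` ServiceAccount `create` on `pods/exec` across argo-events, which allows interactive exec into any pod in the namespace; workflow-rbac.yaml in this same commit describes the emissary executor, which to my knowledge does not rely on exec, so confirm something here uses it and otherwise remove `- pods/exec` from that rule. A one-line comment on each rule that deviates from the upstream namespace-install role would make future audits of this copy much quicker.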
diff --git a/components/12-argo-events/argo-server-role.yaml b/components/12-argo-events/argo-server-role.yaml
new file mode 100644
index 000000000..2ea2d1586
--- /dev/null
+++ b/components/12-argo-events/argo-server-role.yaml
@@ -0,0 +1,83 @@
+## bind this argo-server role in the _argo-events_ namespace with the argo-server service account in the _argo_ namespace
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ name: argo-server-role
+ namespace: argo-events
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/exec
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - watch
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - argoproj.io
+ resources:
+ - eventsources
+ - sensors
+ - workflows
+ - workfloweventbindings
+ - workflowtemplates
+ - cronworkflows
+ - cronworkflows/finalizers
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: argo-server-role-binding
+ namespace: argo-events
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argo-server-role
+subjects:
+- kind: ServiceAccount
+ name: argo-server
+ namespace: argo
diff --git a/components/12-argo-events/default-role.yaml b/components/12-argo-events/default-role.yaml
new file mode 100644
index 000000000..e406d15fa
--- /dev/null
+++ b/components/12-argo-events/default-role.yaml
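Review bot: The `argoproj.io` rule gives the `argo-server` ServiceAccount `create`/`update`/`patch`/`delete` on `eventsources` and `sensors` in argo-events, so anyone able to act through the server's UI or API in this namespace can rewrite the webhook pipeline that later creates Workflows as `operate-workflow-sa`; the server's auth mode is not part of this patch, so I cannot tell whether that reach is intended. If the UI only needs to show them, `get`/`list`/`watch` on those two resources suffices, and a comment on the rule stating why write access is needed would help the next reviewer. The `secrets` rule also carries `create` next to `get`; if that is an unmodified copy of the upstream argo-server role, a comment naming the upstream file and version it was taken from would make the copy auditable.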
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: default-role
+ namespace: argo-events
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: default-binding
+ namespace: argo-events
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: default-role
+subjects:
+- kind: ServiceAccount
+ name: default
diff --git a/components/12-argo-events/kustomization.yaml b/components/12-argo-events/kustomization.yaml
index 6f5a58b25..7b3e0d67b 100644
--- a/components/12-argo-events/kustomization.yaml
+++ b/components/12-argo-events/kustomization.yaml
@@ -6,3 +6,15 @@ resources:
 - namespace.yaml
 - https://github.com/argoproj/argo-events/releases/download/v1.9.1/namespace-install.yaml
 - https://github.com/argoproj/argo-events/releases/download/v1.9.1/install-validating-webhook.yaml
+
+ ## configure rbac to integrate with argo-workflow
+ - default-role.yaml
+ - argo-server-role.yaml
+ - argo-role.yaml
+ - operate-workflow-sa.yaml
+ - workflow-rbac.yaml # https://raw.githubusercontent.com/argoproj/argo-events/master/examples/rbac/workflow-rbac.yaml # enables a Workflow Pod to be able to read and patch WorkflowTaskResults. Should not run in production
+
+ ## deploy argo-event components
+ - native-eventbus.yaml # from https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/eventbus/native.yaml
+ - webhook-event-source.yaml
+ - webhook-sensor.yaml
diff --git a/components/12-argo-events/native-eventbus.yaml b/components/12-argo-events/native-eventbus.yaml
new file mode 100644
index 000000000..bdd698e24
--- /dev/null
+++ b/components/12-argo-events/native-eventbus.yaml
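Review bot: `default-binding` grants `patch` on `pods` to the namespace's `default` ServiceAccount, which every pod in argo-events that does not set `serviceAccountName` inherits (the EventSource pod included), so the grant reaches more than whichever workload it was written for. A dedicated ServiceAccount named for the consumer, referenced via `spec.serviceAccountName` on the triggered Workflow, keeps the scope explicit. The file also has no header comment; one line naming which pods need pod `patch` and why (`# pods/patch is needed by <consumer> for <reason>`) would let a later reviewer judge whether the rule is still required.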
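Review bot: `webhook-ingress.yaml` is created by this commit but is not listed under `resources`, so the Ingress, and the cert-manager `webhook-ingress-tls` secret it requests, are never applied; webhook-event-source.yaml reads `tls.crt` and `tls.key` from that secret for `serverCertSecret`/`serverKeySecret`, so the EventSource will be left without its server certificate. Add `- webhook-ingress.yaml` next to `- webhook-event-source.yaml`. The trailing comment on `- workflow-rbac.yaml` says it "Should not run in production", yet it is included unconditionally; if this component is meant to be promoted, either move that resource into a non-production overlay or replace the comment with the rationale for shipping it.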
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: EventBus
+metadata:
+ name: default
+spec:
+ nats:
+ native:
+ # Optional, defaults to 3. If it is < 3, set it to 3, that is the minimal requirement.
+ replicas: 3
+ # Optional, authen strategy, "none" or "token", defaults to "none"
+ auth: token
+# containerTemplate:
+# resources:
+# requests:
+# cpu: "10m"
+# metricsContainerTemplate:
+# resources:
+# requests:
+# cpu: "10m"
+# antiAffinity: false
+# persistence:
+# storageClassName: standard
+# accessMode: ReadWriteOnce
+# volumeSize: 10Gi
diff --git a/components/12-argo-events/operate-workflow-sa.yaml b/components/12-argo-events/operate-workflow-sa.yaml
new file mode 100644
index 000000000..f5dcf737c
--- /dev/null
+++ b/components/12-argo-events/operate-workflow-sa.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ # namespace: argo-events
+ name: operate-workflow-sa
+---
+# Similarly you can use a ClusterRole and ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: operate-workflow-role
+ # namespace: argo-events
+rules:
+ - apiGroups:
+ - argoproj.io
+ verbs:
+ - "*"
+ resources:
+ - workflows
+ - workflowtemplates
+ - cronworkflows
+ - clusterworkflowtemplates
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: operate-workflow-role-binding
+ # namespace: argo-events
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: operate-workflow-role
+subjects:
+ - kind: ServiceAccount
+ name: operate-workflow-sa
diff --git a/components/12-argo-events/webhook-event-source.yaml b/components/12-argo-events/webhook-event-source.yaml
new file mode 100644
index 000000000..f3baf6f8a
--- /dev/null
+++ b/components/12-argo-events/webhook-event-source.yaml
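Review bot: `operate-workflow-role` uses `verbs: - "*"` over `workflows`, `workflowtemplates`, `cronworkflows` and `clusterworkflowtemplates`, but the only consumer of this ServiceAccount in the commit is the Sensor, whose trigger does `operation: create` on a Workflow; wildcard verbs would let a misbehaving or compromised sensor delete or rewrite templates and cron schedules as well. Narrow the rule to `verbs: [create]` and `resources: [workflows]`, adding `get`/`list` only if you confirm the trigger needs them. `clusterworkflowtemplates` is a cluster-scoped resource, so naming it in a namespaced Role grants nothing; drop it, or follow the file's own comment and switch to a ClusterRole only if cross-namespace templates are actually needed.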
@@ -0,0 +1,24 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: EventSource
+metadata:
+ name: nautobot-webhook
+spec:
+ service:
+ ports:
+ - name: secure
+ port: 13000
+ targetPort: 13000
+ webhook:
+ nautobot:
+ endpoint: /nautobot
+ method: POST
+ port: "13000" # must have a port defined above
+ # k8s secret that contains the cert
+ serverCertSecret:
+ name: webhook-ingress-tls # the TLS secret name created by cert-manager
+ key: tls.crt # the key name in the above referenced secret
+ # k8s secret that contains the private key
+ serverKeySecret:
+ name: webhook-ingress-tls # the TLS secret name created by cert-manager
+ key: tls.key # the key name in the above referenced secret
diff --git a/components/12-argo-events/webhook-ingress.yaml b/components/12-argo-events/webhook-ingress.yaml
new file mode 100644
index 000000000..9c6f4fe57
--- /dev/null
+++ b/components/12-argo-events/webhook-ingress.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ name: nautobot-webhook
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: events.local
+ http:
+ paths:
+ - path: /nautobot # must match endpoint defined in EventSource
+ pathType: Prefix
+ backend:
+ service:
+ name: nautobot-webhook-eventsource-svc
+ port:
+ number: 13000 # nmust match port defined in EventSource
+ tls:
+ - hosts:
+ - events.local
+ secretName: webhook-ingress-tls
diff --git a/components/12-argo-events/webhook-sensor.yaml b/components/12-argo-events/webhook-sensor.yaml
new file mode 100644
index 000000000..f9b2d733a
--- /dev/null
+++ b/components/12-argo-events/webhook-sensor.yaml
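Review bot: The `nautobot` webhook accepts any `POST` to `/nautobot` with no authentication, and webhook-ingress.yaml in this commit publishes that path at `events.local`, so any client that can reach the ingress can fire the Sensor and have a Workflow created from its request body. argo-events webhook event sources support a bearer-token check through `authSecret` (a secret key selector alongside `serverCertSecret`); setting that and configuring Nautobot to send the token, or at minimum limiting who can reach the path at the ingress, closes the gap. TLS here only protects the transport, not who may call it. If unauthenticated intake is deliberate for this environment, a comment on the `webhook:` block saying so would stop the next reader from re-raising it.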
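Review bot: The comment on `number: 13000` reads "nmust match port defined in EventSource"; it should be `# must match port defined in EventSource`. The `cert-manager.io/cluster-issuer: selfsigned-cluster-issuer` annotation means Nautobot (or any other caller) will reject the served certificate unless it is configured to trust that issuer or to skip verification, which pushes an insecure setting onto the client; given the `events.local` host this looks like a local/dev setup, and a comment on the annotation stating that, and which issuer production should use, would make the expectation explicit. Note this file is not referenced by the kustomization in this commit, so as written it is never applied.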
@@ -0,0 +1,44 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Sensor
+metadata:
+ name: nautobot-webhook
+spec:
+ template:
+ serviceAccountName: operate-workflow-sa
+ dependencies:
+ - name: nautobot-dep
+ eventSourceName: nautobot-webhook # must match EventSource name
+ eventName: nautobot # must match event name defined in EventSource
+ triggers:
+ - template:
+ name: nautobot-workflow-trigger
+ k8s:
+ operation: create
+ source:
+ resource:
+ apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ metadata:
+ generateName: nautobot-webhook-
+ spec:
+ entrypoint: whalesay
+ arguments:
+ parameters:
+ - name: message
+ # the value will get overridden by event payload from test-dep
+ value: hello world
+ templates:
+ - name: whalesay
+ inputs:
+ parameters:
+ - name: message
+ container:
+ image: docker/whalesay:latest
+ command: [cowsay]
+ args: ["{{inputs.parameters.message}}"]
+ parameters:
+ - src:
+ dependencyName: nautobot-dep
+ dataKey: body
+ dest: spec.arguments.parameters.0.value
diff --git a/components/12-argo-events/workflow-rbac.yaml b/components/12-argo-events/workflow-rbac.yaml
new file mode 100644
index 000000000..05ef65855
--- /dev/null
+++ b/components/12-argo-events/workflow-rbac.yaml
@@ -0,0 +1,29 @@
+# This file enables a Workflow Pod (running Emissary executor) to be able to read and patch WorkflowTaskResults,
+# which get shared with the Workflow Controller. The Controller uses the results to update Workflow status.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ workflows.argoproj.io/description: |
+ Recomended minimum permissions for the `emissary` executor.
+ name: executor
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflowtaskresults
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: executor-default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: executor
+subjects:
+- kind: ServiceAccount
+ name: default
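Review bot: The comment `# the value will get overridden by event payload from test-dep` is stale — the dependency in this file is `nautobot-dep` — and should read `# the value will get overridden by the event payload from nautobot-dep`. The triggered Workflow runs `docker/whalesay:latest`, a mutable tag, in a pod whose input comes from an external webhook; pin it by digest (`image: docker/whalesay@sha256:<digest>`, placeholder to be filled from the registry) so what executes cannot change underneath the trigger. The Workflow spec sets no `serviceAccountName`, so its pods run as the namespace `default` ServiceAccount; if that is intended, say so in a comment next to `spec:`, otherwise name the account explicitly. Passing the body as an `args` array entry rather than through a shell keeps it from being shell-interpreted, which is the right shape; a comment noting that this must stay an exec-form array would preserve that property.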
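Review bot: `executor-default` binds the `executor` Role to the `default` ServiceAccount, so every pod in the namespace that does not set its own account, not just workflow pods, can `create` and `patch` `workflowtaskresults`; this is the binding the kustomization comment flags as not for production. Binding the Role to a dedicated workflow ServiceAccount and naming that account in the Sensor's Workflow spec keeps the grant on the pods that need it. The description annotation also has a typo: `Recomended` should be `Recommended`.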