Argo Changes to Allow Workflow Runs From All NS

.secrets.baseline

@@ -342,7 +342,7 @@
         "hashed_secret": "40304f287a52d99fdbe086ad19dbdbf9cc1b3897",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 217,
+        "line_number": 191,
         "type": "Secret Keyword"
       }
     ],

gen3/bin/awsrole.sh

@@ -20,6 +20,7 @@ gen3_awsrole_help() {
 # NOTE: service-account to role is 1 to 1
 #
 # @param serviceAccount to link to the role
+# @param flag (optional) - specify a flag to use a different trust policy
 #
 function gen3_awsrole_ar_policy() {
   local serviceAccount="$1"
@@ -32,6 +33,9 @@ function gen3_awsrole_ar_policy() {
   local issuer_url
   local account_id
   local vpc_name
+  shift || return 1
+  local flag=$1
+
   vpc_name="$(gen3 api environment)" || return 1
   issuer_url="$(aws eks describe-cluster \
                        --name ${vpc_name} \
@@ -42,7 +46,42 @@ function gen3_awsrole_ar_policy() {
 
   local provider_arn="arn:aws:iam::${account_id}:oidc-provider/${issuer_url}"
 
-  cat - <<EOF
+  if [[ "$flag" == "all_namespaces" ]]; then
+    # Use a trust policy that allows role to be used by multiple namespaces.
+    cat - <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    },
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "${provider_arn}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "ForAllValues:StringLike": {
+          "${issuer_url}:aud": "sts.amazonaws.com",
+          "${issuer_url}:sub": [
+            "system:serviceaccount:*:${serviceAccount}",
+            "system:serviceaccount:argo:default"
+          ]
+        }
+      }
+    }
+  ]
+}
+EOF
+  else
+    # Use default policy
+    cat - <<EOF
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -68,8 +107,10 @@ function gen3_awsrole_ar_policy() {
   ]
 }
 EOF
+  fi
 }
 
+
 #
 # Annotate the given service account with the given IAM role
 #
@@ -128,8 +169,15 @@ _tfplan_role() {
   local saName="$1"
   shift || return 1
   local namespace="$1"
+  shift || return 1
+  local flag=""
+  # Check if the "all_namespaces" flag is provided
+  if [[ "$1" == "-f" || "$1" == "--flag" ]]; then
+    flag="$2"
+    shift 2
+  fi
   local arDoc
-  arDoc="$(gen3_awsrole_ar_policy "$saName" "$namespace")" || return 1
+  arDoc="$(gen3_awsrole_ar_policy "$saName" "$namespace" "$flag")" || return 1
   gen3 workon default "${rolename}_role"
   gen3 cd
   cat << EOF > config.tfvars
@@ -199,6 +247,13 @@ EOF
     gen3_log_err $errMsg
     return 1
   fi
+  shift || return 1
+  local flag=""
+  # Check if the "all_namespaces" flag is provided
+  if [[ "$1" == "-f" || "$1" == "--flag" ]]; then
+    flag="$2"
+    shift 2
+  fi
 
   # check if the name is already used by another entity
   local entity_type
@@ -216,7 +271,7 @@ EOF
   fi
 
   TF_IN_AUTOMATION="true"
-  if ! _tfplan_role $rolename $saName $namespace; then
+  if ! _tfplan_role $rolename $saName $namespace -f $flag; then
     return 1
   fi
   if ! _tfapply_role $rolename; then

gen3/bin/kube-setup-argo.sh

@@ -28,7 +28,10 @@ function setup_argo_buckets {
 
   # try to come up with a unique but composable bucket name
   bucketName="gen3-argo-${accountNumber}-${environment//_/-}"
-  userName="gen3-argo-${environment//_/-}-user"
+  nameSpace="$(gen3 db namespace)"
+  roleName="gen3-argo-${environment//_/-}-role"
+  bucketPolicy="argo-bucket-policy-${nameSpace}"
+  internalBucketPolicy="argo-internal-bucket-policy-${nameSpace}"
   if [[ ! -z $(g3k_config_lookup '."s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) || ! -z $(g3k_config_lookup '.argo."s3-bucket"') ]]; then
     if [[ ! -z $(g3k_config_lookup '."s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) ]]; then
       gen3_log_info "Using S3 bucket found in manifest: ${bucketName}"
@@ -114,70 +117,41 @@ EOF
   ]
 }
 EOF
-  if ! secret="$(g3kubectl get secret argo-s3-creds -n argo 2> /dev/null)"; then
-    gen3_log_info "setting up bucket $bucketName"
-
-    if aws s3 ls --page-size 1 "s3://${bucketName}" > /dev/null 2>&1; then
-      gen3_log_info "${bucketName} s3 bucket already exists"
-      # continue on ...
-    elif ! aws s3 mb "s3://${bucketName}"; then
-      gen3_log_err "failed to create bucket ${bucketName}"
-    fi
-
-    gen3_log_info "Creating IAM user ${userName}"
-    if ! aws iam get-user --user-name ${userName} > /dev/null 2>&1; then
-      aws iam create-user --user-name ${userName} || true
-    else
-      gen3_log_info "IAM user ${userName} already exits.."
-    fi
-
-    secret=$(aws iam create-access-key --user-name ${userName})
-    if ! g3kubectl get namespace argo > /dev/null 2>&1; then
-      gen3_log_info "Creating argo namespace"
-      g3kubectl create namespace argo || true
-      g3kubectl label namespace argo app=argo || true
-      g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=argo:default -n argo || true
-    fi
-  else
-    # Else we want to recreate the argo-s3-creds secret so make a temp file with the current creds and delete argo-s3-creds secret
-    gen3_log_info "Argo S3 setup already completed"
-    local secretFile="$XDG_RUNTIME_DIR/temp_key_file_$$.json"
-    cat > "$secretFile" <<EOF
-{
-  "AccessKey": {
-    "AccessKeyId": "$(g3kubectl -n argo get secrets argo-s3-creds -o json | jq -r .data.AccessKeyId | base64 -d)",
-    "SecretAccessKey": "$(g3kubectl -n argo get secrets argo-s3-creds -o json | jq -r .data.SecretAccessKey | base64 -d)"
-  }
-}
-EOF
-    secret=$(cat $secretFile)
+  # Create argo SA within the current namespace
+  gen3_log_info "Creating argo SA in the current namespace"
+  g3kubectl create sa argo -n $nameSpace | true
+  if aws s3 ls --page-size 1 "s3://${bucketName}" > /dev/null 2>&1; then
+    gen3_log_info "${bucketName} s3 bucket already exists"
+    # continue on ...
+  elif ! aws s3 mb "s3://${bucketName}"; then
+    gen3_log_err "failed to create bucket ${bucketName}"
   fi
-
-  gen3_log_info "Creating s3 creds secret in argo namespace"
-  if [[ "$ctxNamespace" == "default" || "$ctxNamespace" == "null" ]]; then
-    if [[ -z $internalBucketName ]]; then
-      g3kubectl delete secret -n argo argo-s3-creds || true
-      g3kubectl create secret -n argo generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret  | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret  | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} || true
-      g3kubectl create secret generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret  | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret  | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} || true
-    else
-      g3kubectl delete secret -n argo argo-s3-creds || true
-      g3kubectl create secret -n argo generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret  | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret  | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} --from-literal=internalbucketname=${internalBucketName} || true
-      g3kubectl create secret generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret  | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret  | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} || true
-    fi
+  if ! g3kubectl get namespace argo > /dev/null 2>&1; then
+    gen3_log_info "Creating argo namespace"
+    g3kubectl create namespace argo || true
+    g3kubectl label namespace argo app=argo || true
+    # Grant admin access within the argo namespace to the default SA in the argo namespace
+    g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=argo:default -n argo || true
+  fi
+  gen3_log_info "Creating IAM role ${roleName}"
+  if aws iam get-role --role-name "${roleName}" > /dev/null 2>&1; then
+      gen3_log_info "IAM role ${roleName} already exists.."
+      roleArn=$(aws iam get-role --role-name "${roleName}" --query 'Role.Arn' --output text)
+      gen3_log_info "Role annotate"
+      g3kubectl annotate serviceaccount default eks.amazonaws.com/role-arn=${roleArn} -n argo
+      g3kubectl annotate serviceaccount argo eks.amazonaws.com/role-arn=${roleArn} -n $nameSpace
   else
-    g3kubectl create sa argo || true
-    # Grant admin access within the current namespace to the argo SA in the current namespace
-    g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=$(gen3 db namespace):argo -n $(gen3 db namespace) || true
-    aws iam put-user-policy --user-name ${userName} --policy-name argo-bucket-policy --policy-document file://$policyFile || true
-    if [[ -z $internalBucketName ]]; then
-      aws iam put-user-policy --user-name ${userName} --policy-name argo-internal-bucket-policy --policy-document file://$internalBucketPolicyFile || true
-      g3kubectl create secret generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret  | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret  | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} || true
-    else
-      g3kubectl create secret generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret  | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret  | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} --from-literal=internalbucketname=${internalBucketName} || true
-
-    fi
+        gen3 awsrole create $roleName argo $nameSpace -f all_namespaces
+        roleArn=$(aws iam get-role --role-name "${roleName}" --query 'Role.Arn' --output text)
+        g3kubectl annotate serviceaccount default eks.amazonaws.com/role-arn=${roleArn} -n argo
   fi
 
+  # Grant admin access within the current namespace to the argo SA in the current namespace
+  g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=$nameSpace:argo -n $nameSpace || true
+  aws iam put-role-policy --role-name ${roleName} --policy-name ${bucketPolicy} --policy-document file://$policyFile || true
+  if [[ -z $internalBucketName ]]; then
+    aws iam put-role-policy --role-name ${roleName} --policy-name ${internalBucketPolicy} --policy-document file://$internalBucketPolicyFile || true
+  fi
 
   ## if new bucket then do the following
   # Get the aws keys from secret
@@ -189,9 +163,9 @@ EOF
   aws s3api put-bucket-lifecycle --bucket ${bucketName} --lifecycle-configuration file://$bucketLifecyclePolicyFile
 
   # Always update the policy, in case manifest buckets change
-  aws iam put-user-policy --user-name ${userName} --policy-name argo-bucket-policy --policy-document file://$policyFile
+  aws iam put-role-policy --role-name ${roleName} --policy-name ${bucketPolicy} --policy-document file://$policyFile
   if [[ ! -z $internalBucketPolicyFile ]]; then
-    aws iam put-user-policy --user-name ${userName} --policy-name argo-internal-bucket-policy --policy-document file://$internalBucketPolicyFile
+    aws iam put-role-policy --role-name ${roleName} --policy-name ${internalBucketPolicy} --policy-document file://$internalBucketPolicyFile
   fi
   if [[ ! -z $(g3k_config_lookup '.indexd_admin_user' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) || ! -z $(g3k_config_lookup '.argo.indexd_admin_user') ]]; then
     if [[ ! -z $(g3k_config_lookup '.indexd_admin_user' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) ]]; then
@@ -231,11 +205,12 @@ if [[ "$ctxNamespace" == "default" || "$ctxNamespace" == "null" ]]; then
   if (! helm status argo -n argo > /dev/null 2>&1 )  || [[ "$1" == "--force" ]]; then
     DBHOST=$(kubectl get secrets -n argo argo-db-creds -o json | jq -r .data.db_host | base64 -d)
     DBNAME=$(kubectl get secrets -n argo argo-db-creds -o json | jq -r .data.db_database | base64 -d)
-    if [[ -z $(kubectl get secrets -n argo argo-s3-creds -o json | jq -r .data.internalbucketname | base64 -d) ]]; then
-      BUCKET=$(kubectl get secrets -n argo argo-s3-creds -o json | jq -r .data.bucketname | base64 -d)
+    if [[ -z $internalBucketName ]]; then
+      BUCKET=$bucketName
     else
-      BUCKET=$(kubectl get secrets -n argo argo-s3-creds -o json | jq -r .data.internalbucketname | base64 -d)
+      BUCKET=$internalBucketName
     fi
+
     valuesFile="$XDG_RUNTIME_DIR/values_$$.yaml"
     valuesTemplate="${GEN3_HOME}/kube/services/argo/values.yaml"
 

kube/services/argo/workflows/fence-usersync-cron.yaml

@@ -0,0 +1,10 @@
+apiVersion: argoproj.io/v1alpha1
+kind: CronWorkflow
+metadata:
+  name: fence-usersync-cron
+spec:
+  serviceAccountName: argo
+  schedule: "*/30 * * * *"
+  workflowSpec:
+    workflowTemplateRef:
+      name: fence-usersync-workflow