Argo Changes to Allow Workflow Runs From All NS #2360

Merged
merged 21 commits into from
Oct 18, 2023
Merged
981a1df
making changes to allow argo workflows to run from any namespace. In …
EliseCastle23 Sep 11, 2023
b5d3085
adding in the ability to pass in a flag to modify the trust policy an…
EliseCastle23 Sep 12, 2023
144b5f1
Merge branch 'master' into GPE-957
EliseCastle23 Sep 12, 2023
607ece4
modifying the awsrole script to ensure the "flag" gets passed in prop…
EliseCastle23 Sep 12, 2023
ff0a26b
adding the workflow template and workflow cron for the fence usersync…
EliseCastle23 Sep 13, 2023
358c444
fixing a syntax error in awsrole and remove default namespace logic f…
EliseCastle23 Sep 13, 2023
e03f97f
removing this line as it is repetative
EliseCastle23 Sep 13, 2023
0ec0ec3
removing the service account name
EliseCastle23 Sep 13, 2023
d30761b
granting default sa permissions in each namespace
EliseCastle23 Sep 13, 2023
24f7e78
making changes to grant the "argo" service account permissions in oth…
EliseCastle23 Sep 14, 2023
4a619f0
adding the "argo" service account to the usersync workflow templates …
EliseCastle23 Sep 14, 2023
2e5ac04
fixing syntax error
EliseCastle23 Sep 14, 2023
26c0885
fixing syntax error
EliseCastle23 Sep 14, 2023
936fabf
modifying the flag that is used to pass the "all_namespaces" var and …
EliseCastle23 Sep 14, 2023
13e194f
explicitly setting "flag" for troubleshooting and modifying the al na…
EliseCastle23 Sep 14, 2023
9389e5a
testing a different method
EliseCastle23 Sep 14, 2023
0e54633
correcting the multiple namespace policy
EliseCastle23 Sep 14, 2023
fd96b4f
correcting the rolebinding for the default sa in the argo namespace
EliseCastle23 Sep 14, 2023
1b5b2ff
changing the schedule for fence usersync cron and changing the "kind"…
EliseCastle23 Sep 14, 2023
feb25cd
Merge branch 'master' into GPE-957
EliseCastle23 Sep 14, 2023
4bef1e9
Merge branch 'master' into GPE-957
EliseCastle23 Oct 18, 2023
4 changes: 2 additions & 2 deletions .secrets.baseline
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"files": "^.secrets.baseline$",
"lines": null
},
"generated_at": "2023-08-10T17:51:06Z",
"generated_at": "2023-09-14T15:47:27Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
Expand Down Expand Up @@ -338,7 +338,7 @@
"hashed_secret": "40304f287a52d99fdbe086ad19dbdbf9cc1b3897",
"is_secret": false,
"is_verified": false,
"line_number": 217,
"line_number": 191,
"type": "Secret Keyword"
}
],
Expand Down
61 changes: 58 additions & 3 deletions gen3/bin/awsrole.sh
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ gen3_awsrole_help() {
# NOTE: service-account to role is 1 to 1
#
# @param serviceAccount to link to the role
# @param flag (optional) - specify a flag to use a different trust policy
#
function gen3_awsrole_ar_policy() {
local serviceAccount="$1"
Expand All @@ -32,6 +33,9 @@ function gen3_awsrole_ar_policy() {
local issuer_url
local account_id
local vpc_name
shift || return 1
local flag=$1

vpc_name="$(gen3 api environment)" || return 1
issuer_url="$(aws eks describe-cluster \
--name ${vpc_name} \
Expand All @@ -42,7 +46,42 @@ function gen3_awsrole_ar_policy() {

local provider_arn="arn:aws:iam::${account_id}:oidc-provider/${issuer_url}"

cat - <<EOF
if [[ "$flag" == "all_namespaces" ]]; then
# Use a trust policy that allows role to be used by multiple namespaces.
cat - <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "${provider_arn}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"ForAllValues:StringLike": {
"${issuer_url}:aud": "sts.amazonaws.com",
"${issuer_url}:sub": [
"system:serviceaccount:*:${serviceAccount}",
"system:serviceaccount:argo:default"
]
}
}
}
]
}
EOF
else
# Use default policy
cat - <<EOF
{
"Version": "2012-10-17",
"Statement": [
Expand All @@ -68,8 +107,10 @@ function gen3_awsrole_ar_policy() {
]
}
EOF
fi
}


#
# Annotate the given service account with the given IAM role
#
Expand Down Expand Up @@ -128,8 +169,15 @@ _tfplan_role() {
local saName="$1"
shift || return 1
local namespace="$1"
shift || return 1
local flag=""
# Check if the "all_namespaces" flag is provided
if [[ "$1" == "-f" || "$1" == "--flag" ]]; then
flag="$2"
shift 2
fi
local arDoc
arDoc="$(gen3_awsrole_ar_policy "$saName" "$namespace")" || return 1
arDoc="$(gen3_awsrole_ar_policy "$saName" "$namespace" "$flag")" || return 1
gen3 workon default "${rolename}_role"
gen3 cd
cat << EOF > config.tfvars
Expand Down Expand Up @@ -199,6 +247,13 @@ EOF
gen3_log_err $errMsg
return 1
fi
shift || return 1
local flag=""
# Check if the "all_namespaces" flag is provided
if [[ "$1" == "-f" || "$1" == "--flag" ]]; then
flag="$2"
shift 2
fi

# check if the name is already used by another entity
local entity_type
Expand All @@ -216,7 +271,7 @@ EOF
fi

TF_IN_AUTOMATION="true"
if ! _tfplan_role $rolename $saName $namespace; then
if ! _tfplan_role $rolename $saName $namespace -f $flag; then
return 1
fi
if ! _tfapply_role $rolename; then
Expand Down
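Review bot: The `all_namespaces` trust policy's `"system:serviceaccount:*:${serviceAccount}"` entry lets any Kubernetes principal that can create a service account named `${serviceAccount}` in any namespace of the cluster assume this IAM role and everything attached to it, so the role's trust boundary becomes the whole cluster rather than one namespace; that is the PR's intent, but it should be stated at the statement, e.g. `# Any namespace may bind this role through a SA named ${serviceAccount}; replace * with an explicit namespace list if tenants share the cluster`, or the `*` replaced by an enumerated list. The condition also uses `ForAllValues:StringLike`, which AWS documents as overly permissive in Allow statements when a context key is absent; `sub` and `aud` are single-valued in an EKS OIDC token, so plain `"StringLike": {` is the safer operator. In the caller, `_tfplan_role $rolename $saName $namespace -f $flag` passes a bare `-f` when no flag was given, so `flag="$2"` is empty and `shift 2` fails on the single remaining argument; pass it only when set, e.g. `_tfplan_role "$rolename" "$saName" "$namespace" ${flag:+-f "$flag"}`. `_tfplan_role` and the function containing that call both continue outside the shown hunks.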
107 changes: 41 additions & 66 deletions gen3/bin/kube-setup-argo.sh
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,10 @@ function setup_argo_buckets {

# try to come up with a unique but composable bucket name
bucketName="gen3-argo-${accountNumber}-${environment//_/-}"
userName="gen3-argo-${environment//_/-}-user"
nameSpace="$(gen3 db namespace)"
roleName="gen3-argo-${environment//_/-}-role"
bucketPolicy="argo-bucket-policy-${nameSpace}"
internalBucketPolicy="argo-internal-bucket-policy-${nameSpace}"
if [[ ! -z $(g3k_config_lookup '."s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) || ! -z $(g3k_config_lookup '.argo."s3-bucket"') ]]; then
if [[ ! -z $(g3k_config_lookup '."s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) ]]; then
gen3_log_info "Using S3 bucket found in manifest: ${bucketName}"
Expand Down Expand Up @@ -114,70 +117,41 @@ EOF
]
}
EOF
if ! secret="$(g3kubectl get secret argo-s3-creds -n argo 2> /dev/null)"; then
gen3_log_info "setting up bucket $bucketName"

if aws s3 ls --page-size 1 "s3://${bucketName}" > /dev/null 2>&1; then
gen3_log_info "${bucketName} s3 bucket already exists"
# continue on ...
elif ! aws s3 mb "s3://${bucketName}"; then
gen3_log_err "failed to create bucket ${bucketName}"
fi

gen3_log_info "Creating IAM user ${userName}"
if ! aws iam get-user --user-name ${userName} > /dev/null 2>&1; then
aws iam create-user --user-name ${userName} || true
else
gen3_log_info "IAM user ${userName} already exits.."
fi

secret=$(aws iam create-access-key --user-name ${userName})
if ! g3kubectl get namespace argo > /dev/null 2>&1; then
gen3_log_info "Creating argo namespace"
g3kubectl create namespace argo || true
g3kubectl label namespace argo app=argo || true
g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=argo:default -n argo || true
fi
else
# Else we want to recreate the argo-s3-creds secret so make a temp file with the current creds and delete argo-s3-creds secret
gen3_log_info "Argo S3 setup already completed"
local secretFile="$XDG_RUNTIME_DIR/temp_key_file_$$.json"
cat > "$secretFile" <<EOF
{
"AccessKey": {
"AccessKeyId": "$(g3kubectl -n argo get secrets argo-s3-creds -o json | jq -r .data.AccessKeyId | base64 -d)",
"SecretAccessKey": "$(g3kubectl -n argo get secrets argo-s3-creds -o json | jq -r .data.SecretAccessKey | base64 -d)"
}
}
EOF
secret=$(cat $secretFile)
# Create argo SA within the current namespace
gen3_log_info "Creating argo SA in the current namespace"
g3kubectl create sa argo -n $nameSpace | true
if aws s3 ls --page-size 1 "s3://${bucketName}" > /dev/null 2>&1; then
gen3_log_info "${bucketName} s3 bucket already exists"
# continue on ...
elif ! aws s3 mb "s3://${bucketName}"; then
gen3_log_err "failed to create bucket ${bucketName}"
fi

gen3_log_info "Creating s3 creds secret in argo namespace"
if [[ "$ctxNamespace" == "default" || "$ctxNamespace" == "null" ]]; then
if [[ -z $internalBucketName ]]; then
g3kubectl delete secret -n argo argo-s3-creds || true
g3kubectl create secret -n argo generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} || true
g3kubectl create secret generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} || true
else
g3kubectl delete secret -n argo argo-s3-creds || true
g3kubectl create secret -n argo generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} --from-literal=internalbucketname=${internalBucketName} || true
g3kubectl create secret generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} || true
fi
if ! g3kubectl get namespace argo > /dev/null 2>&1; then
gen3_log_info "Creating argo namespace"
g3kubectl create namespace argo || true
g3kubectl label namespace argo app=argo || true
# Grant admin access within the argo namespace to the default SA in the argo namespace
g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=argo:default -n argo || true
fi
gen3_log_info "Creating IAM role ${roleName}"
if aws iam get-role --role-name "${roleName}" > /dev/null 2>&1; then
gen3_log_info "IAM role ${roleName} already exists.."
roleArn=$(aws iam get-role --role-name "${roleName}" --query 'Role.Arn' --output text)
gen3_log_info "Role annotate"
g3kubectl annotate serviceaccount default eks.amazonaws.com/role-arn=${roleArn} -n argo
g3kubectl annotate serviceaccount argo eks.amazonaws.com/role-arn=${roleArn} -n $nameSpace
else
g3kubectl create sa argo || true
# Grant admin access within the current namespace to the argo SA in the current namespace
g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=$(gen3 db namespace):argo -n $(gen3 db namespace) || true
aws iam put-user-policy --user-name ${userName} --policy-name argo-bucket-policy --policy-document file://$policyFile || true
if [[ -z $internalBucketName ]]; then
aws iam put-user-policy --user-name ${userName} --policy-name argo-internal-bucket-policy --policy-document file://$internalBucketPolicyFile || true
g3kubectl create secret generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} || true
else
g3kubectl create secret generic argo-s3-creds --from-literal=AccessKeyId=$(echo $secret | jq -r .AccessKey.AccessKeyId) --from-literal=SecretAccessKey=$(echo $secret | jq -r .AccessKey.SecretAccessKey) --from-literal=bucketname=${bucketName} --from-literal=internalbucketname=${internalBucketName} || true

fi
gen3 awsrole create $roleName argo $nameSpace -f all_namespaces
roleArn=$(aws iam get-role --role-name "${roleName}" --query 'Role.Arn' --output text)
g3kubectl annotate serviceaccount default eks.amazonaws.com/role-arn=${roleArn} -n argo
fi

# Grant admin access within the current namespace to the argo SA in the current namespace
g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=$nameSpace:argo -n $nameSpace || true
aws iam put-role-policy --role-name ${roleName} --policy-name ${bucketPolicy} --policy-document file://$policyFile || true
if [[ -z $internalBucketName ]]; then
aws iam put-role-policy --role-name ${roleName} --policy-name ${internalBucketPolicy} --policy-document file://$internalBucketPolicyFile || true
fi

## if new bucket then do the following
# Get the aws keys from secret
Expand All @@ -189,9 +163,9 @@ EOF
aws s3api put-bucket-lifecycle --bucket ${bucketName} --lifecycle-configuration file://$bucketLifecyclePolicyFile

# Always update the policy, in case manifest buckets change
aws iam put-user-policy --user-name ${userName} --policy-name argo-bucket-policy --policy-document file://$policyFile
aws iam put-role-policy --role-name ${roleName} --policy-name ${bucketPolicy} --policy-document file://$policyFile
if [[ ! -z $internalBucketPolicyFile ]]; then
aws iam put-user-policy --user-name ${userName} --policy-name argo-internal-bucket-policy --policy-document file://$internalBucketPolicyFile
aws iam put-role-policy --role-name ${roleName} --policy-name ${internalBucketPolicy} --policy-document file://$internalBucketPolicyFile
fi
if [[ ! -z $(g3k_config_lookup '.indexd_admin_user' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) || ! -z $(g3k_config_lookup '.argo.indexd_admin_user') ]]; then
if [[ ! -z $(g3k_config_lookup '.indexd_admin_user' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) ]]; then
Expand Down Expand Up @@ -231,11 +205,12 @@ if [[ "$ctxNamespace" == "default" || "$ctxNamespace" == "null" ]]; then
if (! helm status argo -n argo > /dev/null 2>&1 ) || [[ "$1" == "--force" ]]; then
DBHOST=$(kubectl get secrets -n argo argo-db-creds -o json | jq -r .data.db_host | base64 -d)
DBNAME=$(kubectl get secrets -n argo argo-db-creds -o json | jq -r .data.db_database | base64 -d)
if [[ -z $(kubectl get secrets -n argo argo-s3-creds -o json | jq -r .data.internalbucketname | base64 -d) ]]; then
BUCKET=$(kubectl get secrets -n argo argo-s3-creds -o json | jq -r .data.bucketname | base64 -d)
if [[ -z $internalBucketName ]]; then
BUCKET=$bucketName
else
BUCKET=$(kubectl get secrets -n argo argo-s3-creds -o json | jq -r .data.internalbucketname | base64 -d)
BUCKET=$internalBucketName
fi

valuesFile="$XDG_RUNTIME_DIR/values_$$.yaml"
valuesTemplate="${GEN3_HOME}/kube/services/argo/values.yaml"

Expand Down
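Review bot: `g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=$nameSpace:argo -n $nameSpace` grants the workflow service account the built-in `admin` ClusterRole in every namespace this script is run for, which includes read/write on all Secrets and on Roles/RoleBindings there; since the same SA is annotated with the S3 IAM role, any workflow submitted as `argo` can read that namespace's credentials and reach the bucket, so a namespace Role limited to what the executor and usersync need (pods, pods/log, workflowtaskresults, the specific secrets) would be the least-privilege shape, or at minimum a comment explaining why `admin` is required. `g3kubectl create sa argo -n $nameSpace | true` pipes kubectl's output into `true` rather than tolerating a failure; it should read `g3kubectl create sa argo -n $nameSpace || true` like the neighbouring commands. The `argo-s3-creds` creation still reads `$(echo $secret | jq -r .AccessKey.AccessKeyId)`, yet the `aws iam create-access-key` assignment to `secret` appears only among the removed lines — if nothing else sets it, the secret is written with empty key fields, and the `else` branch no longer carries `internalbucketname`; worth confirming before merge. `setup_argo_buckets` opens at the top of this section and continues past its end.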
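--- /dev/null
+++ b/kube/services/argo/workflows/fence-usersync-cron.yaml
@@ -0,0 +1,10 @@
+apiVersion: argoproj.io/v1alpha1
+kind: CronWorkflow
+metadata:
+  name: fence-usersync-cron
+spec:
+  serviceAccountName: argo
+  schedule: "*/30 * * * *"
+  workflowSpec:
+    workflowTemplateRef:
+      name: fence-usersync-workflow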
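Review bot: `serviceAccountName: argo` is placed directly under `spec:`, but in a CronWorkflow the service account is a field of the embedded `workflowSpec`, not of the CronWorkflow spec itself, so as written it is likely ignored (or rejected by strict validation) and the run would execute as whatever the referenced template or the namespace default provides; move it under `workflowSpec:` next to `workflowTemplateRef`. There is also no `concurrencyPolicy`, and Argo's default is `Allow`, so a usersync that outlasts the 30-minute interval overlaps with the next run; adding `concurrencyPolicy: Forbid` under `spec:` keeps two usersyncs from writing to fence at the same time.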