From 8ebf433d146ef89fe40884504fd789774cbf94c5 Mon Sep 17 00:00:00 2001
From: Anton Gilgur <4970083+agilgur5@users.noreply.github.com>
Date: Sat, 17 Feb 2024 00:03:13 -0500
Subject: [PATCH] build(manifests): `quick-start` should use `cluster-install` (#12557)
Signed-off-by: Anton Gilgur
---
 .github/workflows/ci-build.yaml | 1 +
 docs/quick-start.md | 16 -
 manifests/quick-start-minimal.yaml | 606 +++++++++++------
 manifests/quick-start-mysql.yaml | 606 +++++++++++------
 manifests/quick-start-postgres.yaml | 606 +++++++++++------
 manifests/quick-start/base/kustomization.yaml | 2 +-
 .../base/overlays/argo-server-deployment.yaml | 1 -
 7 files changed, 1094 insertions(+), 744 deletions(-)
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 5964dc9b499a..e378828ec6aa 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -72,6 +72,7 @@ jobs:
 - pkg/**
 - cmd/**
 - examples/** # examples are used within the fields lists
+ - manifests/** # a few of these are generated and committed
 # generation scripts
 - hack/cli/**
 - hack/jsonschema/**
diff --git a/docs/quick-start.md b/docs/quick-start.md
index 4c469f181cc4..4f3c20de4b3a 100644
--- a/docs/quick-start.md
+++ b/docs/quick-start.md
@@ -27,22 +27,6 @@ kubectl create namespace argo kubectl apply -n argo -f https://github.com/argoproj/argo-workflows/releases/download/v<>/quick-start-minimal.yaml ``` -### Patch argo-server authentication - -The argo-server (and thus the UI) defaults to client authentication, which requires clients to provide their Kubernetes bearer token to authenticate. For more information, refer to the [Argo Server Auth Mode documentation](argo-server-auth-mode.md). We will switch the authentication mode to `server` so that we can bypass the UI login for now: - -```bash -kubectl patch deployment \ - argo-server \ - --namespace argo \ - --type='json' \ - -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": [ - "server", - "--auth-mode=server" -]}]' - -``` - ### Port-forward the UI Open a port-forward so you can access the UI: diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml index 394f0eb64abd..371158156f1a 100644 --- a/manifests/quick-start-minimal.yaml +++ b/manifests/quick-start-minimal.yaml @@ -891,11 +891,13 @@ apiVersion: v1 kind: ServiceAccount metadata: name: argo + namespace: argo --- apiVersion: v1 kind: ServiceAccount metadata: name: argo-server + namespace: argo --- apiVersion: v1 kind: ServiceAccount @@ -904,6 +906,27 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + name: argo-role + namespace: argo +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: annotations: workflows.argoproj.io/description: | 
@@ -929,16 +952,198 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: argo-role + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use artifact GC. + name: artifactgc rules: - apiGroups: - - coordination.k8s.io + - argoproj.io resources: - - leases + - workflowartifactgctasks + verbs: + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowartifactgctasks/status + verbs: + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. + name: executor +rules: +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service + name: pod-manager +rules: +- apiGroups: + - "" + resources: + - pods verbs: - create - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: submit-workflow-template +rules: +- apiGroups: + - argoproj.io + resources: + - workfloweventbindings + verbs: + - list +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. 
a service + name: workflow-manager +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: argo-aggregate-to-admin +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: argo-aggregate-to-edit +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: argo-aggregate-to-view +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - 
workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argo-cluster-role +rules: - apiGroups: - "" resources: @@ -991,6 +1196,8 @@ rules: resources: - workflowtemplates - workflowtemplates/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers verbs: - get - list @@ -1010,12 +1217,6 @@ rules: verbs: - get - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - apiGroups: - argoproj.io resources: 
@@ -1045,182 +1246,85 @@ rules: - delete --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: - name: argo-server-role + name: argo-clusterworkflowtemplate-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create -- apiGroups: - - "" - resources: - - pods - - pods/exec - - pods/log - verbs: - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - watch - - create - - patch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch - apiGroups: - argoproj.io resources: - - eventsources - - sensors - - workflows - - workfloweventbindings - - workflowtemplates - - cronworkflows - - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers verbs: - - create - get - list - watch - - update - - patch - - delete --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: - annotations: - workflows.argoproj.io/description: | - This is the minimum recommended permissions needed if you want to use artifact GC. - name: artifactgc + name: argo-server-cluster-role rules: - apiGroups: - - argoproj.io + - "" resources: - - workflowartifactgctasks + - configmaps verbs: - - list + - get - watch + - list - apiGroups: - - argoproj.io - resources: - - workflowartifactgctasks/status - verbs: - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - workflows.argoproj.io/description: | - Recomended minimum permissions for the `emissary` executor. 
- name: executor -rules: -- apiGroups: - - argoproj.io + - "" resources: - - workflowtaskresults + - secrets verbs: + - get - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - workflows.argoproj.io/description: | - This is an example of the permissions you would need if you wanted to use a resource template to create and manage - other pods. The same pattern would be suitable for other resurces, e.g. a service - name: pod-manager -rules: - apiGroups: - "" resources: - pods + - pods/exec + - pods/log verbs: - - create - get - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: submit-workflow-template -rules: -- apiGroups: - - argoproj.io - resources: - - workfloweventbindings - verbs: - list + - watch + - delete - apiGroups: - - argoproj.io - resources: - - workflowtemplates - verbs: - - get -- apiGroups: - - argoproj.io + - "" resources: - - workflows + - events verbs: + - watch - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - workflows.argoproj.io/description: | - This is an example of the permissions you would need if you wanted to use a resource template to create and manage - other workflows. The same pattern would be suitable for other resurces, e.g. a service - name: workflow-manager -rules: + - patch - apiGroups: - - argoproj.io + - "" resources: - - workflows + - serviceaccounts verbs: - - create - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-clusterworkflowtemplate-role -rules: + - list + - watch - apiGroups: - argoproj.io resources: + - eventsources + - sensors + - workflows + - workfloweventbindings + - workflowtemplates + - cronworkflows - clusterworkflowtemplates - - clusterworkflowtemplates/finalizers verbs: + - create - get - list - watch + - update + - patch + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -1242,20 +1346,9 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding -metadata: - name: agent-default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: agent -subjects: -- kind: ServiceAccount - name: default ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding metadata: name: argo-binding + namespace: argo roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -1263,18 +1356,19 @@ roleRef: subjects: - kind: ServiceAccount name: argo + namespace: argo --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: argo-server-binding + name: agent-default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: argo-server-role + name: agent subjects: - kind: ServiceAccount - name: argo-server + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -1339,6 +1433,19 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: argo-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-cluster-role +subjects: +- kind: ServiceAccount + name: argo + namespace: argo +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: argo-clusterworkflowtemplate-role-binding roleRef: 
@@ -1353,48 +1460,28 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: argo-server-clusterworkflowtemplate-role-binding + name: argo-server-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: argo-server-clusterworkflowtemplate-role + name: argo-server-cluster-role subjects: - kind: ServiceAccount name: argo-server namespace: argo --- -apiVersion: v1 -data: - default-v1: | - archiveLogs: true - s3: - bucket: my-bucket - endpoint: minio:9000 - insecure: true - accessKeySecret: - name: my-minio-cred - key: accesskey - secretKeySecret: - name: my-minio-cred - key: secretkey - empty: "" - my-key: | - archiveLogs: true - s3: - bucket: my-bucket - endpoint: minio:9000 - insecure: true - accessKeySecret: - name: my-minio-cred - key: accesskey - secretKeySecret: - name: my-minio-cred - key: secretkey -kind: ConfigMap +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: - annotations: - workflows.argoproj.io/default-artifact-repository: default-v1 - name: artifact-repositories + name: argo-server-clusterworkflowtemplate-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-server-clusterworkflowtemplate-role +subjects: +- kind: ServiceAccount + name: argo-server + namespace: argo --- apiVersion: v1 data: 
@@ -1452,6 +1539,40 @@ data: kind: ConfigMap metadata: name: workflow-controller-configmap + namespace: argo +--- +apiVersion: v1 +data: + default-v1: | + archiveLogs: true + s3: + bucket: my-bucket + endpoint: minio:9000 + insecure: true + accessKeySecret: + name: my-minio-cred + key: accesskey + secretKeySecret: + name: my-minio-cred + key: secretkey + empty: "" + my-key: | + archiveLogs: true + s3: + bucket: my-bucket + endpoint: minio:9000 + insecure: true + accessKeySecret: + name: my-minio-cred + key: accesskey + secretKeySecret: + name: my-minio-cred + key: secretkey +kind: ConfigMap +metadata: + annotations: + workflows.argoproj.io/default-artifact-repository: default-v1 + name: artifact-repositories --- apiVersion: v1 kind: Secret @@ -1605,6 +1726,7 @@ apiVersion: v1 kind: Service metadata: name: argo-server + namespace: argo spec: ports: - name: web @@ -1657,6 +1779,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: argo-server + namespace: argo spec: selector: matchLabels: @@ -1669,7 +1792,6 @@ spec: containers: - args: - server - - --namespaced - --auth-mode - server - --auth-mode 
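Review bot: Removing `- --namespaced` from the argo-server args while `--auth-mode` `server` stays in the list means anyone who can reach the server acts with the `argo-server` ServiceAccount across the whole cluster rather than only in the `argo` namespace. Earlier hunks in this file bind that account, through the ClusterRoleBinding `argo-server-binding`, to the new `argo-server-cluster-role`, which grants `get`/`create` on `secrets` and `get`/`list`/`watch`/`delete` on `pods`, `pods/exec` and `pods/log` in every namespace. This file looks like kustomize output, so the fix belongs in `manifests/quick-start/base`: either keep the quick-start namespace-scoped with `- --namespaced`, or remove `server` from the auth modes so requests carry the caller's own token. If the cluster-wide install is intended, `docs/quick-start.md` should state that the manifest is for disposable test clusters only. The same args change appears in the `quick-start-mysql.yaml` section; the rest of the container spec lies outside this hunk, so the full auth-mode list should be confirmed there.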
@@ -1708,6 +1830,58 @@ spec: --- apiVersion: apps/v1 kind: Deployment +metadata: + name: workflow-controller + namespace: argo +spec: + selector: + matchLabels: + app: workflow-controller + template: + metadata: + labels: + app: workflow-controller + spec: + containers: + - args: [] + command: + - workflow-controller + env: + - name: LEADER_ELECTION_IDENTITY + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: quay.io/argoproj/workflow-controller:latest + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 6060 + initialDelaySeconds: 90 + periodSeconds: 60 + timeoutSeconds: 30 + name: workflow-controller + ports: + - containerPort: 9090 + name: metrics + - containerPort: 6060 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: workflow-controller + securityContext: + runAsNonRoot: true + serviceAccountName: argo +--- +apiVersion: apps/v1 +kind: Deployment metadata: labels: app: httpbin 
@@ -1795,55 +1969,3 @@ spec: port: 9000 initialDelaySeconds: 5 periodSeconds: 10 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: workflow-controller -spec: - selector: - matchLabels: - app: workflow-controller - template: - metadata: - labels: - app: workflow-controller - spec: - containers: - - args: - - --namespaced - command: - - workflow-controller - env: - - name: LEADER_ELECTION_IDENTITY - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - image: quay.io/argoproj/workflow-controller:latest - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 6060 - initialDelaySeconds: 90 - periodSeconds: 60 - timeoutSeconds: 30 - name: workflow-controller - ports: - - containerPort: 9090 - name: metrics - - containerPort: 6060 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: workflow-controller - securityContext: - runAsNonRoot: true - serviceAccountName: argo diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index a697071215f9..568a948fa55a 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml @@ -891,11 +891,13 @@ apiVersion: v1 kind: ServiceAccount metadata: name: argo + namespace: argo --- apiVersion: v1 kind: ServiceAccount metadata: name: argo-server + namespace: argo --- apiVersion: v1 kind: ServiceAccount @@ -904,6 +906,27 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + name: argo-role + namespace: argo +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: annotations: workflows.argoproj.io/description: | 
@@ -929,16 +952,198 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: argo-role + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use artifact GC. + name: artifactgc rules: - apiGroups: - - coordination.k8s.io + - argoproj.io resources: - - leases + - workflowartifactgctasks + verbs: + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowartifactgctasks/status + verbs: + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. + name: executor +rules: +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service + name: pod-manager +rules: +- apiGroups: + - "" + resources: + - pods verbs: - create - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: submit-workflow-template +rules: +- apiGroups: + - argoproj.io + resources: + - workfloweventbindings + verbs: + - list +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. 
a service + name: workflow-manager +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: argo-aggregate-to-admin +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: argo-aggregate-to-edit +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: argo-aggregate-to-view +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - 
workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argo-cluster-role +rules: - apiGroups: - "" resources: @@ -991,6 +1196,8 @@ rules: resources: - workflowtemplates - workflowtemplates/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers verbs: - get - list @@ -1010,12 +1217,6 @@ rules: verbs: - get - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - apiGroups: - argoproj.io resources: 
@@ -1045,182 +1246,85 @@ rules: - delete --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: - name: argo-server-role + name: argo-clusterworkflowtemplate-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create -- apiGroups: - - "" - resources: - - pods - - pods/exec - - pods/log - verbs: - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - watch - - create - - patch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch - apiGroups: - argoproj.io resources: - - eventsources - - sensors - - workflows - - workfloweventbindings - - workflowtemplates - - cronworkflows - - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers verbs: - - create - get - list - watch - - update - - patch - - delete --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: - annotations: - workflows.argoproj.io/description: | - This is the minimum recommended permissions needed if you want to use artifact GC. - name: artifactgc + name: argo-server-cluster-role rules: - apiGroups: - - argoproj.io + - "" resources: - - workflowartifactgctasks + - configmaps verbs: - - list + - get - watch + - list - apiGroups: - - argoproj.io - resources: - - workflowartifactgctasks/status - verbs: - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - workflows.argoproj.io/description: | - Recomended minimum permissions for the `emissary` executor. 
- name: executor -rules: -- apiGroups: - - argoproj.io + - "" resources: - - workflowtaskresults + - secrets verbs: + - get - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - workflows.argoproj.io/description: | - This is an example of the permissions you would need if you wanted to use a resource template to create and manage - other pods. The same pattern would be suitable for other resurces, e.g. a service - name: pod-manager -rules: - apiGroups: - "" resources: - pods + - pods/exec + - pods/log verbs: - - create - get - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: submit-workflow-template -rules: -- apiGroups: - - argoproj.io - resources: - - workfloweventbindings - verbs: - list + - watch + - delete - apiGroups: - - argoproj.io - resources: - - workflowtemplates - verbs: - - get -- apiGroups: - - argoproj.io + - "" resources: - - workflows + - events verbs: + - watch - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - workflows.argoproj.io/description: | - This is an example of the permissions you would need if you wanted to use a resource template to create and manage - other workflows. The same pattern would be suitable for other resurces, e.g. a service - name: workflow-manager -rules: + - patch - apiGroups: - - argoproj.io + - "" resources: - - workflows + - serviceaccounts verbs: - - create - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-clusterworkflowtemplate-role -rules: + - list + - watch - apiGroups: - argoproj.io resources: + - eventsources + - sensors + - workflows + - workfloweventbindings + - workflowtemplates + - cronworkflows - clusterworkflowtemplates - - clusterworkflowtemplates/finalizers verbs: + - create - get - list - watch + - update + - patch + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -1242,20 +1346,9 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding -metadata: - name: agent-default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: agent -subjects: -- kind: ServiceAccount - name: default ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding metadata: name: argo-binding + namespace: argo roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -1263,18 +1356,19 @@ roleRef: subjects: - kind: ServiceAccount name: argo + namespace: argo --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: argo-server-binding + name: agent-default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: argo-server-role + name: agent subjects: - kind: ServiceAccount - name: argo-server + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -1339,6 +1433,19 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: argo-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-cluster-role +subjects: +- kind: ServiceAccount + name: argo + namespace: argo +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: argo-clusterworkflowtemplate-role-binding roleRef: 
@@ -1353,48 +1460,28 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: argo-server-clusterworkflowtemplate-role-binding + name: argo-server-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: argo-server-clusterworkflowtemplate-role + name: argo-server-cluster-role subjects: - kind: ServiceAccount name: argo-server namespace: argo --- -apiVersion: v1 -data: - default-v1: | - archiveLogs: true - s3: - bucket: my-bucket - endpoint: minio:9000 - insecure: true - accessKeySecret: - name: my-minio-cred - key: accesskey - secretKeySecret: - name: my-minio-cred - key: secretkey - empty: "" - my-key: | - archiveLogs: true - s3: - bucket: my-bucket - endpoint: minio:9000 - insecure: true - accessKeySecret: - name: my-minio-cred - key: accesskey - secretKeySecret: - name: my-minio-cred - key: secretkey -kind: ConfigMap +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: - annotations: - workflows.argoproj.io/default-artifact-repository: default-v1 - name: artifact-repositories + name: argo-server-clusterworkflowtemplate-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-server-clusterworkflowtemplate-role +subjects: +- kind: ServiceAccount + name: argo-server + namespace: argo --- apiVersion: v1 data: 
@@ -1471,6 +1558,40 @@ data: kind: ConfigMap metadata: name: workflow-controller-configmap + namespace: argo +--- +apiVersion: v1 +data: + default-v1: | + archiveLogs: true + s3: + bucket: my-bucket + endpoint: minio:9000 + insecure: true + accessKeySecret: + name: my-minio-cred + key: accesskey + secretKeySecret: + name: my-minio-cred + key: secretkey + empty: "" + my-key: | + archiveLogs: true + s3: + bucket: my-bucket + endpoint: minio:9000 + insecure: true + accessKeySecret: + name: my-minio-cred + key: accesskey + secretKeySecret: + name: my-minio-cred + key: secretkey +kind: ConfigMap +metadata: + annotations: + workflows.argoproj.io/default-artifact-repository: default-v1 + name: artifact-repositories --- apiVersion: v1 kind: Secret @@ -1635,6 +1756,7 @@ apiVersion: v1 kind: Service metadata: name: argo-server + namespace: argo spec: ports: - name: web @@ -1701,6 +1823,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: argo-server + namespace: argo spec: selector: matchLabels: @@ -1713,7 +1836,6 @@ spec: containers: - args: - server - - --namespaced - --auth-mode - server - --auth-mode 
@@ -1752,6 +1874,58 @@ spec: --- apiVersion: apps/v1 kind: Deployment +metadata: + name: workflow-controller + namespace: argo +spec: + selector: + matchLabels: + app: workflow-controller + template: + metadata: + labels: + app: workflow-controller + spec: + containers: + - args: [] + command: + - workflow-controller + env: + - name: LEADER_ELECTION_IDENTITY + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: quay.io/argoproj/workflow-controller:latest + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 6060 + initialDelaySeconds: 90 + periodSeconds: 60 + timeoutSeconds: 30 + name: workflow-controller + ports: + - containerPort: 9090 + name: metrics + - containerPort: 6060 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: workflow-controller + securityContext: + runAsNonRoot: true + serviceAccountName: argo +--- +apiVersion: apps/v1 +kind: Deployment metadata: labels: app: httpbin 
@@ -1878,55 +2052,3 @@ spec: port: 3306 nodeSelector: kubernetes.io/os: linux ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: workflow-controller -spec: - selector: - matchLabels: - app: workflow-controller - template: - metadata: - labels: - app: workflow-controller - spec: - containers: - - args: - - --namespaced - command: - - workflow-controller - env: - - name: LEADER_ELECTION_IDENTITY - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - image: quay.io/argoproj/workflow-controller:latest - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 6060 - initialDelaySeconds: 90 - periodSeconds: 60 - timeoutSeconds: 30 - name: workflow-controller - ports: - - containerPort: 9090 - name: metrics - - containerPort: 6060 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: workflow-controller - securityContext: - runAsNonRoot: true - serviceAccountName: argo diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index 3cfacf0160c3..8c7c488f09c1 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml @@ -891,11 +891,13 @@ apiVersion: v1 kind: ServiceAccount metadata: name: argo + namespace: argo --- apiVersion: v1 kind: ServiceAccount metadata: name: argo-server + namespace: argo --- apiVersion: v1 kind: ServiceAccount @@ -904,6 +906,27 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + name: argo-role + namespace: argo +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: annotations: workflows.argoproj.io/description: | 
@@ -929,16 +952,198 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: argo-role + annotations: + workflows.argoproj.io/description: | + This is the minimum recommended permissions needed if you want to use artifact GC. + name: artifactgc rules: - apiGroups: - - coordination.k8s.io + - argoproj.io resources: - - leases + - workflowartifactgctasks + verbs: + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowartifactgctasks/status + verbs: + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + Recomended minimum permissions for the `emissary` executor. + name: executor +rules: +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other pods. The same pattern would be suitable for other resurces, e.g. a service + name: pod-manager +rules: +- apiGroups: + - "" + resources: + - pods verbs: - create - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: submit-workflow-template +rules: +- apiGroups: + - argoproj.io + resources: + - workfloweventbindings + verbs: + - list +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + workflows.argoproj.io/description: | + This is an example of the permissions you would need if you wanted to use a resource template to create and manage + other workflows. The same pattern would be suitable for other resurces, e.g. 
a service + name: workflow-manager +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: argo-aggregate-to-admin +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: argo-aggregate-to-edit +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: argo-aggregate-to-view +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - 
workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argo-cluster-role +rules: - apiGroups: - "" resources: @@ -991,6 +1196,8 @@ rules: resources: - workflowtemplates - workflowtemplates/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers verbs: - get - list @@ -1010,12 +1217,6 @@ rules: verbs: - get - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - apiGroups: - argoproj.io resources: 
@@ -1045,182 +1246,85 @@ rules: - delete --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: - name: argo-server-role + name: argo-clusterworkflowtemplate-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create -- apiGroups: - - "" - resources: - - pods - - pods/exec - - pods/log - verbs: - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - watch - - create - - patch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch - apiGroups: - argoproj.io resources: - - eventsources - - sensors - - workflows - - workfloweventbindings - - workflowtemplates - - cronworkflows - - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers verbs: - - create - get - list - watch - - update - - patch - - delete --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: - annotations: - workflows.argoproj.io/description: | - This is the minimum recommended permissions needed if you want to use artifact GC. - name: artifactgc + name: argo-server-cluster-role rules: - apiGroups: - - argoproj.io + - "" resources: - - workflowartifactgctasks + - configmaps verbs: - - list + - get - watch + - list - apiGroups: - - argoproj.io - resources: - - workflowartifactgctasks/status - verbs: - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - workflows.argoproj.io/description: | - Recomended minimum permissions for the `emissary` executor. 
- name: executor -rules: -- apiGroups: - - argoproj.io + - "" resources: - - workflowtaskresults + - secrets verbs: + - get - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - workflows.argoproj.io/description: | - This is an example of the permissions you would need if you wanted to use a resource template to create and manage - other pods. The same pattern would be suitable for other resurces, e.g. a service - name: pod-manager -rules: - apiGroups: - "" resources: - pods + - pods/exec + - pods/log verbs: - - create - get - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: submit-workflow-template -rules: -- apiGroups: - - argoproj.io - resources: - - workfloweventbindings - verbs: - list + - watch + - delete - apiGroups: - - argoproj.io - resources: - - workflowtemplates - verbs: - - get -- apiGroups: - - argoproj.io + - "" resources: - - workflows + - events verbs: + - watch - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - workflows.argoproj.io/description: | - This is an example of the permissions you would need if you wanted to use a resource template to create and manage - other workflows. The same pattern would be suitable for other resurces, e.g. a service - name: workflow-manager -rules: + - patch - apiGroups: - - argoproj.io + - "" resources: - - workflows + - serviceaccounts verbs: - - create - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-clusterworkflowtemplate-role -rules: + - list + - watch - apiGroups: - argoproj.io resources: + - eventsources + - sensors + - workflows + - workfloweventbindings + - workflowtemplates + - cronworkflows - clusterworkflowtemplates - - clusterworkflowtemplates/finalizers verbs: + - create - get - list - watch + - update + - patch + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -1242,20 +1346,9 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding -metadata: - name: agent-default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: agent -subjects: -- kind: ServiceAccount - name: default ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding metadata: name: argo-binding + namespace: argo roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -1263,18 +1356,19 @@ roleRef: subjects: - kind: ServiceAccount name: argo + namespace: argo --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: argo-server-binding + name: agent-default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: argo-server-role + name: agent subjects: - kind: ServiceAccount - name: argo-server + name: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -1339,6 +1433,19 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: argo-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-cluster-role +subjects: +- kind: ServiceAccount + name: argo + namespace: argo +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: argo-clusterworkflowtemplate-role-binding roleRef: 
@@ -1353,48 +1460,28 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: argo-server-clusterworkflowtemplate-role-binding + name: argo-server-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: argo-server-clusterworkflowtemplate-role + name: argo-server-cluster-role subjects: - kind: ServiceAccount name: argo-server namespace: argo --- -apiVersion: v1 -data: - default-v1: | - archiveLogs: true - s3: - bucket: my-bucket - endpoint: minio:9000 - insecure: true - accessKeySecret: - name: my-minio-cred - key: accesskey - secretKeySecret: - name: my-minio-cred - key: secretkey - empty: "" - my-key: | - archiveLogs: true - s3: - bucket: my-bucket - endpoint: minio:9000 - insecure: true - accessKeySecret: - name: my-minio-cred - key: accesskey - secretKeySecret: - name: my-minio-cred - key: secretkey -kind: ConfigMap +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: - annotations: - workflows.argoproj.io/default-artifact-repository: default-v1 - name: artifact-repositories + name: argo-server-clusterworkflowtemplate-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-server-clusterworkflowtemplate-role +subjects: +- kind: ServiceAccount + name: argo-server + namespace: argo --- apiVersion: v1 data: 
@@ -1471,6 +1558,40 @@ data: kind: ConfigMap metadata: name: workflow-controller-configmap + namespace: argo +--- +apiVersion: v1 +data: + default-v1: | + archiveLogs: true + s3: + bucket: my-bucket + endpoint: minio:9000 + insecure: true + accessKeySecret: + name: my-minio-cred + key: accesskey + secretKeySecret: + name: my-minio-cred + key: secretkey + empty: "" + my-key: | + archiveLogs: true + s3: + bucket: my-bucket + endpoint: minio:9000 + insecure: true + accessKeySecret: + name: my-minio-cred + key: accesskey + secretKeySecret: + name: my-minio-cred + key: secretkey +kind: ConfigMap +metadata: + annotations: + workflows.argoproj.io/default-artifact-repository: default-v1 + name: artifact-repositories --- apiVersion: v1 kind: Secret @@ -1635,6 +1756,7 @@ apiVersion: v1 kind: Service metadata: name: argo-server + namespace: argo spec: ports: - name: web @@ -1701,6 +1823,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: argo-server + namespace: argo spec: selector: matchLabels: @@ -1713,7 +1836,6 @@ spec: containers: - args: - server - - --namespaced - --auth-mode - server - --auth-mode 
@@ -1752,6 +1874,58 @@ spec: --- apiVersion: apps/v1 kind: Deployment +metadata: + name: workflow-controller + namespace: argo +spec: + selector: + matchLabels: + app: workflow-controller + template: + metadata: + labels: + app: workflow-controller + spec: + containers: + - args: [] + command: + - workflow-controller + env: + - name: LEADER_ELECTION_IDENTITY + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: quay.io/argoproj/workflow-controller:latest + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 6060 + initialDelaySeconds: 90 + periodSeconds: 60 + timeoutSeconds: 30 + name: workflow-controller + ports: + - containerPort: 9090 + name: metrics + - containerPort: 6060 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: workflow-controller + securityContext: + runAsNonRoot: true + serviceAccountName: argo +--- +apiVersion: apps/v1 +kind: Deployment metadata: labels: app: httpbin 
@@ -1876,55 +2050,3 @@ spec: timeoutSeconds: 2 nodeSelector: kubernetes.io/os: linux ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: workflow-controller -spec: - selector: - matchLabels: - app: workflow-controller - template: - metadata: - labels: - app: workflow-controller - spec: - containers: - - args: - - --namespaced - command: - - workflow-controller - env: - - name: LEADER_ELECTION_IDENTITY - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - image: quay.io/argoproj/workflow-controller:latest - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 6060 - initialDelaySeconds: 90 - periodSeconds: 60 - timeoutSeconds: 30 - name: workflow-controller - ports: - - containerPort: 9090 - name: metrics - - containerPort: 6060 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: workflow-controller - securityContext: - runAsNonRoot: true - serviceAccountName: argo diff --git a/manifests/quick-start/base/kustomization.yaml b/manifests/quick-start/base/kustomization.yaml index 317a8c472904..75a3516262b3 100644 --- a/manifests/quick-start/base/kustomization.yaml +++ b/manifests/quick-start/base/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../namespace-install + - ../../cluster-install - minio - httpbin - webhooks diff --git a/manifests/quick-start/base/overlays/argo-server-deployment.yaml b/manifests/quick-start/base/overlays/argo-server-deployment.yaml index de2bd7d54bef..698e9dc36aaa 100644 --- a/manifests/quick-start/base/overlays/argo-server-deployment.yaml +++ b/manifests/quick-start/base/overlays/argo-server-deployment.yaml @@ -9,7 +9,6 @@ spec: - name: argo-server args: - server - - --namespaced - --auth-mode - server - --auth-mode
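Review bot: The switch to `../../cluster-install` in `manifests/quick-start/base/kustomization.yaml` widens what the quick-start's login-free server can reach, and nothing in the file records that. The regenerated manifests in this patch keep `--auth-mode server` in the argo-server args while replacing the namespaced `argo-server-role` with a ClusterRoleBinding to `argo-server-cluster-role`, whose rules include `secrets` get/create and `pods`, `pods/exec`, `pods/log` get/list/watch/delete. As far as these hunks show, a request that reaches the server without credentials would then act with those rights in every namespace rather than only in `argo`. I would add a comment above the resource entry, for example `# cluster-install: cluster-wide RBAC; with --auth-mode server this is for local/dev clusters only`. A matching sentence in docs/quick-start.md would help too, since this commit removes the section that explained the auth-mode trade-off.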