Initial upload

otc/ABC/stacks/ref-implementation/argo-workflows/manifests/base/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - install.yaml

otc/ABC/stacks/ref-implementation/argo-workflows/manifests/dev/external-secret.yaml

@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-oidc
+  namespace: argo
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  target:
+    name: keycloak-oidc
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: keycloak-clients
+        property: ARGO_WORKFLOWS_CLIENT_ID
+    - secretKey: secret-key
+      remoteRef:
+        key: keycloak-clients
+        property: ARGO_WORKFLOWS_CLIENT_SECRET

otc/ABC/stacks/ref-implementation/argo-workflows/manifests/dev/kustomization.yaml

@@ -0,0 +1,7 @@
+resources:
+  - ../base
+  - external-secret.yaml
+  - sa-admin.yaml
+patches:
+  - path: patches/cm-argo-workflows.yaml
+  - path: patches/deployment-argo-server.yaml

otc/ABC/stacks/ref-implementation/argo-workflows/manifests/dev/patches/cm-argo-workflows.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: workflow-controller-configmap
+  namespace: argo
+data:
+  config: |
+    sso:
+      insecureSkipVerify: true 
+      issuer: https://ABC/keycloak/realms/cnoe
+      clientId:
+        name: keycloak-oidc
+        key: client-id
+      clientSecret:
+        name: keycloak-oidc
+        key: secret-key
+      redirectUrl: https://ABC:443/argo-workflows/oauth2/callback
+      rbac:
+        enabled: true
+      scopes:
+        - openid
+        - profile
+        - email
+        - groups
+    nodeEvents:
+      enabled: false

otc/ABC/stacks/ref-implementation/argo-workflows/manifests/dev/patches/deployment-argo-server.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argo-server
+  namespace: argo
+  annotations:
+    argocd.argoproj.io/sync-wave: "20"
+spec:
+  template:
+    spec:
+      containers:
+        - name: argo-server
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 2746
+              scheme: HTTP
+          env:
+            - name: BASE_HREF
+              value: "/argo-workflows/"
+          args:
+            - server
+            - --configmap=workflow-controller-configmap
+            - --auth-mode=client
+            - --auth-mode=sso
+            - "--secure=false"
+            - "--loglevel"
+            - "info"
+            - "--log-format"
+            - "text"

otc/ABC/stacks/ref-implementation/argo-workflows/manifests/dev/sa-admin.yaml

@@ -0,0 +1,32 @@
+# Used by users in the admin group
+# TODO Need to tighten up permissions.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin
+  namespace: argo
+  annotations:
+    workflows.argoproj.io/rbac-rule: "'admin' in groups"
+    workflows.argoproj.io/rbac-rule-precedence: "10"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: admin
+    namespace: argo
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: admin.service-account-token
+  annotations:
+    kubernetes.io/service-account.name: admin
+  namespace: argo
+type: kubernetes.io/service-account-token