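---
# Credentials Argo Workflows uses to reach the MinIO artifact repository.
# SECURITY: "minioadmin" is MinIO's well-known default root credential.
# Replace both values before applying, and prefer creating this Secret out of
# band (secret manager / encrypted manifests) instead of committing it.
apiVersion: v1
kind: Secret
metadata:
  name: argo-artifacts
  namespace: ml
type: Opaque
stringData:
  accesskey: "minioadmin"  # <-- change
  secretkey: "minioadmin"  # <-- change
---
# Workflow controller configuration: default S3 (MinIO) artifact repository.
# The value of `config` is itself YAML, read by the controller.
apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
  namespace: ml
data:
  config: |
    artifactRepository:
      s3:
        bucket: argo-artifacts
        endpoint: minio.betelgeusebytes.io  # no scheme here
        insecure: false  # https via Ingress
        accessKeySecret:
          name: argo-artifacts
          key: accesskey
        secretKeySecret:
          name: argo-artifacts
          key: secretkey
        keyFormat: "{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}"
---
# k8s/argo/workflows/ns-rbac.yaml
# ServiceAccount shared by the workflow controller and the Argo server below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-server
  namespace: ml
---
# Namespace-scoped permissions bound to the argo-server ServiceAccount.
# NOTE(review): one Role serves both the controller and the API server, and it
# grants full read/write on Secrets and ServiceAccounts in `ml`. Consider one
# ServiceAccount/Role per component and narrowing the core-group verbs (for
# example read-only on secrets) once the required set has been confirmed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-namespaced
  namespace: ml
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
      - secrets
      - configmaps
      - events
      - persistentvolumeclaims
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  # Leases are used for controller leader election.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
      - workflowtemplates
      - cronworkflows
      - workfloweventbindings
      - sensors
      - eventsources
      - workflowtasksets
      - workflowartifactgctasks
      - workflowtaskresults
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-namespaced-binding
  namespace: ml
subjects:
  - kind: ServiceAccount
    name: argo-server
    namespace: ml
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-namespaced
---
# k8s/argo/workflows/controller.yaml
# Workflow controller, restricted to its own namespace via --namespaced.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: workflow-controller
  namespace: ml
spec:
  replicas: 1
  selector:
    matchLabels:
      app: workflow-controller
  template:
    metadata:
      labels:
        app: workflow-controller
    spec:
      serviceAccountName: argo-server
      containers:
        - name: controller
          # NOTE(review): `latest` is a mutable tag. Pin to a reviewed release
          # tag or image digest so rollouts are reproducible and the controller
          # and server stay on the same version.
          image: quay.io/argoproj/workflow-controller:latest
          args:
            - "--namespaced"
          env:
            - name: LEADER_ELECTION_IDENTITY
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          ports:
            - containerPort: 9090
          # Container hardening: non-root, no privilege escalation, no Linux
          # capabilities, immutable root filesystem.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          readinessProbe:
            httpGet:
              path: /metrics
              port: 9090
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /metrics
              port: 9090
              scheme: HTTPS
            initialDelaySeconds: 20
            periodSeconds: 20
---
# k8s/argo/workflows/server.yaml
# Argo server (API + UI), published through the Ingress at the end of this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argo-server
  namespace: ml
spec:
  replicas: 1
  selector:
    matchLabels:
      app: argo-server
  template:
    metadata:
      labels:
        app: argo-server
    spec:
      serviceAccountName: argo-server
      containers:
        - name: server
          # NOTE(review): mutable `latest` tag; pin to a release tag or digest.
          image: quay.io/argoproj/argocli:latest
          # SECURITY: with `--auth-mode server` the API/UI performs no per-user
          # authentication; every request runs with this pod's ServiceAccount
          # (the argo-namespaced Role above). Because the server is exposed on
          # a public hostname, use `client` or `sso` auth mode, or enforce
          # authentication / source restrictions at the Ingress.
          # `--secure=false` serves plain HTTP in-cluster; TLS ends at the
          # Ingress.
          args:
            - "server"
            - "--auth-mode"
            - "server"
            - "--namespaced"
            - "--secure=false"
          ports:
            - containerPort: 2746
          # Container hardening; /tmp is mounted below because the root
          # filesystem is read-only.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: tmp
              mountPath: /tmp
          readinessProbe:
            httpGet:
              path: /
              port: 2746
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /
              port: 2746
              scheme: HTTP
            initialDelaySeconds: 20
            periodSeconds: 20
      volumes:
        - name: tmp
          emptyDir: {}
---
# ClusterIP Service in front of the Argo server (80 -> 2746, plain HTTP).
apiVersion: v1
kind: Service
metadata:
  name: argo-server
  namespace: ml
spec:
  selector:
    app: argo-server
  ports:
    - port: 80
      targetPort: 2746
---
# Public entry point for the Argo UI/API; TLS certificate from cert-manager.
# SECURITY: nothing at this layer authenticates callers. While the server runs
# in `server` auth mode, add ingress-level authentication or a source-range
# restriction before exposing this host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argo
  namespace: ml
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - argo.betelgeusebytes.io
      secretName: argo-tls
  rules:
    - host: argo.betelgeusebytes.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: argo-server
                port:
                  number: 80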