Add Argo Workflow Admission controller

nebari/constants.py

@@ -11,4 +11,6 @@
 
 DEFAULT_CONDA_STORE_IMAGE_TAG = "v0.4.14"
 
+DEFAULT_NEBARI_WORKFLOW_CONTROLLER_IMAGE_TAG = "update_nwc-05c3b99-20230512"
+
 LATEST_SUPPORTED_PYTHON_VERSION = "3.10"

nebari/deploy.py

@@ -235,7 +235,7 @@ def guided_install(
             provision_07_kubernetes_services(stage_outputs, config, disable_checks)
             provision_08_nebari_tf_extensions(stage_outputs, config, disable_checks)
 
-            print("Nebari deployed successfully")
+        print("Nebari deployed successfully")
 
     print("Services:")
     for service_name, service in stage_outputs["stages/07-kubernetes-services"][

nebari/schema.py

@@ -86,9 +86,15 @@ class HelmExtension(Base):
 # ============== Argo-Workflows =========
 
 
+class NebariWorkflowController(Base):
+    enabled: bool
+    image_tag: typing.Optional[str]
+
+
 class ArgoWorkflows(Base):
     enabled: bool
     overrides: typing.Optional[typing.Dict]
+    nebari_workflow_controller: typing.Optional[NebariWorkflowController]
 
 
 # ============== kbatch =============

nebari/stages/input_vars.py

@@ -6,6 +6,7 @@
 from nebari.constants import (
     DEFAULT_CONDA_STORE_IMAGE_TAG,
     DEFAULT_GKE_RELEASE_CHANNEL,
+    DEFAULT_NEBARI_WORKFLOW_CONTROLLER_IMAGE_TAG,
     DEFAULT_TRAEFIK_IMAGE_TAG,
 )
 
@@ -349,6 +350,18 @@ def stage_07_kubernetes_services(stage_outputs, config):
         "argo-workflows-overrides": [
             json.dumps(config.get("argo_workflows", {}).get("overrides", {}))
         ],
+        "nebari-workflow-controller": config["argo_workflows"]
+        .get("nebari_workflow_controller", {})
+        .get("enabled", True),
+        "keycloak-read-only-user-credentials": stage_outputs[
+            "stages/06-kubernetes-keycloak-configuration"
+        ]["keycloak-read-only-user-credentials"]["value"],
+        "workflow-controller-image-tag": config.get("argo_workflows", {})
+        .get("nebari_workflow_controller", {})
+        .get(
+            "image_tag",
+            DEFAULT_NEBARI_WORKFLOW_CONTROLLER_IMAGE_TAG,
+        ),
         # kbatch
         "kbatch-enabled": config["kbatch"]["enabled"],
         # prefect

nebari/template/stages/05-kubernetes-keycloak/modules/kubernetes/keycloak-helm/main.tf

@@ -23,7 +23,7 @@ resource "helm_release" "keycloak" {
     })
   ], var.overrides)
 
-  set {
+  set_sensitive {
     name  = "nebari_bot_password"
     value = var.nebari-bot-password
   }

nebari/template/stages/06-kubernetes-keycloak-configuration/main.tf

@@ -47,6 +47,34 @@ resource "keycloak_default_groups" "default" {
   ]
 }
 
+data "keycloak_realm" "master" {
+  realm = "master"
+}
+
+resource "random_password" "keycloak-view-only-user-password" {
+  length  = 32
+  special = false
+}
+
+resource "keycloak_user" "read-only-user" {
+  realm_id = data.keycloak_realm.master.id
+  username = "read-only-user"
+  initial_password {
+    value     = random_password.keycloak-view-only-user-password.result
+    temporary = false
+  }
+}
+
+resource "keycloak_user_roles" "user_roles" {
+  realm_id = data.keycloak_realm.master.id
+  user_id  = keycloak_user.read-only-user.id
+
+  role_ids = [
+    data.keycloak_role.view-users.id,
+  ]
+  exhaustive = true
+}
+
 # needed for keycloak monitoring to function
 resource "keycloak_realm_events" "realm_events" {
   realm_id = keycloak_realm.main.id

nebari/template/stages/06-kubernetes-keycloak-configuration/outputs.tf

@@ -2,3 +2,14 @@ output "realm_id" {
   description = "Realm id used for nebari resources"
   value       = keycloak_realm.main.id
 }
+
+output "keycloak-read-only-user-credentials" {
+  description = "Credentials for user that can read users/groups, but not modify them"
+  sensitive   = true
+  value = {
+    username  = keycloak_user.read-only-user.username
+    password  = random_password.keycloak-view-only-user-password.result
+    client_id = "admin-cli"
+    realm     = data.keycloak_realm.master.realm
+  }
+}

nebari/template/stages/06-kubernetes-keycloak-configuration/permissions.tf

@@ -9,6 +9,21 @@ data "keycloak_role" "manage-users" {
   name      = "manage-users"
 }
 
+data "keycloak_openid_client" "nebari-realm" {
+  depends_on = [
+    keycloak_realm.main,
+  ]
+  realm_id  = data.keycloak_realm.master.id
+  client_id = "${var.realm}-realm"
+}
+
+data "keycloak_role" "view-users" {
+  realm_id  = data.keycloak_realm.master.id
+  client_id = data.keycloak_openid_client.nebari-realm.id
+  name      = "view-users"
+}
+
+
 data "keycloak_role" "query-users" {
   realm_id  = keycloak_realm.main.id
   client_id = data.keycloak_openid_client.realm_management.id

nebari/template/stages/07-kubernetes-services/argo-workflows.tf

@@ -11,6 +11,24 @@ variable "argo-workflows-overrides" {
   default     = []
 }
 
+variable "nebari-workflow-controller" {
+  description = "Nebari Workflow Controller enabled"
+  type        = bool
+  default     = true
+}
+
+
+variable "keycloak-read-only-user-credentials" {
+  description = "Keycloak password for nebari-bot"
+  type        = map(string)
+  default     = {}
+}
+
+variable "workflow-controller-image-tag" {
+  description = "Image tag for nebari-workflow-controller"
+  type        = string
+}
+
 
 # ====================== RESOURCES =======================
 module "argo-workflows" {
@@ -21,6 +39,9 @@ module "argo-workflows" {
   external-url = var.endpoint
   realm_id     = var.realm_id
 
-  node-group = var.node_groups.general
-  overrides  = var.argo-workflows-overrides
+  node-group                          = var.node_groups.general
+  overrides                           = var.argo-workflows-overrides
+  keycloak-read-only-user-credentials = var.keycloak-read-only-user-credentials
+  workflow-controller-image-tag       = var.workflow-controller-image-tag
+  nebari-workflow-controller          = var.nebari-workflow-controller
 }