feat(argo-workflows): support google ManagedCertificate, FrontendConfig & BackendConfig for gce ingress (#2066)

* feat: add gke stuff

Signed-off-by: julien.michaud <julien.michaud@mirakl.com>

* update readme and chart.yaml file

Signed-off-by: julien.michaud <julien.michaud@mirakl.com>

* fix readme

Signed-off-by: julien.michaud <julien.michaud@mirakl.com>

* docs: Apply changes from code review

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

---------

Signed-off-by: julien.michaud <julien.michaud@mirakl.com>
Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

charts/argo-workflows/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: v3.4.7
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.27.0
+version: 0.28.0
 icon: https://argoproj.github.io/argo-workflows/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -17,4 +17,8 @@ annotations:
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
     - kind: added
-      description: Allow extraObjects to contain string templates
+      description: Add support for Google ManagedCertificate on GKE
+    - kind: added
+      description: Add support for Google FrontendConfig on GKE
+    - kind: added
+      description: Add support for Google BackendConfig on GKE

charts/argo-workflows/README.md

@@ -102,6 +102,7 @@ Fields to note:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | apiVersionOverrides.autoscaling | string | `""` | String to override apiVersion of autoscaling rendered by this helm chart |
+| apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart |
 | crds.annotations | object | `{}` | Annotations to be added to all CRDs |
 | crds.install | bool | `true` | Install and upgrade CRDs |
 | crds.keep | bool | `true` | Keep CRDs on chart uninstall |
@@ -240,6 +241,12 @@ Fields to note:
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| server.GKEbackendConfig.enabled | bool | `false` | Enable BackendConfig custom resource for Google Kubernetes Engine |
+| server.GKEbackendConfig.spec | object | `{}` | [BackendConfigSpec] |
+| server.GKEfrontendConfig.enabled | bool | `false` | Enable FrontConfig custom resource for Google Kubernetes Engine |
+| server.GKEfrontendConfig.spec | object | `{}` | [FrontendConfigSpec] |
+| server.GKEmanagedCertificate.domains | list | `["argoworkflows.example.com"]` | Domains for the Google Managed Certificate |
+| server.GKEmanagedCertificate.enabled | bool | `false` | Enable ManagedCertificate custom resource for Google Kubernetes Engine. |
 | server.affinity | object | `{}` | Assign custom [affinity] rules |
 | server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. This is only available on HPA apiVersion `autoscaling/v2beta2` and newer |
 | server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server |
@@ -333,6 +340,8 @@ Fields to note:
 1. moved the field previously known as `telemetryServicePort` inside the `telemetryConfig` as `telemetryConfig.servicePort` - same for `metricsConfig`
 
 [affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
+[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
 [links]: https://argoproj.github.io/argo-workflows/links/
 [Node selector]: https://kubernetes.io/docs/user-guide/node-selection/
 [Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/

charts/argo-workflows/README.md.gotmpl

@@ -188,6 +188,8 @@ Fields to note:
 1. moved the field previously known as `telemetryServicePort` inside the `telemetryConfig` as `telemetryConfig.servicePort` - same for `metricsConfig`
 
 [affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
+[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
 [links]: https://argoproj.github.io/argo-workflows/links/
 [Node selector]: https://kubernetes.io/docs/user-guide/node-selection/
 [Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/

charts/argo-workflows/templates/_helpers.tpl

@@ -166,3 +166,16 @@ Return the appropriate apiVersion for autoscaling
 {{- print "autoscaling/v2" -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return the appropriate apiVersion for GKE resources
+*/}}
+{{- define "argo-workflows.apiVersions.cloudgoogle" -}}
+{{- if .Values.apiVersionOverrides.cloudgoogle -}}
+{{- print .Values.apiVersionOverrides.cloudgoogle -}}
+{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}}
+{{- print "cloud.google.com/v1" -}}
+{{- else -}}
+{{- print "cloud.google.com/v1beta1" -}}
+{{- end -}}
+{{- end -}}

charts/argo-workflows/templates/server/gke/backendconfig.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.server.GKEbackendConfig.enabled }}
+apiVersion: {{ include "argo-workflows.apiVersions.cloudgoogle" . }}
+kind: BackendConfig
+metadata:
+  name: {{ template "argo-workflows.server.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
+spec:
+  {{- toYaml .Values.server.GKEbackendConfig.spec | nindent 2 }}
+{{- end }}

charts/argo-workflows/templates/server/gke/frontendconfig.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.server.GKEfrontendConfig.enabled }}
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: {{ template "argo-workflows.server.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
+spec:
+  {{- toYaml .Values.server.GKEfrontendConfig.spec | nindent 2 }}
+{{- end }}

charts/argo-workflows/templates/server/gke/managedcertificate.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.server.GKEmanagedCertificate.enabled }}
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: {{ template "argo-workflows.server.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  domains:
+    {{- with .Values.server.GKEmanagedCertificate.domains }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/argo-workflows/values.yaml

@@ -33,6 +33,8 @@ kubeVersionOverride: ""
 apiVersionOverrides:
   # -- String to override apiVersion of autoscaling rendered by this helm chart
   autoscaling: "" # autoscaling/v2
+  # -- String to override apiVersion of GKE resources rendered by this helm chart
+  cloudgoogle: "" # cloud.google.com/v1
 
 # -- Restrict Argo to operate only in a single namespace (the namespace of the
 # Helm release) by apply Roles and RoleBindings instead of the Cluster
@@ -576,6 +578,40 @@ server:
       #   hosts:
       #     - argoworkflows.example.com
 
+  ## Create a Google Backendconfig  for use with the GKE Ingress Controller
+  ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
+  GKEbackendConfig:
+    # -- Enable BackendConfig custom resource for Google Kubernetes Engine
+    enabled: false
+    # -- [BackendConfigSpec]
+    spec: {}
+  #  spec:
+  #    iap:
+  #      enabled: true
+  #      oauthclientCredentials:
+  #        secretName: argoworkflows-secret
+
+  ## Create a Google Managed Certificate for use with the GKE Ingress Controller
+  ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
+  GKEmanagedCertificate:
+    # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine.
+    enabled: false
+    # -- Domains for the Google Managed Certificate
+    domains:
+    - argoworkflows.example.com
+
+  ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller
+  ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
+  GKEfrontendConfig:
+    # -- Enable FrontConfig custom resource for Google Kubernetes Engine
+    enabled: false
+    # -- [FrontendConfigSpec]
+    spec: {}
+  # spec:
+  #   redirectToHttps:
+  #     enabled: true
+  #     responseCodeName: RESPONSE_CODE
+
   clusterWorkflowTemplates:
     # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
     enabled: true