From fcc4535b666b2d514cbf238b07cfc7446bad0b6d Mon Sep 17 00:00:00 2001
From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com>
Date: Tue, 25 Jun 2024 10:34:42 -0600
Subject: [PATCH] Argo to use IRSA for Artifact Upload (#2324)

* changing argo to use a service account instead of s3 creds as it is more secure
* changing the location of when to annotate the service accounts.
* moving annotation commands again for testing
* adding a sleep command to see if the sa gets annotated
* forgot to add namespace to the command
* removing argo-s3-creds from values.yaml
* reverting my changes
* testing out commenting the "artifactRepository" section entirely.
* commenting out only the access and secret access keys
* testing the "iamEnbpointResolution" value.
* testing the "useStaticCredentials" key in the values.yaml
* cleaning up files and adding the "gen3 awsrole create" command to allow SAs to assume the role. Also, fixing the setup argo db to use environment variables instead of the argo s3 secret as it no longer exists.
* getting rid of the create-role command as "awsrole create" will automatically do that.
* changing the setup script to allow workflows to be run from any namespace!
* testing creating a service account in each namespace so workflows can be run from anywhere.
* Changes that allow for the following: Create ONE sa in the argo namespace. Create ONE role in the argo namespace. Create multiple inline bucket policies for every namespace so any namespace can access separate buckets.
* Update values.yaml
* changing the kube-setup script to use the "default" sa in the role Trust policy and removing the argo sa as there is no need for it anymore.
* fixing typo
* reverting kube-setup-argo changes as PR 2360 was opened separately
* Update values.yaml

---------

Co-authored-by: Aidan Hilt <11202897+AidanHilt@users.noreply.github.com>
---
 kube/services/argo/values.yaml | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/kube/services/argo/values.yaml b/kube/services/argo/values.yaml index 23dda4a5a..011253e1e 100644 --- a/kube/services/argo/values.yaml +++ b/kube/services/argo/values.yaml @@ -92,18 +92,13 @@ server: # -- Influences the creation of the ConfigMap for the workflow-controller itself. useDefaultArtifactRepo: true +# -- Use static credentials for S3 (eg. when not using AWS IRSA) +useStaticCredentials: false artifactRepository: # -- Archive the main container logs as an artifact archiveLogs: true # -- Store artifact in a S3-compliant object store s3: - # Note the `key` attribute is not the actual secret, it's the PATH to - # the contents in the associated secret, as defined by the `name` attribute. - accessKeySecret: - name: argo-s3-creds - key: AccessKeyId - secretKeySecret: - name: argo-s3-creds - key: SecretAccessKey bucket: GEN3_ARGO_BUCKET endpoint: s3.amazonaws.com + useSDKCreds: true
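Review bot: the hunk drops the `accessKeySecret`/`secretKeySecret` references and turns on `useSDKCreds: true`, but nothing in the file now says where S3 credentials come from, and the comment on `useStaticCredentials` only states the negative case. With `useSDKCreds`, the AWS SDK default chain resolves credentials from the pod's own identity, so the artifact repository only works when the service account the workflow pods (and, because `archiveLogs: true` stays on, the log-archiving wait container) run under carries the IRSA role annotation that this PR configures outside values.yaml (the commit message points at kube-setup-argo and PR 2360). Suggest a comment beside `useSDKCreds: true` recording that dependency, e.g. `# credentials come from the IRSA role bound to the workflow pods' service account (configured in kube-setup-argo)`, so the next person editing this file does not reintroduce static keys to "fix" a missing annotation. Two checks before merging: render the chart with `useStaticCredentials: false` and confirm the workflow-controller ConfigMap no longer contains the `argo-s3-creds` references, and delete the now-unused `argo-s3-creds` secret from the cluster once the IRSA path is verified, since a long-lived access key left behind defeats the point of the change.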