feat(argo-workflows): update and document SSO and Ingress

We won't be able to make this dynamic and do substitution because that
goes against the nature of how kustomize likes to have everything
declarative. The dns_zone value was a hack and it doesn't work outside
of an AIO setup. Document for the user how they can get things setup and
drop applying the SSO and Ingress settings, which aren't necessary if
you don't want to hit the UI or the API. Renamed the directory to make
it more clear what part this is and be consistent with the app name.

Author: cardoe

apps/site/argo-workflows.yaml

@@ -2,50 +2,6 @@
 component: argo
 sources:
   - ref: understack
-    path: 'components/argo'
-    kustomize:
-      patches:
-        - target:
-            kind: ConfigMap
-            name: workflow-controller-configmap
-          patch: |-
-            - op: replace
-              path: /data/sso
-              value: |-
-                # This is the root URL of the OIDC provider (required).
-                issuer: https://dex.{{.dns_zone}}
-                # This defines how long your login is valid for (in hours). (optional)
-                # If omitted, defaults to 10h. Example below is 10 days.
-                sessionExpiry: 240h
-                # This is name of the secret and the key in it that contain OIDC client
-                # ID issued to the application by the provider (required).
-                clientId:
-                  name: argo-sso
-                  key: client-id
-                # This is name of the secret and the key in it that contain OIDC client
-                # secret issued to the application by the provider (required).
-                clientSecret:
-                  name: argo-sso
-                  key: client-secret
-                # This is the redirect URL supplied to the provider (optional). It must
-                # be in the form <argo-server-root-url>/oauth2/callback. It must be
-                # browser-accessible. If omitted, will be automatically generated.
-                redirectUrl: https://workflows.{{.dns_zone}}/oauth2/callback
-                # Additional scopes to request. Typically needed for SSO RBAC. >= v2.12
-                scopes:
-                  - groups
-                  - email
-                  - profile
-                # RBAC Config. >= v2.12
-                rbac:
-                  enabled: false
-        - target:
-            kind: Ingress
-            name: argo-workflows
-          patch: |-
-            - op: replace
-              path: /spec/rules/0/host
-              value: workflows.{{.dns_zone}}
-            - op: replace
-              path: /spec/tls/0/hosts/0
-              value: workflows.{{.dns_zone}}
+    path: 'components/argo-workflows'
+  - ref: deploy
+    path: '{{.name}}/manifests/argo-workflows'

components/argo/argo-server-deployment.yaml renamed to components/argo-workflows/argo-server-deployment.yaml

@@ -15,9 +15,6 @@ resources:
   - argo-server-role.yaml
   - argo-server-rolebinding.yaml
 
-  # ingress for workflows.${DNS_ZONE} to the argo server for the UI
-  - ingress.yaml
-
   # external secret for SSO auth
   - external-secret-argo-sso.yaml
 
@@ -73,5 +70,4 @@ configMapGenerator:
   - name: workflow-controller-configmap
     behavior: merge
     files:
-      - sso
       - workflowDefaults=workflow-defaults

components/argo/argo-server-role.yaml renamed to components/argo-workflows/argo-server-role.yaml

@@ -13,6 +13,10 @@ clientId:
 clientSecret:
   name: argo-sso
   key: client-secret
+# This is the redirect URL supplied to the provider (optional). It must
+# be in the form <argo-server-root-url>/oauth2/callback. It must be
+# browser-accessible. If omitted, will be automatically generated.
+redirectUrl: https://workflows.argo.svc/oauth2/callback
 # Additional scopes to request. Typically needed for SSO RBAC. >= v2.12
 scopes:
   - groups