Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add k8s example to auth docs #782

Merged
merged 2 commits into from
Sep 20, 2023
Merged

Add k8s example to auth docs #782

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6e28025
add k8s example to auth docs
flaviuvadan Sep 19, 2023
c0df85d
add note on dependency
flaviuvadan Sep 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 54 additions & 3 deletions docs/walk-through/authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
# Authentication

There are multiple ways you can authenticate with Argo Workflows. The way you authenticate generally depends on your
unique organization setup. If you submit workflows through Hera directly you have multiple ways to authenticate with
the Argo server.
The way you authenticate generally depends on your unique organization setup. If you submit workflows through Hera
directly you have multiple ways to authenticate with the Argo server.

Note that the follow examples combine a global config with a workflow submission for illustration purposes. You can
write a thin wrapper for your own organization, such as `myorg.workflows`, that provides an `__init__.py` to set these
Expand Down Expand Up @@ -85,6 +84,8 @@ w.create()

#### A [TokenGenerator](https://github.com/argoproj-labs/hera/blob/1762bbfcb9b186b62a152b69e04675434a4e76ea/src/hera/auth/__init__.py#L22)

##### Generating a plain string token via a `TokenGenerator`

```python
from hera.auth import TokenGenerator
from hera.shared import global_config
Expand All @@ -100,6 +101,56 @@ class MyTokenGenerator(TokenGenerator):
global_config.host = "https://my-argo-server.com"
global_config.token = MyTokenGenerator


# the workflow automatically creates a workflow service, which uses the global config
# host and token generator for authentication
with Workflow(
generate_name="test-",
entrypoint="c",
) as w:
Container(name="c", image="alpine:3.13", command=["sh", "-c", "echo hello world"])

w.create()
```

##### Generating a K8s token via `TokenGenerator`

```python
import base64
import errno
import os
from typing import Optional

# note: you need to install the `kubernetes` dependency as Hera does not provide this
from kubernetes import client, config
flaviuvadan marked this conversation as resolved.
Show resolved Hide resolved

from hera.auth import TokenGenerator
from hera.shared import global_config
from hera.workflows import Workflow, Container


class K8sTokenGenerator(TokenGenerator):
def __init__(self, service_account: str, namespace: str = "default", config_file: Optional[str] = None) -> None:
self.service_account = service_account
self.namespace = namespace
self.config_file = config_file

def __call__(self) -> str:
if self.config_file is not None and not os.path.isfile(self.config_file):
raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), self.config_file)

config.load_kube_config(config_file=self.config_file)
v1 = client.CoreV1Api()
secret_name = v1.read_namespaced_service_account(self.service_account, self.namespace).secrets[0].name
sec = v1.read_namespaced_secret(secret_name, self.namespace).data
return base64.b64decode(sec["token"]).decode()


global_config.host = "https://my-argo-server.com"
global_config.token = K8sTokenGenerator("my-service-account")

# the workflow automatically creates a workflow service, which uses the global config
# host and token generator for authentication
with Workflow(
generate_name="test-",
entrypoint="c",
Expand Down
Loading