diff --git a/infra/cdk8s.ts b/infra/cdk8s.ts
index f60b91f1b..63c7a2ebf 100644
--- a/infra/cdk8s.ts
+++ b/infra/cdk8s.ts
@@ -13,9 +13,12 @@ const app = new App();
 async function main(): Promise {
 // Get cloudformation outputs
 const cfnOutputs = await getCfnOutputs(ClusterName);
- const missingKeys = [...Object.values(CfnOutputKeys.Karpenter), ...Object.values(CfnOutputKeys.FluentBit)].filter(
- (f) => cfnOutputs[f] == null,
- );
+ //FIXME: is there a better way to do that?
+ const missingKeys = [
+ ...Object.values(CfnOutputKeys.Karpenter),
+ ...Object.values(CfnOutputKeys.FluentBit),
+ ...Object.values(CfnOutputKeys.Argo),
+ ].filter((f) => cfnOutputs[f] == null);
 if (missingKeys.length > 0) {
 throw new Error(`Missing CloudFormation Outputs for keys ${missingKeys.join(', ')}`);
 }
diff --git a/infra/charts/argo.workflows.ts b/infra/charts/argo.workflows.ts
index 856489d84..793e2e10a 100644
--- a/infra/charts/argo.workflows.ts
+++ b/infra/charts/argo.workflows.ts
@@ -62,7 +62,7 @@ export class ArgoWorkflows extends Chart {
 replicas: 2,
 workflowDefaults: {
 spec: {
- serviceAccountName: 'workflow-runner-sa',
+ serviceAccountName: props.saName,
 ttlStrategy: { secondsAfterCompletion: Duration.days(7).toSeconds() },
 podGC: { strategy: 'OnPodCompletion' },
 tolerations: [
diff --git a/infra/eks/cluster.ts b/infra/eks/cluster.ts
index 24c22496f..d42b1ab47 100644
--- a/infra/eks/cluster.ts
+++ b/infra/eks/cluster.ts
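Review bot: The new `//FIXME: is there a better way to do that?` comment is being merged unresolved, and the question it asks can be answered in place: derive the required keys from `CfnOutputKeys` itself so that the next output group cannot be forgotten, `const missingKeys = Object.values(CfnOutputKeys).flatMap((group) => Object.values(group)).filter((f) => cfnOutputs[f] == null);`. That rewrite assumes every group under `CfnOutputKeys` is mandatory for the charts; if some group is optional, keep the explicit list and replace the FIXME with a comment such as `// every output group the charts depend on must be listed here; a missing output aborts synthesis`. `main()` continues past the end of the hunk.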
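Review bot: If `props.saName` can be `undefined`, the new `serviceAccountName: props.saName` line silently drops the field from `workflowDefaults.spec`, and workflow pods would then run under whatever service account the namespace defaults to instead of failing loudly; the props type is outside the hunk, so confirm it declares `saName: string` as required rather than optional. Presumably this value is wired from the `RunnerServiceAccountName` CloudFormation output the other hunks add, so a doc comment on the prop would help the next reader, e.g. `/** Name of the IRSA-backed service account that workflow pods run as; must match the SA created in infra/eks/cluster.ts. */`. The `ArgoWorkflows` class body starts and ends outside this hunk.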
@@ -212,11 +212,16 @@ export class LinzEksCluster extends Stack {
 metadata: { name: 'argo' },
 });
 const argoRunnerSa = this.cluster.addServiceAccount('ArgoRunnerServiceAccount', {
- name: 'argo-runner-sa',
+ name: 'workflow-runner-sa',
 namespace: 'argo',
 });
 argoRunnerSa.node.addDependency(argoNs);
 new CfnOutput(this, 'ArgoRunnerServiceAccountRoleArn', { value: argoRunnerSa.role.roleArn });
 new CfnOutput(this, CfnOutputKeys.Argo.RunnerServiceAccountName, { value: argoRunnerSa.serviceAccountName });
+
+ // give read/write on the temporary (scratch) bucket
+ this.tempBucket.grantReadWrite(argoRunnerSa.role);
+ // give permission to the sa to assume a role
+ argoRunnerSa.role.addToPrincipalPolicy(new PolicyStatement({ actions: ['sts:AssumeRole'], resources: ['*'] }));
 }
 }
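Review bot: The added `addToPrincipalPolicy` statement grants the workflow-runner role `sts:AssumeRole` on `resources: ['*']`, so every pod running as `workflow-runner-sa` may attempt to assume any role in any account; within this account that effectively covers every role whose trust policy trusts the account root, which is far broader than the scratch-bucket access granted on the line above and is what a compromised workflow pod would inherit. Scope the resource to the role(s) the workflows actually need, for example by taking them as a constructor prop and writing `resources: props.workflowAssumeRoleArns`, or at minimum bound it to this account with `resources: ['arn:aws:iam::' + this.account + ':role/*']` until the exact targets are known. The comment `// give permission to the sa to assume a role` should also name which role and why, since a wildcard here is exactly the kind of statement a later reader will assume was deliberate. The constructor this hunk sits in begins before the hunk, and `this.tempBucket` is declared outside it.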