feat: add argo-workflows v4.0.5 as OCM component

[dermorz]

What

Add Argo Workflows v4.0.5 as an OCM component.

Why

Argo Workflows is a runtime dependency of artifact-conduit. Packaging it as an OCM component makes it distributable and deployable in air-gapped environments alongside the rest of the stack.

Testing

• bash argo-workflows/tests/test-minimal.sh — kind cluster, single-replica install, hello-world workflow runs to Succeeded
• bash argo-workflows/tests/test-production.sh — 4-node kind cluster, 2-replica HA install, PDBs verified, DAG parallel workflow runs to Succeeded

Both tests pass 100%.

Notes for reviewers

• Follows the artifact-conduit pattern (no RGD/bootstrap) rather than the cert-manager pattern, since argo-workflows is a sibling dependency of artifact-conduit and the added complexity of KRO bootstrapping wasn't warranted here.
• workflow.serviceAccount.create: true and workflow.rbac.create: true are required in both value profiles — without them, workflow executor pods cannot post results back (workflowtaskresults RBAC) and every workflow fails with Error.
• Production profile uses authModes: [client] (Kubernetes RBAC) as the secure default; SSO/OIDC config is documented in comments in production-values.yaml and README.md.
• Chart version 1.0.14 corresponds to app version v4.0.5 (helm search repo argo/argo-workflows --versions).

Checklist

• Tests added/updated
• No breaking changes (or upgrade path documented above)
• Readable commit history (squashed and cleaned up as desired)
• AI code review considered and comments resolved

Summary by CodeRabbit

• New Features
  • Added Argo Workflows (v4.0.5) component with minimal and production deployment profiles and HA options
• Documentation
  • Updated components list and added Argo Workflows docs, quick-starts, SSO/OIDC examples, and configuration guidance
• Tests
  • Added end-to-end integration tests for minimal and production deployments
• Chores
  • Release workflow updated to include Argo Workflows in the build-and-push matrix

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dba5fb62-6faf-4255-864e-eaf0fbfc5443

📥 Commits

Reviewing files that changed from the base of the PR and between 6ac0672 and 25fe0f7.

📒 Files selected for processing (1)

• argo-workflows/values.yaml.tpl

---

📝 Walkthrough

Walkthrough

This PR introduces Argo Workflows v4.0.5 as a new OCM component, complete with component definition, Helm configurations for minimal and production deployments, docs, CI integration, and end-to-end tests for both deployment profiles.

Changes

Argo Workflows OCM Component

Layer / File(s)	Summary
Component Definition and Configuration Profiles argo-workflows/component-constructor.yaml, argo-workflows/minimal-values.yaml, argo-workflows/production-values.yaml	Defines opendefense.cloud/argo-workflows with Helm chart v1.0.14 and OCI images v4.0.5. Minimal profile enables dev/test with single replicas and basic auth; production profile enables HA with 2 replicas, Prometheus monitoring, PodDisruptionBudget, and pod scheduling constraints.
Component Documentation and Usage Guide argo-workflows/README.md	Documents Argo Workflows as Kubernetes-native workflow engine. Covers OCM resources, quick-start installation commands, configuration profiles comparison, SSO/OIDC authentication options, architecture (controller/server/executor), test scripts, and artifact-conduit dependency.
CI/CD and Root Repository Integration .github/workflows/release-ocm-components.yml, README.md	Adds ./argo-workflows to release workflow build-and-push matrix. Updates main README with Argo Workflows component entry, configuration options, and Helm quick-start snippet.
Minimal Deployment Validation Test argo-workflows/tests/test-minimal.sh	End-to-end test creating single-node kind cluster, installing Argo Workflows with minimal values, validating CRD presence, pod readiness, and executing hello-world workflow with log verification.
Production Deployment Validation Test argo-workflows/tests/test-production.sh	End-to-end test creating multi-node kind cluster, validating HA readiness (≥2 replicas for controller/server), PodDisruptionBudget presence, node spread, and executing DAG workflow with parallel and dependent steps.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• opendefensecloud/ocm-components#84: Modifies the same .github/workflows/release-ocm-components.yml workflow to add component directories to the build matrix.

Suggested reviewers

• yocaba

Poem

🐰 Workflow engines now dance with grace,
Argo hops into the OCM space!
Minimal checks and HA tests run true,
Helm charts, images, docs — all brand new.
The rabbit cheers: deploy, verify, woohoo!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding Argo Workflows v4.0.5 as an OCM component, which is fully reflected in the changeset.
Description check	✅ Passed	The description follows the template structure with all required sections (What, Why, Testing, Notes for reviewers, Checklist) completed with substantive details and no gaps.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/add-argo-workflows-component

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

argo-workflows/tests/test-production.sh (1)

135-135: ⚡ Quick win

Use NAMESPACE consistently instead of hardcoded argo.

Line 9 defines NAMESPACE, but Lines 135/182/190-191/197/205 hardcode argo. This creates config drift and makes future namespace changes brittle.

Proposed refactor

 kubectl apply -f - <<'EOF'
 apiVersion: argoproj.io/v1alpha1
 kind: Workflow
 metadata:
   name: dag-parallel-test
-  namespace: argo
 spec:
   serviceAccountName: argo-workflow

-PHASE=$(kubectl get workflow dag-parallel-test -n argo -o jsonpath='{.status.phase}' 2>/dev/null || echo "")
+PHASE=$(kubectl get workflow dag-parallel-test -n "${NAMESPACE}" -o jsonpath='{.status.phase}' 2>/dev/null || echo "")
...
-            kubectl describe workflow dag-parallel-test -n argo
-            kubectl get pods -n argo -l workflows.argoproj.io/workflow=dag-parallel-test -o wide
+            kubectl describe workflow dag-parallel-test -n "${NAMESPACE}"
+            kubectl get pods -n "${NAMESPACE}" -l workflows.argoproj.io/workflow=dag-parallel-test -o wide
...
-        kubectl describe workflow dag-parallel-test -n argo
+        kubectl describe workflow dag-parallel-test -n "${NAMESPACE}"
...
-FAILED_NODES=$(kubectl get workflow dag-parallel-test -n argo \
+FAILED_NODES=$(kubectl get workflow dag-parallel-test -n "${NAMESPACE}" \

Also applies to: 182-182, 190-191, 197-197, 205-205

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@argo-workflows/tests/test-production.sh` at line 135, Replace all hardcoded
occurrences of the literal namespace "argo" with the NAMESPACE variable so the
script uses the configured namespace consistently; specifically, change YAML
entries like `namespace: argo` and any CLI invocations or manifests that
reference "argo" to use `namespace: $NAMESPACE` or `-n "$NAMESPACE"` (or
`${NAMESPACE}`) as appropriate, ensuring proper quoting/expansion where used
(e.g., kubectl/argo commands and manifest templates) and update the occurrences
currently hardcoded to "argo" so they reference the NAMESPACE variable instead.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@argo-workflows/tests/test-production.sh`:
- Around line 115-120: The script currently only warns when no
PodDisruptionBudgets are found; change the behavior to fail fast by checking the
PDB_COUNT variable and, when PDB_COUNT is less than 1, call the error path
instead of log_warn and exit with a non-zero status; specifically replace the
block that uses PDB_COUNT and log_warn with logic that invokes log_error (or an
equivalent error logging helper) and exits (e.g., exit 1) so tests fail when no
PDBs are present.
- Around line 124-127: Add an assertion after computing CONTROLLER_NODES to
enforce HA: check if the CONTROLLER_NODES variable is less than 2 and, if so,
log an error and exit non‑zero; for example, use an if [ "$CONTROLLER_NODES" -lt
2 ] check, call log_error with a clear message about insufficient controller pod
spread, and exit 1; place this immediately after the existing CONTROLLER_NODES
assignment and the log_info call so the script fails when controller pods are
not spread across at least 2 nodes.

---

Nitpick comments:
In `@argo-workflows/tests/test-production.sh`:
- Line 135: Replace all hardcoded occurrences of the literal namespace "argo"
with the NAMESPACE variable so the script uses the configured namespace
consistently; specifically, change YAML entries like `namespace: argo` and any
CLI invocations or manifests that reference "argo" to use `namespace:
$NAMESPACE` or `-n "$NAMESPACE"` (or `${NAMESPACE}`) as appropriate, ensuring
proper quoting/expansion where used (e.g., kubectl/argo commands and manifest
templates) and update the occurrences currently hardcoded to "argo" so they
reference the NAMESPACE variable instead.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ce890965-145d-4ead-8075-1ee7f3e1f846

📥 Commits

Reviewing files that changed from the base of the PR and between ed617b8 and 3b9da4f.

📒 Files selected for processing (8)

• .github/workflows/release-ocm-components.yml
• README.md
• argo-workflows/README.md
• argo-workflows/component-constructor.yaml
• argo-workflows/minimal-values.yaml
• argo-workflows/production-values.yaml
• argo-workflows/tests/test-minimal.sh
• argo-workflows/tests/test-production.sh