feat: add argo-workflows v4.0.5 as OCM component

.github/workflows/release-ocm-components.yml

@@ -13,6 +13,7 @@ jobs:
     strategy:
       matrix:
         component:
+          - ./argo-workflows
           - ./artifact-conduit
           - ./cert-manager
           - ./cloudnative-pg

README.md

@@ -12,6 +12,30 @@ Components can reference each other to fulfill dependencies rather than duplicat
 
 ## Available Components
 
+### Argo Workflows (v4.0.5)
+
+Kubernetes-native Workflow Engine
+
+- **Status**: ✅ Ready
+- **CNCF**: Graduated Project
+- **License**: Apache 2.0
+- **Configurations**:
+  - Minimal (single replica, server auth, dev/test)
+  - Production (HA with 2 replicas, client/SSO auth, PDBs, monitoring)
+- **Documentation**: [argo-workflows/README.md](argo-workflows/README.md)
+- **Used by**: Artifact Conduit (artifact-conduit component)
+
+Quick Start:
+
+```bash
+helm repo add argo https://argoproj.github.io/argo-helm
+helm install argo-workflows argo/argo-workflows \
+  --version 1.0.14 \
+  --namespace argo \
+  --create-namespace \
+  --values argo-workflows/minimal-values.yaml
+```
+
 ### Keycloak (v26.4.5)
 
 Identity and Access Management

argo-workflows/README.md

@@ -0,0 +1,117 @@
+# Argo Workflows OCM Component
+
+Argo Workflows v4.0.5 packaged as an OCM component. Argo Workflows is a CNCF graduated project providing a Kubernetes-native workflow engine for orchestrating parallel jobs, ML pipelines, data processing, and CI/CD.
+
+## OCM Resources
+
+| Resource | Type | Description |
+|---|---|---|
+| `argo-workflows-chart` | helmChart | Official Argo Workflows Helm chart v1.0.14 |
+| `argo-workflows-controller-image` | ociImage | Workflow controller (`quay.io/argoproj/workflow-controller:v4.0.5`) |
+| `argo-workflows-server-image` | ociImage | Argo server/UI (`quay.io/argoproj/argocli:v4.0.5`) |
+| `argo-workflows-executor-image` | ociImage | Workflow executor (`quay.io/argoproj/argoexec:v4.0.5`) |
+| `argo-workflows-minimal-config` | yaml | Minimal Helm values (dev/test) |
+| `argo-workflows-production-config` | yaml | Production Helm values (HA) |
+
+## Quick Start
+
+### Build OCM Component
+
+```bash
+cd argo-workflows
+ocm add componentversion --version 4.0.5 --create --file ./ctf component-constructor.yaml
+```
+
+### Install via Helm (Minimal)
+
+```bash
+helm repo add argo https://argoproj.github.io/argo-helm
+helm install argo-workflows argo/argo-workflows \
+  --version 1.0.14 \
+  --namespace argo \
+  --create-namespace \
+  --values minimal-values.yaml
+```
+
+### Install via Helm (Production)
+
+```bash
+helm install argo-workflows argo/argo-workflows \
+  --version 1.0.14 \
+  --namespace argo \
+  --create-namespace \
+  --values production-values.yaml
+```
+
+## Configuration Profiles
+
+### Minimal (dev/test)
+
+| Parameter | Value |
+|---|---|
+| Controller replicas | 1 |
+| Server replicas | 1 |
+| Auth mode | `server` (no token required) |
+| Workflow archive | disabled |
+| Prometheus monitoring | disabled |
+| Controller CPU request | 50m |
+| Controller memory request | 128Mi |
+
+### Production (HA)
+
+| Parameter | Value |
+|---|---|
+| Controller replicas | 2 |
+| Server replicas | 2 |
+| Auth mode | `client` (Kubernetes RBAC) |
+| Max concurrent workflows | 50 |
+| Prometheus monitoring | enabled |
+| PodDisruptionBudgets | enabled (minAvailable: 1) |
+| Pod anti-affinity | preferred (hostname) |
+| TopologySpreadConstraints | zone-aware |
+| Controller CPU request | 100m |
+| Controller memory request | 256Mi |
+
+#### SSO/OIDC Authentication
+
+The production profile defaults to `client` auth (Kubernetes service account tokens). To enable SSO, set in your values override:
+
+```yaml
+server:
+  authModes:
+    - sso
+  sso:
+    issuer: https://your-oidc-provider
+    clientId:
+      name: argo-workflows-sso
+      key: client-id
+    clientSecret:
+      name: argo-workflows-sso
+      key: client-secret
+    redirectUrl: https://argo-workflows.example.com/oauth2/callback
+```
+
+## Architecture
+
+Argo Workflows consists of three main components:
+
+- **Workflow Controller**: Watches Workflow CRs and schedules pods
+- **Argo Server**: REST API + web UI + CLI proxy
+- **Executor (argoexec)**: Sidecar injected into each workflow step pod; manages step lifecycle and artifact collection
+
+## Testing
+
+```bash
+# Minimal deployment on a local kind cluster
+bash tests/test-minimal.sh
+
+# Production HA deployment on a multi-node kind cluster
+bash tests/test-production.sh
+
+# Keep the cluster after tests for inspection
+bash tests/test-minimal.sh --skip-cleanup
+```
+
+## Dependency Note
+
+Argo Workflows is a core dependency of the `artifact-conduit` component. When deploying artifact-conduit, ensure argo-workflows is installed in the same cluster first.

argo-workflows/component-constructor.yaml

@@ -0,0 +1,64 @@
+components:
+  - name: opendefense.cloud/argo-workflows
+    provider:
+      name: argoproj.io
+    labels:
+      - name: app.kubernetes.io/name
+        value: argo-workflows
+      - name: app.kubernetes.io/component
+        value: workflow-engine
+      - name: app.kubernetes.io/part-of
+        value: argo-workflows
+    resources:
+      # Argo Workflows Helm Chart (official argoproj)
+      - name: argo-workflows-chart
+        type: helmChart
+        version: 1.0.14
+        relation: external
+        access:
+          type: helm
+          helmChart: argo-workflows:1.0.14
+          helmRepository: https://argoproj.github.io/argo-helm
+
+      # Workflow Controller Container Image
+      - name: argo-workflows-controller-image
+        type: ociImage
+        version: v4.0.5
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: quay.io/argoproj/workflow-controller:v4.0.5
+
+      # Argo Server (CLI/UI) Container Image
+      - name: argo-workflows-server-image
+        type: ociImage
+        version: v4.0.5
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: quay.io/argoproj/argocli:v4.0.5
+
+      # Workflow Executor (argoexec) Container Image
+      - name: argo-workflows-executor-image
+        type: ociImage
+        version: v4.0.5
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: quay.io/argoproj/argoexec:v4.0.5
+
+      # Minimal Configuration (single replica, no auth, dev/test)
+      - name: argo-workflows-minimal-config
+        type: yaml
+        relation: local
+        input:
+          type: file
+          path: minimal-values.yaml
+
+      # Production Configuration (HA, client auth, monitoring)
+      - name: argo-workflows-production-config
+        type: yaml
+        relation: local
+        input:
+          type: file
+          path: production-values.yaml

argo-workflows/minimal-values.yaml

@@ -0,0 +1,61 @@
+# Argo Workflows Minimal Configuration
+# Suitable for development and testing environments
+# Single replica, server auth mode (no token required), minimal resources
+
+crds:
+  install: true
+  keep: true
+
+# Create a dedicated service account and RBAC for workflow pods
+workflow:
+  serviceAccount:
+    create: true
+  rbac:
+    create: true
+
+controller:
+  replicas: 1
+  image:
+    registry: quay.io
+    repository: argoproj/workflow-controller
+    tag: "v4.0.5"
+  resources:
+    requests:
+      cpu: 50m
+      memory: 128Mi
+    limits:
+      cpu: 200m
+      memory: 256Mi
+  serviceMonitor:
+    enabled: false
+
+executor:
+  image:
+    registry: quay.io
+    repository: argoproj/argoexec
+    tag: "v4.0.5"
+  resources:
+    requests:
+      cpu: 50m
+      memory: 64Mi
+    limits:
+      cpu: 200m
+      memory: 128Mi
+
+server:
+  enabled: true
+  replicas: 1
+  image:
+    registry: quay.io
+    repository: argoproj/argocli
+    tag: "v4.0.5"
+  # server mode: no authentication required — suitable for dev/test only
+  authModes:
+    - server
+  resources:
+    requests:
+      cpu: 50m
+      memory: 128Mi
+    limits:
+      cpu: 200m
+      memory: 256Mi