A complete, production-ready Kubernetes GitOps and workflow automation stack with enterprise-grade authorization
Quick Start • Overview • Architecture • Contributing

⚠️ This project is experimental and subject to change. Use in production environments at your own discretion.
See User Guide
```mermaid
sequenceDiagram
    autonumber
    participant B as Bioinformatician
    participant G as Git Repository
    participant O as Calypr GitOps
    participant S as Workflow Services
    participant P as Portal Application
    rect rgba(200, 220, 255, 0.35)
        Note over O,P: Calypr Platform
    end
    B->>G: Commit new data<br/>and metadata updates
    G-->>O: Trigger GitOps sync
    rect rgba(200, 220, 255, 0.12)
        O->>S: Apply updated configs<br/>and publish new data
        S-->>O: Acknowledge deployment<br/>and updated records
        O-->>G: Updated Git status
        O->>P: Update portal manifests<br/>and reload content
        P-->>B: Portal reflects<br/>latest validated data
    end
    Note over B,P: Git commits become the single source of truth,<br/>and all systems stay in sync automatically.
```
This repository provides a complete Kubernetes-native GitOps and workflow automation platform that combines:
- Self-Service Onboarding - Custom CRDs for easy tenant and repository registration
- Automated GitHub Integration - Self-service GitHub App onboarding with webhook management
- Data Buckets - Per-repository isolated data storage
- Artifact Management - S3-compatible storage for workflow artifacts (logs, outputs, etc.)
- Argo Workflows - Kubernetes-native workflow engine
- Argo CD - Declarative GitOps continuous delivery
- Authorization Adapter - Enterprise-grade RBAC with OIDC integration
- NGINX Ingress - Secure external access with per-request authorization
- Vault Integration - Centralized secret management with HashiCorp Vault and External Secrets Operator
```mermaid
graph TB
    subgraph "External"
        U[Git<br/>Browser & CLI]
        GH[Git Repository]
        FENCE[Fence OIDC<br/>calypr-dev.ohsu.edu]
    end
    subgraph "Kubernetes Cluster"
        subgraph "Ingress Layer"
            NG[NGINX Ingress<br/>SSL Termination]
        end
        subgraph "Security Namespace"
            AD[AuthZ Adapter<br/>Flask Service]
        end
        subgraph "ArgoCD Namespace"
            ACD[Argo CD Server<br/>GitOps Controller]
        end
        subgraph "Argo Namespace"
            AWS[Argo Workflows<br/>Server & UI]
            AWC[Workflow Controller<br/>Job Execution]
        end
        subgraph "Tenant Namespace (wf-poc)"
            WF[Workflows<br/>Running Jobs]
            SA[Service Accounts<br/>RBAC Roles]
        end
        subgraph "Storage"
            S3[S3 Compatible<br/>Artifact Repository]
        end
    end
    %% User flows
    U -->|HTTPS Requests| NG
    NG -->|Auth Check| AD
    AD -->|Validate Token| FENCE
    %% Service routing
    NG -->|Authorized Traffic| ACD
    NG -->|Authorized Traffic| AWS
    %% Internal workflows
    ACD -->|Deploy Workflows| AWC
    AWS -->|Submit Jobs| AWC
    AWC -->|Execute| WF
    AWC -->|Store Artifacts| S3
    ACD -->|Sync from Git| GH
    %% Styling
    classDef external fill:#e1f5fe
    classDef security fill:#f3e5f5
    classDef argo fill:#e8f5e8
    classDef storage fill:#fff3e0
    class U,GH,FENCE external
    class AD,NG security
    class ACD,AWS,AWC,WF,SA argo
    class S3 storage
```
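The "Auth Check" hop in the diagram is an NGINX `auth_request` subrequest: for every incoming request the ingress asks the AuthZ Adapter for a verdict and only proxies to Argo CD or Argo Workflows on a 2xx. The following is an added example, not code from the Calypr repository, showing the decision such an adapter makes. It assumes HS256 tokens under a shared key so it runs offline (Fence issues RS256 tokens, so a real adapter must fetch Fence's JWKS and verify RS256 instead), a hypothetical `roles` claim, assumed `ISSUER` and `AUDIENCE` values, and a constructed in-memory `POLICY` table. The `X-Original-Method` and `X-Original-URL` header names are the ones ingress-nginx sets on the subrequest configured by its `auth-url` annotation.

```python
# Stand-in for the per-request authorization adapter behind NGINX auth_request.
# Added example, not the project's code. Assumed (not in the README): HS256 JWTs under a
# shared key (Fence issues RS256; verify against its JWKS), a hypothetical "roles" claim.
import base64, hashlib, hmac, json, posixpath, time
from urllib.parse import unquote, urlsplit

KEY = b"constructed-shared-key"              # constructed; offline use only
ISSUER = "https://calypr-dev.ohsu.edu/user"  # assumed issuer URL
AUDIENCE = "calypr-platform"                 # assumed audience value
# Constructed policy: (method, path prefix, roles allowed); longest prefix wins.
POLICY = [
    ("GET", "/argo/", {"viewer", "submitter", "admin"}),
    ("POST", "/argo/api/v1/workflows/", {"submitter", "admin"}),
    ("GET", "/argocd/", {"admin"}),
    ("POST", "/argocd/", {"admin"}),
]

class AuthError(Exception):
    """args[0] is the HTTP status (401/403) the adapter answers with."""

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore padding
def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def mint_token(claims, key=KEY):
    """Constructed helper so the example runs offline; a real IdP issues tokens."""
    head = _b64e(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_token(token, key=KEY, now=None):
    """Signature first, then issuer, audience and expiry; raises AuthError(401, ...)."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, given = json.loads(_b64d(head_b64)), _b64d(sig_b64)
    except ValueError:  # wrong segment count, bad padding, UTF-8 or JSON
        raise AuthError(401, "malformed token")
    # Pin the algorithm; the token must never choose it (blocks alg=none, RS256->HS256).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError(401, "unsupported alg")
    want = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise AuthError(401, "bad signature")
    claims = json.loads(_b64d(body_b64))
    aud = claims.get("aud", [])
    if claims.get("iss") != ISSUER or AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        raise AuthError(401, "wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise AuthError(401, "expired")
    return claims

def authorize(headers, now=None):
    """Answer one auth_request subrequest: 200 allows, 401/403 deny. ingress-nginx sends
    the original method/URL as X-Original-Method/X-Original-URL plus Authorization."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    try:
        claims = verify_token(auth[7:], now=now)
    except AuthError as err:
        return err.args[0]
    method = headers.get("X-Original-Method", "").upper()
    # Decode and normalize first so "/argo/..%2Fargocd/" cannot reach an admin-only prefix.
    path = posixpath.normpath(unquote(urlsplit(headers.get("X-Original-URL", "")).path))
    best = None
    for m, prefix, allowed in POLICY:
        if m == method and (path == prefix.rstrip("/") or path.startswith(prefix)):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, allowed)
    if best is None:
        return 403  # default deny for routes the policy does not mention
    return 200 if set(claims.get("roles", [])) & best[1] else 403

def scenarios(now=1_700_000_000):
    """Constructed requests: allow, role denial, traversal, missing and bad tokens."""
    host = "https://calypr-dev.ohsu.edu"
    base = {"iss": ISSUER, "aud": ["openid", AUDIENCE], "exp": now + 600}
    submitter = mint_token({**base, "sub": "alice", "roles": ["submitter"]})
    viewer = mint_token({**base, "sub": "bob", "roles": ["viewer"]})
    expired = mint_token({**base, "sub": "bob", "roles": ["admin"], "exp": now - 1})
    forged = mint_token({**base, "sub": "eve", "roles": ["admin"]}, key=b"wrong-key")
    none_alg = _b64e(b'{"alg":"none"}') + "." + submitter.split(".")[1] + "."
    def req(token, method, path):
        return {"Authorization": f"Bearer {token}", "X-Original-Method": method,
                "X-Original-URL": host + path}
    return {
        "submitter_post": authorize(req(submitter, "POST", "/argo/api/v1/workflows/wf-poc"), now),
        "viewer_post": authorize(req(viewer, "POST", "/argo/api/v1/workflows/wf-poc"), now),
        "viewer_get": authorize(req(viewer, "GET", "/argo/workflows?limit=10"), now),
        "traversal": authorize(req(submitter, "GET", "/argo/..%2Fargocd/applications"), now),
        "no_token": authorize({"X-Original-Method": "GET", "X-Original-URL": host + "/argo/"}, now),
        "expired": authorize(req(expired, "GET", "/argo/"), now),
        "forged": authorize(req(forged, "GET", "/argocd/"), now),
        "none_alg": authorize(req(none_alg, "GET", "/argo/"), now),
    }

if __name__ == "__main__":
    print(scenarios())
```

Three choices carry the security weight here: the algorithm is pinned by the verifier rather than read from the token, the route table is default-deny so a path nobody thought about is never silently allowed, and the path is percent-decoded and normalized before prefix matching because the subrequest carries the raw request URI. On the ingress side this adapter is wired in with ingress-nginx's `nginx.ingress.kubernetes.io/auth-url` annotation on the Argo CD and Argo Workflows Ingress objects.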
- Verify your tooling before touching Kubernetes:

  ```bash
  ./scripts/check_tools.sh
  ```

- Prepare required environment variables and validate them with the Makefile helpers:

  ```bash
  make check-vars
  ```

- When you are ready to roll out, use the `deploy` target to run the full initialization pipeline:

  ```bash
  make deploy
  ```

- Iterate on the chart and publish your latest changes straight to the cluster with:

  ```bash
  make argo-stack ports
  ```
- QUICKSTART.md for a longer walkthrough.
- Makefile for all available targets.
- docs/development.md for detailed local development guide.
We welcome contributions! Please see our Contributing Guide for details.
Please use our issue tracker with:
- Bug reports: Include logs, configuration, and reproduction steps
- Feature requests: Describe the use case and expected behavior
- Documentation: Suggestions for improving this README
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
- Argo Project for the excellent workflow and GitOps tools
- Gen3 for the Fence OIDC integration patterns
- OHSU for supporting this open-source initiative
⭐ Star this repo if it helped you!