argo-workflow-exec-iamguarded

Chainguard Container for argo-workflow-exec-iamguarded

Iamguarded-compatible versions of Argo Workflows CLI, executor, and workflow controller components

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/argo-workflow-exec-iamguarded:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

These images are Iamguarded-compatible versions of the standard Argo Workflows components, differing from the upstream and standard Chainguard Argo Workflows images in the following ways:

Installation paths

Iamguarded images install binaries to /opt/iamguarded/argo-workflow-{component}/bin/ rather than the standard system paths. The PATH environment variable is configured to include these Iamguarded paths.

User and permissions

The images run as UID 1001 (non-root) with GID 0. The working directory is set to /opt/iamguarded/argo-workflow-{component}.

Component structure

Three separate container images are provided:

• argo-cli-iamguarded: Command-line interface for managing workflows
• argo-exec-iamguarded: Workflow executor for running workflow steps
• argo-workflowcontroller-iamguarded: Workflow controller for managing workflow lifecycle

Each component is versioned independently and can be deployed according to your Argo Workflows architecture requirements.

Prerequisites

To use these images, you need:

• A Kubernetes cluster with Argo Workflows installed
• kubectl configured to access your cluster
• Access to Chainguard's private registry (cgr.dev)
• Appropriate RBAC permissions to deploy and manage Argo Workflows resources

These images are designed to work with existing Argo Workflows deployments. You can replace the standard Argo Workflows images with their Iamguarded equivalents.

Getting Started

Deploying with Iamguarded images

If you have an existing Argo Workflows deployment, update your Deployment or StatefulSet manifests to use the Iamguarded images. Replace the image references:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: workflow-controller
  namespace: argo
spec:
  template:
    spec:
      containers:
      - name: workflow-controller
        image: cgr.dev/ORGANIZATION/argo-workflowcontroller-iamguarded:latest
        # ... rest of your configuration

For the executor, update your ConfigMap or controller configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
  namespace: argo
data:
  config: |
    executor:
      image: cgr.dev/ORGANIZATION/argo-exec-iamguarded:latest

Running a test workflow

After deploying the Iamguarded images, verify the installation by creating a simple workflow:

cat <<EOF | kubectl apply -f -
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: hello-iamguarded
  namespace: argo
spec:
  entrypoint: main
  templates:
  - name: main
    container:
      image: cgr.dev/chainguard/busybox:latest
      command: ["echo"]
      args: ["hello from Iamguarded Argo Workflows"]
EOF

Check the workflow status:

kubectl get workflows -n argo
kubectl logs -n argo hello-iamguarded

Using the CLI

The Iamguarded CLI image can be used to interact with your Argo Workflows installation:

docker run --rm -v ~/.kube:/home/nonroot/.kube:ro \
  cgr.dev/ORGANIZATION/argo-cli-iamguarded:latest \
  list -n argo

Configuration

Environment variables

The Iamguarded images use the following environment configuration:

PATH: Automatically configured to /opt/iamguarded/argo-workflow-{component}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

GRPC_ENFORCE_ALPN_ENABLED: Set to false for the CLI component to ensure compatibility with gRPC services.

Working directory

Each component uses a dedicated working directory:

• CLI: /opt/iamguarded/argo-workflow-cli
• Executor: /opt/iamguarded/argo-workflow-exec
• Workflow Controller: /opt/iamguarded/argo-workflow-controller

User and group

All components run as:

• User ID: 1001
• Group ID: 0

Additional packages

The workflow controller image includes tzdata for timezone support, which is required for proper scheduling and time-based workflow operations.

Documentation and Resources

For comprehensive information about Argo Workflows:

• Argo Workflows Official Documentation
• Argo Workflows GitHub Repository
• Argo Workflows Examples

What are Chainguard Containers?

Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.

All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.

In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.

Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.

Need additional packages?

To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.

To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.

Learn More

Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.