From 37277315ce669a12e9a5a66ce03ab2a6e08eb184 Mon Sep 17 00:00:00 2001 From: Rein van 't Veer Date: Tue, 20 Jul 2021 20:18:26 +0200 Subject: [PATCH 1/2] feat(argo-workflows): Multiple workflow namespaces (#824) * allow workflow to be run in multiple namespaces, bump chart version Signed-off-by: reinvantveer * update helm install instructions Signed-off-by: reinvantveer * fix indents Signed-off-by: reinvantveer * add newlines Signed-off-by: reinvantveer * bump chart version Signed-off-by: reinvantveer * default to "argo" namespace for workflow service account Signed-off-by: reinvantveer * simplify setting service account, fix syntactical error in defaulting to "argo" namespace Signed-off-by: reinvantveer * Bump only the chart version, revert bumping the controller version: 3.0.8 does not exist yet as a workflow-controller image version Signed-off-by: reinvantveer * don't set a namespace if there isn't one provided Signed-off-by: reinvantveer * bump version Signed-off-by: reinvantveer * re-use controller.workflowNamespaces instead of introducing workflow.namespaces Signed-off-by: reinvantveer * re-use controller.workflowNamespaces instead of introducing workflow.namespaces Signed-off-by: reinvantveer * re-use controller.workflowNamespaces instead of introducing workflow.namespaces Signed-off-by: reinvantveer * re-use controller.workflowNamespaces instead of introducing workflow.namespaces, add additional inline comments on rbac.create effect Signed-off-by: reinvantveer * compress namespaces from controller.workflowNamespaces and workflow.namespace into single loop iteration Signed-off-by: reinvantveer * compress namespaces from controller.workflowNamespaces and workflow.namespace into single loop iteration Signed-off-by: reinvantveer * compress namespaces from controller.workflowNamespaces and workflow.namespace into single loop iteration Signed-off-by: reinvantveer * dro now-redundant branch for controller.workflowNamespaces 
Signed-off-by: reinvantveer * use template helper "argo-workflows.fullname" instead of release name in order to be able to override the service account name Signed-off-by: reinvantveer * add missing "template" keyword Signed-off-by: reinvantveer * drop redundant $namespace assignment that was already moved inside the "range" function Signed-off-by: reinvantveer * replace "define" templates with simple values now that controller.workflowNamespaces and workflow.namespace are unified into a single "range" iteration Signed-off-by: reinvantveer * drop redundant $namespace assignment that was already moved inside the "range" function Signed-off-by: reinvantveer * inline "define" templates with simple values now that controller.workflowNamespaces and workflow.namespace are unified into a single "range" iteration Signed-off-by: reinvantveer * inline "define" templates with simple values now that controller.workflowNamespaces and workflow.namespace are unified into a single "range" iteration Signed-off-by: reinvantveer * add missing "$" to denote target for templating the workflows fullname helper Signed-off-by: reinvantveer * restore `with` blocks for service account name and service account annotations Signed-off-by: reinvantveer * drop validations: considering cases of `workflowNamespaces`, `namespace` and `singleNamespace` Signed-off-by: reinvantveer * include case for single namespaces with default ("") namespace, otherwise (ternary) combine the workflow namespace and workflowNamespaces from the controller settings into a list to iterate over Signed-off-by: reinvantveer * wrap namespace configuration in `with` block to prevent setting it to "" Signed-off-by: reinvantveer * fix append vs. concat bug: append workflowNamespace to (possibly 0-lenght) list of controller.workflowNamespaces 
Signed-off-by: reinvantveer * fix namespace range with additional check for either single namespace being false, or append to the workflow namespaces: the first non-null (coalesce) from the workflow namespace or the namespace Argo is being deployed to. Signed-off-by: reinvantveer * add changelog entries Signed-off-by: reinvantveer * unwrap (inline) with-block for service account name Signed-off-by: reinvantveer Co-authored-by: Vlad Losev --- CONTRIBUTING.md | 2 +- charts/argo-workflows/Chart.yaml | 6 ++- .../templates/controller/workflow-rb.yaml | 19 ++++----- .../templates/controller/workflow-role.yaml | 40 ++++++++++--------- .../templates/controller/workflow-sa.yaml | 13 +++--- charts/argo-workflows/values.yaml | 8 +++- 6 files changed, 51 insertions(+), 37 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 070b0981..3d6e1782 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -55,7 +55,7 @@ annotations: Minimally: ``` -helm install charts/argo -n argo +helm install charts/argo-workflows -n argo argo version ``` diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 736b131d..70b9bf10 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.2.8 +version: 0.2.9 appVersion: "v3.0.7" icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm @@ -15,4 +15,6 @@ maintainers: - name: benjaminws annotations: artifacthub.io/changes: | - - "[Fixed]: Controller Role/ClusterRole to work with InstanceID" + - "[Changed]: Service accounts, roles and role bindings can now be auto-created for each workflow controller namespace" + - "[Fixed]: The contributer testing guidelines were updated to reflect the chart name change from 'argo' to + 'argo-workflows'" 
diff --git a/charts/argo-workflows/templates/controller/workflow-rb.yaml b/charts/argo-workflows/templates/controller/workflow-rb.yaml index 9b27c045..004d40d0 100644 --- a/charts/argo-workflows/templates/controller/workflow-rb.yaml +++ b/charts/argo-workflows/templates/controller/workflow-rb.yaml @@ -1,19 +1,20 @@ {{- if .Values.workflow.rbac.create -}} + {{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "argo-workflows.fullname" . }}-workflow - {{- with .Values.workflow.namespace }} - namespace: {{ . }} - {{- end }} + name: {{ template "argo-workflows.fullname" $ }}-workflow + namespace: {{ $namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "argo-workflows.fullname" . }}-workflow + name: {{ template "argo-workflows.fullname" $ }}-workflow subjects: -- kind: ServiceAccount - name: {{ .Values.workflow.serviceAccount.name }} - {{- with .Values.workflow.namespace }} - namespace: {{ . }} + - kind: ServiceAccount + name: {{ $.Values.workflow.serviceAccount.name }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-role.yaml b/charts/argo-workflows/templates/controller/workflow-role.yaml index bf8b3cff..4ca10e8e 100644 --- a/charts/argo-workflows/templates/controller/workflow-role.yaml +++ b/charts/argo-workflows/templates/controller/workflow-role.yaml 
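Review bot: The `range` header reads `.Values.singeNamespace`, but the key in values.yaml is `singleNamespace`, so `or .Values.singeNamespace false` is always false and the `(list "")` branch is never taken. With `singleNamespace: true` the chart would still emit a RoleBinding in every entry of `controller.workflowNamespaces` plus `workflow.namespace` or the release namespace, which is more RBAC than a single-namespace install asks for. The same misspelling is in the `range` lines of workflow-role.yaml and workflow-sa.yaml; all three should start with `or .Values.singleNamespace false`. Once that branch is reachable, `namespace: {{ $namespace }}` under `metadata` here renders an empty value because, unlike the subject's namespace, it is not wrapped in `{{- with $namespace }}`.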
@@ -1,25 +1,29 @@ {{- if .Values.workflow.rbac.create -}} + {{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "argo-workflows.fullname" . }}-workflow - {{- with .Values.workflow.namespace }} + name: {{ template "argo-workflows.fullname" $ }}-workflow + {{- with $namespace }} namespace: {{ . }} - {{- end }} + {{- end }} rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - patch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - patch + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - watch + {{- end }} + {{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-sa.yaml b/charts/argo-workflows/templates/controller/workflow-sa.yaml index dc84f2b1..2ea64771 100644 --- a/charts/argo-workflows/templates/controller/workflow-sa.yaml +++ b/charts/argo-workflows/templates/controller/workflow-sa.yaml @@ -1,13 +1,16 @@ {{- if .Values.workflow.serviceAccount.create -}} + {{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }} +--- apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.workflow.serviceAccount.name }} - {{- with .Values.workflow.namespace }} + name: {{ $.Values.workflow.serviceAccount.name }} + {{- with $namespace }} namespace: {{ . }} - {{- end }} - {{- with .Values.workflow.serviceAccount.annotations }} + {{- end }} + {{- with $.Values.workflow.serviceAccount.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} 
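Review bot: `namespace: {{ . }}` is emitted unquoted, so a namespace whose name is all digits (a valid DNS label) or reads as a YAML boolean is rendered as a non-string, and the manifest is likely to be rejected at apply time. The value now comes from the user-supplied `controller.workflowNamespaces` list rather than a single field, so `namespace: {{ . | quote }}` is the safer form. The same applies to the namespace lines in workflow-rb.yaml and workflow-sa.yaml.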
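Review bot: In workflow-sa.yaml, `$.Values.workflow.serviceAccount.annotations` is applied unchanged to the ServiceAccount in every iterated namespace, and neither the hunk nor the values comments say so. If the annotations bind a cloud identity (workload-identity style role annotations), each workflow namespace would then receive the same identity. A template comment above the `with` block, for example `{{- /* annotations are copied to the ServiceAccount in every workflow namespace */ -}}`, and a matching line next to `annotations: {}` in values.yaml would make that scope explicit.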
diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index 864c9931..ebd7fc92 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -29,13 +29,15 @@ kubeVersionOverride: "" singleNamespace: false workflow: - namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created. + namespace: # Deprecated, for backwards compatibility: specify a single namespace to run workflows in serviceAccount: create: false # Specifies whether a service account should be created annotations: {} name: "argo-workflow" # Service account which is used to run workflows rbac: - create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows + # Adds Role and RoleBinding for the above specified service account to be able to run workflows + # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) + create: true controller: image: @@ -109,6 +111,8 @@ controller: # Annotations applied to created service account annotations: {} name: workflow-controller + # Specify all namespaces to run worksflows need to be able to run in. This controls where the service + # account and RBAC resources will be created. If unspecified, will run in the default namespace. workflowNamespaces: - default containerRuntimeExecutor: docker From e393ef1ba2017973fc52208abcc5243e52b2443d Mon Sep 17 00:00:00 2001 From: Zadkiel Date: Tue, 20 Jul 2021 20:24:41 +0200 Subject: [PATCH 2/2] fix(argo-workflows): remove old default init service account (#834) * fix(argo-workflows): remove old default init service account Signed-off-by: GitHub * fix(argo-workflows): remove init.serviceAccount from README Signed-off-by: GitHub * chore(argo-workflows): update changelog Signed-off-by: GitHub * chore(argo-workflows): bump chart to 0.2.8 
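Review bot: `workflow.rbac.create` now defaults to `true` while `workflow.serviceAccount.create` stays `false`, so a default install or upgrade creates RBAC objects the operator never opted in to. The Role carries `get`/`watch`/`patch` on pods and is created with its RoleBinding in `default` (the `controller.workflowNamespaces` default) and in the release namespace, bound to a ServiceAccount name (`argo-workflow`) the chart does not create. Consider keeping `create: false`, or state the new default and its effect on upgrade in the comment and the changelog entry. The bare `namespace:` also parses as null rather than `""`; `coalesce` treats both as empty, but `namespace: ""` keeps the type explicit.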
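Review bot: The new comment above `workflowNamespaces` is garbled ("to run worksflows need to be able to run in") and omits that the templates always append `workflow.namespace` or, failing that, the release namespace to this list. Suggested wording: `# Namespaces in which workflows may run. When enabled, a service account, Role and RoleBinding are created in each of them,` followed by `# and additionally in workflow.namespace or, if that is empty, the release namespace.` The `controller` mapping continues outside the hunk.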
Signed-off-by: GitHub Co-authored-by: Vlad Losev --- charts/argo-workflows/Chart.yaml | 6 ++---- charts/argo-workflows/README.md | 2 +- charts/argo-workflows/values.yaml | 5 ----- 3 files changed, 3 insertions(+), 10 deletions(-) diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 70b9bf10..a342b248 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.2.9 +version: 0.2.10 appVersion: "v3.0.7" icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm @@ -15,6 +15,4 @@ maintainers: - name: benjaminws annotations: artifacthub.io/changes: | - - "[Changed]: Service accounts, roles and role bindings can now be auto-created for each workflow controller namespace" - - "[Fixed]: The contributer testing guidelines were updated to reflect the chart name change from 'argo' to - 'argo-workflows'" + - "[Fixed]: Removed init.serviceAccount unused fields" diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index 7e1c9dd7..e25a3840 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md @@ -10,7 +10,7 @@ This chart uses an install hook to configure the CRD definition. Installation of A few options are: -- Manually create a ServiceAccount in the Namespace which your release will be deployed w/ appropriate bindings to perform this action and set the `init.serviceAccount` attribute +- Manually create a ServiceAccount in the Namespace which your release will be deployed w/ appropriate bindings to perform this action and set the `serviceAccountName` field in the Workflow spec - Augment the `default` ServiceAccount permissions in the Namespace in which your Release is deployed to have the appropriate permissions ## Usage Notes 
diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index ebd7fc92..68f6f459 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -5,11 +5,6 @@ images: pullSecrets: [] # - name: argo-pull-secret -init: - # By default the installation will not set an explicit one, which will mean it uses `default` for the namespace the chart is - # being deployed to. In RBAC clusters, that will almost certainly fail. See the NOTES: section of the readme for more info. - serviceAccount: "" - createAggregateRoles: true ## String to partially override "argo-workflows.fullname" template