
Orkestra should use the ApplicationGroup namespace as the namespace for Argo workflows

Open jonathan-innis opened this issue 4 years ago • 10 comments

Is your feature request related to a problem? Please describe.

Currently, we always use the orkestra namespace to run the argo workflows. Instead of using this always, we should use the ApplicationGroup namespace and generate the workflows in that namespace. This will allow teams that have security models that separate their logic into different namespaces to use multiple application groups in different namespaces.

jonathan-innis May 13 '21 06:05

This will cause us to create a service account and assign this service account the ClusterRole binding that allows the executor to do any of the actions that it needs to do to provision the resources

jonathan-innis May 13 '21 06:05

@jonathan-innis Can we close this as a "will not fix" ?

nitishm May 14 '21 07:05

This one wasn't the "won't fix" one, I think we said we might take this at a later date

jonathan-innis May 14 '21 20:05

oops

nitishm May 14 '21 21:05

Also, these workflows not being in separate namespaces prevents us from parallelizing the tests, which will be critical as the full reconciliation loop takes quite a while if we run these in serial.

jonathan-innis May 15 '21 16:05

So, we do have an env variable for specifying the workflow namespace, WORKFLOW_NAMESPACE, being set through the values.yaml in the deployment.yaml:

         env:
         - name: WORKFLOW_NAMESPACE 
           value: {{ .Release.Namespace }} 
         - name: WORKFLOW_SERVICEACCOUNT_NAME 
           value: {{ include "orkestra.serviceAccountName" . }} 

Can you give this a try, since I haven't really tried it outside of the orkestra namespace? I am guessing the ServiceAccounts are going to be an issue that must be addressed in a different namespace.

nitishm May 15 '21 20:05
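
An added example, not from the thread or from the Orkestra project: the per-namespace ServiceAccount and binding that the comments above say a non-orkestra workflow namespace would need, written as Kubernetes RBAC manifests. The namespace team-a, the ServiceAccount name orkestra-workflow and the ClusterRole name orkestra-workflow-executor are assumptions, and the role's rules are omitted because the thread does not list them; whether the controller works with these values outside the orkestra namespace is untested, as the comment above says.

```yaml
# Assumed names throughout: team-a, orkestra-workflow, orkestra-workflow-executor.
# The controller would be pointed at them with the two variables from the thread:
#   WORKFLOW_NAMESPACE=team-a
#   WORKFLOW_SERVICEACCOUNT_NAME=orkestra-workflow
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orkestra-workflow
  namespace: team-a
---
# Option A: namespaced RoleBinding that references a shared ClusterRole.
# The ClusterRole's rules apply only to objects inside team-a, so a workflow
# running for team-a cannot touch another team's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orkestra-workflow-executor
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: orkestra-workflow-executor   # placeholder; rules not given on this page
subjects:
- kind: ServiceAccount
  name: orkestra-workflow
  namespace: team-a
---
# Option B, for comparison: ClusterRoleBinding to the same ClusterRole.
# The same ServiceAccount now holds the role's permissions in every namespace,
# which removes the per-team separation the issue is asking for.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: orkestra-workflow-executor-team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: orkestra-workflow-executor
subjects:
- kind: ServiceAccount
  name: orkestra-workflow
  namespace: team-a
```

Apply only one of the two bindings; Option A has to be repeated in each namespace that hosts an ApplicationGroup.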

I still think that a user's expectation would be that an applicationGroup would deploy the workflow in the namespace specified in the AppGroup .metadata.namespace, deploying the service account as well

jonathan-innis May 24 '21 02:05

Since ApplicationGroup is cluster-scoped, do you want to just add a targetNamespace field to the .spec?

nitishm May 24 '21 03:05

Is there a specific reason why we chose to have an application group be cluster-scoped? I'm curious about the logic here because we could run everything within the namespace.

jonathan-innis Jun 05 '21 22:06

I suppose not. A previous version needed to be when we started out but not anymore.

nitishm Jun 06 '21 00:06