feat(argo-workflows): Multiple workflow namespaces (#824)

* allow workflow to be run in multiple namespaces, bump chart version Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * update helm install instructions Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * fix indents Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * add newlines Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * bump chart version Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * default to "argo" namespace for workflow service account Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * simplify setting service account, fix syntactical error in defaulting to "argo" namespace Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * Bump only the chart version, revert bumping the controller version: 3.0.8 does not exist yet as a workflow-controller image version Signed-off-by: reinvantveer <reinvantveer@gmail.com> * don't set a namespace if there isn't one provided Signed-off-by: reinvantveer <reinvantveer@gmail.com> * bump version Signed-off-by: reinvantveer <reinvantveer@gmail.com> * re-use controller.workflowNamespaces instead of introducing workflow.namespaces Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * re-use controller.workflowNamespaces instead of introducing workflow.namespaces Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * re-use controller.workflowNamespaces instead of introducing workflow.namespaces Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * re-use controller.workflowNamespaces instead of introducing workflow.namespaces, add additional inline comments on rbac.create effect Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * compress namespaces from controller.workflowNamespaces and workflow.namespace into single loop iteration Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * compress namespaces from controller.workflowNamespaces and workflow.namespace into single loop iteration Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * compress namespaces from controller.workflowNamespaces and workflow.namespace into single loop iteration Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * dro now-redundant branch for controller.workflowNamespaces Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * use template helper "argo-workflows.fullname" instead of release name in order to be able to override the service account name Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * add missing "template" keyword Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * drop redundant $namespace assignment that was already moved inside the "range" function Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * replace "define" templates with simple values now that controller.workflowNamespaces and workflow.namespace are unified into a single "range" iteration Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * drop redundant $namespace assignment that was already moved inside the "range" function Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * inline "define" templates with simple values now that controller.workflowNamespaces and workflow.namespace are unified into a single "range" iteration Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * inline "define" templates with simple values now that controller.workflowNamespaces and workflow.namespace are unified into a single "range" iteration Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * add missing "$" to denote target for templating the workflows fullname helper Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * restore `with` blocks for service account name and service account annotations Signed-off-by: reinvantveer <reinvantveer@gmail.com> * drop validations: considering cases of `workflowNamespaces`, `namespace` and `singleNamespace` Signed-off-by: reinvantveer <reinvantveer@gmail.com> * include case for single namespaces with default ("") namespace, otherwise (ternary) combine the workflow namespace and workflowNamespaces from the controller settings into a list to iterate over Signed-off-by: reinvantveer <reinvantveer@gmail.com> * wrap namespace configuration in `with` block to prevent setting it to "" Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * fix append vs. concat bug: append workflowNamespace to (possibly 0-lenght) list of controller.workflowNamespaces Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl> * fix namespace range with additional check for either single namespace being false, or append to the workflow namespaces: the first non-null (coalesce) from the workflow namespace or the namespace Argo is being deployed to. Signed-off-by: reinvantveer <reinvantveer@gmail.com> * add changelog entries Signed-off-by: reinvantveer <reinvantveer@gmail.com> * unwrap (inline) with-block for service account name Signed-off-by: reinvantveer <reinvantveer@gmail.com> Co-authored-by: Vlad Losev <vladlosev@users.noreply.github.com>
2021-07-20 20:18:26 +02:00 · 2021-07-20 20:18:26 +02:00 · 37277315ce
parent 186fe34b87
commit 37277315ce
6 changed files with 51 additions and 37 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -55,7 +55,7 @@ annotations:
 Minimally:

 ```
-helm install charts/argo -n argo
+helm install charts/argo-workflows -n argo
 argo version
 ```

--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.2.8
+version: 0.2.9
 appVersion: "v3.0.7"
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
@ -15,4 +15,6 @@ maintainers:
  - name: benjaminws
 annotations:
  artifacthub.io/changes: |
-    - "[Fixed]: Controller Role/ClusterRole to work with InstanceID"
+    - "[Changed]: Service accounts, roles and role bindings can now be auto-created for each workflow controller namespace"
+    - "[Fixed]: The contributer testing guidelines were updated to reflect the chart name change from 'argo' to
+    'argo-workflows'"
--- a/charts/argo-workflows/templates/controller/workflow-rb.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-rb.yaml
@ -1,19 +1,20 @@
 {{- if .Values.workflow.rbac.create -}}
+  {{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq)  }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "argo-workflows.fullname" . }}-workflow
-  {{- with .Values.workflow.namespace }}
-  namespace: {{ . }} 
-  {{- end }}
+  name: {{ template "argo-workflows.fullname" $ }}-workflow
+  namespace: {{ $namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: {{ template "argo-workflows.fullname" . }}-workflow
+  name: {{ template "argo-workflows.fullname" $ }}-workflow
 subjects:
- kind: ServiceAccount
-  name: {{ .Values.workflow.serviceAccount.name }}
-  {{- with .Values.workflow.namespace }}
-  namespace: {{ . }}
+  - kind: ServiceAccount
+    name: {{ $.Values.workflow.serviceAccount.name }}
+    {{- with $namespace }}
+    namespace: {{ . }}
+    {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/argo-workflows/templates/controller/workflow-role.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-role.yaml
@ -1,25 +1,29 @@
 {{- if .Values.workflow.rbac.create -}}
+  {{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq)  }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "argo-workflows.fullname" . }}-workflow
-  {{- with .Values.workflow.namespace }}
+  name: {{ template "argo-workflows.fullname" $ }}-workflow
+    {{- with $namespace }}
  namespace: {{ . }}
-  {{- end }}
+    {{- end }}
 rules:
- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - watch
-  - patch
- apiGroups:
-  - ""
-  resources:
-  - pods/log
-  verbs:
-  - get
-  - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - watch
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+    verbs:
+      - get
+      - watch
+  {{- end }}
+
 {{- end }}
--- a/charts/argo-workflows/templates/controller/workflow-sa.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-sa.yaml
@ -1,13 +1,16 @@
 {{- if .Values.workflow.serviceAccount.create -}}
+  {{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq)  }}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.workflow.serviceAccount.name }}
-  {{- with .Values.workflow.namespace }}
+  name: {{ $.Values.workflow.serviceAccount.name }}
+    {{- with $namespace }}
  namespace: {{ . }}
-  {{- end }}
-  {{- with .Values.workflow.serviceAccount.annotations }}
+    {{- end }}
+    {{- with $.Values.workflow.serviceAccount.annotations }}
  annotations:
-    {{- toYaml . | nindent 4 }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -29,13 +29,15 @@ kubeVersionOverride: ""
 singleNamespace: false

 workflow:
-  namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created.
+  namespace: # Deprecated, for backwards compatibility: specify a single namespace to run workflows in
  serviceAccount:
    create: false # Specifies whether a service account should be created
    annotations: {}
    name: "argo-workflow" # Service account which is used to run workflows
  rbac:
-    create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows
+    # Adds Role and RoleBinding for the above specified service account to be able to run workflows
+    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
+    create: true

 controller:
  image:
@ -109,6 +111,8 @@ controller:
    # Annotations applied to created service account
    annotations: {}
  name: workflow-controller
+  # Specify all namespaces to run worksflows need to be able to run in. This controls where the service
+  # account and RBAC resources will be created. If unspecified, will run in the default namespace.
  workflowNamespaces:
    - default
  containerRuntimeExecutor: docker