search

Azure / orkestra

Orkestra is a cloud-native release orchestration and lifecycle management (LCM) platform for the fine-grained orchestration of inter-dependent helm charts and their dependencies
https://azure.github.io/orkestra
Other
104 stars 16 forks source link

Orkestra should use the ApplicationGroup namespace as the namespace for Argo workflows #231

Open jonathan-innis opened 3 years ago

jonathan-innis commented 3 years ago

Is your feature request related to a problem? Please describe. Currently, we use always use the orkestra namespace to run the argo workflows. Instead of using this always, we should use the ApplicaitonGroup namespace and generate the workflows in that namespace. This will allow teams that have security models that separate their logic into different namespaces to use multiple application groups in different namespaces.

jonathan-innis commented 3 years ago

This will cause us to create a service account and assign this service account the ClusterRole binding that allows the executor to do any of the actions that it needs to do to provision the resources

nitishm commented 3 years ago

@jonathan-innis Can we close this as a "will not fix" ?

jonathan-innis commented 3 years ago

This one wasn't the "won't fix" one, I think we said we might take this at a later date

nitishm commented 3 years ago

oops

jonathan-innis commented 3 years ago

Also, these workflows not being in separate namespaces prevents us from parallelizing the tests which will be critical as the full reconciliation loop takes quite a while if we run these in serial

nitishm commented 3 years ago

So, we do have an env variable for specifying the workflow namespace WORKFLOW_NAMESPACE being set through the values.yaml in the deployment.yaml

          env:
          - name: WORKFLOW_NAMESPACE 
            value: {{ .Release.Namespace }} 
          - name: WORKFLOW_SERVICEACCOUNT_NAME 
            value: {{ include "orkestra.serviceAccountName" . }}

Can you give this a try since I haven't really tried it outside of the orkestra namespace. I am guessing the ServiceAccounts are going to be an issue that must be addressed in a different namespace.

jonathan-innis commented 3 years ago

I still think that a user's expectation would be that an applicationGroup would deploy the workflow in the namespace specified in the AppGroup .metadata.namespace, deploying the service account as well

nitishm commented 3 years ago

Since ApplicationGroup is cluster-scoped do you want to just add a targetNamespace field to the .spec?

jonathan-innis commented 3 years ago

Is there a specific reason why we chose to have an application group be cluster-scoped? I'm curious the logic here because we could run everything within the namespace

nitishm commented 3 years ago

I suppose not. A previous version needed to be when we started out but not anymore.