ManageIQ / manageiq

ManageIQ Open-Source Management Platform
https://manageiq.org
Apache License 2.0

Kubernetes Workflow Orchestration #22568

Closed agrare closed 1 year ago

agrare commented 1 year ago

Executing workflows on K8s will require credentials in order to create the resources necessary to run the workflows. Currently only the orchestrator has credentials to run pods.

Options:

  1. Create a new worker on Kubernetes that only runs workflows
  2. Have the orchestrator also run workflows

In either case, if this is a singleton worker, we'll need to start running workflows "async" sooner rather than later.

https://github.com/ManageIQ/manageiq/issues/22311

agrare commented 1 year ago

Met with @Fryguy and @bdunne to discuss this.

Running these from a generic worker is not an option due to the need to isolate what can communicate with the k8s API. Running from the orchestrator is not an option because, while it would not require a new worker or service account, any errors hit during runtime could take down the orchestrator and thus the entire app.

We settled on a new worker that would be able to create and delete pods and secrets and act as a general worker for executing external operations like workflows or Ansible playbooks. While executing a workflow, if a task step was encountered, the process of running the container would be handled by this new worker.
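
An RBAC sketch of the dedicated worker described in the comment above, added here as an illustration and not taken from the issue or the ManageIQ code base. The namespace, service account and role names are hypothetical; the verbs and resources are the ones the comment names.

```yaml
# Added example. All names (manageiq, workflow-runner) are hypothetical.
# Dedicated identity for the new worker, separate from the orchestrator's
# service account and from generic workers.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workflow-runner
  namespace: manageiq
---
# Namespaced Role rather than ClusterRole: the grant stops at the namespace
# boundary. Only the verbs named in the discussion are listed; anything else
# the worker turns out to need (for example reading pod status) would be an
# explicit, reviewable addition.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow-runner
  namespace: manageiq
rules:
  - apiGroups: [""]            # core API group
    resources: ["pods", "secrets"]
    verbs: ["create", "delete"]
---
# Bind the Role to the worker's service account only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workflow-runner
  namespace: manageiq
subjects:
  - kind: ServiceAccount
    name: workflow-runner
    namespace: manageiq
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-runner
```

The grant can be checked with `kubectl auth can-i create pods -n manageiq --as=system:serviceaccount:manageiq:workflow-runner`, and the same query run as a generic worker's service account should answer `no`. Pod creation is itself a sensitive permission, since a created pod can mount any secret in its namespace, which is a reason to keep this identity off general-purpose workers.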

Fryguy commented 1 year ago

Completed in #22710