search

argoproj / argo-helm

ArgoProj Helm Charts
https://argoproj.github.io/argo-helm/
Apache License 2.0
1.76k stars 1.88k forks source link

Argo Workflows in "Namespaced Mode" still creates a ClusterRole and Name Clashes With Multiple Installs #2939

Closed bensoer closed 1 month ago

bensoer commented 1 month ago

Describe the bug

See Helm Template: https://github.com/argoproj/argo-helm/blob/main/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml#L204

The role here does not contain the singleNamespace check as done here: https://github.com/argoproj/argo-helm/blob/main/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml#L3

This causes a clashing when deploying 2 Argo Workflows in the same cluster, with singleNamespace enabled, and in seperate namespaces

When deploying in Terraform the error comes out as:

14:39:09  Error: Unable to continue with install: ClusterRole "argo-workflows-workflow-controller-cluster-template" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "argoworkflows-prod": current value is "argoworkflows-non-prod"
14:39:09  
14:39:09    with helm_release.argo_workflows,
14:39:09    on main.tf line 88, in resource "helm_release" "argo_workflows":
14:39:09    88: resource "helm_release" "argo_workflows" {

Related helm chart

argo-workflows

Helm chart version

Found in 0.42.1 . Can see issue also Helm in 0.42.3

To Reproduce

See Helm Template: https://github.com/argoproj/argo-helm/blob/main/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml#L204

Reproduction can be done by deploying argo workflows helm twice onto the same cluster:

Note: This setup assumes the argo helm repo is already setup in your helm under the alias of argo

  1. Deploy the first one:

    helm upgrade --install argoworkflows argo/argo-workflows --atomic --create-namespace --namespace argoworkflows1 --wait --set clusterInstall=false --set createClusterAggregateRoles=false --set crds.install=true --set singeNamespace=true

    Note: crds.install=true is explicite, the second install has it set to false. This avoids CRD conflicts

  2. Deploy the second one:

    helm upgrade --install argoworkflows argo/argo-workflows --atomic --create-namespace --namespace argoworkflows1 --wait --set clusterInstall=false --set createClusterAggregateRoles=false --set crds.install=false --set singeNamespace=true

The second deployment will fail with a clash on the ClusteRole name conflict - eventhough were in namespaced mode

Expected behavior

General behavior is that when deploying Argo Workflows in namespaced mode, it should only be creating Role objects, not ClusterRole objects - https://argo-workflows.readthedocs.io/en/latest/managed-namespace/

Screenshots

No response

Additional context

No response

bensoer commented 1 month ago

The quick-fix around, to be able to unblock deploying multiple is to deploy each Argo Workflow with a unique release name. This then causes the ClusterRole name to be generated containing those unique release names and thus not name clashing

But, from my understanding, running with singleNamespace=true should be creating Roles, not ClusterRoles ?