argoproj / argo-workflows

Workflow Engine for Kubernetes
https://argo-workflows.readthedocs.io/
Apache License 2.0

Enrich workflow submit REST API #12354

Open nicolas-vivot opened 10 months ago

nicolas-vivot commented 10 months ago

Summary

Argo Workflows offers some REST APIs to submit workflows based on existing workflow templates. Unfortunately, several workflow configuration options are missing, making it impossible to customize it at the time we request it through this REST API.

The REST API to submit a workflow based on an existing workflow template: image

The current request body contract (from the documentation) for that API:

{
  "namespace": "string",
  "resourceKind": "string",
  "resourceName": "string",
  "submitOptions": {
    "annotations": "string",
    "dryRun": true,
    "entryPoint": "string",
    "generateName": "string",
    "labels": "string",
    "name": "string",
    "ownerReference": {
      "apiVersion": "string",
      "blockOwnerDeletion": true,
      "controller": true,
      "kind": "string",
      "name": "string",
      "uid": "string"
    },
    "parameters": [
      "string"
    ],
    "podPriorityClassName": "string",
    "priority": 0,
    "serverDryRun": true,
    "serviceAccount": "string"
  }
}

Along with the serviceAccount, podDisruptionBudget is missing, for example. If you want to check which ones are missing, comparing with the list available here might be a good start.

Use Cases

In my company, my team is a platform team responsible for Argo Workflow. We have other teams that create/maintain/publish and distribute to us some workflow templates. As a platform team, we provide the execution platform, and configurations like service account, pdb or security context must be enforced on our side when submitting the workflows with their templates.

Currently we have to ask them to do it inside their templates, which violates this responsibility principle and prevents us from enforcing the execution context of workflows. (Again, service account is fine, but pdb and security context are not.)

We would like the workflow submit REST API to be updated to allow passing the additional missing configuration. The critical configurations for us are: podDisruptionBudget and securityContext.

Unless you provide a way to configure it globally, directly in the Argo Workflow configuration? (I could not find documentation about it.)


Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

Beyond this issue:

I unfortunately do not have time to investigate this myself, especially as I am not a Go developer.

nicolas-vivot commented 10 months ago

Just found out that we can also provide it in the controller configuration map, using workflowDefaults

Example:

workflowDefaults: |
    spec:
      podDisruptionBudget:
        # Set an arbitrary high value to avoid pod being evicted during events like node drain
        minAvailable: 9999

This allows us to avoid having it in the templates, for now at least. We maintain our enhancement request to have the ability to change those settings dynamically at runtime / workflow submission time based on external factors.
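An added example, not part of the issue thread or of the Argo Workflows code base: while these fields can only be set inside templates or as controller defaults, a platform team can lint the WorkflowTemplates it receives for the two fields named above. The policy (a PDB is set, pods run as non-root), the function name and the sample manifests are assumptions made for illustration.

```python
# Added example: lint WorkflowTemplate manifests (as dicts) for the two
# execution-context fields named in this issue.
# Assumption: the platform policy is "PDB set, pods run as non-root".

def lint_template(manifest):
    """Return a list of policy findings for one WorkflowTemplate manifest."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec") or {}
    findings = []

    pdb = spec.get("podDisruptionBudget") or {}
    if "minAvailable" not in pdb and "maxUnavailable" not in pdb:
        findings.append(f"{name}: spec.podDisruptionBudget is not set")

    pod_sc = spec.get("securityContext") or {}
    if pod_sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: spec.securityContext.runAsNonRoot is not true")
    if pod_sc.get("runAsUser") == 0:
        findings.append(f"{name}: spec.securityContext.runAsUser is 0")

    # A container-level securityContext takes precedence over the pod-level
    # one, so a template can undo the workflow-level setting.
    # Only container and script templates are inspected here.
    for tmpl in spec.get("templates") or []:
        for kind in ("container", "script"):
            csc = (tmpl.get(kind) or {}).get("securityContext") or {}
            if (csc.get("runAsUser") == 0 or csc.get("runAsNonRoot") is False
                    or csc.get("privileged") is True):
                findings.append(f"{name}: template '{tmpl.get('name')}' "
                                f"{kind} weakens the securityContext")
    return findings

# Constructed sample manifests (not taken from the issue).
COMPLIANT = {"metadata": {"name": "etl-good"}, "spec": {
    "podDisruptionBudget": {"minAvailable": 9999},
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "templates": [{"name": "main", "container": {"image": "example/etl:1"}}]}}
NON_COMPLIANT = {"metadata": {"name": "etl-bad"}, "spec": {
    "templates": [{"name": "main", "container": {
        "image": "example/etl:1", "securityContext": {"runAsUser": 0}}}]}}

if __name__ == "__main__":
    for m in (COMPLIANT, NON_COMPLIANT):
        for line in lint_template(m) or [f"{m['metadata']['name']}: ok"]:
            print(line)
```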