feat(argo-workflows): Multiple workflow namespaces (argoproj#824)

* allow workflow to be run in multiple namespaces, bump chart version

Signed-off-by: reinvantveer <[email protected]>

* update helm install instructions

Signed-off-by: reinvantveer <[email protected]>

* fix indents

Signed-off-by: reinvantveer <[email protected]>

* add newlines

Signed-off-by: reinvantveer <[email protected]>

* bump chart version

Signed-off-by: reinvantveer <[email protected]>

* default to "argo" namespace for workflow service account

Signed-off-by: reinvantveer <[email protected]>

* simplify setting service account, fix syntactical error in defaulting to "argo" namespace

Signed-off-by: reinvantveer <[email protected]>

* Bump only the chart version, revert bumping the controller version: 3.0.8 does not exist yet as a workflow-controller image version

Signed-off-by: reinvantveer <[email protected]>

* don't set a namespace if there isn't one provided

Signed-off-by: reinvantveer <[email protected]>

* bump version

Signed-off-by: reinvantveer <[email protected]>

* re-use controller.workflowNamespaces instead of introducing workflow.namespaces

Signed-off-by: reinvantveer <[email protected]>

* re-use controller.workflowNamespaces instead of introducing workflow.namespaces

Signed-off-by: reinvantveer <[email protected]>

* re-use controller.workflowNamespaces instead of introducing workflow.namespaces

Signed-off-by: reinvantveer <[email protected]>

* re-use controller.workflowNamespaces instead of introducing workflow.namespaces, add additional inline comments on rbac.create effect

Signed-off-by: reinvantveer <[email protected]>

* compress namespaces from controller.workflowNamespaces and workflow.namespace into single loop iteration

Signed-off-by: reinvantveer <[email protected]>

* compress namespaces from controller.workflowNamespaces and workflow.namespace into single loop iteration

Signed-off-by: reinvantveer <[email protected]>

* compress namespaces from controller.workflowNamespaces and workflow.namespace into single loop iteration

Signed-off-by: reinvantveer <[email protected]>

* dro now-redundant branch for controller.workflowNamespaces

Signed-off-by: reinvantveer <[email protected]>

* use template helper "argo-workflows.fullname" instead of release name in order to be able to override the service account name

Signed-off-by: reinvantveer <[email protected]>

* add missing "template" keyword

Signed-off-by: reinvantveer <[email protected]>

* drop redundant $namespace assignment that was already moved inside the "range" function

Signed-off-by: reinvantveer <[email protected]>

* replace "define" templates with simple values now that controller.workflowNamespaces and workflow.namespace are unified into a single "range" iteration

Signed-off-by: reinvantveer <[email protected]>

* drop redundant $namespace assignment that was already moved inside the "range" function

Signed-off-by: reinvantveer <[email protected]>

* inline "define" templates with simple values now that controller.workflowNamespaces and workflow.namespace are unified into a single "range" iteration

Signed-off-by: reinvantveer <[email protected]>

* inline "define" templates with simple values now that controller.workflowNamespaces and workflow.namespace are unified into a single "range" iteration

Signed-off-by: reinvantveer <[email protected]>

* add missing "$" to denote target for templating the workflows fullname helper

Signed-off-by: reinvantveer <[email protected]>

* restore `with` blocks for service account name and service account annotations

Signed-off-by: reinvantveer <[email protected]>

* drop validations: considering cases of `workflowNamespaces`, `namespace` and `singleNamespace`

Signed-off-by: reinvantveer <[email protected]>

* include case for single namespaces with default ("") namespace, otherwise (ternary) combine the workflow namespace and workflowNamespaces from the controller settings into a list to iterate over

Signed-off-by: reinvantveer <[email protected]>

* wrap namespace configuration in `with` block to prevent setting it to ""

Signed-off-by: reinvantveer <[email protected]>

* fix append vs. concat bug: append workflowNamespace to (possibly 0-lenght) list of controller.workflowNamespaces

Signed-off-by: reinvantveer <[email protected]>

* fix namespace range with additional check for either single namespace being false, or append to the workflow namespaces: the first non-null (coalesce) from the workflow namespace or the namespace Argo is being deployed to.

Signed-off-by: reinvantveer <[email protected]>

* add changelog entries

Signed-off-by: reinvantveer <[email protected]>

* unwrap (inline) with-block for service account name

Signed-off-by: reinvantveer <[email protected]>

Co-authored-by: Vlad Losev <[email protected]>

CONTRIBUTING.md

@@ -55,7 +55,7 @@ annotations:
 Minimally:
 
 ```
-helm install charts/argo -n argo
+helm install charts/argo-workflows -n argo
 argo version
 ```
 

charts/argo-workflows/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.2.8
+version: 0.2.9
 appVersion: "v3.0.7"
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
@@ -15,4 +15,6 @@ maintainers:
   - name: benjaminws
 annotations:
   artifacthub.io/changes: |
-    - "[Fixed]: Controller Role/ClusterRole to work with InstanceID"
+    - "[Changed]: Service accounts, roles and role bindings can now be auto-created for each workflow controller namespace"
+    - "[Fixed]: The contributer testing guidelines were updated to reflect the chart name change from 'argo' to
+    'argo-workflows'"

charts/argo-workflows/templates/controller/workflow-rb.yaml

@@ -1,19 +1,20 @@
 {{- if .Values.workflow.rbac.create -}}
+  {{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq)  }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "argo-workflows.fullname" . }}-workflow
-  {{- with .Values.workflow.namespace }}
-  namespace: {{ . }} 
-  {{- end }}
+  name: {{ template "argo-workflows.fullname" $ }}-workflow
+  namespace: {{ $namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "argo-workflows.fullname" . }}-workflow
+  name: {{ template "argo-workflows.fullname" $ }}-workflow
 subjects:
-- kind: ServiceAccount
-  name: {{ .Values.workflow.serviceAccount.name }}
-  {{- with .Values.workflow.namespace }}
-  namespace: {{ . }}
+  - kind: ServiceAccount
+    name: {{ $.Values.workflow.serviceAccount.name }}
+    {{- with $namespace }}
+    namespace: {{ . }}
+    {{- end }}
   {{- end }}
 {{- end }}

charts/argo-workflows/templates/controller/workflow-role.yaml

@@ -1,25 +1,29 @@
 {{- if .Values.workflow.rbac.create -}}
+  {{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq)  }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "argo-workflows.fullname" . }}-workflow
-  {{- with .Values.workflow.namespace }}
+  name: {{ template "argo-workflows.fullname" $ }}-workflow
+    {{- with $namespace }}
   namespace: {{ . }}
-  {{- end }}
+    {{- end }}
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - watch
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - pods/log
-  verbs:
-  - get
-  - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - watch
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+    verbs:
+      - get
+      - watch
+  {{- end }}
+
 {{- end }}

charts/argo-workflows/templates/controller/workflow-sa.yaml

@@ -1,13 +1,16 @@
 {{- if .Values.workflow.serviceAccount.create -}}
+  {{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq)  }}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.workflow.serviceAccount.name }}
-  {{- with .Values.workflow.namespace }}
+  name: {{ $.Values.workflow.serviceAccount.name }}
+    {{- with $namespace }}
   namespace: {{ . }}
-  {{- end }}
-  {{- with .Values.workflow.serviceAccount.annotations }}
+    {{- end }}
+    {{- with $.Values.workflow.serviceAccount.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- end }}
 {{- end }}

charts/argo-workflows/values.yaml

@@ -29,13 +29,15 @@ kubeVersionOverride: ""
 singleNamespace: false
 
 workflow:
-  namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created.
+  namespace: # Deprecated, for backwards compatibility: specify a single namespace to run workflows in
   serviceAccount:
     create: false # Specifies whether a service account should be created
     annotations: {}
     name: "argo-workflow" # Service account which is used to run workflows
   rbac:
-    create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows
+    # Adds Role and RoleBinding for the above specified service account to be able to run workflows
+    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
+    create: true
 
 controller:
   image:
@@ -109,6 +111,8 @@ controller:
     # Annotations applied to created service account
     annotations: {}
   name: workflow-controller
+  # Specify all namespaces to run worksflows need to be able to run in. This controls where the service
+  # account and RBAC resources will be created. If unspecified, will run in the default namespace.
   workflowNamespaces:
     - default
   containerRuntimeExecutor: docker