Merge pull request #1177 from rackerlabs/workflows-update

cardoe · web-flow · commit 6d4e8deb40ff · 2025-08-25T15:03:35.000Z
feat(argo-workflows): support multiple namespaces / bump to 3.6.10
diff --git a/components/argo-events/argo-server-rb.yaml b/components/argo-events/argo-server-rb.yaml
diff --git a/components/argo-events/argo-server-rolebinding.yaml b/components/argo-events/argo-server-rolebinding.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-server-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-server-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: argo-server
+  namespace: argo
diff --git a/components/argo-events/controller-rb.yaml b/components/argo-events/controller-rb.yaml
diff --git a/components/argo-events/kustomization.yaml b/components/argo-events/kustomization.yaml
@@ -8,8 +8,9 @@ resources:
   - https://github.com/argoproj/argo-events/releases/download/v1.9.7/install-validating-webhook.yaml
 
   # grant the argo-workflows the ability to run workflows in this namespace
-  - https://github.com/argoproj/argo-workflows/manifests/namespace-install/argo-server-rbac?ref=v3.5.10
-  - https://github.com/argoproj/argo-workflows/manifests/namespace-install/workflow-controller-rbac?ref=v3.5.10
+  - workflow-controller-rolebinding.yaml
+  # grant the argo-server the ability to see workflows in this namespace
+  - argo-server-rolebinding.yaml
 
   ## configure webhook Sensor and associated role
   - sensor-workflow-role.yaml
@@ -19,14 +20,3 @@ resources:
 
   ## copy openstack/cinder-netapp-config to argo-events/netapp-config
   - secret-netapp.yaml
-
-patches:
-- target:
-    kind: RoleBinding
-    name: argo-binding
-  path: controller-rb.yaml
-
-- target:
-    kind: RoleBinding
-    name: argo-server-binding
-  path: argo-server-rb.yaml
diff --git a/components/argo-events/workflow-controller-rolebinding.yaml b/components/argo-events/workflow-controller-rolebinding.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: argo
+  namespace: argo
diff --git a/components/argo/argo-server-deployment.yaml b/components/argo/argo-server-deployment.yaml
@@ -13,8 +13,3 @@ spec:
         - --auth-mode=sso
         # all other auth via Kubernetes bearer tokens
         - --auth-mode=client
-        # running in namespaced mode and not cluster wide
-        - --namespaced
-        # configures the namespace where workflows actually run
-        - --managed-namespace
-        - argo-events
diff --git a/components/argo/argo-server-runtime.yaml b/components/argo/argo-server-runtime.yaml
diff --git a/components/argo/delete-argo-server-crb.yaml b/components/argo/delete-argo-server-crb.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-server-binding
+$patch: delete
diff --git a/components/argo/delete-workflow-controller-crb.yaml b/components/argo/delete-workflow-controller-crb.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-binding
+$patch: delete
diff --git a/components/argo/kustomization.yaml b/components/argo/kustomization.yaml
@@ -3,14 +3,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  # We are doing upstream's namespace-install.yaml but since we
-  # want the actual workflows to run in a different namespace
-  # the roles are created there
-  - https://github.com/argoproj/argo-workflows/manifests/base?ref=v3.5.10
-  # give the workflow controller access it needs
-  - workflow-controller-runtime.yaml
-  # give the argo-server access it needs
-  - argo-server-runtime.yaml
+  # We are wanting to limit the scope and access down to
+  # just the namespaces we want to give access for workflows
+  # to run and the argo-server to be able to see workflows and
+  # argo events so we need to split up what we install. So
+  # we delete the ClusterRoleBinding and instead create RoleBindings
+  # to the ClusterRole for just the namespaces we want.
+  - https://github.com/argoproj/argo-workflows/manifests/cluster-install/?ref=v3.6.10
 
   # ingress for workflows.${DNS_ZONE} to the argo server for the UI
   - ingress.yaml
@@ -21,13 +20,27 @@ resources:
 # keep all the images consistent
 images:
   - name: quay.io/argoproj/workflow-controller
-    newTag: v3.5.10
+    newTag: v3.6.10
   - name: quay.io/argoproj/argoexec
-    newTag: v3.5.10
+    newTag: v3.6.10
   - name: quay.io/argoproj/argocli
-    newTag: v3.5.10
+    newTag: v3.6.10
 
 patches:
+- target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: ClusterRoleBinding
+    name: argo-binding
+  path: delete-workflow-controller-crb.yaml
+
+- target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: ClusterRoleBinding
+    name: argo-server-binding
+  path: delete-argo-server-crb.yaml
+
 # see the patch for details on the change
 - target:
     group: apps
diff --git a/components/argo/workflow-controller-runtime.yaml b/components/argo/workflow-controller-runtime.yaml
diff --git a/docs/design-guide/argo-workflows.md b/docs/design-guide/argo-workflows.md
@@ -13,28 +13,33 @@ and maintenance tasks.
 while the actual workflows run in another dedicated namespace (argo-events),
 to ensure proper security isolation and resource control. This separation
 is provided by [Argo Workflows][argo-wf] but poorly documented upstream which
-they call [Managed Namespace][argo-wf-managed-ns].
+they call [Managed Namespace][argo-wf-managed-ns]. Unfortunately the
+likely better approach at achieving this managed namespace installation
+would be to use the cluster based install which uses ClusterRoles but then
+binds the ClusterRole to a specific namespace instead of a ClusterRoleBinding.
+This is the approach we take.
 
 ### Argo Workflows Configuration
 
 We do not use the `namespace-install.yaml` provided by the project as it
-combines everything into one YAML and we need to split it out. It combines:
+combines everything into one YAML and focuses on running everything in
+one namespace while we want separation. What we ultimately need:
 
 * CRDs
 * Argo Server, which is the UI and the API for Argo Workflows and Argo Events
 * Argo Workflows Controller, which is the executor for the workflow and creates
 the pods
-* Server Role, which is the Role and RoleBinding for the Argo Server to access
+* Server RBAC, which is the ClusterRole and RoleBinding for the Argo Server to access
 the workflow, the pods, the logs, and inputs for user visibility
-* Workflow Controller Role, which is the Role and RoleBinding to give the controller
+* Workflow Controller RBAC, which is the ClusterRole and RoleBinding to give the controller
 access to run and manage the workflows.
 
 The CRDs, the Argo Server, and the Argo Workflow Controller will all be installed
-into the (argo) namespace while the 2 Roles and RoleBindings need to be installed
+into the (argo) namespace while the 2 RoleBindings need to be installed
 into the namespace where the workflow execute, which is (argo-events).
 
 The Argo Server and the Workflow Controller additionally need access to additional
-resources. The Argo Server needs access to the configmap, the SSO secret
+resources. The Argo Server needs access to the configmap, the SSO secret.
 
 ## Template-Only Execution Model
 
