Argo-Workflows: Helm chart do not seem to cleanly support "managed namespace" installation #1431

Closed
hyacin75 opened this issue Aug 29, 2022 · 10 comments
@hyacin75

hyacin75 commented Aug 29, 2022

Describe the bug

The "managed namespace" docs say -

You can install Argo in either cluster scoped or namespace scope configurations. This dictates if you must
set-up cluster roles or normal roles.

In namespace scope configuration, you must run both the Workflow Controller and Argo Server using
--namespaced. If you would like to have the workflows running in a separate namespace, add
--managed-namespace as well. (In cluster scope installation, don't include --namespaced or
--managed-namespace.)

So that implies no cluster roles should be needed, or created in a managed namespace installation.

The chart values support no explicit definition of 'managed namespace' mode though, simply this -

  # -- Specify all namespaces where this workflow controller instance will manage
  # workflows. This controls where the service account and RBAC resources will
  # be created. Only valid when singleNamespace is false.
  workflowNamespaces:
    - default

but, when singleNamespace is false, even with every other cluster related setting disabled, we still get CRs and CRBs -

me@here:~/argo-helm/charts/argo-workflows$ helm template argo-workflows . | grep -i clusterrole | wc -l
15
me@here:~/argo-helm/charts/argo-workflows$ helm template argo-workflows . --set createAggregateRoles=false --set controller.clusterWorkflowTemplates.enabled=false --set server.clusterWorkflowTemplates.enabled=false --set server.clusterWorkflowTemplates.enableEditing=false | grep -i clusterrole | wc -l
6
me@here:~/argo-helm/charts/argo-workflows$ helm template argo-workflows . --set createAggregateRoles=false --set controller.clusterWorkflowTemplates.enabled=false --set server.clusterWorkflowTemplates.enabled=false --set server.clusterWorkflowTemplates.enableEditing=false | grep -i clusterrolebinding | wc -l
2
me@here:~/argo-helm/charts/argo-workflows$

and setting singleNamespace to true would mean roles and rolebindings wouldn't be created for the additional namespace(s) listed in controller.workflowNamespaces as it explicitly says it is ignored if that is set.

Related helm chart

argo-workflows

Helm chart version

0.17.1

To Reproduce

helm template argo-workflows . --set createAggregateRoles=false --set controller.clusterWorkflowTemplates.enabled=false --set server.clusterWorkflowTemplates.enabled=false --set server.clusterWorkflowTemplates.enableEditing=false

Expected behavior

No CRs or CRBs since, as the docs say, they should only be created in cluster scoped installations, or if the opposite of "singleNamespace" is automatically assumed to be a cluster install, then a means of declaring one wants a "managed namespace" install.

Screenshots

No response

Additional context

No response
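
A stricter form of the `grep -i clusterrole | wc -l` check used in the issue above, as an added example that is not part of the original thread or of the chart: it counts cluster-scoped RBAC objects by top-level `kind` instead of counting matching lines. The manifest, the object names and the `cluster_rbac` helper are constructed for illustration; in practice the input would be the `helm template` output.

```shell
# List cluster-scoped RBAC objects in a rendered manifest stream (stdin).
# Assumes Helm-style output: documents separated by '---', top-level keys
# at column 0, metadata.name indented by two spaces.
cluster_rbac() {
  awk '
    function emit() {
      if (kind == "ClusterRole" || kind == "ClusterRoleBinding")
        print kind "/" name
      kind = ""; name = ""; in_meta = 0
    }
    /^---/                { emit(); next }          # document boundary
    /^kind:/              { kind = $2; next }       # top-level kind only
    /^metadata:/          { in_meta = 1; next }
    /^[^ #]/              { in_meta = 0 }           # any other top-level key
    in_meta && /^  name:/ { name = $2 }
    END                   { emit() }
  '
}

# Constructed sample manifest (not output of the real chart).
sample_manifest() {
  cat <<'EOF'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-controller
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-controller
roleRef:
  kind: ClusterRole
  name: example-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-workflow
  namespace: default
roleRef:
  kind: ClusterRole
  name: example-workflow
EOF
}

sample_manifest | cluster_rbac            # objects that need cluster-level RBAC
sample_manifest | grep -ci clusterrole    # line matches, including roleRef lines
```

On this sample the line count is 4 while only 2 objects are cluster-scoped; the namespaced RoleBinding is matched by grep only because its `roleRef` names a ClusterRole.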

@hyacin75 hyacin75 added the bug label Aug 29, 2022
@hyacin75
Author

hyacin75 commented Aug 30, 2022

In case something is unclear, as the 'confused' emote above leads me to believe -

If singleNamespace is false and workflowNamespaces has a value, logically you're looking for a "Managed Namespace" install, as, if you're doing a cluster install, there is no need or point to specifying any additional namespaces, as it gets access to ALL the namespaces via the CRs anyway.

In surely many organizations, any tool having access to ALL the namespaces is probably not ideal, but the "Managed Namespace" model is, where the workflows themselves, and the controller and server, can be separated. As-is, the helm chart does not seem to support that.

@ju187

ju187 commented Sep 29, 2022

For the current helm for role, etc., if singleNamespace is set to false, role and sa are not created in the managed namespaces. I'm assuming they should be.

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot closed this as not planned Dec 7, 2022
@vitalyrychkov

The managed-namespace seems to be still not implemented in v3.4.7

@jcogilvie

I agree this does not seem to work correctly. There's no mention in the chart of the --managed-namespace flag indicated in that documentation blurb.

@pchar

pchar commented Oct 4, 2024

Hi, has someone found a solution to this topic?

@hyacin75
Author

hyacin75 commented Oct 4, 2024

Hi, has someone found a solution to this topic?

I spent a couple days modifying the chart myself for my purposes. It wasn't clean enough to submit a PR though sadly, just a quick and dirty 'get it working'. It's likely horribly out of date now too and missing important stuff from recent updates.

@pchar

pchar commented Oct 4, 2024

Any help is welcome. If you don't mind, can you paste your quick and dirty?
It will give me some hints to fix ;)

@hyacin75
Author

hyacin75 commented Oct 4, 2024

Any help is welcome. If you don't mind, can you paste your quick and dirty? It will give me some hints to fix ;)

Copy/paste 100% no as it's got a lot of proprietary work stuff in it now. When I get back to the office next week I can check my Confluence pages though to see if I have anything of use. I know I was trying to work on a diff at one point so we could easily apply the changes to future chart versions ... I just don't think I ever finished :-/

@pchar

pchar commented Oct 5, 2024

Thanks! Any help is appreciated ;)
have a nice we
