-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dropping of k8sapi executor makes upgrade from 3.2.6 to 3.4.8 not feasible with private images and script
templates
#11159
Comments
This comment was marked as resolved.
This comment was marked as resolved.
One possible solution here is that for "script" actions, the emissary executor synthesises its own "command" setting. That would probably solve 98% of our incompatibility issues, and for sure the specific thing being executed is 100% within the control of the executor, so it should be relatively straight-forward. |
From #8345, this line should be using your existing
To clarify, this issue is entirely with Based on your analysis in #12787 (comment), it seemed lke your suggested solution could be possible; we might be able to skip the lookup for Upon further inspection though, it does seem to append the Docker So I'm not so sure this is a bug with emissary; you could specify a |
I guess it's more a "missing feature" than a bug. Even so, with your typical script action, it seems as if the source gets dropped into a shell script and that ends up being set as the entrypoint (further experimentation lead to #12787 for fixing an issue with script permissions, once a static configuration has been made, the in-house build images have now been stable for long enough that I felt it was OK to do that). |
it's in As I wrote above though, the image's As such, It needs to know the image's Emissary is a bit hacky, but it's the least hacky and most secure of the executors so far, as I understand it. |
maybe this could be closed as EOL |
It's logged against 3.4, which is still supported and is when all other executors were dropped. It was also opened over a year ago, pre-dating 3.5.0-rc1. Since #12787 was merged though, the script issue has a workaround now, but the bug should ideally be fixed. |
script
templates
Ok I root caused this in #12787 (comment) and there is indeed a bug, but the fix might very well be a breaking change that might not be worthwhile 😕 |
Pre-requisites
:latest
What happened/what you expected to happen?
I expected an ugrade from 3.2.6 to 3.4.8 to be (mostly) "specify new images". It also required a small amount of tweaking RBAC roles.
I did not expect it to require reconfiguring every workflow (many of our workflows use custom, private, images; using the
script
functionality). With the upgrade primarily being motivated by "we want the fresh ssh_known_host file" (as opposed to having to useinsecureIgnoreHostKey
), the amount of work needed to switch from the k8sapi to the emissary executor was completely unexpected and disappointing, as for thescript
-type nodes, it really should be possible for Argo/emissary to figure out what the right command is (and bordering on hard for a human to do).We do not want the Argo workflow controller to have access to our private registries (it should not need that access, the kubernetes cluster has the required image pull capabilities), but it is not obvious what the auto-generated command for a "script" will be (so the entrypoint cannot be specified neither as a
command
nor statically in a configuration file).Version
v3.4.8
Paste a small workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflows that uses private images.
n/a (this is all private images)
Logs from the workflow controller
Logs from in your workflow's wait container
The text was updated successfully, but these errors were encountered: