argocdargo-workflowsargo

Argo-workflows install and run in specific namespace

I am trying to solve a scenario where argo-cd is installed cluster-wide, and we have to install the argo-workflows application within a separate namespace.

Let's say team-1 has a namespace team-one, and team-2 has a namespace called team-two. These team need to have there own setup of argo-workflows in respective namespaces.

Setup that I have completed is:

  1. Installed minikube and argocd in argocd namespace
  2. Completed argocd setup by following apps in any namespace to configure team-one and team-two namespaces
  3. Created appproject team-one-apps in argocd namespace and provided with following config (incomplete)
metadata:
  name: team-one-apps
  namespace: team-one
spec:
  sourceRepo:
    - repolink
  sourceNamespaces:
    - "team-one"
  destination:
    - namespace: "team-one"
      server: <incluster k8's link>
clusterResourceWhitelist:
  - group: "*"
    kind: "*"
  1. Created an application with the following (I am using appofapps approach in argocd where I create a parent-app below config (incomplete) and then I create another app argo-workflows)
metadata:
  name: team-one-parent-app
  namespace: team-one
spec:
  destination:
    namespace: "team-one"
    server: <incluster k8's link>
  project: team-one-apps
  1. Now within the git repository I have created a helm project that contains argo-workflows chart which I manually copied into the helm directory. Directory looks something like below
|- templates
 |-- argo-workflows.yaml
|- argo-workflows
 |-- <the same chart folders from above link>
|- chart.yaml
|- values.yaml
  1. As per the readme.md, I changed controller.workflowNamespaces to team-one, so the workflow-controller will only manage workflows in this namespace team-one.
  2. team-one-parent-app and argo-workflows apps got created successfully and I am able to login into argoworkflows
  3. Created a clusterrole and also clusterrolebinding and assigned them to a service account (team-two-sa) which is created in team-two namespace
  4. Created a workflow with workflowServiceAccount: team-two-sa and namespace: team-two, and successfully submitted and ran the workflow.

My question is in #9, why was I able to submit the workflow successfully in team-two namespace, even when then controller.workflowNamespaces is set to team-one namespace.

Solution

  • I am unsure if I did something wrong, but in controller and server args I could not see --namespace or --managed-namespace. So, it was a clusterwide argowf managing. Hence I was able to submit workflows with team-two namespace also.

    I tried to disable Auto-Sync and then added --namespace and --managed-namespace then it worked fine. However, this is unable to achieve from Argoworkflows helm chart and values file option for controller.workflowNamespaces