New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(docs): add RBAC and user to executor plugins example #13019
base: main
Are you sure you want to change the base?
Conversation
…n, patch example and correct user ID. Signed-off-by: Dejan Golja <dejan@golja.org>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A small copy-edit below and also a suggestion to unify Agent permissions docs
docs/executor_plugins.md
Outdated
@@ -202,6 +211,30 @@ spec: | |||
|
|||
You'll see the workflow complete successfully. | |||
|
|||
**Note**: The service account running the workflow needs at least the following permissions. If <= v3.2 you must replace `workflowtasksets/status` with `workflowtasksets`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this block should go in the ## Configuration
section above a subsection ### Permissions
. It's more important than a "Note" -- this is required
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Argo "agent" is mentioned in the HTTP template docs as well. Ideally we'd unify them and have a page on the Agent that both link to with regard to permissions / more information. The Agent is poorly documented; I didn't even know much about it until a few months ago
Potentially a section in the existing Workflow RBAC page might make sense, which is what the quick-start manifest already links to
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would also leave the "If <= v3.2" out of this and leave it in the Workflow description annotation like the quick start manifest. Let's keep the two identical.
Even better would be to make that an in-line comment on the workflowtasksets/status
line in both
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me know what you think about the latest change. I added the ### Permissions
section with some relevant links and removed the Role
definition. Not every user may experience permission issues, because it depends on how they installed WF. I think this new section letting them know they may need to adjust the permissions are adequate for now.
I agree that the documentation for the agent and permissions, in general, could be better. Let me think about it a bit more, and for now, I'll provide this as a stopgap. I may create a follow-up PR to improve the permissions documentation, but first, I need to dig more into the code to fully understand it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this new section letting them know they may need to adjust the permissions are adequate for now.
Yea we'd still leave this section or something similar if we move the actual Agent docs to its own page; this section would just link to that, something like "Plugins use the Argo Agent, ensure you have appropriate RBAC for your Workflow".
Let me know what you think about the latest change.
It looks like the current text is mostly just a copy of the HTTP Template doc? That section causes confusion as-is the way it is written so if we're going to add it, I'd prefer to unify in the Workflow RBAC page. We can just have a short description there and show the RBAC. Can improve that in later PRs
I can help guide that if you're ok relying on my knowledge.
Signed-off-by: Dejan Golja <dejan@golja.org>
Fixes #13015
Motivation
Having a working example from the documentation.
Modifications
The main practical modification involves updating the user ID. Other changes, especially the RBAC role is to provide some guidance what permissions you need for the example to work (see).
Verification
Example provided in the documentation now works as expected.