feat: Allow to pass optional flags to resource template

[CermakM]

In some cases, it might be useful to have the option to pass optional flags to a resource template.

For example, to turn off kubectl default validation when submitting a resource manifest. OpenShift has some strict requirements (and in case of OpenShift 3.11 even discrepancies) in the oapi spec, which prevents resources from being submitted via kubectl

This patch introduces the Template.Spec.Resource.Flags parameter which allows to pass optional flags to a resource template.

Example:

resource:
  action: create
  flags: [
    "--validate=false"  # validation will be turned off
  ]
  manifest: |
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: host-route
    spec:
      to:
        kind: Service
        name: service-name

[sarabala1979]

Please add examples

[CermakM]

The example references openshift/origin#24060

[CermakM]

Could I ask for help with the CI check? I am kinda struggling to understand the reason it failed.

[simster7]

Looks like a network issue when running dep ensure. Doesn't seem like you changed any dependencies, so don't worry about it. @sarabala1979 will re-run the CI when he reviews your PR.

[simster7]

I think that this PR could become more generalized by allowing the user to pass arbitrary arguments to kubectl. If we merge this, other users could request a similar implementation for other flags, which could cause it to get cluttered.

Something like:

  - name: create-route-without-validation
    resource:
      action: create
      flags: ["--validate=false"]  # validation will be turned off

could work.

Will open this as a new issue. @CermakM do you want to own this?

(P.S. Not that this is slightly different from the open #1834 as that requires executor changes, so it still requires its own PR)

[CermakM]

@simster7 This looks reasonable to me and I'll be happy to extend the implementation :) I suppose we therefore want to have just flags, instead of both flags and validate, correct?

EDIT: Commented on the issue as well.

[CermakM]

Fixes: #1857

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@f3df966). Click here to learn what that means.
The diff coverage is 13.15%.

@@            Coverage Diff            @@
##             master    #1779   +/-   ##
=========================================
  Coverage          ?   11.39%           
=========================================
  Files             ?       74           
  Lines             ?    31163           
  Branches          ?        0           
=========================================
  Hits              ?     3550           
  Misses            ?    27134           
  Partials          ?      479

Impacted Files	Coverage Δ
pkg/apis/workflow/v1alpha1/workflow_types.go	11.54% <ø> (ø)
...kg/apis/workflow/v1alpha1/zz_generated.deepcopy.go	0% <0%> (ø)
pkg/apis/workflow/v1alpha1/generated.pb.go	0.45% <0%> (ø)
workflow/executor/resource.go	6.46% <28.57%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f3df966...c182b3b. Read the comment docs.

[simster7]

This LGTM! Could you add some tests please?

[CermakM]

Uh, well, I hoped you wouldn't say that :D I'll see what I can do.

[maximmold]

Does this implementation require a manifest? I want to delete given a particular label in an argo work flow and I seem to only be able to do it with a specific manifest that requires a metadata.name

[CermakM]

@maximmold I am sorry, struggling to understand your use case a little bit. Could you please elaborate or provide an example of how would you imagine that being used other than in the ResourceTemplate?

[maximmold]

I simply want to be able to do a delete of resources given a particular label selector.

- name: delete-resources-without-validation
    resource:
      action: delete
      flags: ["seldondeployment -l github-branch={{workflow.parameters.github-branch}}"]

Providing a manifest requires you know the same of the resource.

[CermakM]

Ah, gotcha. Let me take a look at it. I think it shouldn't require many changes.

[simster7]

Will try to get some internal comments w.r.t this PR today

[alexec]

@CermakM is this still wanted please?

[CermakM]

@alexec Yes it is. I guess I have quite a lot of rebasing to do. :/

[alexec]

@simster7 do you want to continue as reviewer?

[CermakM]

Is the failure of Golang CI setup on my side? 🤔

[simster7]

@simster7 do you want to continue as reviewer?

Yes, sorry this got out of my radar. I'll give another review today

[simster7]

Two minor changes, otherwise LGTM.

I have reservations about security. With this PR we effectively give the workflow submitter full access to kubectl. I'm going to bring this up with @jessesuen, but feel free to chime in with your opinions.

[CermakM]

@simster7 you're right, but IMHO it is not Argo who should impose security restrictions, it is the cluster/namespace admin, I.e. if users have the rights to execute a certain command via kubectl, they should be able to do that in Argo as well, shouldn't they?

[simster7]

@simster7 you're right, but IMHO it is not Argo who should impose security restrictions, it is the cluster/namespace admin, I.e. if users have the rights to execute a certain command via kubectl, they should be able to do that in Argo as well, shouldn't they?

You're right, except that Argo its own ServiceAccount with kubectl – not the user's – so with this PR we give free reign to the submitter to use Argo's ServiceAccount. However, @jessesuen brought up a good point by saying that we effectively already do this since users can submit arbitrary containers... so it looks like we're going to go ahead with this.

[CermakM]

@simster7 I rebased it once again and pushed it without updated codegen, which causes the conflicts (which, in turn, I assume, have been blocking the merging the whole time). Please, if / when you decide to merge this, generate the codegen as well.

Cheers,
M

[sonarcloud]

SonarCloud Quality Gate failed.

0 Bugs
0 Vulnerabilities (and 0 Security Hotspots to review)
0 Code Smells

51.4% Coverage
0.0% Duplication

Stale review

[simster7]

Thanks for your work @CermakM! Glad we finally got this merged

[CermakM]

Thanks @simster7 !

[m-yosefpor]

I'm new to Argo. Will this solve the issue with Openshift resources when used with ArgoCD as well? or will it only affect argo workflows?

[m-yosefpor]

I found this option in Application object:

syncPolicy:
  syncOptions:
    - Validate=false

However is it possible to disable it per resource (instead of the whole app)?