-
Notifications
You must be signed in to change notification settings - Fork 222
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[TEP-0098] Workflows - Problem Statement #569
Conversation
/assign |
/kind tep |
teps/0096-workflows.md
Outdated
* Allow clear separation of concerns between platform developers and app teams | ||
* Allow for clear separation between run configuration and pipeline definition? | ||
|
||
### Non-Goals |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is deployment of all the necessary Tekton components a goal or non-goal? Thinking of a situation where a user starts with an empty cluster and needs (Pipelines
, Triggers
, Workflows
, Remote Resolution
) all deployed at versions that work together under the Workflows API. Is this something the Workflows project might provide or would we lean on the Operator project here instead maybe? Either way it might be worth calling out as in or out of scope here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. Yeah I think I think we'd mention other projects as pre-requisites and installing them would be the user's job. They can use the operator project to simplify the installs.
/approve |
So would this be a glue layer above both Pipelines and Triggers? I mean, in part, 'cos it does seem to be more than just that. =) |
|
||
Most CI/CD workflows also require interactions with external systems such as GitHub. Tekton today does not provide a way to declare these in a standardized way making it harder to visualize and debug the entire end to end workflow in a single place e.g. it is hard to visualize all pipeline runs for a given repository. | ||
|
||
Standardizing all of the configuration in one place can also enable some enterprise use cases. For instance, platform users can control the Workflow resource fields such as service accounts, secret configuration for various third party integrations while the app developer teams can still manage the actual pipeline definition in code |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At present, the operator (for Openshift distribution) also provides a service account creation in every namespace with appropriate roles for triggers and pipelines. Will workflows deal with cluster-wide or namespaced scope changes? If latter, then there's no potential conflict in Operator and Workflow. If former, we will need to delegate some operator responsibilities to the latter or vice-versa.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, there is an SA per namespace and this SA is supposed to be used by the user in their pipelineruns/triggers etc?
Workflows will still allow users to set the SA to be used for the run, so if I'm understanding your question correctly, I think the operator SA will still work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed this in the WG today - Operator installs a SA that contains the right roles/bindings/secrets needed to run triggers/pipelines. We can default to this SA optionally, but users can override the SA in the workflow spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed this in the WG today - Operator installs a SA that contains the right roles/bindings/secrets needed to run triggers/pipelines. We can default to this SA optionally, but users can override the SA in the workflow spec.
Note: The SA setup in the operator is just a "different" SA than the default
one to be able to run by default some of our shipped Tasks in OpenShift Pipelines. It is not required to run all Pipeline/Task, we are just setting it and using it as default SA instead of the default
SA provided by k8s.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it. It still sounds like this SA can be set as the default (perhaps by a mutating webhook) while the users can override it in their spec if they want.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it. It still sounds like this SA can be set as the default (perhaps by a mutating webhook) while the users can override it in their spec if they want.
We are using the config-defaults
configmap provided by the tekton components for the most cases 😉
To start with, yes. Besides Pipelines and Triggers, we are also exploring adding other bits that are useful for CI workloads e.g. a concept of git repos, notifications etc. |
API WG: will be discussed in Workflows WG |
know that this has succeeded? | ||
--> | ||
|
||
* Provide a way to describe entire CI/CD configuration (not just pipeline definition) in a single place |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for starting this,
One other things we may want to specify is if Workflow have only one pipeline definition attached with configuration assets or if we can have multiple pipelines.
If we can have multiple pipelines, I wonder if the Workfows can be a solution for Pipeline in Pipeline https://github.com/tektoncd/experimental/blob/main/pipelines-in-pipelines/README.md, where Workflow can compose multiple Pipeline together.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chmouel do you mean multiple pipeline that run at the same time or multiple pipeline that run in different conditions (branches, tags, pull_request, …) or both ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We discussed this a bit at the WG last week - Notes
I think the use case was more like a pipeline in pipeline use case e.g a common security pipeline that is added to any user defined pipeline etc.
|
||
Most CI/CD workflows also require interactions with external systems such as GitHub. Tekton today does not provide a way to declare these in a standardized way making it harder to visualize and debug the entire end to end workflow in a single place e.g. it is hard to visualize all pipeline runs for a given repository. | ||
|
||
Standardizing all of the configuration in one place can also enable some enterprise use cases. For instance, platform users can control the Workflow resource fields such as service accounts, secret configuration for various third party integrations while the app developer teams can still manage the actual pipeline definition in code |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed this in the WG today - Operator installs a SA that contains the right roles/bindings/secrets needed to run triggers/pipelines. We can default to this SA optionally, but users can override the SA in the workflow spec.
Note: The SA setup in the operator is just a "different" SA than the default
one to be able to run by default some of our shipped Tasks in OpenShift Pipelines. It is not required to run all Pipeline/Task, we are just setting it and using it as default SA instead of the default
SA provided by k8s.
know that this has succeeded? | ||
--> | ||
|
||
* Provide a way to describe entire CI/CD configuration (not just pipeline definition) in a single place |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chmouel do you mean multiple pipeline that run at the same time or multiple pipeline that run in different conditions (branches, tags, pull_request, …) or both ?
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: khrm, sbwsg, vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm approved at API WG (@dibyom to respond to nonblocking comments) |
/lgtm 🍺 |
Signed-off-by: Dibyo Mukherjee <dibyo@google.com>
/lgtm it was already approved in API WG last week but needed rebasing before merging - rebasing removed the lgtm label so reapplying it |
Adds a problem statement for the experimental workflows API. The goal is to start a discussion around the use cases we should target for Workflows. The approach I'm planning to take is to design and work on this in an experimental project once we have the use cases.
Moving from an experimental API to a full Tekton API is out of scope for now and can be considered depending on how the experimental project goes.
/cc @sbwsg @chmouel @khrm