Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[TEP-0098] Workflows - Problem Statement #569

Merged
merged 1 commit into from
Jan 31, 2022

Conversation

dibyom
Copy link
Member

@dibyom dibyom commented Dec 7, 2021

Adds a problem statement for the experimental workflows API. The goal is to start a discussion around the use cases we should target for Workflows. The approach I'm planning to take is to design and work on this in an experimental project once we have the use cases.
Moving from an experimental API to a full Tekton API is out of scope for now and can be considered depending on how the experimental project goes.

/cc @sbwsg @chmouel @khrm

@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 7, 2021
@tekton-robot tekton-robot requested review from dibbles and khrm December 7, 2021 15:00
@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Dec 7, 2021
@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 7, 2021
@ghost
Copy link

ghost commented Dec 7, 2021

/assign

@tekton-robot tekton-robot assigned ghost Dec 7, 2021
@dibyom dibyom marked this pull request as ready for review December 7, 2021 18:00
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 7, 2021
@pritidesai
Copy link
Member

/kind tep

@tekton-robot tekton-robot added the kind/tep Categorizes issue or PR as related to a TEP (or needs a TEP). label Dec 7, 2021
teps/0096-workflows.md Outdated Show resolved Hide resolved
teps/0096-workflows.md Outdated Show resolved Hide resolved
* Allow clear separation of concerns between platform developers and app teams
* Allow for clear separation between run configuration and pipeline definition?

### Non-Goals
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is deployment of all the necessary Tekton components a goal or non-goal? Thinking of a situation where a user starts with an empty cluster and needs (Pipelines, Triggers, Workflows, Remote Resolution) all deployed at versions that work together under the Workflows API. Is this something the Workflows project might provide or would we lean on the Operator project here instead maybe? Either way it might be worth calling out as in or out of scope here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. Yeah I think I think we'd mention other projects as pre-requisites and installing them would be the user's job. They can use the operator project to simplify the installs.

@ghost
Copy link

ghost commented Dec 9, 2021

/approve

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 10, 2021
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 13, 2021
@dibyom dibyom changed the title [Problem Statement] TEP-0096 Workflows [TEP-0098] Workflows - Problem Statement Dec 13, 2021
@abayer
Copy link
Contributor

abayer commented Dec 15, 2021

So would this be a glue layer above both Pipelines and Triggers? I mean, in part, 'cos it does seem to be more than just that. =)


Most CI/CD workflows also require interactions with external systems such as GitHub. Tekton today does not provide a way to declare these in a standardized way making it harder to visualize and debug the entire end to end workflow in a single place e.g. it is hard to visualize all pipeline runs for a given repository.

Standardizing all of the configuration in one place can also enable some enterprise use cases. For instance, platform users can control the Workflow resource fields such as service accounts, secret configuration for various third party integrations while the app developer teams can still manage the actual pipeline definition in code
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At present, the operator (for Openshift distribution) also provides a service account creation in every namespace with appropriate roles for triggers and pipelines. Will workflows deal with cluster-wide or namespaced scope changes? If latter, then there's no potential conflict in Operator and Workflow. If former, we will need to delegate some operator responsibilities to the latter or vice-versa.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, there is an SA per namespace and this SA is supposed to be used by the user in their pipelineruns/triggers etc?

Workflows will still allow users to set the SA to be used for the run, so if I'm understanding your question correctly, I think the operator SA will still work.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed this in the WG today - Operator installs a SA that contains the right roles/bindings/secrets needed to run triggers/pipelines. We can default to this SA optionally, but users can override the SA in the workflow spec.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed this in the WG today - Operator installs a SA that contains the right roles/bindings/secrets needed to run triggers/pipelines. We can default to this SA optionally, but users can override the SA in the workflow spec.

Note: The SA setup in the operator is just a "different" SA than the default one to be able to run by default some of our shipped Tasks in OpenShift Pipelines. It is not required to run all Pipeline/Task, we are just setting it and using it as default SA instead of the default SA provided by k8s.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it. It still sounds like this SA can be set as the default (perhaps by a mutating webhook) while the users can override it in their spec if they want.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it. It still sounds like this SA can be set as the default (perhaps by a mutating webhook) while the users can override it in their spec if they want.

We are using the config-defaults configmap provided by the tekton components for the most cases 😉

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 16, 2021
@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 22, 2021
@dibyom
Copy link
Member Author

dibyom commented Jan 10, 2022

So would this be a glue layer above both Pipelines and Triggers? I mean, in part, 'cos it does seem to be more than just that. =)

To start with, yes. Besides Pipelines and Triggers, we are also exploring adding other bits that are useful for CI workloads e.g. a concept of git repos, notifications etc.

@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 10, 2022
@jerop
Copy link
Member

jerop commented Jan 10, 2022

API WG: will be discussed in Workflows WG

know that this has succeeded?
-->

* Provide a way to describe entire CI/CD configuration (not just pipeline definition) in a single place
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for starting this,

One other things we may want to specify is if Workflow have only one pipeline definition attached with configuration assets or if we can have multiple pipelines.

If we can have multiple pipelines, I wonder if the Workfows can be a solution for Pipeline in Pipeline https://github.com/tektoncd/experimental/blob/main/pipelines-in-pipelines/README.md, where Workflow can compose multiple Pipeline together.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chmouel do you mean multiple pipeline that run at the same time or multiple pipeline that run in different conditions (branches, tags, pull_request, …) or both ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We discussed this a bit at the WG last week - Notes

I think the use case was more like a pipeline in pipeline use case e.g a common security pipeline that is added to any user defined pipeline etc.


Most CI/CD workflows also require interactions with external systems such as GitHub. Tekton today does not provide a way to declare these in a standardized way making it harder to visualize and debug the entire end to end workflow in a single place e.g. it is hard to visualize all pipeline runs for a given repository.

Standardizing all of the configuration in one place can also enable some enterprise use cases. For instance, platform users can control the Workflow resource fields such as service accounts, secret configuration for various third party integrations while the app developer teams can still manage the actual pipeline definition in code
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed this in the WG today - Operator installs a SA that contains the right roles/bindings/secrets needed to run triggers/pipelines. We can default to this SA optionally, but users can override the SA in the workflow spec.

Note: The SA setup in the operator is just a "different" SA than the default one to be able to run by default some of our shipped Tasks in OpenShift Pipelines. It is not required to run all Pipeline/Task, we are just setting it and using it as default SA instead of the default SA provided by k8s.

know that this has succeeded?
-->

* Provide a way to describe entire CI/CD configuration (not just pipeline definition) in a single place
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chmouel do you mean multiple pipeline that run at the same time or multiple pipeline that run in different conditions (branches, tags, pull_request, …) or both ?

@tekton-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: khrm, sbwsg, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jerop
Copy link
Member

jerop commented Jan 24, 2022

/lgtm

approved at API WG

(@dibyom to respond to nonblocking comments)

@tekton-robot tekton-robot added lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jan 24, 2022
@chmouel
Copy link
Member

chmouel commented Jan 26, 2022

/lgtm

🍺

Signed-off-by: Dibyo Mukherjee <dibyo@google.com>
@tekton-robot tekton-robot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jan 31, 2022
@jerop
Copy link
Member

jerop commented Jan 31, 2022

/lgtm

it was already approved in API WG last week but needed rebasing before merging - rebasing removed the lgtm label so reapplying it

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 31, 2022
@tekton-robot tekton-robot merged commit d3b2856 into tektoncd:main Jan 31, 2022
@dibyom dibyom deleted the workflows branch February 1, 2022 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/tep Categorizes issue or PR as related to a TEP (or needs a TEP). lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
Status: Opened
Development

Successfully merging this pull request may close these issues.

8 participants