trigger a templateRef from diffrent namespace then the workflow-template

[bengoldenberg]

i am running a workflow template in a specific namespace, and inside it i am trying to call templateRef that exists different namespace.
it cant find the workflow template in the different namespace.
is there any solution for it?

[wesleyscholl]

@bengoldenberg

Yes, it's possible to trigger a workflow template in a different namespace. Although, Argo Workflows requires configuration for cross-namespace resource manipulation. A service account, role, and role binding must be created in the target namespace to allow the triggering of workflows from another namespace. Service account permissions are typically restricted to the namespace where they are created.

1. First, create the other namespace:

kubectl create namespace other-namespace # Replace with the target namespace

2. Create a ServiceAccount in the other namespace:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo 
  namespace: other-namespace # Replace with the target namespace

3. Create a Role in the other namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: other-namespace # Replace with the target namespace
  name: argo-role # Name of the role
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtemplates # The service account requires workflowtemplates permissions 
    verbs:
      - get
      - list
      - create # Additional permissions for workflow template creation
  - apiGroups:
      - ""
    resources:
      - pods # Additional permissions for pod manipulation
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - watch
      - patch # Important for patching pods status

4. Create a RoleBinding in the other namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-role-binding # Name of the role binding
  namespace: other-namespace 
subjects:
  - kind: ServiceAccount
    name: argo
    namespace: other-namespace # Replace with the target namespace
roleRef:
  kind: Role
  name: argo-role # Matches the role name
  apiGroup: rbac.authorization.k8s.io

5. Example WorkflowTemplate in the argo namespace that triggers a WorkflowTemplate in the other-namespace namespace:

apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: cross-namespace-trigger
  namespace: argo
spec:
  templates:
    - name: submit-template
      inputs: {}
      outputs: {}
      metadata: {}
      resource:
        action: create # Action to perform on the resource
        manifest: |
          apiVersion: argoproj.io/v1alpha1
          kind: Workflow # Resource type to create
          metadata:
            generateName: workflow-template-in-other-namespace-
            namespace: other-namespace # Target namespace
          spec:
            entrypoint: whalesay # Entrypoint of the WorkflowTemplate in the target namespace
            workflowTemplateRef: # Reference to the WorkflowTemplate in the target namespace
              name: workflow-template-in-other-namespace # Name of the WorkflowTemplate in the target namespace
  entrypoint: submit-template
  arguments: {}
  serviceAccountName: argo # Service account in the target namespace

6. Example WorkflowTemplate in the other-namespace namespace that will be triggered:

apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: workflow-template-in-other-namespace 
  namespace: other-namespace # Target namespace
spec:
  templates:
    - name: whalesay
      inputs: {}
      outputs: {}
      metadata: {}
      container:
        name: ''
        image: docker/whalesay
        command:
          - cowsay
        args:
          - Hello from another namespace!
        resources: {}
  entrypoint: whalesay
  arguments: {}

Resources

• Argo Workflows Service Accounts
• Argo Workflows RBAC Configuration
• Argo Workflows Kubernetes Resources
• Kubernetes Documentation - Using RBAC Authorization
• Kubernetes Documentation - Service Accounts
• Kubernetes Documentation - Namespaces