fix: Only get executor plugins in workflow namespace. Fixes #12708
Signed-off-by: oninowang <[email protected]>
jswxstw authored and oninowang committed Oct 31, 2024
1 parent 283c3fd commit a2a72a1
Showing 2 changed files with 18 additions and 28 deletions.
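--- a/docs/executor_plugins.md
+++ b/docs/executor_plugins.md
@@ -204,12 +204,7 @@ You'll see the workflow complete successfully.
 
 ### Discovery
 
-When a workflow is run, plugins are loaded from:
-
-* The workflow's namespace.
-* The Argo installation namespace (typically `argo`).
-
-If two plugins have the same name, only the one in the workflow's namespace is loaded.
+When a workflow is run, plugins are only loaded from the workflow's namespace.
 
 ### Secrets
 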
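--- a/workflow/controller/agent.go
+++ b/workflow/controller/agent.go
@@ -271,30 +271,25 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
 func (woc *wfOperationCtx) getExecutorPlugins(ctx context.Context) ([]apiv1.Container, []apiv1.Volume, error) {
 var sidecars []apiv1.Container
 var volumes []apiv1.Volume
-namespaces := map[string]bool{} // de-dupes executorPlugins when their namespaces are the same
-namespaces[woc.controller.namespace] = true
-namespaces[woc.wf.Namespace] = true
-for namespace := range namespaces {
-for _, plug := range woc.controller.executorPlugins[namespace] {
-s := plug.Spec.Sidecar
-c := s.Container.DeepCopy()
-c.VolumeMounts = append(c.VolumeMounts, apiv1.VolumeMount{
-Name: volumeMountVarArgo.Name,
-MountPath: volumeMountVarArgo.MountPath,
-ReadOnly: true,
-// only mount the token for this plugin, not others
-SubPath: c.Name,
-})
-if s.AutomountServiceAccountToken {
-volume, volumeMount, err := woc.getServiceAccountTokenVolume(ctx, plug.Name+"-executor-plugin")
-if err != nil {
-return nil, nil, err
-}
-volumes = append(volumes, *volume)
-c.VolumeMounts = append(c.VolumeMounts, *volumeMount)
+for _, plug := range woc.controller.executorPlugins[woc.wf.Namespace] {
+s := plug.Spec.Sidecar
+c := s.Container.DeepCopy()
+c.VolumeMounts = append(c.VolumeMounts, apiv1.VolumeMount{
+Name: volumeMountVarArgo.Name,
+MountPath: volumeMountVarArgo.MountPath,
+ReadOnly: true,
+// only mount the token for this plugin, not others
+SubPath: c.Name,
+})
+if s.AutomountServiceAccountToken {
+volume, volumeMount, err := woc.getServiceAccountTokenVolume(ctx, plug.Name+"-executor-plugin")
+if err != nil {
+return nil, nil, err
 }
-sidecars = append(sidecars, *c)
+volumes = append(volumes, *volume)
+c.VolumeMounts = append(c.VolumeMounts, *volumeMount)
 }
+sidecars = append(sidecars, *c)
 }
 return sidecars, volumes, nil
 }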
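Review bot: getExecutorPlugins has no doc comment, and after this change the lookup `woc.controller.executorPlugins[woc.wf.Namespace]` is the only thing that decides which plugin sidecars are injected into a workflow's agent pod, so the namespace boundary should be stated where it is enforced. I would add above the function: `// getExecutorPlugins returns sidecars and token volumes only for plugins registered in the workflow's own namespace; plugins in the controller's namespace are intentionally not injected.` The commit drops the controller-namespace source and this page shows no test change, so a unit test asserting that a plugin registered only under `woc.controller.namespace` yields no sidecar for a workflow in a different namespace would keep the restriction from regressing (one may already exist outside this page).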
