-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Example fails with minikube #58
Comments
Hi @KukumavMozolo! Thanks for submitting the issue 🙂 I believe Couler works because it uses your k8s config on local. In the case you presented, the k8s config file is likely pointed to the minikube cluster, so couler is able to create your workflow. The kube config file is loaded here and the workflow is not submitted through the Argo Server. Rather, it is created as a namespaced custom object directly in the cluster (minikube in this case). You can see that here. So, the auth part is set because of the k8s config file, and the workflow is created as a K8S object that's picked up by the Workflow Controller and run. By comparison, Hera talks to the Argo Server, which is able to perform authentication checks itself. So, you might actually need to obtain a service account token first, as illustrated in this example. Any chance you have a moment to try that one and, perhaps, respond to this thread with the results? Would love to help get you going! |
Hi @flaviuvadan, thank you for your quick response. Error message: "status":"Failure","message":"workflows "argo" is forbidden: User "system:serviceaccount:argo:argo-server" cannot create resource "workflows" in API group "" at the cluster scope","reason":"Forbidden","details":{"name":"argo","kind":"workflows"},"code":403}"Ahh, sorry I put the URL from the k8s config, but after I exchanged it to https://localhost:2746 it worked!!! As a side node, does hera allow to manipulate Docker image pull policy like https://github.com/couler-proj/couler/blob/cd10d33fc587cf405275635afabf4eb7a8ee9e00/couler/core/constants.py#L37 |
Oh, perfect! I am so happy to hear this works for you! 🙂 I actually encourage you, if you'd like to do this and have the time of course, to add a mini tutorial on how to run Hera + Minikube! I think it would be a phenomenal addition! 🚀
Not yet, but it sure can! The |
If I arrive at a stage where I feel like I understand what is going on, I could do that. The service account used here is called 'argo-server', it works but its not the one I created, and I can't seem to find any documentation about this. Do you know where it's coming from? Or how do I create one because the one created in the quick-start guide does not work. |
That is an example service account named SynopsisThere are several K8S objects at play:
Each of these objects is used in a very specific context:
When a client submits a workflow through Hera, Hera talks to the Argo server. The Argo server is a deployment, which has an SA associated with it, which has specific roles, constructed through RBs. When the server, or the workflow controller, talks to the K8S API to create some specific K8S objects, such as a I hope this short synopsis helps solidify understanding of some K8S concepts at play here! 🙂 |
@KukumavMozolo, circling back to this - did the above help? Should we add some docs on runnings Hera + MiniKube? Could we close this issue? 🙂 |
Closing this for now. Feel free to reopen if there's more to discuss! 🙂 |
Hello @flaviuvadan and sorry for the bother again, v1.read_namespaced_service_account(self.service_account, self.namespace).secrets[0]... But (by default) if you
then neither of the available service accounts ( Is there some Hera on minikube installation guide (even sketchy) or examples documenting how to install argo + Hera on minikube and then get the tutorial examples to run ? |
I tried the following example with minikube as the backend. Everything is set up according to this guide:
https://argoproj.github.io/argo-workflows/quick-start/
`from hera.task import Task
from hera.workflow import Workflow
from hera.workflow_service import WorkflowService
def say(message: str):
"""
This can be anything as long as the Docker image satisfies the dependencies. You can import anything Python
that is in your container e.g torch, tensorflow, scipy, biopython, etc - just provide an image to the task!
"""
print(message)
token = "sometoken"
ws = WorkflowService(host='https://localhost:2746', verify_ssl=False, token=token,namespace="argo")
w = Workflow('my-workflow', ws)
t = Task('say', say, [{'message': 'Hello, world!'}])
w.add_task(t)
w.submit(namespace='argo')`
I am getting the following error message:
argo.workflows.client.exceptions.ApiException: (401) Reason: Unauthorized HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'Trailer': 'Grpc-Trailer-Content-Type', 'Date': 'Mon, 17 Jan 2022 12:01:05 GMT', 'Transfer-Encoding': 'chunked'}) HTTP response body: {"code":16,"message":"Unauthorized"}
I am able to execute the basic examples with couler.
The text was updated successfully, but these errors were encountered: