feat: Replace patch pod with create workflowtaskresult. Fixes #3961…

… (#8000)

Signed-off-by: Alex Collins <alex_collins@intuit.com>

api/jsonschema/schema.json

@@ -6157,6 +6157,9 @@
         },
         "phase": {
           "type": "string"
+        },
+        "progress": {
+          "type": "string"
         }
       },
       "type": "object"

api/openapi-spec/swagger.json

@@ -10420,6 +10420,9 @@
         },
         "phase": {
           "type": "string"
+        },
+        "progress": {
+          "type": "string"
         }
       }
     },

cmd/argoexec/commands/root.go

@@ -10,12 +10,14 @@ import (
 	kubecli "github.com/argoproj/pkg/kube/cli"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 
 	"github.com/argoproj/argo-workflows/v3"
 	wfv1 "github.com/argoproj/argo-workflows/v3/pkg/apis/workflow/v1alpha1"
+	"github.com/argoproj/argo-workflows/v3/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-workflows/v3/util"
 	"github.com/argoproj/argo-workflows/v3/util/cmd"
 	"github.com/argoproj/argo-workflows/v3/util/logs"
@@ -125,7 +127,22 @@ func initExecutor() *executor.WorkflowExecutor {
 	}
 	checkErr(err)
 
-	wfExecutor := executor.NewExecutor(clientset, restClient, podName, namespace, cre, *tmpl, includeScriptOutput, deadline, annotationPatchTickDuration, progressFileTickDuration)
+	wfExecutor := executor.NewExecutor(
+		clientset,
+		versioned.NewForConfigOrDie(config).ArgoprojV1alpha1().WorkflowTaskResults(namespace),
+		restClient,
+		podName,
+		os.Getenv(common.EnvVarWorkflowName),
+		os.Getenv(common.EnvVarNodeID),
+		namespace,
+		types.UID(os.Getenv(common.EnvVarWorkflowUID)),
+		cre,
+		*tmpl,
+		includeScriptOutput,
+		deadline,
+		annotationPatchTickDuration,
+		progressFileTickDuration,
+	)
 
 	log.
 		WithField("version", version.String()).

cmd/argoexec/commands/wait.go

@@ -62,7 +62,7 @@ func waitContainer(ctx context.Context) error {
 		wfExecutor.AddError(err)
 	}
 	// Annotating pod with output
-	err = wfExecutor.AnnotateOutputs(ctx, logArt)
+	err = wfExecutor.ReportOutputs(ctx, logArt)
 	if err != nil {
 		wfExecutor.AddError(err)
 	}

docs/workflow-rbac.md

@@ -10,6 +10,25 @@ permissions added to it you do not want. Instead, create a service account only
 
 The minimum for the executor to function:
 
+For >= v3.4:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: executor
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtaskresult
+    verbs:
+      - create
+      - patch
+```
+
+For <= v3.3 use.
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -25,6 +44,8 @@ rules:
       - patch
 ```
 
+Warning: For many organisations, it may not be acceptable to give a workflow the `pod patch` permission, see [#3961](https://github.com/argoproj/argo-workflows/issues/3961)
+
 If you are not using the emissary, you'll need additional permissions.
 See [executor](https://github.com/argoproj/argo-workflows/tree/master/manifests/quick-start/base/executor) for suitable
 permissions.

hack/crds.go

@@ -35,12 +35,6 @@ func cleanCRD(filename string) {
 		properties := schema["properties"].(obj)["spec"].(obj)["properties"].(obj)["templates"].(obj)["items"].(obj)["properties"]
 		properties.(obj)["container"].(obj)["required"] = []string{"image"}
 		properties.(obj)["script"].(obj)["required"] = []string{"image", "source"}
-	case "workfloweventbindings.argoproj.io":
-		// noop
-	case "workflowtasksets.argoproj.io":
-		// noop
-	default:
-		panic(name)
 	}
 	data, err = yaml.Marshal(crd)
 	if err != nil {