What are the mandatory environment parameters of hera.config ?

[EricBoix]

The hera.config.tmpl configuration file defines many parameters (that can also be provided through environment variables). Are they all required ?

Let us set aside both k8s_configmap_name and k8s_volume_claim_name that are not mandatory. They illustrate another aspect of the configuration file (for workflows having to use volumes that must be provided by k8s). The next version of hera_utils will remove them.

The four other parameters that is

• k8s_config_file
• argo_server
• argo_namespace
• argo_service_account

are mandatory.

Why are they required ?

Well hera_utils is a (very) shallow convenient means for feeding Hera with the configuration parameters that it requires in order to submit the workflow. Those configuration parameters are handled over in `argo_server::define_argo_server_part_of_environment(self) method that boils down to:

GlobalConfig.host = self.server                                                # that is the argo_server parameter of hera.config
GlobalConfig.service_account_name = self.service_account # that is the argo_service_account parameter of hera.config
GlobalConfig.namespace = self.k8s_cluster.namespace         # that is the argo_namespace parameter of hera.config

# The last item is derived from both `k8s_config_file` and `argo_service_account`
# by the retrieve_access_token() that depends on `k8s_config_file` provided to the
# the `argo_server.__init__(self, k8s_cluster, args)` constructor.
GlobalConfig.token = self.__retrieve_access_token()

Removing (commenting out) any of those four lines with make Hera fail. For examples when submitting python examples/hera_coinflip.py here is what happens:

• when commenting out the GlobalConfig.host = self.server parameter, one gets (at submission stage)

   [...]hera_utils/venv/lib/python3.10/site-packages/hera/workflows/service.py", line 60, in valid_host_scheme
   return host.startswith("http://") or host.startswith("https://")
   AttributeError: 'NoneType' object has no attribute 'startswith'``bash

• when commenting out the GlobalConfig.service_account_name = self.service_account parameter, one gets (at run time)

  Error (exit code 1): pods "coinflip-c887c-flip-2304511982" is forbidden: User "system:serviceaccount:argo:default" 
  cannot patch resource "pods" in API group "" in the namespace "argo"

• when commenting out the GlobalConfig.token = self.__retrieve_access_token() parameter, one gets (at submission stage)

  [...]/hera/workflows/service.py", line 858, in create_workflow
   raise exception_from_server_response(resp)
   hera.exceptions.Unauthorized: Server returned status code 401 with message: `Unauthorized`

• when commenting out the GlobalConfig.namespace = self.k8s_cluster.namespace parameter, one gets (at submission stage)

  /hera/workflows/workflow.py", line 361, in create
  assert self.namespace, "workflow namespace not defined" 
  AssertionError: workflow namespace not defined

Hera submits through the argo server API

As seen above with the content of the variables transmitted to Hera, Hera uses the Argo Server for its submission.

This is also recalled by flaviuvadan in this first hera issue post and detailed in this second post:

Hera talks to the Argo Server, which is able to perform authentication checks itself.

[EricBoix]

All this is now nicely documented in Hera documentation
https://hera.readthedocs.io/en/stable/walk-through/authentication/
Closing.