Argo Project Graduation Proposal #604

Conversation

@edlee2121
Contributor

@edlee2121 edlee2121 commented Feb 9, 2021

This is a proposal for graduating the CNCF Argo Project.

Kind Regards

@edlee2121 edlee2121 changed the title Argo2 Argo Project Graduation Proposal Feb 9, 2021
@edlee2121 edlee2121 force-pushed the argo2 branch 5 times, most recently from e30d32c to e198c6b Feb 9, 2021
@amye amye added this to Needs TOC Triage & Public Comment Kickoff in Graduating Projects Backlog Feb 9, 2021
@amye amye added the graduation label Feb 9, 2021
Base automatically changed from master to main Feb 10, 2021
@resouer
Contributor

@resouer resouer commented Feb 11, 2021

I'd like to sponsor.

@chris-short

@chris-short chris-short commented Feb 12, 2021

Yay!

@justincormack
Contributor

@justincormack justincormack commented Feb 15, 2021

Given that the Security audit and the CII badges are marked as not completed, this project is not currently eligible for Graduation. The wording for CII is "Have achieved and maintained a Core Infrastructure Initiative badge", so it is clearly intended that they be completed before, not at the moment of graduation. Can we close this and re-apply after the criteria are met?

@alexec

@alexec alexec commented Feb 15, 2021

@justincormack - where are you looking for the badges please?

Argo Workflow has its badge: https://github.com/argoproj/argo-workflows
Argo Events also has its badge: https://github.com/argoproj/argo-events

I'm not sure about CD/rollouts.

@justincormack
Contributor

@justincormack justincormack commented Feb 15, 2021

The text of the proposal says "Core Infrastructure Initiative Best Practices Badges have been completed for Argo Workflows and Events and are in progress for Argo CD and Rollouts."

Due to renames, it's pretty confusing as the badge project does not seem to list workflows on a search for argo, and shows another (failing) entry as https://bestpractices.coreinfrastructure.org/en/projects/1446 so it needs cleaning up.

https://bestpractices.coreinfrastructure.org/en/projects?q=argo

@alexec

@alexec alexec commented Feb 15, 2021

Thanks for the heads-up. I'll fix the broken link.

@alexec

@alexec alexec commented Feb 15, 2021

1446 should be ignored; I don't know the person who completed that.

@edlee2121
Contributor Author

@edlee2121 edlee2121 commented Feb 16, 2021

@justincormack Thanks for your comments and attention.
Would you be interested in co-sponsoring this proposal?

@jessesuen

@jessesuen jessesuen commented Feb 17, 2021

All four of the projects have passing badges now:

Project     Badge
CD          CII Best Practices
Rollouts    CII Best Practices
Workflows   CII Best Practices
Events      CII Best Practices

@edlee2121 edlee2121 force-pushed the argo2 branch 2 times, most recently from 5286e5b to ba175c1 Feb 18, 2021
Signed-off-by: Edward Lee <edward_lee@intuit.com>
@amye
Contributor

@amye amye commented Mar 17, 2021

Adding SIG App Delivery for review, can easily be changed if there's a better fit for a different SIG.

@dims
Contributor

@dims dims commented Mar 31, 2021

@amye @resouer I am happy to pick up from @michelleN to help with the process side of graduation here. Thanks @michelleN!

@resouer
Contributor

@resouer resouer commented Mar 31, 2021

@dims More than welcome! The current stage is that the DD doc is being drafted and we are trying to schedule interview meetings with end users of Argo; let's follow up in the Slack channel.

@edlee2121
Contributor Author

@edlee2121 edlee2121 commented Mar 31, 2021

Thank you, @dims! It will be great to have you. Will add you to the argo-graduation slack channel.
And thank you @michelleN for all your help thus far.

@amye amye moved this from Needs TOC Triage & Public Comment Kickoff to In Public Comment Period in Graduating Projects Backlog Apr 27, 2021
@caniszczyk
Contributor

@caniszczyk caniszczyk commented Apr 27, 2021

update from TOC + DD:

https://lists.cncf.io/g/cncf-toc/message/5823

Hello everyone,

Argo project is applying for graduation status:
PR: #604
DD: https://docs.google.com/document/d/1R4WjMG9s9JX8onZvOzEFSjBBFAInurN8tSiAFLqj-FE/edit#heading=h.kd4eg2uz3lt0

DD has been reviewed by myself and SIG App Delivery. We've also conducted interviews with end users. We are supportive of Argo going into graduation. We are now calling for the 2 week public comment period prior to the vote.

@saad-ali
Contributor

@saad-ali saad-ali commented Apr 28, 2021

I think the question I'm most interested in is understanding the positioning with respect to Flux. What is the intended messaging to CNCF End Users in terms of which solution to pick?

@edlee2121
Contributor Author

@edlee2121 edlee2121 commented Apr 28, 2021

My understanding is that CNCF does not pick winners/losers, but instead lets multiple flowers bloom and lets the users decide. If so, CNCF does not need to make any specific recommendation.

@goern

@goern goern commented May 17, 2021

+1 on this!

https://github.com/thoth-station/ is heavily using Argo Workflows. We have two usage patterns: 1. very short-lived (kind of) batch processing, depending on the season it's >20k workflows a week, and 2. long-running (which is still <20min) workflows based on user/bot requests, generating responses to API calls.

We would love to see the project go forward, and our experience over the past close to two years is pretty good: responsiveness and openness of the community is good!

@nakfour

@nakfour nakfour commented May 19, 2021

+1 for Argo, we have been using Argo Workflows with Open Data Hub (https://github.com/opendatahub-io) and Kubeflow Pipelines (https://github.com/kubeflow) for a while. The community has always been very helpful and would love to see this project graduate.

@hblixt hblixt mentioned this pull request Jul 21, 2021
@lizrice
Contributor

@lizrice lizrice commented Nov 9, 2021

[Writing on behalf of the TOC]. We are seeing lots of usage of Argo by end users which is a very good sign, but remain concerned about the security posture of the project. We would like to see increased focus on security before graduation, including the assessment that has started, and engagement with the Security Buddy program with TAG Security.

In the interest of not leaving the PR open indefinitely, we recommend closing this one and re-opening when the security posture is clearer and issues from the previous audit have been addressed. (CNCF could instigate a follow-up audit to clarify that the security position has been improved.)

@hblixt

@hblixt hblixt commented Nov 11, 2021

Thanks for the update @lizrice.
Can the TOC please give some more guidance on your security concerns? We have addressed the long and short term issues and recommendations from the external audit and have engaged with our security pal as well as kicking off a review with the Security TAG.

From the Argo community vantage point, we have some concerns over the process changes and the resultant delays. When we reached out at the start of the graduation process in February 2021, we were told not to do a STAG review and the guidance was that the external audit is more comprehensive. After we completed the external audit and addressed the issues identified, the STAG review and security pal were added as requirements in July, adding 3-4 months of waiting in the review queue. Up until now, there has not been a mention of a second external review, which will be another 3-4 month wait to get started, given the backlog of the external auditor. This is a huge surprise and the community feels like the goal posts keep getting moved!

The project is fully committed to security and we always have, and will, work diligently on any recommendations from external and internal audits, but as these audits take a very long time to schedule, a clear understanding of this process would greatly help with scheduling and planning.

With the ask to close the PR and abandon the graduation process, we’d also like to understand what that would entail moving forward. e.g. do we need to start from the very beginning, and find new sponsors, complete the external security audit, redo the user interview etc. or is there an abridged process given all that has already been done so far? It would greatly help if we can get clear guidance on the graduation process, next steps, requirements, owners and expected timelines before we restart the process.

@lizrice
Contributor

@lizrice lizrice commented Nov 17, 2021

As I understand it the Trail of Bits review recommended a further assessment after the identified issues had been addressed, so that's not a new suggestion. The TOC has a broader concern, that (as indicated by the audit) security needs to be more closely considered as part of the "culture" of the project. It's not just a question of fixing the issues that have been identified, it's also about making sure that the project carefully considers the security implications going forward. This is especially crucial for a project like Argo that's so intertwined with the software supply chain. The recommendation to work with TAG Security and get a Security Buddy is intended to help address this.

The recommendation to close this PR doesn't mean that you have to throw away the work so far and start again, although the sponsor might want to do some "refresh" e.g. speak to some more end users. It's really so that we are all clear that the TOC isn't ready to pass a graduation vote at this time. I don't see any reason why this same PR couldn't be re-opened to indicate when you think the security culture of the project is more mature and deserves another look from the TOC.

@lumjjb
Contributor

@lumjjb lumjjb commented Nov 19, 2021

TAG-Security is working with Argo now on a security joint review - that is being kicked off now. This will help educate us in how the security pals effort can be directed to benefit the Argo project. Review leads: @jlk @IAXES.

Ref: cncf/tag-security#739

@todaywasawesome

@todaywasawesome todaywasawesome commented Nov 19, 2021

@lizrice after reviewing with the rest of the project, I think there's a lot happening on security that is simply not as visible as it should be, so we'd like to help make sure all of that is visible. I think it will go a long way to show how security is embedded into the culture of the project.

Before we close the PR, I think we can update on that.
