Feature Request: Integrate a Dedicated Kubernetes-Aware Logging Facility
Summary
Argo Workflows’ built-in archiveLogs feature is explicitly described as “not recommended” and “naive” and the docs recommend integrating a dedicated, Kubernetes-aware logging facility instead. :contentReference[oaicite:0]{index=0}
This feature request proposes:
- Adding first-class integration with an open-source, Kubernetes-native logging stack that:
- Can run on premises
- Supports multi-tenant isolation
- Exposes query and visualization APIs consumable from a GitApp UI
- Providing opinionated defaults (e.g., Loki / OpenSearch) while keeping the logging backend pluggable
- Offering a consistent UX in the GitApp UI for viewing, filtering, and correlating workflow logs.
Motivation
From the Argo Workflows documentation:
“We do not recommend relying on Argo to archive logs as it is naive and not purpose-built for indexing, searching, and storing logs… we recommend you integrate a dedicated, Kubernetes-aware logging facility.” :contentReference[oaicite:1]{index=1}
Current archiveLogs behavior:
- Stores logs as artifacts in the configured artifact repository.
- Works as a convenience for viewing logs of garbage-collected Pods.
- Does not provide:
- Rich querying (labels, time ranges, regex)
- Long-term retention and lifecycle policies
- Efficient indexing across clusters/namespaces
- Multi-tenant log boundaries
- Security and audit features expected in a production logging stack.
For multi-tenant, GitOps-driven environments, we need:
- A standard logging backend (or set of supported backends).
- A clear library and API for pushing and querying logs.
- Direct integration into the GitApp UI, so users do not have to context-switch between multiple dashboards.
Goals
- Provide a Kubernetes-aware, open-source logging integration that can run fully on premises.
- Support at least one reference implementation, e.g.:
- Loki + Promtail + Grafana, or
- OpenSearch + Fluent Bit / Fluentd + dashboards.
- Expose logs to the GitApp UI with:
- Per-tenant scoping (based on namespace / labels)
- Workflow-level and step-level log views
- Time-range and label filters
- Keep the logging backend pluggable via configuration so sites can bring their own stack.
- Document migration guidance away from relying on
archiveLogs as the primary source of truth.
Non-Goals
- Re-implementing a full log indexer inside Argo or GitApp.
- Mandating a single logging vendor or SaaS solution.
- Solving organization-wide logging beyond the workflow / tenant scope.
Proposal
1. Pluggable Logging Backend Abstraction
Introduce a logging backend abstraction in configuration, e.g.:
logging:
enabled: true
backend: loki # one of: loki, opensearch, elasticsearch, custom
loki:
url: https://loki.example.org
queryRangePath: /loki/api/v1/query_range
writeEndpoint: https://loki.example.org/loki/api/v1/push
opensearch:
url: https://opensearch.example.org
indexPrefix: workflows-
authSecretRef: opensearch-credentials
# optionally custom:
custom:
queryUrl: https://logs.example.org/api/logs
Characteristics:
-
Configurable at cluster level (and optionally overridable per tenant / namespace).
-
Backends are required to expose:
- A write API (for log ingestion).
- A read API (for querying logs with label & time filters).
-
Support TLS, authentication headers, and token-based access via Secrets.
2. Kubernetes-Aware Log Collection
Leverage standard agents (Promtail, Fluent Bit, etc.) running as DaemonSets:
This follows the recommendation in the docs to use a Kubernetes-aware logging facility instead of artifact-based log storage. ([Argo Workflows][1])
3. GitApp UI Integration
Add a dedicated Logs tab to the GitApp UI, with:
-
Tenant view
- Filter by repository, branch, workflow name, label set, and time range.
-
Workflow detail view
-
Search
Implementation:
-
GitApp UI calls a Logs API in the backend (GitApp server), which proxies to the configured logging backend.
-
Backend enforces multi-tenant access control:
- A user can only query logs for tenants they have access to (reuse
writeUsers/readUsers mappings from RepoRegistration or similar).
4. Workflow Metadata Linking
To align with existing Argo concepts:
-
Ensure each workflow’s Pods carry stable, structured labels:
workflows.argoproj.io/workflow
workflows.argoproj.io/template
workflows.argoproj.io/node-id
-
Logging backend stores these labels in the log streams / indices.
-
GitApp queries logs using:
- Workflow name or UID
- Node ID / step ID
- Time window derived from workflow start/end timestamps
This enables direct click-through from a workflow node to associated logs.
5. Migration and Co-existence with archiveLogs
Given that archiveLogs is not recommended for full logging, but still convenient for quick artifact-style access, we propose:
Open-Source, On-Prem Requirements
The default reference stack must be:
-
Fully open source (e.g., Loki or OpenSearch ecosystem).
-
Self-hostable on-prem or within a private cloud.
-
Packaged as:
- Helm chart values (for the logging backend itself or integration with an existing cluster-wide deployment).
- Example Kubernetes manifests.
Operators should be able to choose:
- Managed / external logging endpoints if desired (by pointing config at an existing Loki/OpenSearch/Elastic deployment), or
- A fully in-cluster on-prem logging stack.
Risks and Considerations
- Additional operational complexity (managing & scaling the logging backend).
- Storage cost and retention policies for logs, especially in large clusters.
- Need to be careful about log access security in multi-tenant environments.
- Performance of UI when querying large log volumes; should include reasonable defaults and pagination.
Definition of Done
See [1]: https://argo-workflows.readthedocs.io/en/latest/configure-archive-logs/
"Configuring Archive Logs - Argo Workflows - The workflow engine for Kubernetes"
Feature Request: Integrate a Dedicated Kubernetes-Aware Logging Facility
Summary
Argo Workflows’ built-in
archiveLogsfeature is explicitly described as “not recommended” and “naive” and the docs recommend integrating a dedicated, Kubernetes-aware logging facility instead. :contentReference[oaicite:0]{index=0}This feature request proposes:
Motivation
From the Argo Workflows documentation:
Current
archiveLogsbehavior:For multi-tenant, GitOps-driven environments, we need:
Goals
archiveLogsas the primary source of truth.Non-Goals
Proposal
1. Pluggable Logging Backend Abstraction
Introduce a logging backend abstraction in configuration, e.g.:
Characteristics:
Configurable at cluster level (and optionally overridable per tenant / namespace).
Backends are required to expose:
Support TLS, authentication headers, and token-based access via Secrets.
2. Kubernetes-Aware Log Collection
Leverage standard agents (Promtail, Fluent Bit, etc.) running as DaemonSets:
Agents discover Pods using Kubernetes metadata:
namespacepodcontainerworkflows.argoproj.io/workflow,workflows.argoproj.io/step).Agents push logs to the configured backend with labels:
tenant(derived from namespace or RepoRegistration)repo/ownerworkflow,nodeId,phase.This follows the recommendation in the docs to use a Kubernetes-aware logging facility instead of artifact-based log storage. ([Argo Workflows][1])
3. GitApp UI Integration
Add a dedicated Logs tab to the GitApp UI, with:
Tenant view
Workflow detail view
Tabs:
Overview|Graph|Logs.Per-step log viewer with streaming and paging:
Search
Time range picker
Text/regex search in logs (implemented via backend query)
Filters for:
Implementation:
GitApp UI calls a Logs API in the backend (GitApp server), which proxies to the configured logging backend.
Backend enforces multi-tenant access control:
writeUsers/readUsersmappings from RepoRegistration or similar).4. Workflow Metadata Linking
To align with existing Argo concepts:
Ensure each workflow’s Pods carry stable, structured labels:
workflows.argoproj.io/workflowworkflows.argoproj.io/templateworkflows.argoproj.io/node-idLogging backend stores these labels in the log streams / indices.
GitApp queries logs using:
This enables direct click-through from a workflow node to associated logs.
5. Migration and Co-existence with
archiveLogsGiven that
archiveLogsis not recommended for full logging, but still convenient for quick artifact-style access, we propose:Keep
archiveLogsavailable for short-term convenience, but:Encourage operators to:
Provide a migration checklist:
Open-Source, On-Prem Requirements
The default reference stack must be:
Fully open source (e.g., Loki or OpenSearch ecosystem).
Self-hostable on-prem or within a private cloud.
Packaged as:
Operators should be able to choose:
Risks and Considerations
Definition of Done
Configuration schema for logging backend introduced and documented.
Reference implementation for at least one backend (e.g., Loki) with:
GitApp backend exposes a Logs API with tenant-aware access control.
GitApp UI has:
Documentation updated to:
archiveLogsand position it as secondary.At least one end-to-end scenario tested:
See [1]: https://argo-workflows.readthedocs.io/en/latest/configure-archive-logs/
"Configuring Archive Logs - Argo Workflows - The workflow engine for Kubernetes"