Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

athena.toml

athena.toml describes where the binary and artifacts live and a few pod defaults. It is required by cargo athena and is never read in-pod (everything it controls is baked into the emitted YAML).

It is resolved in order: cargo athena -c FILE …, then the ATHENA_CONFIG env var, then the nearest athena.toml walking up from the cwd (like Cargo.toml), then a global ~/.config/cargo-athena/athena.toml (honoring $XDG_CONFIG_HOME). The global fallback is for consumers of an already-published workflow: submit / emit / ls / describe work from anywhere without a per-repo config. First match wins (no merging); a repo-local athena.toml always shadows the global one.

A complete example (the one the kind e2e uses):

[artifact_repository.s3]
endpoint = "minio.argo.svc.cluster.local:9000"
bucket = "athena-artifacts"
region = "us-east-1"
insecure = true                                    # plain HTTP (e.g. MinIO)
access_key_secret = { name = "athena-s3", key = "accessKey" }
secret_key_secret = { name = "athena-s3", key = "secretKey" }

[bootstrap]
targets = ["x86_64-unknown-linux-musl", "aarch64-unknown-linux-musl"]

[defaults]
service_account = "default"
# package   = "my-workflows" # so `cargo athena` needs no --package/-p
# bin       = "app"          # …or --bin, in a multi-bin crate
# namespace = "argo"         # default namespace for `cargo athena submit`

[artifact_repository.s3]

The S3-compatible bucket holding both the binary tarball and every load_artifact! / save_artifact! object. Emitted into each container template as an Argo s3{} artifact source.

KeyMeaning
endpointS3 endpoint (host:port).
bucketBucket name.
regionS3 region.
insecuretrue for plain HTTP (e.g. local MinIO).
access_key_secret / secret_key_secretKubernetes { name, key } secret selectors for credentials.

The binary tarball’s object key is {crate}/<tag>/{bin}.tar.gz, where <tag> is the build-time version tag - the kebab of your crate’s semver on a clean release build (1.2.3 -> 1-2-3), or dev-<slot> for a dev build. So a new release (or a new dev slot) lands under its own key and never clobbers another version’s binary.

[bootstrap]

KeyMeaning
targetsThe static-musl target triples to cross-compile. Each becomes app-<triple> in the tarball; in-pod the bootstrap picks the one matching uname.
default_image(optional) Default image when a #[container] doesn’t set its own image. Needs only POSIX sh and uname (distroless works).

[defaults]

KeyMeaning
service_accountPod ServiceAccount for every container, unless overridden by #[container(service_account = "…")].
package(optional) Default cargo package the cargo athena subcommands drive, so you don’t repeat -p/--package. The flag wins.
bin(optional) Default cargo bin within it (multi-bin crates need this). The --bin flag wins.
namespace(optional) Default Kubernetes namespace for cargo athena submit. Precedence: -n/--namespace$ARGO_NAMESPACE → this → default.

The artifact bucket is the only coupling between an artifact’s producer and consumer (see #[container] → macro calls): they share a key, not a DAG edge.