diff --git a/charts/argo/templates/apply-workflow-crd-job.yaml b/charts/argo/templates/apply-workflow-crd-job.yaml index f6eae231..eb656d4a 100644 --- a/charts/argo/templates/apply-workflow-crd-job.yaml +++ b/charts/argo/templates/apply-workflow-crd-job.yaml @@ -10,7 +10,7 @@ spec: activeDeadlineSeconds: 100 template: spec: - serviceAccountName: {{ .Values.init.serviceAccount }} + serviceAccountName: {{ .Values.init.serviceAccount | quote }} containers: - name: kubectl-apply image: lachlanevenson/k8s-kubectl diff --git a/charts/argo/templates/ui-deployment.yaml b/charts/argo/templates/ui-deployment.yaml index 008b4e2f..0ed78888 100644 --- a/charts/argo/templates/ui-deployment.yaml +++ b/charts/argo/templates/ui-deployment.yaml @@ -17,6 +17,7 @@ spec: annotations: {{ toYaml .Values.ui.podAnnotations | indent 8}}{{- end }} spec: + serviceAccountName: {{ .Values.ui.serviceAccount | quote }} containers: - name: ui image: "{{ .Values.images.namespace }}/{{ .Values.images.ui }}:{{ .Values.images.tag }}" diff --git a/charts/argo/templates/worfkflow-controller-secrets-access.yaml b/charts/argo/templates/worfkflow-controller-secrets-access.yaml new file mode 100644 index 00000000..f0d48519 --- /dev/null +++ b/charts/argo/templates/worfkflow-controller-secrets-access.yaml @@ -0,0 +1,18 @@ +{{ if .Values.minio.install }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-{{ .Values.controller.name}}-minio-secret +rules: +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - {{ .Values.artifactRepository.s3.accessKeySecret.name | default (printf "%s-%s" .Release.Name "minio") | quote }} + - {{ .Values.artifactRepository.s3.secretKeySecret.name | default (printf "%s-%s" .Release.Name "minio") | quote }} + verbs: + - get + - watch + - list +{{- end }} \ No newline at end of file 
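Review bot: In ui-deployment.yaml the added `serviceAccountName` line has no fallback: if `.Values.ui.serviceAccount` is unset, `quote` renders nothing and the UI pod silently runs as the namespace's `default` service account. No values.yaml change is visible in this diff, so confirm the key gets a default there, or fail the render explicitly with `serviceAccountName: {{ required "ui.serviceAccount must be set" .Values.ui.serviceAccount | quote }}`. A values comment should also state that this account is meant to be distinct from the controller's, because the controller account is the one this commit binds to the MinIO credential secret. The pod spec continues outside the hunk.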
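Review bot: In worfkflow-controller-secrets-access.yaml the rule combines `resourceNames` with `list` and `watch`, but Kubernetes only authorizes those two verbs against a name-restricted rule when the request carries a matching `metadata.name` field selector, so they are either unusable or unnecessary here. If the controller only reads the two named secrets, keep only `- get` under `verbs:`. The names come from `.Values.artifactRepository.s3.accessKeySecret.name` and `.secretKeySecret.name` while the whole Role is gated on `.Values.minio.install`, so an override pointing at a non-MinIO secret is granted as well and an external S3 setup gets no Role at all; a comment above `resourceNames` should say which of these is intended. The file name is misspelled (`worfkflow`) and the file has no trailing newline.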
diff --git a/charts/argo/templates/workflow-controller-deployment.yaml b/charts/argo/templates/workflow-controller-deployment.yaml index 2bbbdba5..9f5d8da0 100644 --- a/charts/argo/templates/workflow-controller-deployment.yaml +++ b/charts/argo/templates/workflow-controller-deployment.yaml @@ -18,7 +18,7 @@ spec: annotations: {{ toYaml .Values.controller.podAnnotations | indent 8}}{{- end }} spec: - serviceAccountName: {{ .Values.controller.serviceAccount }} + serviceAccountName: {{ .Values.controller.serviceAccount | quote }} containers: - name: controller image: "{{ .Values.images.namespace }}/{{ .Values.images.controller }}:{{ .Values.images.tag }}" diff --git a/charts/argo/templates/workflow-controller-minio-secret-crb.yaml b/charts/argo/templates/workflow-controller-minio-secret-crb.yaml new file mode 100644 index 00000000..722776a4 --- /dev/null +++ b/charts/argo/templates/workflow-controller-minio-secret-crb.yaml @@ -0,0 +1,25 @@ +{{ if .Values.minio.install }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Values.controller.name}}-minio-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-{{ .Values.controller.name}}-minio-secret +subjects: + - kind: ServiceAccount + name: {{ .Values.controller.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if .Values.controller.workflowNamespaces }} +{{- $uiServiceAccount := .Values.controller.serviceAccount }} +{{- $namespace := .Release.Namespace }} +{{- range $key := .Values.controller.workflowNamespaces }} + {{- if not (eq $key $namespace) }} + - kind: ServiceAccount + name: {{ $uiServiceAccount }} + namespace: {{ $key }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file
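Review bot: In workflow-controller-minio-secret-crb.yaml the `range` over `.Values.controller.workflowNamespaces` adds a subject for a service account with the controller's name in every listed namespace, so anyone able to run a pod under that account name in any of those namespaces can read the MinIO credential secret in the release namespace. Confirm each listed namespace is trusted to that degree and record it in a comment above the `range`; if only the controller in the release namespace reads the secret, the loop can be dropped. The loop variable `$uiServiceAccount` actually holds `.Values.controller.serviceAccount` and should be renamed, for example `$controllerServiceAccount`. The subject fields are rendered unquoted, unlike the `| quote` this commit adds elsewhere: `name: {{ .Values.controller.serviceAccount | quote }}` and `namespace: {{ $key | quote }}`.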