From 1135b1ef18cbc6e4b29f2d91a40c6d2292b97c8d Mon Sep 17 00:00:00 2001
From: Pablo Osinaga
Date: Wed, 29 Apr 2020 22:36:58 +0200
Subject: [PATCH] fix: Argo Server Secrets Permissions (#307)

Grant permissions to workflow-controller and server roles to read database secrets
---
 charts/argo/Chart.yaml | 2 +-
 charts/argo/templates/server-cluster-role.yaml | 11 +++++++++++
 .../workflow-controller-clusterrole.yaml | 18 ++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml
index 46e747a5..a7e383f2 100644
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "v2.7.6"
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.8.0
+version: 0.8.1
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
diff --git a/charts/argo/templates/server-cluster-role.yaml b/charts/argo/templates/server-cluster-role.yaml
index fbf8d044..0d8103f2 100644
--- a/charts/argo/templates/server-cluster-role.yaml
+++ b/charts/argo/templates/server-cluster-role.yaml
@@ -28,12 +28,23 @@ rules:
 - get
 - list
 - watch
+{{- if .Values.controller.persistence }}
 - apiGroups:
 - ""
 resources:
 - secrets
+ resourceNames:
+ {{- if .Values.controller.persistence.postgresql }}
+ - {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
+ - {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
+ {{- end}}
+ {{- if .Values.controller.persistence.mysql }}
+ - {{ .Values.controller.persistence.mysql.userNameSecret.name }}
+ - {{ .Values.controller.persistence.mysql.passwordSecret.name }}
+ {{- end}}
 verbs:
 - get
+{{- end}}
 - apiGroups:
 - argoproj.io
 resources:
diff --git a/charts/argo/templates/workflow-controller-clusterrole.yaml b/charts/argo/templates/workflow-controller-clusterrole.yaml
index 8df46229..2511c1a3 100644
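Review bot: In the secrets rule of server-cluster-role.yaml, `resourceNames:` renders as an empty key when `controller.persistence` is set but has neither a `postgresql` nor a `mysql` block, and a rule without resourceNames applies to every object of the resource, so the role would keep `get` on all secrets rather than only the database ones. The same template text is added to workflow-controller-clusterrole.yaml, where the rule is entirely new. Keep the outer `{{- if .Values.controller.persistence }}` and wrap the rule in a second guard, `{{- if or .Values.controller.persistence.postgresql .Values.controller.persistence.mysql }}` … `{{- end }}`, so it is emitted only when at least one name will be listed. The rules list starts above the hunk, so whether another rule already covers secrets cannot be checked from here.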
--- a/charts/argo/templates/workflow-controller-clusterrole.yaml
+++ b/charts/argo/templates/workflow-controller-clusterrole.yaml
@@ -78,4 +78,22 @@ rules:
 verbs:
 - get
 - list
+{{- if .Values.controller.persistence }}
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ {{- if .Values.controller.persistence.postgresql }}
+ - {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
+ - {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
+ {{- end}}
+ {{- if .Values.controller.persistence.mysql }}
+ - {{ .Values.controller.persistence.mysql.userNameSecret.name }}
+ - {{ .Values.controller.persistence.mysql.passwordSecret.name }}
+ {{- end}}
+ verbs:
+ - get
+{{- end}}
+
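Review bot: The added secrets rule sits in a ClusterRole, so if it is bound with a ClusterRoleBinding (the binding is not part of this patch) the controller can `get` a secret carrying either configured name in every namespace, not only the one that holds the database credentials. Consider moving the secrets rule into a namespaced Role and RoleBinding in the namespace where those secrets live. The names are also interpolated bare, so an unset value renders an empty list item; `- {{ required "controller.persistence.postgresql.userNameSecret.name is required" .Values.controller.persistence.postgresql.userNameSecret.name | quote }}` fails the render instead, and the same applies to the other three entries.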