feat(argo-workflows): Add option for controller to read all secrets (#1967)

2023-04-14 14:53:40 +01:00 · 2023-04-14 14:53:40 +01:00 · 22356c77af
commit 22356c77af
parent dfe36fbde9
4 changed files with 16 additions and 3 deletions
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v3.4.7
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.24.0
+version: 0.24.1
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@ -13,5 +13,5 @@ maintainers:
    url: https://argoproj.github.io/
 annotations:
  artifacthub.io/changes: |
-    - kind: fixed
-      description: Add namespace field to all namespace scoped resources because `helm template` doesn't add the namespace filed automatically.
+    - kind: added
+      description: Add option for workflow controller to read all secrets.
--- a/charts/argo-workflows/README.md
+++ b/charts/argo-workflows/README.md
@ -174,6 +174,7 @@ Fields to note:
 | controller.podLabels | object | `{}` | Optional labels to add to the controller pods |
 | controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods |
 | controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. |
+| controller.rbac.accessAllSecrets | bool | `false` | Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty. |
 | controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. |
 | controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets |
 | controller.rbac.writeConfigMaps | bool | `false` | Allows controller to create and update ConfigMaps. Enables memoization feature |
--- a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
@ -187,6 +187,16 @@ rules:
  - watch
  resourceNames: {{- toYaml . | nindent 4 }}
 {{- end }}
+{{- if and (not .Values.controller.rbac.secretWhitelist) (.Values.controller.rbac.accessAllSecrets) }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+{{- end }}

 {{- if .Values.controller.clusterWorkflowTemplates.enabled }}
 ---
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -74,6 +74,8 @@ controller:
    create: true
    # -- Allows controller to get, list, and watch certain k8s secrets
    secretWhitelist: []
+    # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
+    accessAllSecrets: false
    # -- Allows controller to create and update ConfigMaps. Enables memoization feature
    writeConfigMaps: false