Add support for adding additional ServiceAccounts for CRs and CRBs

Signed-off-by: Daniel Beilin <daniel.beilin@outlook.com>
Daniel Beilin 2024-06-05 10:49:09 +03:00
parent 19ef184d8f
commit 2b70ad4ab6
5 changed files with 33 additions and 4 deletions


@ -3,7 +3,7 @@ appVersion: v3.5.7
name: argo-workflows
description: A Helm chart for Argo Workflows
type: application
version: 0.41.7
version: 0.41.8
icon: https://argo-workflows.readthedocs.io/en/stable/assets/logo.png
home: https://github.com/argoproj/argo-helm
sources:
@ -16,5 +16,5 @@ annotations:
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: |
- kind: changed
description: Bump argo-workflows to v3.5.7
- kind: added
description: Added option to add service accounts to server and controller RoleBindings and ClusterRoleBindings


@ -202,6 +202,7 @@ Fields to note:
| controller.rbac.accessAllSecrets | bool | `false` | Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty. |
| controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. |
| controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets |
| controller.rbac.serviceAccounts | list | `[]` | Extra service accounts to be added to the RoleBinding |
| controller.rbac.writeConfigMaps | bool | `false` | Allows controller to create and update ConfigMaps. Enables memoization feature |
| controller.replicas | int | `1` | The number of controller pods to run |
| controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. |
@ -282,6 +283,7 @@ Fields to note:
| server.baseHref | string | `"/"` | Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. |
| server.clusterWorkflowTemplates.enableEditing | bool | `true` | Give the server permissions to edit ClusterWorkflowTemplates. |
| server.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. |
| server.clusterWorkflowTemplates.serviceAccounts | list | `[]` | Extra service accounts to be added to the ClusterRoleBinding |
| server.deploymentAnnotations | object | `{}` | optional map of annotations to be applied to the ui Deployment |
| server.enabled | bool | `true` | Deploy the Argo Server |
| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary. |
@ -314,6 +316,7 @@ Fields to note:
| server.podSecurityContext | object | `{}` | SecurityContext to set on the server pods |
| server.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages |
| server.rbac.create | bool | `true` | Adds Role and RoleBinding for the server. |
| server.rbac.serviceAccounts | list | `[]` | Extra service accounts to be added to the RoleBinding |
| server.replicas | int | `1` | The number of server pods to run |
| server.resources | object | `{}` | Resource limits and requests for the server |
| server.revisionHistoryLimit | int | `10` | The number of revisions to keep. |


@ -24,6 +24,11 @@ subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.controllerServiceAccountName" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- range .Values.controller.rbac.serviceAccounts }}
- kind: ServiceAccount
name: {{ .name }}
namespace: {{ .namespace | quote }}
{{- end }}
{{- if .Values.controller.clusterWorkflowTemplates.enabled }}
---
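Review bot: The new `range` over `.Values.controller.rbac.serviceAccounts` renders `.name` unquoted and never checks that `name` and `namespace` are set, so an entry with a missing field, or a name YAML reads as a number or boolean, produces a subject that is likely to be rejected only at apply time with an unclear error. Consider `name: {{ required "controller.rbac.serviceAccounts[].name is required" .name | quote }}` and either a matching `required` on `.namespace` or `namespace: {{ .namespace | default (include "argo-workflows.namespace" $) | quote }}` (note `$`, since `.` is rebound inside the loop). The same applies to the two loops added in the server template, over `server.rbac.serviceAccounts` and `server.clusterWorkflowTemplates.serviceAccounts`. The binding's metadata and roleRef are outside the hunk, so which role these subjects end up bound to is not visible here.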


@ -24,7 +24,11 @@ subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.serverServiceAccountName" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- range .Values.server.rbac.serviceAccounts }}
- kind: ServiceAccount
name: {{ .name }}
namespace: {{ .namespace | quote }}
{{- end }}
{{- if .Values.server.clusterWorkflowTemplates.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
@ -41,5 +45,10 @@ subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.serverServiceAccountName" . }}
namespace: {{ include "argo-workflows.namespace" . | quote }}
{{- range .Values.server.clusterWorkflowTemplates.serviceAccounts }}
- kind: ServiceAccount
name: {{ .name }}
namespace: {{ .namespace | quote }}
{{- end }}
{{- end -}}
{{- end -}}


@ -100,6 +100,10 @@ controller:
accessAllSecrets: false
# -- Allows controller to create and update ConfigMaps. Enables memoization feature
writeConfigMaps: false
# -- Extra service accounts to be added to the RoleBinding
serviceAccounts: []
# - name: my-service-account
# namespace: my-namespace
configMap:
# -- Create a ConfigMap for the controller
@ -467,6 +471,10 @@ server:
rbac:
# -- Adds Role and RoleBinding for the server.
create: true
# -- Extra service accounts to be added to the RoleBinding
serviceAccounts: []
# - name: my-service-account
# namespace: my-namespace
# -- Servers container-level security context
securityContext:
readOnlyRootFilesystem: false
@ -691,6 +699,10 @@ server:
enabled: true
# -- Give the server permissions to edit ClusterWorkflowTemplates.
enableEditing: true
# -- Extra service accounts to be added to the ClusterRoleBinding
serviceAccounts: []
# - name: my-service-account
# namespace: my-namespace
# SSO configuration when SSO is specified as a server auth mode.
sso:
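Review bot: The comments on `controller.rbac.serviceAccounts` and its two `server` counterparts do not say what the listed accounts gain. As extra subjects of the same bindings they presumably receive every permission of the controller or server role. For the controller that can include reading secrets when `accessAllSecrets` or `secretWhitelist` is set, and for `server.clusterWorkflowTemplates.serviceAccounts` the grant is cluster-scoped and includes edit rights while `enableEditing` is true. I would state that in the value docs, e.g. `# -- Extra service accounts bound to the controller Role; each receives all controller permissions, including any secret access enabled above`, and mention that accounts from any namespace are accepted. The `controller.rbac`, `server.rbac` and `server.clusterWorkflowTemplates` maps continue outside the hunks shown.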