diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml
index 896f6606..e75cbce5 100644
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v3.5.7
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.41.7
+version: 0.41.8
 icon: https://argo-workflows.readthedocs.io/en/stable/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -16,5 +16,5 @@ annotations:
 fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
 url: https://argoproj.github.io/argo-helm/pgp_keys.asc
 artifacthub.io/changes: |
- - kind: changed
- description: Bump argo-workflows to v3.5.7
+ - kind: added
+ description: Added option to add service accounts to server and controller RoleBindings and ClusterRoleBindings
diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md
index 662b63fd..f8433a53 100644
--- a/charts/argo-workflows/README.md
+++ b/charts/argo-workflows/README.md
@@ -202,6 +202,7 @@ Fields to note:
 | controller.rbac.accessAllSecrets | bool | `false` | Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty. |
 | controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. |
 | controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets |
+| controller.rbac.serviceAccounts | list | `[]` | Extra service accounts to be added to the RoleBinding |
 | controller.rbac.writeConfigMaps | bool | `false` | Allows controller to create and update ConfigMaps. Enables memoization feature |
 | controller.replicas | int | `1` | The number of controller pods to run |
 | controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. |
@@ -282,6 +283,7 @@ Fields to note:
 | server.baseHref | string | `"/"` | Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. |
 | server.clusterWorkflowTemplates.enableEditing | bool | `true` | Give the server permissions to edit ClusterWorkflowTemplates. |
 | server.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. |
+| server.clusterWorkflowTemplates.serviceAccounts | list | `[]` | Extra service accounts to be added to the ClusterRoleBinding |
 | server.deploymentAnnotations | object | `{}` | optional map of annotations to be applied to the ui Deployment |
 | server.enabled | bool | `true` | Deploy the Argo Server |
 | server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary. |
@@ -314,6 +316,7 @@ Fields to note:
 | server.podSecurityContext | object | `{}` | SecurityContext to set on the server pods |
 | server.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages |
 | server.rbac.create | bool | `true` | Adds Role and RoleBinding for the server. |
+| server.rbac.serviceAccounts | list | `[]` | Extra service accounts to be added to the RoleBinding |
 | server.replicas | int | `1` | The number of server pods to run |
 | server.resources | object | `{}` | Resource limits and requests for the server |
 | server.revisionHistoryLimit | int | `10` | The number of revisions to keep. |
diff --git a/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml b/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml
index 93e0557b..57606ca3 100644
--- a/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml
@@ -24,6 +24,11 @@ subjects: - kind: ServiceAccount name: {{ template "argo-workflows.controllerServiceAccountName" . }} namespace: {{ include "argo-workflows.namespace" . | quote }} +{{- range .Values.controller.rbac.serviceAccounts }} + - kind: ServiceAccount + name: {{ .name }} + namespace: {{ .namespace | quote }} +{{- end }} {{- if .Values.controller.clusterWorkflowTemplates.enabled }} --- diff --git a/charts/argo-workflows/templates/server/server-crb.yaml b/charts/argo-workflows/templates/server/server-crb.yaml index 4ffb9107..4393aa66 100644 --- a/charts/argo-workflows/templates/server/server-crb.yaml +++ b/charts/argo-workflows/templates/server/server-crb.yaml @@ -24,7 +24,11 @@ subjects: - kind: ServiceAccount name: {{ template "argo-workflows.serverServiceAccountName" . }} namespace: {{ include "argo-workflows.namespace" . | quote }} - +{{- range .Values.server.rbac.serviceAccounts }} +- kind: ServiceAccount + name: {{ .name }} + namespace: {{ .namespace | quote }} +{{- end }} {{- if .Values.server.clusterWorkflowTemplates.enabled }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -41,5 +45,10 @@ subjects: - kind: ServiceAccount name: {{ template "argo-workflows.serverServiceAccountName" . }} namespace: {{ include "argo-workflows.namespace" . | quote }} +{{- range .Values.server.clusterWorkflowTemplates.serviceAccounts }} +- kind: ServiceAccount + name: {{ .name }} + namespace: {{ .namespace | quote }} +{{- end }} {{- end -}} {{- end -}} diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index 15a42ec4..3a1e0a0a 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml 
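Review bot: The added subject entries in workflow-controller-crb.yaml render `name: {{ .name }}` unquoted while the namespace beside it is quoted, and neither field is checked for presence, so an entry with a missing key, or a name that YAML reads as a boolean or number, yields a malformed subject instead of a clear chart error. Suggest `name: {{ required "serviceAccounts[].name is required" .name | quote }}` and `namespace: {{ .namespace | default (include "argo-workflows.namespace" $) | quote }}`, using `$` because `.` is rebound inside `range`. The same three lines are repeated in both hunks of templates/server/server-crb.yaml and need the same change. The binding's `kind` and `roleRef` lie outside this hunk, so whether these subjects end up namespace-scoped or cluster-scoped cannot be confirmed from here.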
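Review bot: The second server-crb.yaml hunk appends values-supplied subjects to the binding guarded by `server.clusterWorkflowTemplates.enabled`, and nothing in the template says what those subjects gain. values.yaml in this same commit shows `enableEditing: true` as the default, so presumably every listed account receives edit rights on cluster-scoped ClusterWorkflowTemplates. A template comment above the `range` would make that visible when a values change is reviewed, for example `{{- /* Subjects listed here receive the server's ClusterWorkflowTemplate permissions cluster-wide */ -}}`. The `roleRef` is outside the hunk, so the exact verbs should be confirmed against the ClusterRole before the wording is fixed.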
@@ -100,6 +100,10 @@ controller: accessAllSecrets: false # -- Allows controller to create and update ConfigMaps. Enables memoization feature writeConfigMaps: false + # -- Extra service accounts to be added to the RoleBinding + serviceAccounts: [] + # - name: my-service-account + # namespace: my-namespace configMap: # -- Create a ConfigMap for the controller @@ -467,6 +471,10 @@ server: rbac: # -- Adds Role and RoleBinding for the server. create: true + # -- Extra service accounts to be added to the RoleBinding + serviceAccounts: [] + # - name: my-service-account + # namespace: my-namespace # -- Servers container-level security context securityContext: readOnlyRootFilesystem: false @@ -691,6 +699,10 @@ server: enabled: true # -- Give the server permissions to edit ClusterWorkflowTemplates. enableEditing: true + # -- Extra service accounts to be added to the ClusterRoleBinding + serviceAccounts: [] + # - name: my-service-account + # namespace: my-namespace # SSO configuration when SSO is specified as a server auth mode. sso:
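Review bot: The new description `# -- Extra service accounts to be added to the RoleBinding` under `controller.rbac` does not tell an operator that each listed account inherits the controller's whole permission set, which per the neighbouring options can include reading all Secrets (`accessAllSecrets`) and writing ConfigMaps (`writeConfigMaps`). The consuming template is named workflow-controller-crb.yaml, so the binding may be cluster-wide rather than a namespaced RoleBinding; its kind is not visible in this diff and should be confirmed. Proposed wording: `# -- Extra service accounts bound to the controller's role. Each gains every controller permission, including any Secret access enabled above; list only accounts trusted as much as the controller.` The `server.rbac.serviceAccounts` and `server.clusterWorkflowTemplates.serviceAccounts` hunks carry the same one-line description and would benefit from the same statement, and the README table rows appear to be generated from these comments.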