fix: ClusterWorkflowTemplate access (#352)

2020-05-15 14:32:23 -07:00 · 2020-05-15 14:32:23 -07:00 · 370ec9f6c4
commit 370ec9f6c4
parent 859d769c12
6 changed files with 72 additions and 33 deletions
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: v2.8.0
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.9.1
+version: 0.9.2
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
--- a/charts/argo/templates/server-cluster-roles.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@ -1,14 +1,8 @@
 {{- if .Values.server.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
-{{- if .Values.singleNamespace }}
-kind: Role
-metadata:
-  name: {{ .Release.Name }}-{{ .Values.server.name }}-role
-{{ else }}
 kind: ClusterRole
 metadata:
-  name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-role
-{{- end }}
+  name: {{ .Release.Name }}-{{ .Values.server.name }}
 rules:
 - apiGroups:
  - ""
@ -58,7 +52,6 @@ rules:
  - workflows
  - workflowtemplates
  - cronworkflows
-  - clusterworkflowtemplates
  verbs:
  - create
  - get
@ -67,4 +60,24 @@ rules:
  - update
  - patch
  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-template
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - clusterworkflowtemplates
+  verbs:
+  - get
+  - list
+  - watch
+  {{- if .Values.server.clusterWorkflowTemplates.enableEditing }}
+  - create
+  - update
+  - patch
+  - delete
+  {{- end }}
 {{- end }}
--- a/charts/argo/templates/server-crb.yaml
+++ b/charts/argo/templates/server-crb.yaml
@ -3,21 +3,29 @@ apiVersion: rbac.authorization.k8s.io/v1
 {{- if .Values.singleNamespace }}
 kind: RoleBinding
 metadata:
-  name: {{ .Release.Name }}-{{ .Values.server.name}}-rb
+  name: {{ .Release.Name }}-{{ .Values.server.name}}
 {{ else }}
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Release.Name }}-{{ .Values.server.name}}-crb
+  name: {{ .Release.Name }}-{{ .Values.server.name}}
 {{- end }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  {{- if .Values.singleNamespace }}
-  kind: Role
-  name: {{ .Release.Name }}-{{ .Values.server.name}}-role
-  {{ else }}
  kind: ClusterRole
-  name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-role
-  {{- end }}
+  name: {{ .Release.Name }}-{{ .Values.server.name}}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.server.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template
 subjects:
 - kind: ServiceAccount
  name: {{ .Values.server.serviceAccount }}
--- a/charts/argo/templates/workflow-controller-cluster-roles.yaml
+++ b/charts/argo/templates/workflow-controller-cluster-roles.yaml
@ -1,13 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
-{{- if .Values.singleNamespace }}
-kind: Role
-metadata:
-  name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
-{{ else }}
 kind: ClusterRole
 metadata:
-  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role
-{{- end }}
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}
 rules:
 - apiGroups:
  - ""
@ -103,5 +97,18 @@ rules:
  verbs:
  - get
 {{- end}}
-
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - clusterworkflowtemplates
+  - clusterworkflowtemplates/finalizers
+  verbs:
+  - get
+  - list
+  - watch
--- a/charts/argo/templates/workflow-controller-crb.yaml
+++ b/charts/argo/templates/workflow-controller-crb.yaml
@ -5,16 +5,11 @@ kind: RoleBinding
 kind: ClusterRoleBinding
 {{- end }}
 metadata:
-  name: {{ .Release.Name }}-{{ .Values.controller.name }}-binding
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  {{- if .Values.singleNamespace }}
-  kind: Role
-  name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
-  {{ else }}
  kind: ClusterRole
-  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role
-  {{- end }}
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}
 subjects:
  - kind: ServiceAccount
    name: {{ .Values.controller.serviceAccount }}
@ -30,3 +25,16 @@ subjects:
  {{- end }}
 {{- end }}
 {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.controller.serviceAccount }}
+    namespace: {{ .Release.Namespace }}
--- a/charts/argo/values.yaml
+++ b/charts/argo/values.yaml
@ -190,6 +190,9 @@ server:
    #   - secretName: argo-ui-tls
    #     hosts:
    #       - argo.domain.com
+  clusterWorkflowTemplates:
+    # Give the server permissions to edit ClusterWorkflowTemplates.
+    enableEditing: true

 # Influences the creation of the ConfigMap for the workflow-controller itself.
 useDefaultArtifactRepo: false