diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml
index cd3e1cb0..19d7745e 100644
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: v2.8.0
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.9.1
+version: 0.9.2
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
diff --git a/charts/argo/templates/server-cluster-role.yaml b/charts/argo/templates/server-cluster-roles.yaml
similarity index 74%
rename from charts/argo/templates/server-cluster-role.yaml
rename to charts/argo/templates/server-cluster-roles.yaml
index 082e4915..8da10df2 100644
--- a/charts/argo/templates/server-cluster-role.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@@ -1,14 +1,8 @@
 {{- if .Values.server.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
-{{- if .Values.singleNamespace }}
-kind: Role
-metadata:
- name: {{ .Release.Name }}-{{ .Values.server.name }}-role
-{{ else }}
 kind: ClusterRole
 metadata:
- name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-role
-{{- end }}
+ name: {{ .Release.Name }}-{{ .Values.server.name }}
 rules:
 - apiGroups:
 - ""
@@ -58,7 +52,6 @@ rules:
 - workflows
 - workflowtemplates
 - cronworkflows
- - clusterworkflowtemplates
 verbs:
 - create
 - get
@@ -67,4 +60,24 @@ rules:
 - update
 - patch
 - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-template
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - clusterworkflowtemplates
+ verbs:
+ - get
+ - list
+ - watch
+ {{- if .Values.server.clusterWorkflowTemplates.enableEditing }}
+ - create
+ - update
+ - patch
+ - delete
+ {{- end }}
 {{- end }}
diff --git a/charts/argo/templates/server-crb.yaml b/charts/argo/templates/server-crb.yaml
index ed7d7982..a919e573 100644
--- a/charts/argo/templates/server-crb.yaml
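Review bot: The ClusterRole in the `@@ -1,14 +1,8 @@` hunk is now created even when `singleNamespace` is set, and it is named only `{{ .Release.Name }}-{{ .Values.server.name }}`, with no namespace component. ClusterRoles are cluster-scoped, so releases that share a name across namespaces (possible under Helm 3) would render the same object name, and whoever installs a single-namespace release now needs permission to create cluster-level RBAC objects, which the removed `kind: Role` branch did not require. Consider keeping the namespaced Role for `singleNamespace`, or at least making the name unique, e.g. `name: {{ .Release.Namespace }}-{{ .Release.Name }}-{{ .Values.server.name }}` with the matching `roleRef` in server-crb.yaml. The same applies to the controller role in workflow-controller-cluster-roles.yaml (`@@ -1,13 +1,7 @@`).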
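Review bot: The second document added in the `@@ -67,4 +60,24 @@` hunk has no comment saying why ClusterWorkflowTemplate access is split into its own ClusterRole, or that the write verbs depend on a values flag. A short comment above the new `kind: ClusterRole` would help whoever audits the rendered RBAC, for example `# ClusterWorkflowTemplates are cluster-scoped: read access is always granted, write verbs only when server.clusterWorkflowTemplates.enableEditing is true.` The `get`, `list` and `watch` verbs are unconditional in the added lines, so the comment should say that too.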
+++ b/charts/argo/templates/server-crb.yaml
@@ -3,21 +3,29 @@ apiVersion: rbac.authorization.k8s.io/v1
 {{- if .Values.singleNamespace }}
 kind: RoleBinding
 metadata:
- name: {{ .Release.Name }}-{{ .Values.server.name}}-rb
+ name: {{ .Release.Name }}-{{ .Values.server.name}}
 {{ else }}
 kind: ClusterRoleBinding
 metadata:
- name: {{ .Release.Name }}-{{ .Values.server.name}}-crb
+ name: {{ .Release.Name }}-{{ .Values.server.name}}
 {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- {{- if .Values.singleNamespace }}
- kind: Role
- name: {{ .Release.Name }}-{{ .Values.server.name}}-role
- {{ else }}
 kind: ClusterRole
- name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-role
- {{- end }}
+ name: {{ .Release.Name }}-{{ .Values.server.name}}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.server.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template
 subjects:
 - kind: ServiceAccount
 name: {{ .Values.server.serviceAccount }}
diff --git a/charts/argo/templates/workflow-controller-clusterrole.yaml b/charts/argo/templates/workflow-controller-cluster-roles.yaml
similarity index 85%
rename from charts/argo/templates/workflow-controller-clusterrole.yaml
rename to charts/argo/templates/workflow-controller-cluster-roles.yaml
index 43d1a8a7..1bee0b17 100644
--- a/charts/argo/templates/workflow-controller-clusterrole.yaml
+++ b/charts/argo/templates/workflow-controller-cluster-roles.yaml
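Review bot: The `-cluster-template` ClusterRoleBinding added at the end of this hunk sits outside the `{{- if .Values.singleNamespace }}` branch, so a single-namespace install still binds the server service account to a cluster-wide role. With the default added in values.yaml (`enableEditing: true`) that role carries `create`, `update`, `patch` and `delete` on ClusterWorkflowTemplates, which looks broader than what `singleNamespace` suggests. If namespaced installs are not meant to touch ClusterWorkflowTemplates, wrap the new document in `{{- if not .Values.singleNamespace }}` … `{{- end }}`; otherwise document the exception next to the binding. The read-only controller binding added in workflow-controller-crb.yaml (`@@ -30,3 +25,16 @@`) is unconditional in the same way. The hunk starts at line 3 of the file, so any enclosing condition above it is not visible here.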
@@ -1,13 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
-{{- if .Values.singleNamespace }}
-kind: Role
-metadata:
- name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
-{{ else }}
 kind: ClusterRole
 metadata:
- name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role
-{{- end }}
+ name: {{ .Release.Name }}-{{ .Values.controller.name }}
 rules:
 - apiGroups:
 - ""
@@ -103,5 +97,18 @@ rules:
 verbs:
 - get
 {{- end}}
-
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - clusterworkflowtemplates
+ - clusterworkflowtemplates/finalizers
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/charts/argo/templates/workflow-controller-crb.yaml b/charts/argo/templates/workflow-controller-crb.yaml
index 3eba3cf2..459a3c67 100644
--- a/charts/argo/templates/workflow-controller-crb.yaml
+++ b/charts/argo/templates/workflow-controller-crb.yaml
@@ -5,16 +5,11 @@ kind: RoleBinding
 kind: ClusterRoleBinding
 {{- end }}
 metadata:
- name: {{ .Release.Name }}-{{ .Values.controller.name }}-binding
+ name: {{ .Release.Name }}-{{ .Values.controller.name }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- {{- if .Values.singleNamespace }}
- kind: Role
- name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
- {{ else }}
 kind: ClusterRole
- name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role
- {{- end }}
+ name: {{ .Release.Name }}-{{ .Values.controller.name }}
 subjects:
 - kind: ServiceAccount
 name: {{ .Values.controller.serviceAccount }}
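Review bot: In the controller's new `-cluster-template` ClusterRole (`@@ -103,5 +97,18 @@`), `clusterworkflowtemplates/finalizers` is granted only `get`, `list` and `watch`. Read verbs on a finalizers subresource are unusual, since rules for it normally need `update`, so this entry probably grants nothing the controller uses. Either drop the `- clusterworkflowtemplates/finalizers` line or, if the controller really sets finalizers on these objects, give it its own rule with `update` and say why in a comment.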
@@ -30,3 +25,16 @@ subjects: {{- end }} {{- end }} {{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template +subjects: + - kind: ServiceAccount + name: {{ .Values.controller.serviceAccount }} + namespace: {{ .Release.Namespace }} diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml index 7ab0aae5..7f0eead3 100644 --- a/charts/argo/values.yaml +++ b/charts/argo/values.yaml @@ -190,6 +190,9 @@ server: # - secretName: argo-ui-tls # hosts: # - argo.domain.com + clusterWorkflowTemplates: + # Give the server permissions to edit ClusterWorkflowTemplates. + enableEditing: true # Influences the creation of the ConfigMap for the workflow-controller itself. useDefaultArtifactRepo: false
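Review bot: `enableEditing: true` in the values.yaml hunk makes cluster-wide write access to ClusterWorkflowTemplates the default for the server service account, and the comment does not say the grant is cluster-scoped. A default of `false` would be the least-privilege choice. If `true` is kept to preserve what the previous ClusterRole allowed, spell the scope out, e.g. `# Grants the server create/update/patch/delete on ClusterWorkflowTemplates across the cluster; set to false for read-only access.` The verbs named are the ones in the conditional block added in server-cluster-roles.yaml.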