fix: ClusterWorkflowTemplate access (#352)

Vlad Losev 2020-05-15 14:32:23 -07:00 committed by GitHub
parent 859d769c12
commit 370ec9f6c4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 72 additions and 33 deletions


@ -2,7 +2,7 @@ apiVersion: v1
appVersion: v2.8.0 appVersion: v2.8.0
description: A Helm chart for Argo Workflows description: A Helm chart for Argo Workflows
name: argo name: argo
version: 0.9.1 version: 0.9.2
icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
home: https://github.com/argoproj/argo-helm home: https://github.com/argoproj/argo-helm
maintainers: maintainers:


@ -1,14 +1,8 @@
{{- if .Values.server.enabled }} {{- if .Values.server.enabled }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: Role
metadata:
name: {{ .Release.Name }}-{{ .Values.server.name }}-role
{{ else }}
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-role name: {{ .Release.Name }}-{{ .Values.server.name }}
{{- end }}
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
@ -58,7 +52,6 @@ rules:
- workflows - workflows
- workflowtemplates - workflowtemplates
- cronworkflows - cronworkflows
- clusterworkflowtemplates
verbs: verbs:
- create - create
- get - get
@ -67,4 +60,24 @@ rules:
- update - update
- patch - patch
- delete - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-template
rules:
- apiGroups:
- argoproj.io
resources:
- clusterworkflowtemplates
verbs:
- get
- list
- watch
{{- if .Values.server.clusterWorkflowTemplates.enableEditing }}
- create
- update
- patch
- delete
{{- end }}
{{- end }} {{- end }}
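Review bot: The server role is now always a cluster-scoped ClusterRole, and its name `{{ .Release.Name }}-{{ .Values.server.name }}` (like the new `-cluster-template` role below it) is built from the release name alone. Before this change a `singleNamespace` install rendered a namespaced Role, so two installs with the same release name in different namespaces could not clash; now both would render identical ClusterRole names, and depending on the Helm version the second install presumably either fails or takes over the first one's object. Consider including the namespace in every cluster-scoped name, e.g. `name: {{ .Release.Namespace }}-{{ .Release.Name }}-{{ .Values.server.name }}`, with the matching `roleRef.name` in the binding template. The same applies to the controller ClusterRole and to the ClusterRoleBindings added in the two binding files. The `rules:` list of the first role continues outside the visible hunks.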


@ -3,21 +3,29 @@ apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }} {{- if .Values.singleNamespace }}
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ .Release.Name }}-{{ .Values.server.name}}-rb name: {{ .Release.Name }}-{{ .Values.server.name}}
{{ else }} {{ else }}
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ .Release.Name }}-{{ .Values.server.name}}-crb name: {{ .Release.Name }}-{{ .Values.server.name}}
{{- end }} {{- end }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
{{- if .Values.singleNamespace }}
kind: Role
name: {{ .Release.Name }}-{{ .Values.server.name}}-role
{{ else }}
kind: ClusterRole kind: ClusterRole
name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-role name: {{ .Release.Name }}-{{ .Values.server.name}}
{{- end }} subjects:
- kind: ServiceAccount
name: {{ .Values.server.serviceAccount }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ .Values.server.serviceAccount }} name: {{ .Values.server.serviceAccount }}


@ -1,13 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: Role
metadata:
name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
{{ else }}
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role name: {{ .Release.Name }}-{{ .Values.controller.name }}
{{- end }}
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
@ -103,5 +97,18 @@ rules:
verbs: verbs:
- get - get
{{- end}} {{- end}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
rules:
- apiGroups:
- argoproj.io
resources:
- clusterworkflowtemplates
- clusterworkflowtemplates/finalizers
verbs:
- get
- list
- watch
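Review bot: In the added `-cluster-template` ClusterRole, `clusterworkflowtemplates/finalizers` is granted only `get`, `list` and `watch`. Kubernetes normally checks access to a `/finalizers` subresource with the `update` verb (for owner-reference permission enforcement), so with read-only verbs this entry likely grants nothing the controller can use. I would drop the line `- clusterworkflowtemplates/finalizers` to keep the role minimal. If the controller does need it, keep it in a separate rule with the verb it requires and a comment such as `# needed to set ownerReferences on ClusterWorkflowTemplates`.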


@ -5,16 +5,11 @@ kind: RoleBinding
kind: ClusterRoleBinding kind: ClusterRoleBinding
{{- end }} {{- end }}
metadata: metadata:
name: {{ .Release.Name }}-{{ .Values.controller.name }}-binding name: {{ .Release.Name }}-{{ .Values.controller.name }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
{{- if .Values.singleNamespace }}
kind: Role
name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
{{ else }}
kind: ClusterRole kind: ClusterRole
name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role name: {{ .Release.Name }}-{{ .Values.controller.name }}
{{- end }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ .Values.controller.serviceAccount }} name: {{ .Values.controller.serviceAccount }}
@ -30,3 +25,16 @@ subjects:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
subjects:
- kind: ServiceAccount
name: {{ .Values.controller.serviceAccount }}
namespace: {{ .Release.Namespace }}


@ -190,6 +190,9 @@ server:
# - secretName: argo-ui-tls # - secretName: argo-ui-tls
# hosts: # hosts:
# - argo.domain.com # - argo.domain.com
clusterWorkflowTemplates:
# Give the server permissions to edit ClusterWorkflowTemplates.
enableEditing: true
# Influences the creation of the ConfigMap for the workflow-controller itself. # Influences the creation of the ConfigMap for the workflow-controller itself.
useDefaultArtifactRepo: false useDefaultArtifactRepo: false
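Review bot: Defaulting `enableEditing: true` means a stock install gives the server's service account `create`, `update`, `patch` and `delete` on cluster-scoped ClusterWorkflowTemplates. From the visible template lines this also holds when `singleNamespace` is set, because the `-cluster-template` ClusterRole and its ClusterRoleBinding are not gated on that value. Anything that can drive the server under its own service account can then change templates that workflows in other namespaces reference, so a least-privilege default would be `enableEditing: false`. The comment should also state the scope, e.g. `# Grants the server create/update/patch/delete on cluster-scoped ClusterWorkflowTemplates, also when singleNamespace is true.` The enclosing `server:` block starts outside this hunk.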