diff --git a/charts/argo/requirements.lock b/charts/argo/Chart.lock
similarity index 77%
rename from charts/argo/requirements.lock
rename to charts/argo/Chart.lock
index 37a55e66..4b57ae05 100644
--- a/charts/argo/requirements.lock
+++ b/charts/argo/Chart.lock
@@ -3,4 +3,4 @@ dependencies:
 repository: https://helm.min.io/
 version: 8.0.9
 digest: sha256:0f43ad0a4b4e9af47615ef3da85054712eb28f154418d96b7b974a095cc19260
-generated: "2021-01-11T15:01:01.169105-08:00"
+generated: "2021-01-13T15:31:40.823086-08:00"
diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml
index 504be025..44c812c7 100644
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v2.12.3
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.15.0
+version: 0.15.2
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
@@ -10,3 +10,8 @@ maintainers:
 - name: alexmt
 - name: jessesuen
 - name: benjaminws
+dependencies:
+- name: minio
+ version: 8.0.9
+ repository: https://helm.min.io/
+ condition: minio.install
diff --git a/charts/argo/requirements.yaml b/charts/argo/requirements.yaml
deleted file mode 100644
index bd643139..00000000
--- a/charts/argo/requirements.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-dependencies:
-- name: minio
- version: 8.0.9
- repository: https://helm.min.io/
- condition: minio.install
diff --git a/charts/argo/templates/server-cluster-roles.yaml b/charts/argo/templates/server-cluster-roles.yaml
index e946dcc7..10c730c1 100644
--- a/charts/argo/templates/server-cluster-roles.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@@ -41,7 +41,8 @@ rules:
 verbs:
 - create
 {{- end}}
-{{- if .Values.server.rbac }}
+{{- if .Values.server.sso }}
+ {{- if .Values.server.sso.rbac }}
 - apiGroups:
 - ""
 resources:
@@ -49,6 +50,7 @@ rules:
 verbs:
 - get
 - list
+ {{- end }}
 {{- end }}
 - apiGroups:
 - ""
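Review bot: The inner guard added in the `@@ -41,7 +41,8 @@` hunk of `templates/server-cluster-roles.yaml` tests only that the `server.sso.rbac` map exists, while the `values.yaml` example in this same commit documents an `enabled` key under it. A non-empty map is truthy in a Go template, so a release that sets `server.sso.rbac.enabled: false` would still render the `get`/`list` rule and hand the server that access. If `enabled` is meant to be the switch, the guard should read `{{- if .Values.server.sso.rbac.enabled }}`; if it is consumed elsewhere in the chart, a comment on the guard saying that map presence alone grants the rule would prevent surprises. The rule's `resources` list and the start of the `rules:` block lie outside the hunk.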
@@ -56,8 +58,12 @@ rules:
 - secrets
 verbs:
 - get
-{{- with .Values.server.rbac.secretWhitelist }}
+{{- if .Values.server.sso }}
+ {{- if .Values.server.sso.rbac }}
+ {{- with .Values.server.sso.rbac.secretWhitelist }}
 resourceNames: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 - apiGroups:
 - ""
diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml
index 084e92c4..b1491b14 100644
--- a/charts/argo/values.yaml
+++ b/charts/argo/values.yaml
@@ -167,9 +167,6 @@ server:
 serviceType: ClusterIP
 servicePort: 2746
 # servicePortName: http
- rbac:
- # When present, restricts secrets the server can read to a given list.
- secretWhitelist: []
 serviceAccount: argo-server
 # Whether to create the service account with the name specified in
 # server.serviceAccount and bind it to the server role.
@@ -267,6 +264,18 @@ server:
 # key: client-secret
 ## The OIDC redirect URL. Should be in the form /oauth2/callback.
 # redirectUrl: https://argo/oauth2/callback
+ # rbac:
+ # enabled: true
+ ## When present, restricts secrets the server can read to a given list.
+ ## You can use it to restrict the server to only be able to access the
+ ## service account token secrets that are associated with service accounts
+ ## used for authorization.
+ # secretWhitelist: []
+ ## Scopes requested from the SSO ID provider. The 'groups' scope requests
+ ## group membership information, which is usually used for authorization
+ ## decisions.
+ # scopes:
+ # - groups
 # Influences the creation of the ConfigMap for the workflow-controller itself.
 useDefaultArtifactRepo: false
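Review bot: The `resourceNames` restriction on the secrets `get` rule in the `@@ -56,8 +58,12 @@` hunk fails open for anyone upgrading with the old key. A release that still sets `server.rbac.secretWhitelist` now renders no `resourceNames` at all, so the rule stops being limited to the listed secrets and nothing in the render reports it. The chart version moves only from 0.15.0 to 0.15.2, so operators are unlikely to expect a values migration. Either keep reading the old key as a fallback or stop the render with a message, for example `{{- if .Values.server.rbac }}{{ fail "server.rbac.secretWhitelist has moved to server.sso.rbac.secretWhitelist" }}{{- end }}`. The rule itself starts above the hunk.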
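Review bot: The commented `secretWhitelist: []` example in the `@@ -267,6 +264,18 @@` hunk of `values.yaml` reads as if it were a restriction, but the role template wraps `resourceNames` in `with`, which skips an empty list. Copying the example as written therefore leaves the secrets `get` rule without any name restriction. I would say so next to the key, for example `## An empty or missing list restricts nothing: the server can then get any secret its role binding covers.`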