feat(argo-workflows): add value to avoid creating RBAC related to ClusterWorkflowTemplates (#657)

* Argo Workflows: avoid creating ClusterRoles and CRBs if singleNamespace is true

Signed-off-by: g-linville <53102776+g-linville@users.noreply.github.com>

* Argo Workflows: bumped chart version

Signed-off-by: g-linville <53102776+g-linville@users.noreply.github.com>

* Argo: remove clusterworkflowtemplates from WorkflowController role

Signed-off-by: g-linville <53102776+g-linville@users.noreply.github.com>

* feat(argo-workflows): add value to disable creation of RBAC relating to ClusterWorkflowTemplates

Signed-off-by: g-linville <53102776+g-linville@users.noreply.github.com>

* Bumped chart version

Signed-off-by: g-linville <53102776+g-linville@users.noreply.github.com>

charts/argo-workflows/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.1.2
+version: 0.1.3
 appVersion: "v3.0.2"
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm

charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml

@@ -55,8 +55,6 @@ rules:
   resources:
   - workflowtemplates
   - workflowtemplates/finalizers
-  - clusterworkflowtemplates
-  - clusterworkflowtemplates/finalizers
   verbs:
   - get
   - list
@@ -131,6 +129,8 @@ rules:
   - update
   - patch
   - delete
+
+{{- if .Values.controller.clusterWorkflowTemplates.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -146,3 +146,4 @@ rules:
   - get
   - list
   - watch
+{{- end }}

charts/argo-workflows/templates/controller/workflow-controller-crb.yaml

@@ -31,6 +31,8 @@ subjects:
   {{- end }}
 {{- end }}
 {{- end }}
+
+{{- if .Values.controller.clusterWorkflowTemplates.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -46,3 +48,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "argo-workflows.controllerServiceAccountName" . }}
     namespace: {{ .Release.Namespace }}
+{{- end }}

charts/argo-workflows/templates/server/server-cluster-roles.yaml

@@ -111,6 +111,8 @@ rules:
     - update
     - patch
     - delete
+
+{{- if .Values.server.clusterWorkflowTemplates.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -134,3 +136,4 @@ rules:
   - delete
   {{- end }}
 {{- end }}
+{{- end }}

charts/argo-workflows/templates/server/server-crb.yaml

@@ -21,6 +21,8 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "argo-workflows.serverServiceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+
+{{- if .Values.server.clusterWorkflowTemplates.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -37,3 +39,4 @@ subjects:
   name: {{ template "argo-workflows.serverServiceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 {{- end -}}
+{{- end -}}

charts/argo-workflows/values.yaml

@@ -143,6 +143,9 @@ controller:
   priorityClassName: ""
   # https://argoproj.github.io/argo-workflows/links/
   links: []
+  clusterWorkflowTemplates:
+    # Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
+    enabled: true
 
 # executor controls how the init and wait container should be customized
 executor:
@@ -262,6 +265,8 @@ server:
     https: false
 
   clusterWorkflowTemplates:
+    # Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
+    enabled: true
     # Give the server permissions to edit ClusterWorkflowTemplates.
     enableEditing: true
   sso: