Moves ClusterWorkflowTemplate permissions into separate roles.

2020-05-15 13:10:41 -07:00 · 2020-05-15 13:10:41 -07:00 · 8439694208
commit 8439694208
parent cbb27bbfc8
5 changed files with 64 additions and 1 deletions
--- a/charts/argo/templates/server-cluster-roles.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@ -52,7 +52,6 @@ rules:
  - workflows
  - workflowtemplates
  - cronworkflows
-  - clusterworkflowtemplates
  verbs:
  - create
  - get
@ -61,4 +60,24 @@ rules:
  - update
  - patch
  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-template-cluster-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - clusterworkflowtemplates
+  verbs:
+  - get
+  - list
+  - watch
+  {{- if .Values.server.clusterWorkflowTemplates.enableEditing }}
+  - create
+  - update
+  - patch
+  - delete
+  {{- end }}
 {{- end }}
--- a/charts/argo/templates/server-crb.yaml
+++ b/charts/argo/templates/server-crb.yaml
@ -19,4 +19,17 @@ subjects:
  {{- if not .Values.singleNamespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.server.name}}-crb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.server.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
 {{- end -}}
--- a/charts/argo/templates/workflow-controller-cluster-roles.yaml
+++ b/charts/argo/templates/workflow-controller-cluster-roles.yaml
@ -97,3 +97,18 @@ rules:
  verbs:
  - get
 {{- end}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template-cluster-role
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - clusterworkflowtemplates
+  - clusterworkflowtemplates/finalizers
+  verbs:
+  - get
+  - list
+  - watch
--- a/charts/argo/templates/workflow-controller-crb.yaml
+++ b/charts/argo/templates/workflow-controller-crb.yaml
@ -27,3 +27,16 @@ subjects:
  {{- end }}
 {{- end }}
 {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.controller.serviceAccount }}
+    namespace: {{ .Release.Namespace }}
--- a/charts/argo/values.yaml
+++ b/charts/argo/values.yaml
@ -190,6 +190,9 @@ server:
    #   - secretName: argo-ui-tls
    #     hosts:
    #       - argo.domain.com
+  clusterWorkflowTemplates:
+    # Give the server permissions to edit ClusterWorkflowTemplates.
+    enableEditing: true

 # Influences the creation of the ConfigMap for the workflow-controller itself.
 useDefaultArtifactRepo: false