allow workflow to be run in multiple namespaces, bump chart version

Signed-off-by: reinvantveer <rein.van.t.veer@geodan.nl>
2021-07-05 12:49:13 +02:00 · 2021-07-05 12:49:13 +02:00 · 8eb0e11a26
commit 8eb0e11a26
parent b78109c4f3
5 changed files with 148 additions and 42 deletions
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@ -3,7 +3,7 @@ name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
 version: 0.2.6
-appVersion: "v3.0.7"
+appVersion: "v3.0.8"
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 sources:
--- a/charts/argo-workflows/templates/controller/workflow-rb.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-rb.yaml
@ -1,19 +1,56 @@
-{{- if .Values.workflow.rbac.create -}}
+{{- define "workflow-rb-base" }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "argo-workflows.fullname" . }}-workflow
-  {{- with .Values.workflow.namespace }}
-  namespace: {{ . }} 
-  {{- end }}
+{{- end }}
+
+{{- define "workflow-rb-roleref" }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: {{ template "argo-workflows.fullname" . }}-workflow
-subjects:
- kind: ServiceAccount
-  name: {{ .Values.workflow.serviceAccount.name }}
-  {{- with .Values.workflow.namespace }}
-  namespace: {{ . }}
-  {{- end }}
 {{- end }}
+
+{{- define "workflow-rb-subjects" }}
+subjects:
+  - kind: ServiceAccount
+{{- end }}
+
+{{- if .Values.workflow.rbac.create -}}
+
+  {{- if .Values.workflow.namespaces }}
+
+    {{- range .Values.workflow.namespaces }}
+      {{ $namespace := . }}
+
+      {{ include "workflow-rb-base" . }}
+  name: {{ $.Release.Name }}-workflow
+  namespace: {{ $namespace }}
+
+      {{- include "workflow-rb-roleref" . }}
+  name: {{ template "argo-workflows.fullname" $ }}-workflow
+
+      {{- include "workflow-rb-subjects" . }}
+    name: {{ $.Values.workflow.serviceAccount.name }}
+    namespace: {{ $namespace }}
+    {{- end }}
+
+  {{- else }}
+
+    {{ include "workflow-rb-base" . }}
+  name: {{ $.Release.Name }}-workflow
+    {{- if $.Values.workflow.namespace }}
+  namespace: {{ $.Values.workflow.namespace }}
+  {{- end }}
+
+    {{- include "workflow-rb-roleref" . }}
+  name: {{ template "argo-workflows.fullname" $ }}-workflow
+
+    {{- include "workflow-rb-subjects" . }}
+    name: {{ $.Values.workflow.serviceAccount.name }}
+    {{- if $.Values.workflow.namespace }}
+    namespace: {{ $.Values.workflow.namespace }}
+    {{- end }}
+
+  {{- end }}
+{{- end }}
--- a/charts/argo-workflows/templates/controller/workflow-role.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-role.yaml
@ -1,25 +1,49 @@
-{{- if .Values.workflow.rbac.create -}}
+{{- define "workflow-role-base" }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "argo-workflows.fullname" . }}-workflow
-  {{- with .Values.workflow.namespace }}
-  namespace: {{ . }}
  {{- end }}
+
+  {{/* workflow-role-rules are defined separately so they can be inserted after templating the metadata */}}
+
+  {{- define "workflow-role-rules" }}
 rules:
- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - watch
-  - patch
- apiGroups:
-  - ""
-  resources:
-  - pods/log
-  verbs:
-  - get
-  - watch
-{{- end }}
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - watch
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+    verbs:
+      - get
+      - watch
+        {{- end }}
+
+        {{- if .Values.workflow.rbac.create -}}
+
+        {{- if .Values.workflow.namespaces }}
+        {{- range .Values.workflow.namespaces}}
+        {{ $namespace := . }}
+    {{- include "workflow-role-base" . }}
+    name: {{ template "argo-workflows.fullname" $ }}-workflow
+    namespace: {{ $namespace }}
+    {{- include "workflow-role-rules" . }}
+    {{- end }}
+
+    {{- else }}
+    {{- include "workflow-role-base" . }}
+    name: {{ template "argo-workflows.fullname" $ }}-workflow
+    {{- if .Values.workflow.namespace }}
+    namespace: {{ .Values.workflow.namespace }}
+    {{- end }}
+    {{- include "workflow-role-rules" . }}
+  {{- end }}
+
+  {{- end }}
--- a/charts/argo-workflows/templates/controller/workflow-sa.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-sa.yaml
@ -1,13 +1,56 @@
-{{- if .Values.workflow.serviceAccount.create -}}
+{{- define "sa-base" }}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.workflow.serviceAccount.name }}
-  {{- with .Values.workflow.namespace }}
-  namespace: {{ . }}
  {{- end }}
-  {{- with .Values.workflow.serviceAccount.annotations }}
+
+  {{- if .Values.workflow.serviceAccount.create -}}
+
+  {{- /*
+      Cardinality-check the namespaces/namespace variables
+      This type check is done only once, here. It would be overkill to perform it for other RBAC resources as well.
+  */}}
+
+  {{- if and .Values.workflow.namespaces .Values.workflow.namespace }}
+  {{- fail "Please set either workflow.namespaces or workflow.namespace for the service account, not both" }}
+  {{- end }}
+
+  {{- if and ( not .Values.workflow.namespace ) ( not .Values.workflow.namespaces ) }}
+  {{- fail "Please set either workflow.namespaces or workflow.namespace" }}
+  {{- end }}
+
+  {{- if .Values.workflow.namespaces }}
+
+  {{- /*
+      Type-check the namespaces variable for being a list ("slice")
+      This type check is done only once, here. It would be overkill to perform it for other RBAC resources as well.
+    */}}
+  {{- if not ( kindIs "slice" .Values.workflow.namespaces ) }}
+  {{- fail ( printf "workflow.namespaces is a slice, got %s %s" ( kindOf .Values.workflow.namespaces ) .Values.workflow.namespaces ) }}
+  {{- end }}
+
+  {{ $namespaces := .Values.workflow.namespaces }}
+  {{- range $namespaces }}
+  {{ $namespace := . }}
+  {{ include "sa-base" . }}
+  name: {{ $.Values.workflow.serviceAccount.name }}
+  namespace: {{ $namespace }}
  annotations:
-    {{- toYaml . | nindent 4 }}
+  {{- toYaml $.Values.workflow.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
+
+  {{- else }}
+
+  {{- $namespaces := tuple .Values.workflow.namespace }}
+  {{- range $namespaces }}
+  {{- $namespace := . }}
+  {{ include "sa-base" . }}
+  name: {{ $.Values.workflow.serviceAccount.name }}
+  namespace: {{ $namespace }}
+  annotations:
+  {{- toYaml $.Values.workflow.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
+  {{- end }}
+
  {{- end }}
-{{- end }}
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -29,13 +29,15 @@ kubeVersionOverride: ""
 singleNamespace: false

 workflow:
-  namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created.
+  namespaces: [] # Specify all namespaces to run worksflows need to be able to run in. This controls where the service
+  # account and RBAC resources will be created. If unspecified, will run in the same namespace as argo.
+  namespace: # Deprecated, for backwards compatibility: specify a single namespace to run workflows in
  serviceAccount:
    create: false # Specifies whether a service account should be created
    annotations: {}
    name: "argo-workflow" # Service account which is used to run workflows
  rbac:
-    create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows
+    create: true # adds Role and RoleBinding for the above specified service account to be able to run workflows

 controller:
  image: