diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml
index f3dd5219..5c723b2b 100644
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@@ -3,7 +3,7 @@ name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
 version: 0.2.6
-appVersion: "v3.0.7"
+appVersion: "v3.0.8"
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 sources:
diff --git a/charts/argo-workflows/templates/controller/workflow-rb.yaml b/charts/argo-workflows/templates/controller/workflow-rb.yaml
index 9b27c045..c50a5d04 100644
--- a/charts/argo-workflows/templates/controller/workflow-rb.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-rb.yaml
@@ -1,19 +1,56 @@
-{{- if .Values.workflow.rbac.create -}}
+{{- define "workflow-rb-base" }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ template "argo-workflows.fullname" . }}-workflow
- {{- with .Values.workflow.namespace }}
- namespace: {{ . }}
- {{- end }}
+{{- end }}
+
+{{- define "workflow-rb-roleref" }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: {{ template "argo-workflows.fullname" . }}-workflow
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.workflow.serviceAccount.name }}
- {{- with .Values.workflow.namespace }}
- namespace: {{ . }}
- {{- end }}
 {{- end }}
+
+{{- define "workflow-rb-subjects" }}
+subjects:
+ - kind: ServiceAccount
+{{- end }}
+
+{{- if .Values.workflow.rbac.create -}}
+
+ {{- if .Values.workflow.namespaces }}
+
+ {{- range .Values.workflow.namespaces }}
+ {{ $namespace := . }}
+
+ {{ include "workflow-rb-base" . }}
+ name: {{ $.Release.Name }}-workflow
+ namespace: {{ $namespace }}
+
+ {{- include "workflow-rb-roleref" . }}
+ name: {{ template "argo-workflows.fullname" $ }}-workflow
+
+ {{- include "workflow-rb-subjects" . }}
+ name: {{ $.Values.workflow.serviceAccount.name }}
+ namespace: {{ $namespace }}
+ {{- end }}
+
+ {{- else }}
+
+ {{ include "workflow-rb-base" . }}
+ name: {{ $.Release.Name }}-workflow
+ {{- if $.Values.workflow.namespace }}
+ namespace: {{ $.Values.workflow.namespace }}
+ {{- end }}
+
+ {{- include "workflow-rb-roleref" . }}
+ name: {{ template "argo-workflows.fullname" $ }}-workflow
+
+ {{- include "workflow-rb-subjects" . }}
+ name: {{ $.Values.workflow.serviceAccount.name }}
+ {{- if $.Values.workflow.namespace }}
+ namespace: {{ $.Values.workflow.namespace }}
+ {{- end }}
+
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/argo-workflows/templates/controller/workflow-role.yaml b/charts/argo-workflows/templates/controller/workflow-role.yaml
index bf8b3cff..5f84b38d 100644
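Review bot: The RoleBinding's own name switched to `{{ $.Release.Name }}-workflow` in both branches, while the removed line, the `roleRef` name a few lines below and the Role in workflow-role.yaml all go through the `argo-workflows.fullname` helper. With a `fullnameOverride` or `nameOverride` (assuming the helper honours them; it is not shown on this page) the binding and the Role it references end up under different names, and on upgrade the existing binding is replaced by one with a new name, which makes the RBAC objects harder to audit. Keep `name: {{ template "argo-workflows.fullname" $ }}-workflow` for the binding as well. Separately, `namespace: {{ $namespace }}` is emitted unquoted here and again in the workflow-role.yaml and workflow-sa.yaml hunks; `namespace: {{ $namespace | quote }}` keeps an all-digit or boolean-looking entry from being retyped by the YAML parser.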
--- a/charts/argo-workflows/templates/controller/workflow-role.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-role.yaml
@@ -1,25 +1,49 @@
-{{- if .Values.workflow.rbac.create -}}
+{{- define "workflow-role-base" }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: {{ template "argo-workflows.fullname" . }}-workflow
- {{- with .Values.workflow.namespace }}
- namespace: {{ . }}
 {{- end }}
+
+ {{/* workflow-role-rules are defined separately so they can be inserted after templating the metadata */}}
+
+ {{- define "workflow-role-rules" }}
 rules:
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - watch
- - patch
-- apiGroups:
- - ""
- resources:
- - pods/log
- verbs:
- - get
- - watch
-{{- end }}
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - watch
+ {{- end }}
+
+ {{- if .Values.workflow.rbac.create -}}
+
+ {{- if .Values.workflow.namespaces }}
+ {{- range .Values.workflow.namespaces}}
+ {{ $namespace := . }}
+ {{- include "workflow-role-base" . }}
+ name: {{ template "argo-workflows.fullname" $ }}-workflow
+ namespace: {{ $namespace }}
+ {{- include "workflow-role-rules" . }}
+ {{- end }}
+
+ {{- else }}
+ {{- include "workflow-role-base" . }}
+ name: {{ template "argo-workflows.fullname" $ }}-workflow
+ {{- if .Values.workflow.namespace }}
+ namespace: {{ .Values.workflow.namespace }}
+ {{- end }}
+ {{- include "workflow-role-rules" . }}
+ {{- end }}
+
+ {{- end }}
\ No newline at end of file
diff --git a/charts/argo-workflows/templates/controller/workflow-sa.yaml b/charts/argo-workflows/templates/controller/workflow-sa.yaml
index dc84f2b1..613b73b2 100644
--- a/charts/argo-workflows/templates/controller/workflow-sa.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-sa.yaml
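Review bot: Nothing in this template, or in workflow-rb.yaml, validates `workflow.namespaces` before `range`-ing over it; the only cardinality and type checks are in workflow-sa.yaml, inside `{{- if .Values.workflow.serviceAccount.create -}}`, and that flag still defaults to `false` in values.yaml. With the defaults, setting both `workflow.namespace` and `workflow.namespaces` silently ignores the former, so the Role granting `get`/`watch`/`patch` on pods lands in a different set of namespaces than the operator may expect. Moving the two `fail` checks into a named template that all three files include, or gating them on `or .Values.workflow.rbac.create .Values.workflow.serviceAccount.create`, would validate the scope of these grants whenever RBAC is rendered.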
@@ -1,13 +1,56 @@ -{{- if .Values.workflow.serviceAccount.create -}} +{{- define "sa-base" }} +--- apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.workflow.serviceAccount.name }} - {{- with .Values.workflow.namespace }} - namespace: {{ . }} {{- end }} - {{- with .Values.workflow.serviceAccount.annotations }} + + {{- if .Values.workflow.serviceAccount.create -}} + + {{- /* + Cardinality-check the namespaces/namespace variables + This type check is done only once, here. It would be overkill to perform it for other RBAC resources as well. + */}} + + {{- if and .Values.workflow.namespaces .Values.workflow.namespace }} + {{- fail "Please set either workflow.namespaces or workflow.namespace for the service account, not both" }} + {{- end }} + + {{- if and ( not .Values.workflow.namespace ) ( not .Values.workflow.namespaces ) }} + {{- fail "Please set either workflow.namespaces or workflow.namespace" }} + {{- end }} + + {{- if .Values.workflow.namespaces }} + + {{- /* + Type-check the namespaces variable for being a list ("slice") + This type check is done only once, here. It would be overkill to perform it for other RBAC resources as well. + */}} + {{- if not ( kindIs "slice" .Values.workflow.namespaces ) }} + {{- fail ( printf "workflow.namespaces is a slice, got %s %s" ( kindOf .Values.workflow.namespaces ) .Values.workflow.namespaces ) }} + {{- end }} + + {{ $namespaces := .Values.workflow.namespaces }} + {{- range $namespaces }} + {{ $namespace := . }} + {{ include "sa-base" . }} + name: {{ $.Values.workflow.serviceAccount.name }} + namespace: {{ $namespace }} annotations: - {{- toYaml . | nindent 4 }} + {{- toYaml $.Values.workflow.serviceAccount.annotations | nindent 4 }} + {{- end }} + + {{- else }} + + {{- $namespaces := tuple .Values.workflow.namespace }} + {{- range $namespaces }} + {{- $namespace := . }} + {{ include "sa-base" . 
}} + name: {{ $.Values.workflow.serviceAccount.name }} + namespace: {{ $namespace }} + annotations: + {{- toYaml $.Values.workflow.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} + {{- end }} -{{- end }} diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index 864c9931..82c00087 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -29,13 +29,15 @@ kubeVersionOverride: "" singleNamespace: false workflow: - namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created. + namespaces: [] # Specify all namespaces to run worksflows need to be able to run in. This controls where the service + # account and RBAC resources will be created. If unspecified, will run in the same namespace as argo. + namespace: # Deprecated, for backwards compatibility: specify a single namespace to run workflows in serviceAccount: create: false # Specifies whether a service account should be created annotations: {} name: "argo-workflow" # Service account which is used to run workflows rbac: - create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows + create: true # adds Role and RoleBinding for the above specified service account to be able to run workflows controller: image:
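Review bot: The second `fail` in workflow-sa.yaml (`"Please set either workflow.namespaces or workflow.namespace"`) aborts rendering when neither value is set, yet the values.yaml hunk ships `namespaces: []` with an empty `namespace:` and documents that case as running in the same namespace as argo. Setting `serviceAccount.create: true` with otherwise default values therefore no longer installs, while workflow-role.yaml and workflow-rb.yaml handle the same case by omitting `namespace:`. Dropping that check and wrapping the `namespace:` line of the `else` branch in `{{- if $namespace }}` would bring this template in line with them. The type-check message would also read better as `"workflow.namespaces must be a list, got %s"` with only `kindOf` passed, since `%s` applied to a non-string value prints Go formatting noise.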
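Review bot: Flipping `rbac.create` to `true` in values.yaml while `serviceAccount.create` stays `false` means a default install now renders a Role and RoleBinding whose subject, the `argo-workflow` ServiceAccount, is not created by the chart. A binding to a ServiceAccount that does not exist yet takes effect as soon as anything creates an account with that name in the namespace, so the grant is live before anyone has decided who should hold it; existing users also pick up new RBAC objects on upgrade without touching their values. Either keep `create: false`, or flip both defaults together and say so in the comment, e.g. `create: true # adds Role and RoleBinding for the service account above; enable serviceAccount.create or pre-create the account`. The bare `namespace:` parses as null; `namespace: ""` states the intent explicitly.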