From 93d8b226d135388bc719e68c9593f5b790ad1f73 Mon Sep 17 00:00:00 2001
From: Vlad Losev
Date: Tue, 12 Jan 2021 10:27:30 -0800
Subject: [PATCH] fix(argo): Add RBAC permissions for v2.12. (#541)
Signed-off-by: Vlad Losev
fix(argo): create roles instead of rolebindings when singleNamespace is true
Signed-off-by: Alex Sears
fix(argo-cd): correct repo for stable helm charts
Signed-off-by: Alex Sears
---
 charts/argo-cd/values.yaml | 2 +-
 charts/argo/templates/server-cluster-roles.yaml | 8 ++++++++
 charts/argo/templates/server-crb.yaml | 16 +++++++++++++---
 .../argo/templates/workflow-aggregate-roles.yaml | 12 ++++++++++++
 .../workflow-controller-cluster-roles.yaml | 8 ++++++++
 .../argo/templates/workflow-controller-crb.yaml | 12 ++++++++++++
 6 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index 5331d96b..cca30b7f 100755
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@@ -544,7 +544,7 @@ server:
 # name: secret-name
 # key: sshPrivateKey
 # - type: helm
- # url: https://kubernetes-charts.storage.googleapis.com
+ # url: https://charts.helm.sh/stable
 # name: stable
 # - type: helm
 # url: https://argoproj.github.io/argo-helm
diff --git a/charts/argo/templates/server-cluster-roles.yaml b/charts/argo/templates/server-cluster-roles.yaml
index e946dcc7..1d2ee5fe 100644
--- a/charts/argo/templates/server-cluster-roles.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@@ -1,6 +1,10 @@
 {{- if .Values.server.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
 name: {{ .Release.Name }}-{{ .Values.server.name }}
 rules:
@@ -101,7 +105,11 @@ rules:
 - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
 name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-template
 rules:
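Review bot: In the second hunk of server-cluster-roles.yaml (`@@ -101,7 +105,11 @@`), the object named `…-cluster-template` becomes a namespaced `Role` when `singleNamespace` is set, but a Role cannot grant access to cluster-scoped resources. Its rules lie outside the hunk; if they cover cluster-scoped kinds such as ClusterWorkflowTemplates, as the name suggests, the rendered Role grants nothing and the server loses that access with no error at install time. Either keep this one object a ClusterRole with a ClusterRoleBinding, or do not render it in single-namespace mode, e.g. by wrapping it and its binding in server-crb.yaml in `{{- if not .Values.singleNamespace }}`, and say so in values.yaml. The same applies to the `-cluster-template` object in workflow-controller-cluster-roles.yaml (`@@ -127,7 +131,11 @@`) and its binding in workflow-controller-crb.yaml.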
diff --git a/charts/argo/templates/server-crb.yaml b/charts/argo/templates/server-crb.yaml
index d1ad5ea4..44467c7c 100644
--- a/charts/argo/templates/server-crb.yaml
+++ b/charts/argo/templates/server-crb.yaml
@@ -2,16 +2,18 @@
 apiVersion: rbac.authorization.k8s.io/v1
 {{- if .Values.singleNamespace }}
 kind: RoleBinding
-metadata:
- name: {{ .Release.Name }}-{{ .Values.server.name}}
 {{ else }}
 kind: ClusterRoleBinding
+{{- end }}
 metadata:
 name: {{ .Release.Name }}-{{ .Values.server.name}}
-{{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
+ {{- if .Values.singleNamespace }}
+ kind: Role
+ {{ else }}
 kind: ClusterRole
+ {{- end }}
 name: {{ .Release.Name }}-{{ .Values.server.name}}
 subjects:
 - kind: ServiceAccount
@@ -19,12 +21,20 @@ subjects:
 namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: RoleBinding
+{{ else }}
 kind: ClusterRoleBinding
+{{- end }}
 metadata:
 name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template
 roleRef:
 apiGroup: rbac.authorization.k8s.io
+ {{- if .Values.singleNamespace }}
+ kind: Role
+ {{ else }}
 kind: ClusterRole
+ {{- end }}
 name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-template
 subjects:
 - kind: ServiceAccount
diff --git a/charts/argo/templates/workflow-aggregate-roles.yaml b/charts/argo/templates/workflow-aggregate-roles.yaml
index b89e7b13..168dd862 100644
--- a/charts/argo/templates/workflow-aggregate-roles.yaml
+++ b/charts/argo/templates/workflow-aggregate-roles.yaml
@@ -1,6 +1,10 @@
 {{- if .Values.createAggregateRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+{{ else }}
 kind: ClusterRole
+{{- end }}
 metadata:
 annotations:
 helm.sh/hook: pre-install
@@ -26,7 +30,11 @@ rules:
 - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+{{ else }}
 kind: ClusterRole
+{{- end }}
 metadata:
 annotations:
 helm.sh/hook: pre-install
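Review bot: The RoleBinding variants in server-crb.yaml set only `name:` under `metadata:`, while the subject pins `namespace: {{ .Release.Namespace }}`, so where the binding and its Role land depends on how the manifest is applied. With `helm install` that is the release namespace, but `helm template` output piped to `kubectl apply` goes to the caller's current namespace; adding `namespace: {{ .Release.Namespace }}` under `metadata:` in the `singleNamespace` case keeps the grant in the namespace where the ServiceAccount lives. The same holds for the Roles in server-cluster-roles.yaml and workflow-controller-cluster-roles.yaml. As a style point, the new branches here use `{{ else }}` where server-cluster-roles.yaml uses `{{- else }}`; the untrimmed form leaves a blank line in the rendered manifest.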
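Review bot: In workflow-aggregate-roles.yaml all three objects (`@@ -1,6 +1,10 @@`, `@@ -26,7 +30,11 @@` and `@@ -57,7 +65,11 @@`) turn into `Role` under `singleNamespace`, but role aggregation is a ClusterRole feature: the built-in admin/edit/view roles collect rules only from labelled ClusterRoles. The labels are outside the hunks; if these objects carry `rbac.authorization.k8s.io/aggregate-to-*` labels, as the file name and `createAggregateRoles` suggest, the Roles are never aggregated and nothing in this patch binds them, so they grant nothing. Guarding the file with `{{- if and .Values.createAggregateRoles (not .Values.singleNamespace) }}` would make that explicit instead of installing inert objects.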
@@ -57,7 +65,11 @@ rules:
 - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+{{ else }}
 kind: ClusterRole
+{{- end }}
 metadata:
 annotations:
 helm.sh/hook: pre-install
diff --git a/charts/argo/templates/workflow-controller-cluster-roles.yaml b/charts/argo/templates/workflow-controller-cluster-roles.yaml
index e51f5f4b..e5590060 100644
--- a/charts/argo/templates/workflow-controller-cluster-roles.yaml
+++ b/charts/argo/templates/workflow-controller-cluster-roles.yaml
@@ -1,5 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
 name: {{ .Release.Name }}-{{ .Values.controller.name }}
 rules:
@@ -127,7 +131,11 @@ rules:
 - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
 name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
 rules:
diff --git a/charts/argo/templates/workflow-controller-crb.yaml b/charts/argo/templates/workflow-controller-crb.yaml
index 459a3c67..5e171155 100644
--- a/charts/argo/templates/workflow-controller-crb.yaml
+++ b/charts/argo/templates/workflow-controller-crb.yaml
@@ -8,7 +8,11 @@ metadata:
 name: {{ .Release.Name }}-{{ .Values.controller.name }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
+ {{- if .Values.singleNamespace }}
+ kind: Role
+ {{ else }}
 kind: ClusterRole
+ {{- end }}
 name: {{ .Release.Name }}-{{ .Values.controller.name }}
 subjects:
 - kind: ServiceAccount
@@ -27,12 +31,20 @@ subjects:
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: RoleBinding
+{{ else }}
 kind: ClusterRoleBinding
+{{- end }}
 metadata:
 name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
 roleRef:
 apiGroup: rbac.authorization.k8s.io
+ {{- if .Values.singleNamespace }}
+ kind: Role
+ {{ else }}
 kind: ClusterRole
+ {{- end }}
 name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template
 subjects:
 - kind: ServiceAccount