feat(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding (#2676)

remove unnecessary if statements Signed-off-by: Daniel Beilin <daniel.beilin@outlook.com> Co-authored-by: Aikawa <yu.croco@gmail.com>
2024-05-01 06:37:24 -07:00 · 2024-05-01 06:37:24 -07:00 · 966b745e7b
commit 966b745e7b
parent 6c08745136
5 changed files with 24 additions and 6 deletions
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v3.5.6
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.41.3
+version: 0.41.4
 icon: https://argo-workflows.readthedocs.io/en/stable/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@ -16,5 +16,5 @@ annotations:
    fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
  artifacthub.io/changes: |
-    - kind: changed
-      description: Fix hyphen typo in values.yaml comments
+    - kind: added
+      description: Added option to add service accounts to RoleBindings
--- a/charts/argo-workflows/README.md
+++ b/charts/argo-workflows/README.md
@ -134,6 +134,7 @@ Fields to note:
 |-----|------|---------|-------------|
 | workflow.namespace | string | `nil` | Deprecated; use controller.workflowNamespaces instead. |
 | workflow.rbac.create | bool | `true` | Adds Role and RoleBinding for the above specified service account to be able to run workflows. A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) |
+| workflow.rbac.serviceAccounts | list | `[]` | Extra service accounts to be added to the RoleBinding |
 | workflow.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
 | workflow.serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
 | workflow.serviceAccount.labels | object | `{}` | Labels applied to created service account |
@ -146,6 +147,7 @@ Fields to note:
 |-----|------|---------|-------------|
 | controller.affinity | object | `{}` | Assign custom [affinity] rules |
 | controller.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates. |
+| controller.clusterWorkflowTemplates.serviceAccounts | list | `[]` | Extra service accounts to be added to the ClusterRoleBinding |
 | controller.columns | list | `[]` | Configure Argo Server to show custom [columns] |
 | controller.configMap.create | bool | `true` | Create a ConfigMap for the controller |
 | controller.configMap.name | string | `""` | ConfigMap name |
--- a/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml
@ -41,5 +41,10 @@ subjects:
  - kind: ServiceAccount
    name: {{ template "argo-workflows.controllerServiceAccountName" . }}
    namespace: {{ include "argo-workflows.namespace" . | quote }}
+{{- range .Values.controller.clusterWorkflowTemplates.serviceAccounts }}
+  - kind: ServiceAccount
+    name: {{ .name }}
+    namespace: {{ .namespace | quote }}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/charts/argo-workflows/templates/controller/workflow-rb.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-rb.yaml
@ -17,8 +17,11 @@ roleRef:
 subjects:
  - kind: ServiceAccount
    name: {{ $.Values.workflow.serviceAccount.name }}
-    {{- with $namespace }}
-    namespace: {{ . }}
-    {{- end }}
+    namespace: {{ $namespace }}
+  {{- range $.Values.workflow.rbac.serviceAccounts }}
+  - kind: ServiceAccount
+    name: {{ .name }}
+    namespace: {{ .namespace | quote }}
+  {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -69,6 +69,10 @@ workflow:
    # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
    create: true
+    # -- Extra service accounts to be added to the RoleBinding
+    serviceAccounts: []
+      # - name: my-service-account
+      #   namespace: my-namespace

 controller:
  image:
@ -361,6 +365,10 @@ controller:
  clusterWorkflowTemplates:
    # -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
    enabled: true
+    # -- Extra service accounts to be added to the ClusterRoleBinding
+    serviceAccounts: []
+      # - name: my-service-account
+      #   namespace: my-namespace
  # -- Extra containers to be added to the controller deployment
  extraContainers: []