diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml index 7ac88c50..ccc7fa7f 100644 --- a/charts/argo/Chart.yaml +++ b/charts/argo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: v2.11.7 description: A Helm chart for Argo Workflows name: argo -version: 0.13.6 +version: 0.13.7 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm maintainers: diff --git a/charts/argo/templates/server-cluster-roles.yaml b/charts/argo/templates/server-cluster-roles.yaml index eb7b71a4..ac51e455 100644 --- a/charts/argo/templates/server-cluster-roles.yaml +++ b/charts/argo/templates/server-cluster-roles.yaml @@ -13,12 +13,6 @@ rules: - get - watch - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - apiGroups: - "" resources: @@ -30,6 +24,21 @@ rules: - list - watch - delete +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +{{- with .Values.server.rbac.secretWhitelist }} + resourceNames: {{- toYaml . | nindent 4 }} +{{- end }} - apiGroups: - "" resources: @@ -41,15 +50,14 @@ rules: - "" resources: - secrets - - serviceaccounts resourceNames: - {{- if .Values.controller.persistence.postgresql }} - - {{ .Values.controller.persistence.postgresql.userNameSecret.name }} - - {{ .Values.controller.persistence.postgresql.passwordSecret.name }} + {{- with .Values.controller.persistence.postgresql }} + - {{ .userNameSecret.name }} + - {{ .passwordSecret.name }} {{- end}} - {{- if .Values.controller.persistence.mysql }} - - {{ .Values.controller.persistence.mysql.userNameSecret.name }} - - {{ .Values.controller.persistence.mysql.passwordSecret.name }} + {{- with .Values.controller.persistence.mysql }} + - {{ .userNameSecret.name }} + - {{ .passwordSecret.name }} {{- end}} verbs: - get diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml index 4fa4cd7a..5a9a452b 100644 --- a/charts/argo/values.yaml 
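Review bot: In the new `secrets` rule of the `@@ -30,6 +24,21 @@` hunk, `{{- with .Values.server.rbac.secretWhitelist }}` is skipped for an empty list, so the shipped default `secretWhitelist: []` renders the rule without `resourceNames` and the server keeps `get` on every secret in scope. The setting therefore fails open, and an empty list cannot be used to mean "no secrets". The values.yaml comment in the last hunk should say so, for example `# Empty (default) leaves the server able to get every secret; list secret names to restrict it.` If this rule is rendered into a ClusterRole, a listed name matches a secret of that name in any namespace, which is worth stating there as well. The same hunk also adds an unrestricted `get` on `serviceaccounts`, which the third hunk removes from the rule limited by `resourceNames`.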
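Review bot: In the `@@ -41,15 +50,14 @@` hunk, `resourceNames:` is emitted before the two `with` blocks, so when neither `postgresql` nor `mysql` is set under `controller.persistence` the key renders empty, and Kubernetes applies a rule with no resource names to all secrets. The start of this rule is outside the hunk, so an enclosing guard may already prevent that; if not, the rule should be wrapped in a condition on the two backends. The names are also interpolated unquoted; `- {{ .userNameSecret.name | quote }}` (and likewise for `passwordSecret`) keeps a numeric- or boolean-looking secret name a string.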
+++ b/charts/argo/values.yaml @@ -164,6 +164,9 @@ server: serviceType: ClusterIP servicePort: 2746 # servicePortName: http + rbac: + # When present, restricts secrets the server can read to a given list. + secretWhitelist: [] serviceAccount: argo-server # Whether to create the service account with the name specified in # server.serviceAccount and bind it to the server role.