feat(Argo): Add secret access whitelist for server. (#499)

Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
2020-11-18 11:59:17 -08:00 · 2020-11-18 11:59:17 -08:00 · af9a14a1ec
commit af9a14a1ec
parent d265f7dd75
3 changed files with 25 additions and 14 deletions
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: v2.11.7
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.13.6
+version: 0.13.7
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
--- a/charts/argo/templates/server-cluster-roles.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@ -13,12 +13,6 @@ rules:
  - get
  - watch
  - list
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
@ -30,6 +24,21 @@ rules:
  - list
  - watch
  - delete
 - apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
 {{- with .Values.server.rbac.secretWhitelist }}
  resourceNames: {{- toYaml . | nindent 4 }}
 {{- end }}
 - apiGroups:
  - ""
  resources:
@ -41,15 +50,14 @@ rules:
  - ""
  resources:
  - secrets
  - serviceaccounts
  resourceNames:
-  {{- if .Values.controller.persistence.postgresql }}
+  {{- with .Values.controller.persistence.postgresql }}
-  - {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
+  - {{ .userNameSecret.name }}
-  - {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
+  - {{ .passwordSecret.name }}
  {{- end}}
-  {{- if .Values.controller.persistence.mysql }}
+  {{- with .Values.controller.persistence.mysql }}
-  - {{ .Values.controller.persistence.mysql.userNameSecret.name }}
+  - {{ .userNameSecret.name }}
-  - {{ .Values.controller.persistence.mysql.passwordSecret.name }}
+  - {{ .passwordSecret.name }}
  {{- end}}
  verbs:
  - get
--- a/charts/argo/values.yaml
+++ b/charts/argo/values.yaml
@ -164,6 +164,9 @@ server:
  serviceType: ClusterIP
  servicePort: 2746
  # servicePortName: http
  rbac:
    # When present, restricts secrets the server can read to a given list.
    secretWhitelist: []
  serviceAccount: argo-server
  # Whether to create the service account with the name specified in
  # server.serviceAccount and bind it to the server role.