diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 3cfb791b..43dc0644 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.8.0 -appVersion: "v3.2.0" +version: 0.8.1 +appVersion: v3.2.0 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm sources: @@ -15,4 +15,4 @@ maintainers: - name: benjaminws annotations: artifacthub.io/changes: | - - "[Added]: Workflow Controller ConfigMap Executor ImagePullPolicy" + - "[Changed]: Restore RBAC permissions and clarify namespace settings." diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index e25a3840..d580d9f3 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md @@ -25,7 +25,11 @@ Fields to note: - `controller.instanceID.enabled`: If set to true, the Argo Controller will **ONLY** monitor Workflow submissions with a `--instanceid` attribute - `controller.instanceID.useReleaseName`: If set to true then chart set controller instance id to release name - `controller.instanceID.explicitID`: Allows customization of an instance id for the workflow controller to monitor -- `controller.workflowNamespaces`: This is a list of namespaces where workflows will be ran +- `singleNamespace`: When true, restricts the workflow controller to operate + in just the single namespace (that one of the Helm release). +- `controller.workflowNamespaces`: This is a list of namespaces where the + workflow controller will manage workflows. Only valid when `singleNamespace` + is false. ## Breaking changes from the deprecated `argo` chart diff --git a/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml b/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml index 1235e325..acb7e514 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml @@ -20,17 +20,6 @@ subjects: - kind: ServiceAccount name: {{ template "argo-workflows.controllerServiceAccountName" . }} namespace: {{ .Release.Namespace }} -{{- if .Values.controller.workflowNamespaces }} -{{- $uiServiceAccount := (include "argo-workflows.controllerServiceAccountName" .) }} -{{- $namespace := .Release.Namespace }} -{{- range $key := .Values.controller.workflowNamespaces }} - {{- if not (eq $key $namespace) }} - - kind: ServiceAccount - name: {{ $uiServiceAccount }} - namespace: {{ $key }} - {{- end }} -{{- end }} -{{- end }} {{- if .Values.controller.clusterWorkflowTemplates.enabled }} --- diff --git a/charts/argo-workflows/templates/controller/workflow-rb.yaml b/charts/argo-workflows/templates/controller/workflow-rb.yaml index 24223ce6..67f22504 100644 --- a/charts/argo-workflows/templates/controller/workflow-rb.yaml +++ b/charts/argo-workflows/templates/controller/workflow-rb.yaml @@ -1,5 +1,5 @@ {{- if .Values.workflow.rbac.create -}} - {{- range $namespace := or .Values.singleNamespace false | ternary (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) (list "") }} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/argo-workflows/templates/controller/workflow-role.yaml b/charts/argo-workflows/templates/controller/workflow-role.yaml index 7e826261..66ad9328 100644 --- a/charts/argo-workflows/templates/controller/workflow-role.yaml +++ b/charts/argo-workflows/templates/controller/workflow-role.yaml @@ -1,5 +1,5 @@ {{- if .Values.workflow.rbac.create -}} - {{- range $namespace := or .Values.singleNamespace false | ternary (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) (list "") }} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/charts/argo-workflows/templates/controller/workflow-sa.yaml b/charts/argo-workflows/templates/controller/workflow-sa.yaml index 952c2dc7..7c76585a 100644 --- a/charts/argo-workflows/templates/controller/workflow-sa.yaml +++ b/charts/argo-workflows/templates/controller/workflow-sa.yaml @@ -1,5 +1,5 @@ {{- if .Values.workflow.serviceAccount.create -}} - {{- range $namespace := or .Values.singleNamespace false | ternary (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) (list "") }} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }} --- apiVersion: v1 kind: ServiceAccount diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index 98a7fda6..625961f4 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -19,12 +19,14 @@ fullnameOverride: ## kubeVersionOverride: "" -# Restrict Argo to only deploy into a single namespace by apply Roles and RoleBindings instead of the Cluster equivalents, -# and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy. +# Restrict Argo to operate only in a single namespace (the namespace of the +# Helm release) by apply Roles and RoleBindings instead of the Cluster +# equivalents, and start workflow-controller with the --namespaced flag. Use it +# in clusters with strict access policy. singleNamespace: false workflow: - namespace: # Deprecated, for backwards compatibility: specify a single namespace to run workflows in + namespace: # Deprecated; use controller.workflowNamespaces instead. serviceAccount: create: false # Specifies whether a service account should be created annotations: {} @@ -111,8 +113,9 @@ controller: # Annotations applied to created service account annotations: {} name: workflow-controller - # Specify all namespaces to run worksflows need to be able to run in. This controls where the service - # account and RBAC resources will be created. If unspecified, will run in the default namespace. + # Specify all namespaces where this workflow controller instance will manage + # workflows. This controls where the service account and RBAC resources will + # be created. Only valid when singleNamespace is false. workflowNamespaces: - default containerRuntimeExecutor: docker