fix(argo-workflows): Restore RBAC permission and clarify namespace settings. (#989)

Signed-off-by: Vlad Losev <vladimir.losev@sage.com>

charts/argo-workflows/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.8.0
-appVersion: "v3.2.0"
+version: 0.8.1
+appVersion: v3.2.0
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -15,4 +15,4 @@ maintainers:
   - name: benjaminws
 annotations:
   artifacthub.io/changes: |
-    - "[Added]: Workflow Controller ConfigMap Executor ImagePullPolicy"
+    - "[Changed]: Restore RBAC permissions and clarify namespace settings."

charts/argo-workflows/README.md

@@ -25,7 +25,11 @@ Fields to note:
 - `controller.instanceID.enabled`: If set to true, the Argo Controller will **ONLY** monitor Workflow submissions with a `--instanceid` attribute
 - `controller.instanceID.useReleaseName`: If set to true then chart set controller instance id to release name
 - `controller.instanceID.explicitID`: Allows customization of an instance id for the workflow controller to monitor
-- `controller.workflowNamespaces`: This is a list of namespaces where workflows will be ran
+- `singleNamespace`:  When true, restricts the workflow controller to operate
+  in just the single namespace (that one of the Helm release).
+- `controller.workflowNamespaces`: This is a list of namespaces where the
+  workflow controller will manage workflows. Only valid when `singleNamespace`
+  is false.
 
 ## Breaking changes from the deprecated `argo` chart
 

charts/argo-workflows/templates/controller/workflow-controller-crb.yaml

@@ -20,17 +20,6 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "argo-workflows.controllerServiceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-{{- if .Values.controller.workflowNamespaces }}
-{{- $uiServiceAccount := (include "argo-workflows.controllerServiceAccountName" .) }}
-{{- $namespace := .Release.Namespace }}
-{{- range $key := .Values.controller.workflowNamespaces }}
-  {{- if not (eq $key $namespace) }}
-  - kind: ServiceAccount
-    name: {{ $uiServiceAccount }}
-    namespace: {{ $key }}
-  {{- end }}
-{{- end }}
-{{- end }}
 
 {{- if .Values.controller.clusterWorkflowTemplates.enabled }}
 ---

charts/argo-workflows/templates/controller/workflow-rb.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.workflow.rbac.create -}}
-  {{- range $namespace := or .Values.singleNamespace false | ternary (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) (list "") }}
+  {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq)  }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/argo-workflows/templates/controller/workflow-role.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.workflow.rbac.create -}}
-  {{- range $namespace := or .Values.singleNamespace false | ternary (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) (list "") }}
+  {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq)  }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

charts/argo-workflows/templates/controller/workflow-sa.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.workflow.serviceAccount.create -}}
-  {{- range $namespace := or .Values.singleNamespace false | ternary (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) (list "") }}
+  {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq)  }}
 ---
 apiVersion: v1
 kind: ServiceAccount

charts/argo-workflows/values.yaml

@@ -19,12 +19,14 @@ fullnameOverride:
 ##
 kubeVersionOverride: ""
 
-# Restrict Argo to only deploy into a single namespace by apply Roles and RoleBindings instead of the Cluster equivalents,
-# and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy.
+# Restrict Argo to operate only in a single namespace (the namespace of the
+# Helm release) by apply Roles and RoleBindings instead of the Cluster
+# equivalents, and start workflow-controller with the --namespaced flag. Use it
+# in clusters with strict access policy.
 singleNamespace: false
 
 workflow:
-  namespace: # Deprecated, for backwards compatibility: specify a single namespace to run workflows in
+  namespace: # Deprecated; use controller.workflowNamespaces instead.
   serviceAccount:
     create: false # Specifies whether a service account should be created
     annotations: {}
@@ -111,8 +113,9 @@ controller:
     # Annotations applied to created service account
     annotations: {}
   name: workflow-controller
-  # Specify all namespaces to run worksflows need to be able to run in. This controls where the service
-  # account and RBAC resources will be created. If unspecified, will run in the default namespace.
+  # Specify all namespaces where this workflow controller instance will manage
+  # workflows. This controls where the service account and RBAC resources will
+  # be created. Only valid when singleNamespace is false.
   workflowNamespaces:
     - default
   containerRuntimeExecutor: docker