feat: add support for namespaced install (#263)

.gitignore

@@ -1,4 +1,5 @@
 output
 .vscode
 .DS_Store
+.idea
 **/*.tgz

charts/argo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "v2.7.6"
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.8.4
+version: 0.8.5
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:

charts/argo/templates/server-cluster-role.yaml

@@ -1,8 +1,14 @@
 {{- if .Values.server.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.server.name }}-role
+{{ else }}
 kind: ClusterRole
 metadata:
-  name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-role
+  name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-role
+{{- end }}
 rules:
 - apiGroups:
   - ""

charts/argo/templates/server-crb.yaml

@@ -1,12 +1,23 @@
 {{- if .Values.server.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.server.name}}-rb
+{{ else }}
 kind: ClusterRoleBinding
 metadata:
   name: {{ .Release.Name }}-{{ .Values.server.name}}-crb
+{{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.singleNamespace }}
+  kind: Role
+  name: {{ .Release.Name }}-{{ .Values.server.name}}-role
+  {{ else }}
   kind: ClusterRole
   name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-role
+  {{- end }}
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.server.serviceAccount }}

charts/argo/templates/server-deployment.yaml

@@ -1,5 +1,5 @@
-
-{{- if .Values.server.enabled -}}apiVersion: apps/v1
+{{- if .Values.server.enabled -}}
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ .Release.Name }}-{{ .Values.server.name}}
@@ -13,7 +13,6 @@ spec:
     matchLabels:
       app: {{ .Release.Name }}-{{ .Values.server.name}}
       release: {{ .Release.Name }}
-      app: {{ .Release.Name }}-{{ .Values.server.name}}
   template:
     metadata:
       labels:
@@ -35,26 +34,24 @@ spec:
           {{- if .Values.server.extraArgs }}
           {{- toYaml .Values.server.extraArgs | nindent 10 }}
           {{- end }}
+          {{- if .Values.singleNamespace }}
+          - "--namespaced"
+          {{- end }}
           image: "{{ .Values.images.namespace }}/{{ .Values.images.server }}:{{ default .Values.images.tag .Values.server.image.tag }}"
           imagePullPolicy: {{ .Values.images.pullPolicy }}
           {{- if .Values.server.podPortName }}
           ports:
           - name: {{ .Values.server.podPortName }}
-            ports:
             containerPort: 2746
-            readinessProbe:
-              httpGet:
-                path: /
-                port: 2746
-                scheme: HTTP
-              initialDelaySeconds: 10
-              periodSeconds: 20
           {{- end }}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 2746
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 20
           env:
-          {{- if .Values.server.forceNamespaceIsolation }}
-          - name: FORCE_NAMESPACE_ISOLATION
-            value: "true"
-          {{- end }}
           - name: IN_CLUSTER
             value: "true"
           - name: ARGO_NAMESPACE

charts/argo/templates/server-sa.yaml

@@ -3,4 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.server.serviceAccount }}
+  annotations:
+{{ toYaml .Values.server.serviceAccountAnnotations | indent 4 }}
 {{- end -}}

charts/argo/templates/workflow-controller-clusterrole.yaml

@@ -1,7 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
+{{ else }}
 kind: ClusterRole
 metadata:
-  name: {{ .Release.Name }}-{{ .Values.controller.name}}-cluster-role
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role
+{{- end }}
 rules:
 - apiGroups:
   - ""

charts/argo/templates/workflow-controller-config-map.yaml

@@ -16,6 +16,11 @@ data:
     {{- end }}
     {{- end }}
     containerRuntimeExecutor: {{ .Values.controller.containerRuntimeExecutor }}
+    {{- with .Values.executor.resources }}
+    executor:
+      resources:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
     artifactRepository:
       {{- if or .Values.minio.install .Values.useDefaultArtifactRepo }}
       {{- if .Values.artifactRepository.archiveLogs }}

charts/argo/templates/workflow-controller-crb.yaml

@@ -1,11 +1,20 @@
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: RoleBinding
+{{ else }}
 kind: ClusterRoleBinding
+{{- end }}
 metadata:
-  name: {{ .Release.Name }}-{{ .Values.controller.name}}-binding
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.singleNamespace }}
+  kind: Role
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
+  {{ else }}
   kind: ClusterRole
-  name: {{ .Release.Name }}-{{ .Values.controller.name}}-cluster-role
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role
+  {{- end }}
 subjects:
   - kind: ServiceAccount
     name: {{ .Values.controller.serviceAccount }}

charts/argo/templates/workflow-controller-deployment.yaml

@@ -40,6 +40,9 @@ spec:
           - "{{ .Values.controller.logging.level }}"
           - "--gloglevel"
           - "{{ .Values.controller.logging.globallevel }}"
+          {{- if .Values.singleNamespace }}
+          - "--namespaced"
+          {{- end }}
           env:
           - name: ARGO_NAMESPACE
             valueFrom:

charts/argo/templates/workflow-controller-sa.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.controller.serviceAccount }}
+  annotations:
+{{ toYaml .Values.controller.serviceAccountAnnotations | indent 4 }}

charts/argo/values.yaml

@@ -16,6 +16,10 @@ init:
 
 createAggregateRoles: true
 
+# Restrict Argo to only deploy into a single namespace by apply Roles and RoleBindings instead of the Cluster equivalents,
+# and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy.
+singleNamespace: false
+
 controller:
   image:
     # Overrides .images.tag if defined.
@@ -59,6 +63,8 @@ controller:
     enabled: false
     additionalLabels: {}
   serviceAccount: argo
+  # Service account annotations
+  serviceAccountAnnotations: {}
   name: workflow-controller
   workflowNamespaces:
     - default
@@ -99,15 +105,15 @@ controller:
   tolerations: []
   affinity: {}
 
+# executor controls how the init and wait container should be customized
 executor:
   image:
     # Overrides .images.tag if defined.
     tag: ""
+  resources: {}
 
 server:
   enabled: true
-  # only show workflows where UI installed
-  forceNamespaceIsolation: false
   # only updates base url of resources on client side,
   # it's expected that a proxy server rewrites the request URL and gets rid of this prefix
   # https://github.com/argoproj/argo/issues/716#issuecomment-433213190
@@ -124,6 +130,8 @@ server:
   servicePort: 2746
   # servicePortName: http
   serviceAccount: argo-server
+  # Service account annotations
+  serviceAccountAnnotations: {}
   # Annotations to be applied to the UI Service
   serviceAnnotations: {}
   # Optional labels to add to the UI Service