feat(argo-workflows): Allow controller to whitelist secrets (#1646)

* allow users to whitelist secrets Signed-off-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com> * remove unnecessary if-statement Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> * use square bracket for array Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> * fix typo and update readme Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> Signed-off-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com> Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> Co-authored-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com>
2022-11-23 00:17:56 -07:00 · 2022-11-23 00:17:56 -07:00 · 16cf7af98b
parent 7105de193a
commit 16cf7af98b
4 changed files with 16 additions and 2 deletions
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v3.4.3
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.20.8
+version: 0.20.9
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@ -13,4 +13,4 @@ maintainers:
    url: https://argoproj.github.io/
 annotations:
  artifacthub.io/changes: |
-    - "[Fixed]: add missing attribute for sso"
+    - "[Fixed]: allow users to optionally whitelist secrets"
--- a/charts/argo-workflows/README.md
+++ b/charts/argo-workflows/README.md
@ -107,6 +107,7 @@ Fields to note:
 | controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods |
 | controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. |
 | controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. |
+| controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets |
 | controller.replicas | int | `1` | The number of controller pods to run |
 | controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. |
 | controller.resources | object | `{}` | Resource limits and requests for the controller |
--- a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
@ -164,6 +164,17 @@ rules:
  resourceNames:
  {{/* for HTTP templates */}}
  - argo-workflows-agent-ca-certificates
+{{- with .Values.controller.rbac.secretWhitelist }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  resourceNames: {{- toYaml . | nindent 4 }}
+{{- end }}

 {{- if .Values.controller.clusterWorkflowTemplates.enabled }}
 ---
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -70,6 +70,8 @@ controller:
  rbac:
    # -- Adds Role and RoleBinding for the controller.
    create: true
+    # -- Allows controller to get, list, and watch certain k8s secrets
+    secretWhitelist: []

  # -- Limits the maximum number of incomplete workflows in a namespace
  namespaceParallelism: