diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index fd9bc5a1..60d71bf1 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v3.4.3 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.20.8 +version: 0.20.9 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm sources: @@ -13,4 +13,4 @@ maintainers: url: https://argoproj.github.io/ annotations: artifacthub.io/changes: | - - "[Fixed]: add missing attribute for sso" + - "[Fixed]: allow users to optionally whitelist secrets" diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index b02fcc11..3f60f868 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md @@ -107,6 +107,7 @@ Fields to note: | controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods | | controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. | | controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. | +| controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets | | controller.replicas | int | `1` | The number of controller pods to run | | controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. | | controller.resources | object | `{}` | Resource limits and requests for the controller | diff --git a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml index 4b0f389a..34f91c0d 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml @@ -164,6 +164,17 @@ rules: resourceNames: {{/* for HTTP templates */}} - argo-workflows-agent-ca-certificates +{{- with .Values.controller.rbac.secretWhitelist }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + resourceNames: {{- toYaml . | nindent 4 }} +{{- end }} {{- if .Values.controller.clusterWorkflowTemplates.enabled }} --- diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index c8a68bcf..3a371a8f 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -70,6 +70,8 @@ controller: rbac: # -- Adds Role and RoleBinding for the controller. create: true + # -- Allows controller to get, list, and watch certain k8s secrets + secretWhitelist: [] # -- Limits the maximum number of incomplete workflows in a namespace namespaceParallelism: