feat(argo-workflows): Add parameter to enable or disable server and controller roles (#1166)

* optional role

Signed-off-by: Carl Raiden Worley <carl.worley@10gen.com>

* match existing setting

Signed-off-by: Carl Raiden Worley <carl.worley@10gen.com>

* fix lint

Signed-off-by: Carl Raiden Worley <carl.worley@10gen.com>
main argo-workflows-0.12.0
Raiden Worley 2022-03-12 12:13:42 -05:00 committed by GitHub
parent ec6cd35fed
commit a647fbe123
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 17 additions and 4 deletions


@ -2,7 +2,7 @@ apiVersion: v2
name: argo-workflows
description: A Helm chart for Argo Workflows
type: application
version: 0.11.2
version: 0.12.0
appVersion: v3.2.9
icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
home: https://github.com/argoproj/argo-helm
@ -15,4 +15,4 @@ maintainers:
- name: benjaminws
annotations:
artifacthub.io/changes: |
- "[Changed]: Update to app version v3.2.9"
- "[Added]: Add parameter for enabling roles."


@ -99,6 +99,7 @@ Fields to note:
| controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods |
| controller.podWorkers | string | `nil` | Number of pod workers |
| controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. |
| controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. |
| controller.replicas | int | `1` | The number of controller pods to run |
| controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. |
| controller.resources | object | `{}` | Resource limits and requests for the controller |
@ -169,6 +170,7 @@ Fields to note:
| server.podLabels | object | `{}` | Optional labels to add to the UI pods |
| server.podSecurityContext | object | `{}` | SecurityContext to set on the server pods |
| server.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages |
| server.rbac.create | bool | `true` | Adds Role and RoleBinding for the server. |
| server.replicas | int | `1` | The number of server pods to run |
| server.resources | object | `{}` | Resource limits and requests for the server |
| server.secure | bool | `false` | Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs. |


@ -1,3 +1,4 @@
{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: Role
@ -159,3 +160,4 @@ rules:
- list
- watch
{{- end }}
{{- end }}
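Review bot: The `{{- end }}` added as the last line closes the new `controller.rbac.create` guard but is indistinguishable from the `{{- end }}` directly above it, so a later edit can easily unbalance the file; I would label it, e.g. `{{- end }}{{/* if .Values.controller.rbac.create */}}`. Because the guard opens on line 1 and closes on the last line, every object in this template is dropped when the flag is false, including whatever the preceding `{{- end }}` closes (that block opens outside the hunk), so the flag's scope may be wider than the single `Role` visible here. The controller RoleBinding template in the next file section gets the same wrapper and would benefit from the same label.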


@ -1,3 +1,4 @@
{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: RoleBinding
@ -38,3 +39,4 @@ subjects:
name: {{ template "argo-workflows.controllerServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}


@ -1,4 +1,4 @@
{{- if .Values.server.enabled }}
{{- if and .Values.server.enabled .Values.server.rbac.create}}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: Role
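Review bot: The new condition on the first line is missing the space before the closing delimiter, `.Values.server.rbac.create}}`, while the other actions shown in this commit are written with one; `{{- if and .Values.server.enabled .Values.server.rbac.create }}` keeps the chart's spacing consistent. The template still renders, so this is a style point only. The `if` block it opens is closed outside the hunk.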


@ -1,4 +1,4 @@
{{- if and .Values.server.enabled .Values.server.serviceAccount.create -}}
{{- if and .Values.server.enabled .Values.server.serviceAccount.create .Values.server.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: RoleBinding
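Review bot: With this condition the server RoleBinding is rendered only when `server.serviceAccount.create` is also true, whereas the server Role in the previous file section needs just `server.enabled` and `server.rbac.create`, and the controller binding is gated on `controller.rbac.create` alone. A release that reuses an existing service account (`server.serviceAccount.create: false`) therefore gets a Role that nothing in the chart binds, even with `server.rbac.create: true`, which does not match the documented "Adds Role and RoleBinding for the server". The `serviceAccount.create` coupling predates this commit, but the new flag makes it easy to trip over: either state it in the `server.rbac.create` description, or, if the subject name also resolves for an existing account (the subjects are outside the hunk), reduce the condition to `{{- if and .Values.server.enabled .Values.server.rbac.create -}}`. The block opened here is closed outside the hunk.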


@ -56,6 +56,10 @@ controller:
# limit: 10
# burst: 1
rbac:
# -- Adds Role and RoleBinding for the controller.
create: true
# -- Limits the maximum number of incomplete workflows in a namespace
namespaceParallelism:
# -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224
@ -293,6 +297,9 @@ server:
podLabels: {}
# -- SecurityContext to set on the server pods
podSecurityContext: {}
rbac:
# -- Adds Role and RoleBinding for the server.
create: true
# -- Servers container-level security context
securityContext:
readOnlyRootFilesystem: false
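Review bot: The two new comments, `# -- Adds Role and RoleBinding for the controller.` and the matching server one in the second hunk, do not say what a value of false means for the operator: these templates then render no rules or bindings for that component, so its permissions have to come from RBAC managed outside the chart. The README table carries the same text, so I would spell it out at the source, e.g. `# -- Adds Role and RoleBinding for the controller. Set to false only if equivalent RBAC is managed outside this chart.`, and likewise for the server. The templates pick `kind` based on `singleNamespace`; if the other branch (outside the visible hunks) is cluster-scoped, the wording should mention ClusterRole and ClusterRoleBinding as well.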