feat(Argo): Add secret access whitelist for server. (#499)

Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
2020-11-18 11:59:17 -08:00 · 2020-11-18 11:59:17 -08:00 · af9a14a1ec
parent d265f7dd75
commit af9a14a1ec
3 changed files with 25 additions and 14 deletions
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: v2.11.7
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.13.6
+version: 0.13.7
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
--- a/charts/argo/templates/server-cluster-roles.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@ -13,12 +13,6 @@ rules:
  - get
  - watch
  - list
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
 - apiGroups:
  - ""
  resources:
@ -30,6 +24,21 @@ rules:
  - list
  - watch
  - delete
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+{{- with .Values.server.rbac.secretWhitelist }}
+  resourceNames: {{- toYaml . | nindent 4 }}
+{{- end }}
 - apiGroups:
  - ""
  resources:
@ -41,15 +50,14 @@ rules:
  - ""
  resources:
  - secrets
-  - serviceaccounts
  resourceNames:
-  {{- if .Values.controller.persistence.postgresql }}
-  - {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
-  - {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
+  {{- with .Values.controller.persistence.postgresql }}
+  - {{ .userNameSecret.name }}
+  - {{ .passwordSecret.name }}
  {{- end}}
-  {{- if .Values.controller.persistence.mysql }}
-  - {{ .Values.controller.persistence.mysql.userNameSecret.name }}
-  - {{ .Values.controller.persistence.mysql.passwordSecret.name }}
+  {{- with .Values.controller.persistence.mysql }}
+  - {{ .userNameSecret.name }}
+  - {{ .passwordSecret.name }}
  {{- end}}
  verbs:
  - get
--- a/charts/argo/values.yaml
+++ b/charts/argo/values.yaml
@ -164,6 +164,9 @@ server:
  serviceType: ClusterIP
  servicePort: 2746
  # servicePortName: http
+  rbac:
+    # When present, restricts secrets the server can read to a given list.
+    secretWhitelist: []
  serviceAccount: argo-server
  # Whether to create the service account with the name specified in
  # server.serviceAccount and bind it to the server role.