chore(argo-workflows): Improve argo-workflow controller clusterrole policy (#3263)

* chore: improve argo-workflow controller clusterrole Signed-off-by: liyang <daviderli614@gmail.com> * update artifacthub.io/changes Signed-off-by: liyang <daviderli614@gmail.com> --------- Signed-off-by: liyang <daviderli614@gmail.com>
2025-05-02 22:49:06 +08:00 · 2025-05-02 22:49:06 +08:00 · 7008b5b76b
parent ef2a238af5
commit 7008b5b76b
2 changed files with 12 additions and 11 deletions
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v3.6.7
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.45.13
+version: 0.45.14
 icon: https://argo-workflows.readthedocs.io/en/stable/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@ -17,4 +17,4 @@ annotations:
    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
  artifacthub.io/changes: |
    - kind: changed
-      description: Bump argo-workflows to v3.6.7
+      description: Improve argo-workflow controller clusterrole policy
--- a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
@ -167,6 +167,16 @@ rules:
  - update
  - patch
  - delete
+{{- if .Values.controller.rbac.accessAllSecrets }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+{{- else }}
 - apiGroups:
  - ""
  resources:
@ -187,15 +197,6 @@ rules:
  - watch
  resourceNames: {{- toYaml . | nindent 4 }}
 {{- end }}
-{{- if and (not .Values.controller.rbac.secretWhitelist) (.Values.controller.rbac.accessAllSecrets) }}
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
 {{- end }}

 {{- if and .Values.controller.clusterWorkflowTemplates.enabled (not .Values.singleNamespace) }}