Skip to content

feat(argo-workflows): Allow controller to whitelist secrets #1646

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yu-croco merged 4 commits into from
Nov 23, 2022
Merged

feat(argo-workflows): Allow controller to whitelist secrets #1646

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
251477b
allow users to whitelist secrets
yolu-kxs Nov 22, 2022
09c30e6
remove unnecessary if-statement
emmayylu Nov 22, 2022
a82ab8b
use square bracket for array
emmayylu Nov 23, 2022
bc976c2
fix typo and update readme
emmayylu Nov 23, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions charts/argo-workflows/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ appVersion: v3.4.3
name: argo-workflows
description: A Helm chart for Argo Workflows
type: application
version: 0.20.8
version: 0.20.9
icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
home: https://github.com/argoproj/argo-helm
sources:
Expand All @@ -13,4 +13,4 @@ maintainers:
url: https://argoproj.github.io/
annotations:
artifacthub.io/changes: |
- "[Fixed]: add missing attribute for sso"
- "[Fixed]: allow users to optionally whitelist secrets"
1 change: 1 addition & 0 deletions charts/argo-workflows/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ Fields to note:
| controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods |
| controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. |
| controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. |
| controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets |
| controller.replicas | int | `1` | The number of controller pods to run |
| controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. |
| controller.resources | object | `{}` | Resource limits and requests for the controller |
Expand Down
11 changes: 11 additions & 0 deletions charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,17 @@ rules:
resourceNames:
{{/* for HTTP templates */}}
- argo-workflows-agent-ca-certificates
{{- with .Values.controller.rbac.secretWhitelist }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
resourceNames: {{- toYaml . | nindent 4 }}
{{- end }}

{{- if .Values.controller.clusterWorkflowTemplates.enabled }}
---
Expand Down
2 changes: 2 additions & 0 deletions charts/argo-workflows/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,8 @@ controller:
rbac:
# -- Adds Role and RoleBinding for the controller.
create: true
# -- Allows controller to get, list, and watch certain k8s secrets
secretWhitelist: []

# -- Limits the maximum number of incomplete workflows in a namespace
namespaceParallelism:
Expand Down