feat(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding #2676

dbeilin · 2024-05-01T10:41:50Z

I added an option to add additional SAs to the RoleBinding and ClusterRoleBinding that is created by default under controller.clusterWorkflowTemplates and workflow.rbac. This way users can configure other Service Accounts to be bound to that default Role.

Example: by providing a list of ServiceAccounts:

    serviceAccounts:
      - name: my-service-account
        namespace: my-namespace

I got the following result (helm template -f values.yaml . --show-only templates/controller/workflow-rb.yaml):

---
# Source: argo-workflows/templates/controller/workflow-rb.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-argo-workflows-workflow
  labels:
    helm.sh/chart: argo-workflows-0.41.4
    app.kubernetes.io/name: argo-workflows-workflow-controller
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: workflow-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argo-workflows
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: release-name-argo-workflows-workflow
subjects:
  - kind: ServiceAccount
    name: argo-workflow
    namespace: default
  - kind: ServiceAccount
    name: my-service-account
    namespace: "my-namespace"
---
# Source: argo-workflows/templates/controller/workflow-rb.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-argo-workflows-workflow
  labels:
    helm.sh/chart: argo-workflows-0.41.4
    app.kubernetes.io/name: argo-workflows-workflow-controller
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: workflow-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argo-workflows
  namespace: argo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: release-name-argo-workflows-workflow
subjects:
  - kind: ServiceAccount
    name: argo-workflow
    namespace: argo
  - kind: ServiceAccount
    name: my-service-account
    namespace: "my-namespace"

And CRB (helm template -f values.yaml . --show-only templates/controller/workflow-controller-crb.yaml):

---
# Source: argo-workflows/templates/controller/workflow-controller-crb.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-argo-workflows-workflow-controller
  labels:
    helm.sh/chart: argo-workflows-0.41.4
    app.kubernetes.io/name: argo-workflows-workflow-controller
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: workflow-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argo-workflows
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-argo-workflows-workflow-controller
subjects:
  - kind: ServiceAccount
    name: release-name-argo-workflows-workflow-controller
    namespace: "argo"
---
# Source: argo-workflows/templates/controller/workflow-controller-crb.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-argo-workflows-workflow-controller-cluster-template
  labels:
    helm.sh/chart: argo-workflows-0.41.4
    app.kubernetes.io/name: argo-workflows-workflow-controller
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: workflow-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argo-workflows
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-argo-workflows-workflow-controller-cluster-template
subjects:
  - kind: ServiceAccount
    name: release-name-argo-workflows-workflow-controller
    namespace: "argo"
  - kind: ServiceAccount
    name: my-service-account
    namespace: "my-namespace"

Checklist:

I have bumped the chart version according to versioning
I have updated the documentation according to documentation
I have updated the chart changelog with all the changes that come with this pull request according to changelog.
Any new values are backwards compatible and/or have sensible default.
I have signed off all my commits as required by DCO.
My build is green (troubleshooting builds).

charts/argo-workflows/templates/controller/workflow-controller-crb.yaml

Signed-off-by: Daniel Beilin <daniel.beilin@outlook.com>

yu-croco

Thank you for your contribution. LGTM.

…Binding (argoproj#2676) remove unnecessary if statements Signed-off-by: Daniel Beilin <daniel.beilin@outlook.com> Co-authored-by: Aikawa <yu.croco@gmail.com> Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com>

* feat(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding (#2676) remove unnecessary if statements Signed-off-by: Daniel Beilin <daniel.beilin@outlook.com> Co-authored-by: Aikawa <yu.croco@gmail.com> Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * feat(argo-cd): Support ability to set .Values.namespaceOverride Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): typo Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * chore(deps): update actions/create-github-app-token action to v1.10.0 (#2677) Co-authored-by: renovate[bot] <renovate[bot]@users.noreply.github.com> Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * feat(argo-rollouts): Add podLabels at the controller & dashboard level (#2678) Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * feat(argo-cd): Support ability to set .Values.namespaceOverride Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): typo Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): autocorrection Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): typos Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): typos Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * removed auota Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * Update Chart.yaml Signed-off-by: Andres Vara <46708607+andres-vara@users.noreply.github.com> --------- Signed-off-by: Daniel Beilin <daniel.beilin@outlook.com> Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> Signed-off-by: Andres Vara <46708607+andres-vara@users.noreply.github.com> Co-authored-by: Daniel Beilin <144586547+dbeilin@users.noreply.github.com> Co-authored-by: Aikawa <yu.croco@gmail.com> Co-authored-by: Andres Vara Parsegov <andres.vara@chase.com> Co-authored-by: argoproj-renovate[bot] <161757507+argoproj-renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <renovate[bot]@users.noreply.github.com> Co-authored-by: mitchell amihod <mitchell@amihod.com>

…proj#2679) * feat(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding (argoproj#2676) remove unnecessary if statements Signed-off-by: Daniel Beilin <daniel.beilin@outlook.com> Co-authored-by: Aikawa <yu.croco@gmail.com> Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * feat(argo-cd): Support ability to set .Values.namespaceOverride Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): typo Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * chore(deps): update actions/create-github-app-token action to v1.10.0 (argoproj#2677) Co-authored-by: renovate[bot] <renovate[bot]@users.noreply.github.com> Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * feat(argo-rollouts): Add podLabels at the controller & dashboard level (argoproj#2678) Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * feat(argo-cd): Support ability to set .Values.namespaceOverride Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): typo Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): autocorrection Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): typos Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * fix(argo-cd): typos Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * removed auota Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> * Update Chart.yaml Signed-off-by: Andres Vara <46708607+andres-vara@users.noreply.github.com> --------- Signed-off-by: Daniel Beilin <daniel.beilin@outlook.com> Signed-off-by: Andres Vara Parsegov <andres.vara@chase.com> Signed-off-by: Andres Vara <46708607+andres-vara@users.noreply.github.com> Co-authored-by: Daniel Beilin <144586547+dbeilin@users.noreply.github.com> Co-authored-by: Aikawa <yu.croco@gmail.com> Co-authored-by: Andres Vara Parsegov <andres.vara@chase.com> Co-authored-by: argoproj-renovate[bot] <161757507+argoproj-renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <renovate[bot]@users.noreply.github.com> Co-authored-by: mitchell amihod <mitchell@amihod.com> Signed-off-by: vitor.cassiano <vitor.cassiano@picpay.com>

dbeilin requested review from vladlosev, jmeridth, yu-croco and tico24 as code owners May 1, 2024 10:41

github-actions bot added size/M argo-workflows and removed size/M labels May 1, 2024

dbeilin changed the title ~~added(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding~~ feat(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding May 1, 2024

tico24 approved these changes May 1, 2024

View reviewed changes

yu-croco reviewed May 1, 2024

View reviewed changes

charts/argo-workflows/templates/controller/workflow-controller-crb.yaml Outdated Show resolved Hide resolved

github-actions bot added the size/M label May 1, 2024

dbeilin force-pushed the add_crb_subjects branch from c212249 to f0c5400 Compare May 1, 2024 13:21

remove unnecessary if statements

985fda5

Signed-off-by: Daniel Beilin <daniel.beilin@outlook.com>

dbeilin force-pushed the add_crb_subjects branch from f0c5400 to 985fda5 Compare May 1, 2024 13:26

Merge branch 'main' into add_crb_subjects

8c3a080

yu-croco approved these changes May 1, 2024

View reviewed changes

yu-croco merged commit 966b745 into argoproj:main May 1, 2024
6 checks passed

dbeilin deleted the add_crb_subjects branch May 1, 2024 14:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding #2676

feat(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding #2676

dbeilin commented May 1, 2024 •

edited

yu-croco left a comment

feat(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding #2676

feat(argo-workflows): Allow adding additional ServiceAccounts to RoleBinding #2676

Conversation

dbeilin commented May 1, 2024 • edited

yu-croco left a comment

Choose a reason for hiding this comment

dbeilin commented May 1, 2024 •

edited