Merge pull request #1178 from rackerlabs/more-workflows

cardoe · web-flow · commit 66c3c019e731 · 2025-08-25T17:52:54.000Z
fix(argo-workflows): partially revert 8f5726d
diff --git a/components/argo/argo-server-role.yaml b/components/argo/argo-server-role.yaml
@@ -0,0 +1,30 @@
+# This is a role and rolebinding to provide the argo-server with permissions
+# it needs to run in its own namespace.
+# - to read the configmap for its configuration
+# - read the SSO secret
+# - create and read other secrets for auth tokens
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argo-server-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - watch
+    resourceNames:
+      - workflow-controller-configmap
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+    resourceNames:
+      - argo-sso
+      - sso
diff --git a/components/argo/argo-server-rolebinding.yaml b/components/argo/argo-server-rolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-server-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argo-server-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-server
diff --git a/components/argo/kustomization.yaml b/components/argo/kustomization.yaml
@@ -11,6 +11,10 @@ resources:
   # to the ClusterRole for just the namespaces we want.
   - https://github.com/argoproj/argo-workflows/manifests/cluster-install/?ref=v3.6.10
 
+  # adds argo-server role so the argo-server has enough permissions to run
+  - argo-server-role.yaml
+  - argo-server-rolebinding.yaml
+
   # ingress for workflows.${DNS_ZONE} to the argo server for the UI
   - ingress.yaml
 
@@ -41,6 +45,13 @@ patches:
     name: argo-server-binding
   path: delete-argo-server-crb.yaml
 
+- target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: Role
+    name: argo-role
+  path: workflow-controller-role.yaml
+
 # see the patch for details on the change
 - target:
     group: apps
diff --git a/components/argo/workflow-controller-role.yaml b/components/argo/workflow-controller-role.yaml
@@ -0,0 +1,8 @@
+---
+- op: add
+  path: /rules/-
+  value:
+    apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "watch"]
+    resourceNames: ["workflow-controller-configmap"]
