oc-k8s/opencloud/templates/argo.yaml

{{- if index .Values "argo-workflows" "enabled" }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-workflow
  namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: custom-argo-clusterrole
rules:
  # Default Argo permissions
  - apiGroups: [""]
    resources: ["configmaps", "pods", "pods/log", "secrets", "persistentvolumeclaims", "serviceaccounts"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["argoproj.io"]
    resources: ["workflows", "workflowtemplates", "cronworkflows", "workflowtasksets", "workfloweventbindings", "clusterworkflowtemplates"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "delete", "get", "list", "update"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["create", "get"]
  # Full power activated
  - apiGroups: [""]
    resources: ["bindings", "endpoints", "events", "limitranges", "namespaces", "nodes", "persistentvolumes", "replicationcontrollers", "resourcequotas"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies", "ingresses"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses", "volumeattachments"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["argoproj.io"]
    resources: ["workflowtaskresults"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: custom-argo-clusterrolebinding
subjects:
  - kind: ServiceAccount
    name: argo-workflow
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: custom-argo-clusterrole
{{- end }}
Integrating argo 2025-01-16 13:11:31 +01:00			`{{- if index .Values "argo-workflows" "enabled" }}`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: argo-workflow`
			`namespace: {{ .Release.Namespace }}`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: custom-argo-clusterrole`
			`rules:`
			`# Default Argo permissions`
			`- apiGroups: [""]`
			`resources: ["configmaps", "pods", "pods/log", "secrets", "persistentvolumeclaims", "serviceaccounts"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: [""]`
			`resources: ["services"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["argoproj.io"]`
			`resources: ["workflows", "workflowtemplates", "cronworkflows", "workflowtasksets", "workfloweventbindings", "clusterworkflowtemplates"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["coordination.k8s.io"]`
			`resources: ["leases"]`
			`verbs: ["create", "delete", "get", "list", "update"]`
			`- apiGroups: ["batch"]`
			`resources: ["jobs"]`
			`verbs: ["create", "delete", "get", "list", "watch"]`
			`- apiGroups: ["apiextensions.k8s.io"]`
			`resources: ["customresourcedefinitions"]`
			`verbs: ["create", "get"]`
			`# Full power activated`
			`- apiGroups: [""]`
			`resources: ["bindings", "endpoints", "events", "limitranges", "namespaces", "nodes", "persistentvolumes", "replicationcontrollers", "resourcequotas"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["apps"]`
			`resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["autoscaling"]`
			`resources: ["horizontalpodautoscalers"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["batch"]`
			`resources: ["cronjobs"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["networking.k8s.io"]`
			`resources: ["networkpolicies", "ingresses"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["policy"]`
			`resources: ["poddisruptionbudgets"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["rbac.authorization.k8s.io"]`
			`resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["storage.k8s.io"]`
			`resources: ["storageclasses", "volumeattachments"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["argoproj.io"]`
			`resources: ["workflowtaskresults"]`
			`verbs: ["create", "patch"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: custom-argo-clusterrolebinding`
			`subjects:`
			`- kind: ServiceAccount`
			`name: argo-workflow`
			`namespace: {{ .Release.Namespace }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: custom-argo-clusterrole`
			`{{- end }}`