Create service account for scheduler web service to enable workflow creation

opencloud/templates/argo.yaml

@@ -70,18 +70,4 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: custom-argo-clusterrole
----
-apiVersion: argoproj.io/v1alpha1
-kind: Workflow
-metadata:
-  name: hello-world
-  namespace: {{ .Release.Namespace }}
-spec:
-  entrypoint: whalesay
-  templates:
-    - name: whalesay
-      container:
-        image: docker/whalesay
-        command: [ cowsay ]
-        args: [ "hello world" ]
 {{- end }}

opencloud/templates/oc-scheduler/deployment.yaml

@@ -15,6 +15,7 @@ spec:
       labels:
         app: oc-scheduler
     spec:
+      serviceAccountName: scheduler-sa
       containers:
       - image: "{{ .Values.ocScheduler.image }}"
         name: oc-scheduler

opencloud/templates/oc-scheduler/sa.yaml

@@ -0,0 +1,41 @@
+{{- if index .Values.ocScheduler.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: scheduler-sa
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: scheduler-sa-clusterrole
+rules:
+  # Permissions for Argo Workflow resources
+  - apiGroups: ["argoproj.io"]
+    resources:
+      - workflows
+      - workflowtemplates
+      - cronworkflows
+      - clusterworkflowtemplates
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: scheduler-sa-clusterrolebinding
+subjects:
+  - kind: ServiceAccount
+    name: scheduler-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: scheduler-sa-clusterrole
+{{- end }}