Remove hard requirement of cluster-wide secret list/watch privileges

[jessesuen]

Argo Events, when installed in a cluster-scoped mode, currently require cluster-wide list/watch/get on Secrets. The controller will simply not start if the RBAC is removed and the controller can't start the watch. This issue is to remove this hard requirement for cluster-wide secret list/watch/get.

Describe the solution you'd like

The reason argo-events watches secrets, is because it re-queues the parent EventBus object for whenever its child Secret changes. But since the child secret is controlled by the controller (not by admins), this is largely unnecessary. Also, it will eventually be recreated/updated during normal resync periods of EventBus objects.

I think Argo Events can improve its security by removing this watch requirement, and allowing administrators to allow list/get Secret calls at a namespace granularity.

This is how both Argo Workflows and Argo Rollouts are implemented. See:

• Server with SSO enabled should not require List on all Secrets argo-workflows#8534
• Limit namespaces for SSO serviceaccounts (Cluster-Install) argo-workflows#9572
• fix!: remove list and watch on secrets. Fixes #8534 argo-workflows#8555
• fix: (controller boot) Do not cache all cluster Secrets - fetch them on demand. Fixes #798 argo-rollouts#829

Describe alternatives you've considered

Tried patching the RBAC manually but the way the code is implemented is impossible. Currently, the only way to run argo-events in a locked-down cluster is to run multiple instances of it. But this is an expensive and heavy-handed workaround which also does not allow config reuse.

Additional context

Chatted with @whynowy about this and he agrees this is something that can be accomplished.

---

Message from the maintainers:

If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.