fix(argo-workflows): Server only needs get Secrets (#2211)
- as of argoproj/argo-workflows@aa366db, the Server no longer needs `list` or `watch` and only uses `get`
  - this was released as part of [v3.4.0](https://github.com/argoproj/argo-workflows/blob/master/CHANGELOG.md#v340-rc1-2022-08-09), and the current version of the chart uses v3.4.9 (per `Chart.yaml#appVersion`)

- `update` is not needed either for SSO secret
  - manifests RBAC: https://github.com/argoproj/argo-workflows/blob/a68ea0feabc87c09d5e13d12e6f0d1a61adc5b16/manifests/cluster-install/argo-server-rbac/argo-server-clusterole.yaml#L18
  - SSO source code only uses [`create`](https://github.com/argoproj/argo-workflows/blob/20d0923611f1df6b7147c3547aeeff6b6bfecf18/server/auth/sso/sso.go#L140) and [`get`](https://github.com/argoproj/argo-workflows/blob/20d0923611f1df6b7147c3547aeeff6b6bfecf18/server/auth/sso/sso.go#L151)
    - (also some `get`s above that for [`clientID`](https://github.com/argoproj/argo-workflows/blob/20d0923611f1df6b7147c3547aeeff6b6bfecf18/server/auth/sso/sso.go#L127) and [`clientSecret`](https://github.com/argoproj/argo-workflows/blob/20d0923611f1df6b7147c3547aeeff6b6bfecf18/server/auth/sso/sso.go#L106) as well)

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
Co-authored-by: Aikawa <yu.croco@gmail.com>
Co-authored-by: Jason Meridth <jmeridth@gmail.com>
3 people authored Aug 11, 2023
1 parent 23708c6 commit a646154
Showing 2 changed files with 3 additions and 6 deletions.
6 changes: 3 additions & 3 deletions charts/argo-workflows/Chart.yaml
Expand Up @@ -3,7 +3,7 @@ appVersion: v3.4.9
name: argo-workflows
description: A Helm chart for Argo Workflows
type: application
version: 0.32.1
version: 0.32.2
icon: https://argoproj.github.io/argo-workflows/assets/logo.png
home: https://github.com/argoproj/argo-helm
sources:
Expand All @@ -16,5 +16,5 @@ annotations:
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: |
- kind: added
description: Add support for executor args
- kind: fixed
description: Removed Secrets list and watch from Server RBAC
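
Review bot: The `artifacthub.io/changes` entry, `description: Removed Secrets list and watch from Server RBAC`, leaves out that this commit also drops `update` on the `sso` Secret. Anyone auditing the chart's RBAC from the changelog would miss that reduction, so consider wording it as, for example, "Removed Secrets list, watch and update from Server RBAC".
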
Expand Up @@ -47,7 +47,6 @@ rules:
- sso
verbs:
- get
- update
- apiGroups:
- ""
resources:
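
Review bot: With `- update` removed, the rule scoped to the `sso` resource name grants only `get`, while the commit message says the SSO code also calls `create`. Kubernetes cannot restrict `create` by `resourceNames`, so that verb has to come from a separate rule that this hunk does not show. Worth confirming that rule exists and adding a short comment here saying where `create` is granted, so a later cleanup does not remove it as redundant.
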
Expand All @@ -71,8 +70,6 @@ rules:
- secrets
verbs:
- get
- list
- watch
{{- if and .Values.server.sso.enabled .Values.server.sso.rbac.enabled }}
{{- with .Values.server.sso.rbac.secretWhitelist }}
resourceNames: {{- toYaml . | nindent 4 }}
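
Review bot: Dropping `- list` and `- watch` from the `secrets` rule is only safe for Server versions from v3.4.0 on, which is when the commit message says the Server stopped using them. The chart default is v3.4.9, but a user who overrides the Server image to an older version would lose Secret access after this patch-level upgrade, so suggest stating the minimum supported Server version in the changelog entry or next to this rule. Also note that the remaining `get` is restricted by `resourceNames` only when both `.Values.server.sso.enabled` and `.Values.server.sso.rbac.enabled` are set and `secretWhitelist` is non-empty; in every other configuration the Server can still `get` any Secret this role covers.
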