From 80cc736ca99e314f59ad927ca8e32fd7c57741a5 Mon Sep 17 00:00:00 2001
From: Pablo Osinaga
Date: Sat, 21 Sep 2019 16:40:53 +0200
Subject: [PATCH 1/4] Update argo-cluster-role - Allow get secrets
---
 .../workflow-controller-clusterrole.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml b/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml
index b7a642a34978..25213483af87 100644
--- a/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml
+++ b/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml
@@ -59,3 +59,9 @@ rules:
 verbs:
 - get
 - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
\ No newline at end of file
From 04db6e224c1038bffc3b7e2ce4dcc13adf21702f Mon Sep 17 00:00:00 2001
From: Pablo Osinaga
Date: Sat, 21 Sep 2019 16:41:22 +0200
Subject: [PATCH 2/4] Update workflow-controller-config-map - Add example config for persistance
---
 docs/workflow-controller-configmap.yaml | 33 +++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/docs/workflow-controller-configmap.yaml b/docs/workflow-controller-configmap.yaml
index ef4240f62618..055d31ea7b5f 100644
--- a/docs/workflow-controller-configmap.yaml
+++ b/docs/workflow-controller-configmap.yaml
@@ -122,3 +122,36 @@ data:
 enabled: true
 path: /telemetry
 port: 8080
+
+ # enable persistence using postgres
+ persistence:
+ connectionPool:
+ maxIdleConns: 100
+ maxOpenConns: 0
+ # save the entire workflow into etcd and DB
+ nodeStatusOffLoad: false
+ postgresql:
+ host: localhost
+ port: 5432
+ database: postgres
+ tableName: argo_workflows
+ # the database secrets must be in the same namespace of the controller
+ userNameSecret:
+ name: argo-postgres-config
+ key: username
+ passwordSecret:
+ name: argo-postgres-config
+ key: password
+
+ # Optional config for mysql:
+ # mysql:
+ # host: localhost
+ # port: 3306
+ # database: argo
+ # tableName: argo_workflows
+ # userNameSecret:
+ # name: argo-mysql-config
+ # key: username
+ # passwordSecret:
+ # name: argo-mysql-config
+ # key: password
From 8121278c1713c269452c505d1875f3bd3aa41bd0 Mon Sep 17 00:00:00 2001
From: Pablo Osinaga
Date: Sun, 22 Sep 2019 14:15:40 +0200
Subject: [PATCH 3/4] Add workflow-controller-role for cluster-install - Add workflow-controller-role.yaml - Add workflow-controller-rolebinding.yaml - Remove secrets permissions from clusterrole - Update kustomization file
---
 .../workflow-controller-rbac/kustomization.yaml | 2 ++
 .../workflow-controller-clusterrole.yaml | 8 +-------
 .../workflow-controller-role.yaml | 11 +++++++++++
 .../workflow-controller-rolebinding.yaml | 11 +++++++++++
 4 files changed, 25 insertions(+), 7 deletions(-)
 create mode 100755 manifests/cluster-install/workflow-controller-rbac/workflow-controller-role.yaml
 create mode 100644 manifests/cluster-install/workflow-controller-rbac/workflow-controller-rolebinding.yaml
diff --git a/manifests/cluster-install/workflow-controller-rbac/kustomization.yaml b/manifests/cluster-install/workflow-controller-rbac/kustomization.yaml
index e941cf876ad0..0ce4eff69b53 100644
--- a/manifests/cluster-install/workflow-controller-rbac/kustomization.yaml
+++ b/manifests/cluster-install/workflow-controller-rbac/kustomization.yaml
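Review bot: `maxOpenConns: 0` in the example persistence block of docs/workflow-controller-configmap.yaml is shown without explanation. If these fields are handed to Go's database/sql pool (an assumption, the controller code is not part of this patch), 0 means no limit on open connections, so anyone copying the example lets the controller open as many connections as the database will accept. A comment above that line such as `# 0 means unlimited; set a cap below the database's own connection limit` would make the choice deliberate. The example also does not show whether the connection that carries the username and password Secret values to PostgreSQL is encrypted; if the controller has a setting for that, it belongs in this example.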
@@ -5,3 +5,5 @@ resources:
 - workflow-aggregate-roles.yaml
 - workflow-controller-clusterrole.yaml
 - workflow-controller-clusterrolebinding.yaml
+- workflow-controller-role.yaml
+- workflow-controller-rolebinding.yaml
diff --git a/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml b/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml
index 25213483af87..f8d333b6fab9 100644
--- a/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml
+++ b/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml
@@ -58,10 +58,4 @@ rules:
 - serviceaccounts
 verbs:
 - get
- - list
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
\ No newline at end of file
+ - list
\ No newline at end of file
diff --git a/manifests/cluster-install/workflow-controller-rbac/workflow-controller-role.yaml b/manifests/cluster-install/workflow-controller-rbac/workflow-controller-role.yaml
new file mode 100755
index 000000000000..7ccf9e809eae
--- /dev/null
+++ b/manifests/cluster-install/workflow-controller-rbac/workflow-controller-role.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: argo-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
\ No newline at end of file
diff --git a/manifests/cluster-install/workflow-controller-rbac/workflow-controller-rolebinding.yaml b/manifests/cluster-install/workflow-controller-rbac/workflow-controller-rolebinding.yaml
new file mode 100644
index 000000000000..191f34d44cdb
--- /dev/null
+++ b/manifests/cluster-install/workflow-controller-rbac/workflow-controller-rolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: argo-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argo-role
+subjects:
+ - kind: ServiceAccount
+ name: argo
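Review bot: The new `argo-role` in cluster-install/workflow-controller-rbac/workflow-controller-role.yaml allows `get` on every Secret in the namespace it is installed into, not only the database credential Secrets the persistence config refers to; the same rule is appended to the namespace-install role in PATCH 4/4. The rule has no `list` or `watch`, so a caller must already know a Secret's name, which limits the exposure. If the controller only ever reads a known set of Secrets, adding `resourceNames:` with those names would narrow the grant further. If the names have to stay configurable, a comment above the rule such as `# read-only access to the persistence userNameSecret/passwordSecret in the controller's namespace` would record why it exists. The file is also created with mode 100755, where 100644 is usual for a manifest.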
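Review bot: Neither `metadata` nor the `ServiceAccount` subject in workflow-controller-rolebinding.yaml sets a `namespace`, so which namespace's Secrets become readable, and by which `argo` service account, is decided only at apply time. In a RoleBinding an empty subject namespace resolves to the binding's own namespace, so this works when the manifests are applied together into the controller's namespace. The file gives no hint of that requirement, though, and applying it elsewhere would grant Secret reads to an `argo` account in that other namespace. A header comment such as `# must be applied in the workflow controller's namespace; binds argo-role to the argo ServiceAccount there` would make the intended scope explicit.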
From 5a432598720fbc39bc9c172b0bd40edaa29d3f84 Mon Sep 17 00:00:00 2001
From: Pablo Osinaga
Date: Sun, 22 Sep 2019 14:17:01 +0200
Subject: [PATCH 4/4] Update namespace-install - Add secret permission to argo-role
---
 .../workflow-controller-rbac/workflow-controller-role.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml b/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml
index 2772ed5fcc87..8687a6109309 100644
--- a/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml
+++ b/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml
@@ -59,3 +59,9 @@ rules:
 verbs:
 - get
 - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get