{{- /* Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} {{- if .Values.controller.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 {{- if .Values.rbac.singleNamespace }} kind: Role {{- else }} kind: ClusterRole {{- end }} metadata: name: {{ include "argo-workflows.controller.fullname.namespace" . }} {{- if .Values.rbac.singleNamespace }} namespace: {{ .Release.Namespace | quote }} {{- end }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/part-of: argo-workflows app.kubernetes.io/component: controller {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} rules: - apiGroups: - "" resources: - pods - pods/exec verbs: - create - get - list - watch - update - patch - delete - apiGroups: - "" resources: - configmaps verbs: - get - watch - list - apiGroups: - "" resources: - persistentvolumeclaims - persistentvolumeclaims/finalizers verbs: - create - update - delete - get - apiGroups: - argoproj.io resources: - workflows - workflows/finalizers - workflowtasksets - workflowtasksets/finalizers - workflowartifactgctasks verbs: - get - list - watch - update - patch - delete - create - apiGroups: - argoproj.io resources: - workflowtemplates - workflowtemplates/finalizers verbs: - get - list - watch - apiGroups: - argoproj.io resources: - cronworkflows - cronworkflows/finalizers verbs: - get - list - watch - update - patch - delete - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - argoproj.io resources: - workflowtaskresults verbs: - list - watch - deletecollection - apiGroups: - "" resources: - serviceaccounts verbs: - get - list - apiGroups: - "policy" resources: - poddisruptionbudgets verbs: - create - get - delete {{- if (include "argo-workflows.controller.persistence.enabled" .) }} - apiGroups: - "" resources: - secrets resourceNames: - {{ include "argo-workflows.controller.database.username.secret" . }} - {{ include "argo-workflows.controller.database.password.secret" . }} {{/* for HTTP templates */}} - argo-workflows-agent-ca-certificates verbs: - get {{- end }} - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - apiGroups: - coordination.k8s.io resources: - leases resourceNames: {{- if .Values.controller.instanceID.enabled }} {{- if .Values.controller.instanceID.useReleaseName }} - workflow-controller-{{ .Release.Name }} - workflow-controller-lease-{{ .Release.Name }} {{- else }} - workflow-controller-{{ .Values.controller.instanceID.explicitID }} - workflow-controller-lease-{{ .Values.controller.instanceID.explicitID }} {{- end }} {{- else }} - workflow-controller - workflow-controller-lease {{- end }} verbs: - get - watch - update - patch - delete {{- if .Values.controller.clusterWorkflowTemplates.enabled }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "argo-workflows.controller.fullname.namespace" . }}-cluster-template labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/part-of: argo-workflows app.kubernetes.io/component: controller {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} rules: - apiGroups: - argoproj.io resources: - clusterworkflowtemplates - clusterworkflowtemplates/finalizers verbs: - get - list - watch {{- end }} {{- end }}