rackerlabs
diff --git a/‎components/argo-events/argo-role.yaml‎
Lines changed: 0 additions & 148 deletions b/‎components/argo-events/argo-role.yaml‎
Lines changed: 0 additions & 148 deletions
diff --git a/‎components/argo-events/argo-server-rb.yaml‎
Lines changed: 8 additions & 0 deletions b/‎components/argo-events/argo-server-rb.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎components/argo-events/argo-server-role.yaml‎
Lines changed: 0 additions & 88 deletions b/‎components/argo-events/argo-server-role.yaml‎
Lines changed: 0 additions & 88 deletions
diff --git a/‎components/argo-events/controller-rb.yaml‎
Lines changed: 8 additions & 0 deletions b/‎components/argo-events/controller-rb.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎components/argo-events/default-role.yaml‎
Lines changed: 0 additions & 25 deletions b/‎components/argo-events/default-role.yaml‎
Lines changed: 0 additions & 25 deletions
diff --git a/‎components/argo-events/kustomization.yaml‎
Lines changed: 14 additions & 4 deletions b/‎components/argo-events/kustomization.yaml‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎components/argo/argo-server-runtime.yaml‎
Lines changed: 40 additions & 0 deletions b/‎components/argo/argo-server-runtime.yaml‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎components/argo/kustomization.yaml‎
Lines changed: 7 additions & 13 deletions b/‎components/argo/kustomization.yaml‎
Lines changed: 7 additions & 13 deletions
@@ -0,0 +1,8 @@
+apiVersion: apps/v1
+kind: RoleBinding
+metadata:
+  name: argo-server-binding
+subjects:
+- kind: ServiceAccount
+  name: argo-server
+  namespace: argo
@@ -0,0 +1,8 @@
+apiVersion: apps/v1
+kind: RoleBinding
+metadata:
+  name: argo-binding
+subjects:
+- kind: ServiceAccount
+  name: argo
+  namespace: argo
@@ -7,10 +7,9 @@ resources:
   - https://github.com/argoproj/argo-events/releases/download/v1.9.7/install.yaml
   - https://github.com/argoproj/argo-events/releases/download/v1.9.7/install-validating-webhook.yaml
 
-  ## configure rbac to integrate with argo-workflow
-  # - default-role.yaml
-  - argo-server-role.yaml
-  - argo-role.yaml
+  # grant the argo-workflows the ability to run workflows in this namespace
+  - https://github.com/argoproj/argo-workflows/manifests/namespace-install/argo-server-rbac?ref=v3.5.10
+  - https://github.com/argoproj/argo-workflows/manifests/namespace-install/workflow-controller-rbac?ref=v3.5.10
 
   ## configure webhook Sensor and associated role
   - sensor-workflow-role.yaml
@@ -23,3 +22,14 @@ resources:
 
   ## copy openstack/cinder-netapp-config to argo-events/netapp-config
   - secret-netapp.yaml
+
+patches:
+- target:
+    kind: RoleBinding
+    name: argo-binding
+  path: controller-rb.yaml
+
+- target:
+    kind: RoleBinding
+    name: argo-server-binding
+  path: argo-server-rb.yaml
@@ -0,0 +1,40 @@
+# This is a role and rolebinding to provide the argo-server with permissions
+# it needs to run in its own namespace.
+# - to read the configmap for its configuration
+# - read the SSO secret
+# - create and read other secrets for auth tokens
+# - events to provide prometheus metrics
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argo-server-runtime
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - watch
+    resourceNames:
+      - workflow-controller-configmap
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-server-runtime
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argo-server-runtime
+subjects:
+  - kind: ServiceAccount
+    name: argo-server
@@ -3,11 +3,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  # the same as using namespace-install.yaml but easier to follow what the
-  # actual pieces we are using are
+  # We are doing upstream's namespace-install.yaml but since we
+  # want the actual workflows to run in a different namespace
+  # the roles are created there
   - https://github.com/argoproj/argo-workflows/manifests/base?ref=v3.5.10
-  - https://github.com/argoproj/argo-workflows/manifests/namespace-install/argo-server-rbac?ref=v3.5.10
-  - https://github.com/argoproj/argo-workflows/manifests/namespace-install/workflow-controller-rbac?ref=v3.5.10
+  # give the workflow controller access it needs
+  - workflow-controller-runtime.yaml
+  # give the argo-server access it needs
+  - argo-server-runtime.yaml
 
   # ingress for workflows.${DNS_ZONE} to the argo server for the UI
   - ingress.yaml
@@ -41,15 +44,6 @@ patches:
     name: workflow-controller
   path: ./workflow-controller-deployment.yaml
 
-# see the patch for details on the change
-- target:
-    group: rbac.authorization.k8s.io
-    version: v1
-    kind: Role
-    # this is the role that the workflow-controller runs with
-    name: argo-role
-  path: ./workflow-controller-role.yaml
-
 # apply our configuration changes to the configmap
 configMapGenerator:
   - name: workflow-controller-configmap