feat(argo-workflows): allow additional rules for service account that runs the workflows (#3186)

* feat(argo-workflows): allow additional rules for service account that runs the workflows

Signed-off-by: fuyuan.chu <fuyuan.chu@airwallex.com>

* Update charts/argo-workflows/templates/controller/workflow-role.yaml

Co-authored-by: Aikawa <yu.croco@gmail.com>
Signed-off-by: awx-fuyuanchu <86345114+awx-fuyuanchu@users.noreply.github.com>

---------

Signed-off-by: fuyuan.chu <fuyuan.chu@airwallex.com>
Signed-off-by: awx-fuyuanchu <86345114+awx-fuyuanchu@users.noreply.github.com>
Co-authored-by: Aikawa <yu.croco@gmail.com>
awx-fuyuanchu 2025-03-03 14:08:40 +08:00 committed by GitHub
parent 68604eb508
commit 02dcd41ec1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 8 additions and 2 deletions


@ -136,6 +136,7 @@ Fields to note:
| workflow.rbac.agentPermissions | bool | `false` | Allows permissions for the Argo Agent. Only required if using http/plugin templates |
| workflow.rbac.artifactGC | bool | `false` | Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc |
| workflow.rbac.create | bool | `true` | Adds Role and RoleBinding for the above specified service account to be able to run workflows. A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) |
| workflow.rbac.rules | list | `[]` | Additional rules for the service account that runs the workflows. |
| workflow.rbac.serviceAccounts | list | `[]` | Extra service accounts to be added to the RoleBinding |
| workflow.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| workflow.serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
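
Review bot: The new `workflow.rbac.rules` row is under-documented for a value that widens what every workflow pod may do. The description "Additional rules for the service account that runs the workflows." does not say what shape a list entry takes (presumably a Kubernetes RBAC rule with `apiGroups`, `resources` and `verbs`) and does not say whether the rules are ignored when `workflow.rbac.create` is `false`. The `workflow.rbac.create` row just above states that a Role and RoleBinding pair is created for each namespace in `controller.workflowNamespaces`, so the text should also say whether the extra rules are added in every one of those namespaces. Suggest extending the description to cover the entry format, the dependency on `workflow.rbac.create`, and the namespace scope, and adding a short commented example to the values file so users grant only the verbs and resources their workflows need.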