feat(Argo): Add secret access whitelist for server. (#499)

Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
2020-11-18 11:59:17 -08:00 · 2020-11-18 11:59:17 -08:00 · af9a14a1ec
commit af9a14a1ec
parent d265f7dd75
3 changed files with 25 additions and 14 deletions
--- a/charts/argo/templates/server-cluster-roles.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@ -13,12 +13,6 @@ rules:
  - get
  - watch
  - list
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
 - apiGroups:
  - ""
  resources:
@ -30,6 +24,21 @@ rules:
  - list
  - watch
  - delete
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+{{- with .Values.server.rbac.secretWhitelist }}
+  resourceNames: {{- toYaml . | nindent 4 }}
+{{- end }}
 - apiGroups:
  - ""
  resources:
@ -41,15 +50,14 @@ rules:
  - ""
  resources:
  - secrets
-  - serviceaccounts
  resourceNames:
-  {{- if .Values.controller.persistence.postgresql }}
-  - {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
-  - {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
+  {{- with .Values.controller.persistence.postgresql }}
+  - {{ .userNameSecret.name }}
+  - {{ .passwordSecret.name }}
  {{- end}}
-  {{- if .Values.controller.persistence.mysql }}
-  - {{ .Values.controller.persistence.mysql.userNameSecret.name }}
-  - {{ .Values.controller.persistence.mysql.passwordSecret.name }}
+  {{- with .Values.controller.persistence.mysql }}
+  - {{ .userNameSecret.name }}
+  - {{ .passwordSecret.name }}
  {{- end}}
  verbs:
  - get