feat(argo): Allow setting up ServiceAccount and RBAC resources for running workflows (#402)

charts/argo/templates/workflow-rb.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.workflow.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-workflow
+{{- if .Values.workflow.namespace }}
+  namespace: {{ .Values.workflow.namespace }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-workflow
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.workflow.serviceAccount.name }}
+  {{- if .Values.workflow.namespace }}
+  namespace: {{ .Values.workflow.namespace }}
+  {{- end }}
+{{- end }}

charts/argo/templates/workflow-role.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.workflow.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-workflow
+  {{- if .Values.workflow.namespace }}
+  namespace: {{ .Values.workflow.namespace }}
+  {{- end }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - watch
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
+  verbs:
+  - get
+  - watch
+{{- end }}

charts/argo/templates/workflow-sa.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.workflow.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.workflow.serviceAccount.name }}
+  {{- if .Values.workflow.namespace }}
+  namespace: {{ .Values.workflow.namespace }}
+  {{- end }}
+  {{- with .Values.workflow.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}