Merge pull request #14 from QGreenland-Net/argo-garbage-collection-pe…

…rmissions

Add role/rolebinding for argo artifact garbage collection

helm/templates/gc-role.yaml

@@ -0,0 +1,25 @@
+# Role for argo workflow garbage collection that is utilized by the
+# `argo-workflow` service account (see `gc-rolebinding.yaml` ).
+# This role is copied from the example given here:
+# https://argo-workflows.readthedocs.io/en/latest/walk-through/artifacts/#service-accounts-and-annotations
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is the minimum recommended permissions needed if you want to use artifact GC.
+  name: artifactgc
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowartifactgctasks
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowartifactgctasks/status
+  verbs:
+  - patch

helm/templates/gc-rolebinding.yaml

@@ -0,0 +1,17 @@
+# Rolebinding for the argo-workflow service account to the artifactgc role (see
+# gc-role.yaml).
+# For more information about rolebindings, see
+# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gc-rolebinding
+  namespace: qgnet
+subjects:
+- kind: ServiceAccount
+  name: argo-workflow
+  namespace: qgnet
+roleRef:
+  kind: Role
+  name: artifactgc
+  apiGroup: rbac.authorization.k8s.io

scripts/install-ogdc.sh

@@ -16,9 +16,10 @@ THIS_DIR="$( cd "$(dirname "$0")"; pwd -P )"
 # TODO: only enable this behavior in dev.
 if [ "$ENV" = "dev" ]; then
   if [ -z "$OGDC_PV_HOST_PATH" ]; then
-    OGDC_PV_HOST_PATH=$(realpath "${THIS_DIR}/../ogdc-local-hostmount/")
+    OGDC_PV_HOST_PATH="${THIS_DIR}/../ogdc-local-hostmount/"
   fi
-  mkdir -p OGDC_PV_HOST_PATH
+  mkdir -p ${OGDC_PV_HOST_PATH}
+  OGDC_PV_HOST_PATH=$(realpath "${OGDC_PV_HOST_PATH}")
   echo "Using OGDC_PV_HOST_PATH=${OGDC_PV_HOST_PATH}"
 fi