add rbac for argo to backfill chart

charts/substreams-sink-sql-backfill/Chart.yaml

@@ -1,12 +1,6 @@
 apiVersion: v2
 name: substreams-sink-sql-backfill
 description: Chart to backfill clickhouse database using jobs
-annotations:
-  artifacthub.io/images: |
-    - name: fixed image
-      image: ghcr.io/pinax-network/substreams-sink-sql:f9081de
-      platforms:
-        - linux/amd64
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -21,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/substreams-sink-sql-backfill/templates/rbac.yaml

@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.serviceAccount }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - watch
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
+  verbs:
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowtaskresults
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowtasksets
+  - workflowartifactgctasks
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowtasksets/status
+  - workflowartifactgctasks/status
+  verbs:
+  - patch

charts/substreams-sink-sql-backfill/values.yaml

@@ -1,7 +1,3 @@
-# Before running the workload, you should have
-# - an existing namespace with the argo workflow serviceAccount
-# - a secret with the credentials for the clickhouse database
-
 image:
   repository: ghcr.io/pinax-network/substreams-sink-sql
   tag: develop
@@ -22,16 +18,14 @@ fullnameOverride: ""
 imagePullSecret: ghcr-cred
 
 # Make sure to use the service account that match with argo workflow server
-serviceAccount: argo-workflows
+serviceAccount: argo-workflows-workflow
 
 # Time to live for containers once the job is completed
 ttlStrategy:
   secondsAfterCompletion: 3600
   secondsAfterFailure: 7200
   secondsAfterSuccess: 3600
 
-# If the namespace exist, make sure the serviceAccount mentionned previously is in that namespace
-# If the namespace does not existe, create it and then add it to `workflowNamespaces` in argo-workflows helm values. This will add the serviceAccount to the new namespace.
 # Indicate the number of parallel jobs and the resources used by a job
 # This way, you can limit the total resources used with <parallelism>*<resource>
 parallelism: 2