fix(argo-workflows): create service account secrets (#3826)

m-kay · web-flow · commit c871f52300ae · 2026-04-14T14:22:04.000+09:00
diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v4.0.4
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 1.0.7
+version: 1.0.8
 icon: https://argo-workflows.readthedocs.io/en/stable/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -16,5 +16,8 @@ annotations:
     fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
-    - kind: changed
-      description: Bump argo-workflows to v4.0.4
+    - kind: fixed
+      description: Fix missing service account secrets
+      links:
+        - name: GitHub Issue
+          url: https://github.com/argoproj/argo-helm/issues/3236
diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md
@@ -244,6 +244,7 @@ Fields to note:
 | workflow.rbac.serviceAccounts | list | `[]` | Extra service accounts to be added to the RoleBinding |
 | workflow.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
 | workflow.serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
+| workflow.serviceAccount.createSecret | bool | `false` | Specifies whether a secret for each service account should be created |
 | workflow.serviceAccount.labels | object | `{}` | Labels applied to created service account |
 | workflow.serviceAccount.name | string | `"argo-workflow"` | Service account which is used to run workflows |
 | workflow.serviceAccount.pullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets` |
diff --git a/charts/argo-workflows/templates/controller/workflow-sa.yaml b/charts/argo-workflows/templates/controller/workflow-sa.yaml
@@ -21,5 +21,20 @@ metadata:
 imagePullSecrets:
     {{- toYaml . | nindent 2 }}
   {{- end }}
+  {{- if $.Values.workflow.serviceAccount.createSecret }}
+secrets:
+  - name: {{ $.Values.workflow.serviceAccount.name }}.service-account-token
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: {{ $.Values.workflow.serviceAccount.name }}.service-account-token
+    {{- with $namespace }}
+  namespace: {{ . }}
+    {{- end }}
+  annotations:
+    kubernetes.io/service-account.name: "{{ $.Values.workflow.serviceAccount.name }}"
+  {{- end }}
   {{- end }}
 {{- end }}
diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml
@@ -88,6 +88,8 @@ workflow:
   serviceAccount:
     # -- Specifies whether a service account should be created
     create: false
+    # -- Specifies whether a secret for each service account should be created
+    createSecret: false
     # -- Labels applied to created service account
     labels: {}
     # -- Annotations applied to created service account
