Workflow controller not working in namespaced deployment

[tigerwings]

Is this a BUG REPORT or FEATURE REQUEST?:
BUG REPORT

What happened:
Workflow controller failed in namespace deployment.
Got errors like:

github.com/argoproj/argo/workflow/controller/controller.go:159: Failed to list *v1alpha1.WorkflowTemplate: workflowtemplates.argoproj.io is forbidden: User "system:serviceaccount:argo-template-dev:argo" cannot list resource "workflowtemplates" in API group "argoproj.io" at the cluster scope

What you expected to happen:
Workflow controller should get deployed successfully in namespaced environment

How to reproduce it (as minimally and precisely as possible):
Deploy workflow controller in a namespace with limited permission to access the cluster scope resources

Anything else we need to know?:
The newly added WorkflowTemplate is the root cause. Unlike WorkflowInformer (https://github.com/argoproj/argo/blob/master/workflow/controller/controller.go#L150), WorkflowTemplateInformer (https://github.com/argoproj/argo/blob/master/workflow/controller/controller.go#L152) does not respect namespaces if specified in the configmap.

Environment:

• Argo version: 2.4.0-RC1

$ argo version

• Kubernetes version :

$ kubectl version -o yaml

Other debugging information (if applicable):

• workflow result:

$ argo get <workflowname>

• executor logs:

$ kubectl logs <failedpodname> -c init
$ kubectl logs <failedpodname> -c wait

• workflow-controller logs:

$ kubectl logs -n argo $(kubectl get pods -l app=workflow-controller -n argo -o name)

[CermakM]

+1 on that one ... just hit it today as well. The workflow controller should not require cluster level access to workflow templates.

[dtaniwaki]

Let me check the issue.

[dtaniwaki]

Fixed in #1580.