feat: add optional rbac.secrets value to give GET/LIST/WATCH on Secrets

charts/airflow/README.md

@@ -407,7 +407,8 @@ Parameter | Description | Default
 Parameter | Description | Default
 --- | --- | ---
 `rbac.create` | if Kubernetes RBAC resources are created | `true`
-`rbac.events` | if the created RBAR role has GET/LIST access to Event resources | `false`
+`rbac.events` | if the created RBAC Role has GET/LIST on Event resources | `true`
+`rbac.secrets` | if the created RBAC Role has GET/LIST/WATCH on Secret resources | `false`
 
 </details>
 

charts/airflow/templates/rbac/airflow-role.yaml

@@ -18,6 +18,16 @@ rules:
   - "get"
   - "list"
 {{- end }}
+{{- if .Values.rbac.secrets }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+{{- end }}
 - apiGroups:
   - ""
   resources:

charts/airflow/values.yaml

@@ -1602,6 +1602,8 @@ rbac:
   ## if Kubernetes RBAC resources are created
   ## - these allow the service account to create/delete Pods in the airflow namespace,
   ##   which is required for the KubernetesPodOperator() to function
+  ## - if `false`, you must create a custom Role and RoleBinding
+  ##   for the ServiceAccount defined in `serviceAccount.name`
   ##
   create: true
 
@@ -1610,6 +1612,11 @@ rbac:
   ##
   events: true
 
+  ## if the created RBAC Role has GET/LIST/WATCH on Secret resources
+  ## - [WARNING] when true, workers/dags can read Secrets in airflow's namespace
+  ##
+  secrets: false
+
 ###################################
 ## CONFIG | Kubernetes ServiceAccount
 ###################################