Secret-Protection

[boehb-efs]

First of: what we basically want to achieve is protection of our secrets within argo-namespace (especially sso client-secret). To be more specific: some workflows (triggered by sensors) should be able to read the secret, others (user-workflows) not.

What I tried so far:

• enable SSO RBAC with admin-user (can read secret) and user (can't read secret). However, the workflow runs in a different serviceaccount, which must or must not have access to the secret. A differentiation of which workflow can run in an admin-serviceaccount is not possible.
• install 2 argo-instances (user-argo & management-argo), which run in the same domain, but different paths (http://.../argo vs. http://.../argo-mgmt) - where user-argo uses a public sso-client (so no secret required). However, the storage of current_namespace leeds to unexpected behaviour, so you cannot simply switch between user- and management-argo. Basically, one has to reload ignoring cached content (shift+f5).
  

Does anybody have an idea, how to achieve, what we want to achieve? This is essentially a killer argument :-/