diff --git a/README.md b/README.md index 2cfc0032..76b7b7b3 100644 --- a/README.md +++ b/README.md @@ -214,12 +214,13 @@ helm delete --namespace test my-application | Key | Type | Default | Description | |-----|------|---------|-------------| | rbac.enabled | bool | `true` | Enable RBAC. | -| rbac.existingServiceAccountName | string | `""` | Existing Service Account Name. | -| rbac.serviceAccount.enabled | bool | `false` | Deploy Service Account. | -| rbac.serviceAccount.name | string | `{{ include "application.name" $ }}` | Service Account Name. | -| rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. | -| rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. | +| rbac.serviceAccount.create | bool | `false` | Create Service Account. If set to true, a specific service account is created. | +| rbac.serviceAccount.name | string | `""` | Service Account Name. If not set and `rbac.serviceAccount.create` is set to true, a name is generated using the fullname template. If not set and `rbac.serviceAccount.create` is set to false, `"default"` service account is used. | +| rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. If `rbac.serviceAccount.create` is set to true, these labels are appended to the service account. | +| rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. If `rbac.serviceAccount.create` is set to true, these annotations are appended to the service account. | | rbac.roles | list | `nil` | Namespaced Roles. | +| rbac.additionalLabels | object | `nil` | Additional labels for the Role and RoleBinding resources. | +| rbac.annotations | object | `nil` | Annotations for the Role and RoleBinding resources. | ### ConfigMap Parameters diff --git a/application/templates/_helpers.tpl b/application/templates/_helpers.tpl index 402bac0b..714be434 100644 --- a/application/templates/_helpers.tpl 
+++ b/application/templates/_helpers.tpl @@ -69,17 +69,16 @@ reference: name: {{ include "application.name" . }} {{- end }} -{{- define "application.service-account-name" }} -{{- if .Values.rbac.enabled }} - {{- if and .Values.rbac.serviceAccount.enabled .Values.rbac.existingServiceAccountName }} - {{- fail "Conflict: 'rbac.existingServiceAccountName' is set, but a new service account is being created. Please disable 'rbac.serviceAccount.enabled' or unset 'rbac.existingServiceAccountName'." }} - {{- end }} - {{- if .Values.rbac.serviceAccount.enabled }} +{{/* +Get the name of the service account to use. +If the service account is set to be created, return the service account name or a default name. +If the service account is not set to be created and a name is provided, return the provided name; +otherwise, return the default namespace service account. +*/}} +{{- define "application.serviceAccountName" }} + {{- if .Values.rbac.serviceAccount.create }} {{- default (include "application.name" .) .Values.rbac.serviceAccount.name }} {{- else }} - {{- default "null" .Values.rbac.existingServiceAccountName }} + {{- default "default" .Values.rbac.serviceAccount.name }} {{- end }} -{{- else }} - null -{{- end }} {{- end }} diff --git a/application/templates/cronjob.yaml b/application/templates/cronjob.yaml index 5ea469cd..f32c1268 100644 --- a/application/templates/cronjob.yaml +++ b/application/templates/cronjob.yaml @@ -54,7 +54,7 @@ spec: annotations: {{ toYaml . | nindent 12 }} {{- end }} spec: - serviceAccountName: {{ template "application.service-account-name" $ }} + serviceAccountName: {{ include "application.serviceAccountName" $ }} containers: - name: {{ $name }} {{- $image := required (print "Undefined image repo for container '" $name "'") $job.image.repository }} diff --git a/application/templates/deployment.yaml b/application/templates/deployment.yaml index b417df1b..f5a9329e 100644 --- a/application/templates/deployment.yaml 
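Review bot: The new `application.serviceAccountName` helper drops the old `.Values.rbac.enabled` gate, so with `rbac.enabled: false` and `rbac.serviceAccount.create: true` every Deployment/Job/CronJob pod is rendered with `serviceAccountName: <application.name>` while `serviceaccount.yaml` (still gated on `rbac.enabled` in this same change) never renders that ServiceAccount, and the pods are rejected at admission for a missing SA; the removed helper returned `null` in that case, leaving the field unset. Keeping the create branch conditional on RBAC being enabled keeps the "reference" and "create" decisions in sync: `{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.create }}`. The `default "default"` fallback in the else branch is also a behaviour change that deserves a comment in the template, since it pins pods (and, through rolebinding.yaml, the chart's Roles) to the namespace-wide `default` ServiceAccount instead of leaving `serviceAccountName` unset.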
+++ b/application/templates/deployment.yaml @@ -74,7 +74,7 @@ spec: ] {{- end }} spec: - serviceAccountName: {{ template "application.service-account-name" $ }} + serviceAccountName: {{ include "application.serviceAccountName" $ }} {{- if .Values.deployment.hostAliases }} hostAliases: {{ toYaml .Values.deployment.hostAliases | indent 6 }} diff --git a/application/templates/job.yaml b/application/templates/job.yaml index 27539f96..590cd750 100644 --- a/application/templates/job.yaml +++ b/application/templates/job.yaml @@ -37,7 +37,7 @@ spec: annotations: {{ toYaml . | nindent 8 }} {{- end }} spec: - serviceAccountName: {{ template "application.service-account-name" $ }} + serviceAccountName: {{ include "application.serviceAccountName" $ }} containers: - name: {{ $name }} @@ -98,7 +98,7 @@ spec: restartPolicy: OnFailure {{ end }} {{- with $job.imagePullSecrets}} - imagePullSecrets: + imagePullSecrets: {{ toYaml . | indent 8 }} {{ end }} {{- with $job.volumes }} diff --git a/application/templates/rolebinding.yaml b/application/templates/rolebinding.yaml index d32a4acd..7fc96968 100644 --- a/application/templates/rolebinding.yaml +++ b/application/templates/rolebinding.yaml @@ -21,11 +21,7 @@ roleRef: name: {{ template "application.name" $ }}-role-{{ .name }} subjects: - kind: ServiceAccount - {{- if $.Values.rbac.serviceAccount.name }} - name: {{ $.Values.rbac.serviceAccount.name }} - {{- else }} - name: {{ template "application.name" $ }} - {{- end }} + name: {{ include "application.serviceAccountName" $ }} namespace: {{ $.Release.Namespace }} {{- end }} {{- end }} diff --git a/application/templates/serviceaccount.yaml b/application/templates/serviceaccount.yaml index c548face..0715e7fd 100644 --- a/application/templates/serviceaccount.yaml +++ b/application/templates/serviceaccount.yaml 
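Review bot: In rolebinding.yaml the subject now resolves through `application.serviceAccountName`, so with `rbac.serviceAccount.create: false` and no `rbac.serviceAccount.name` the chart's Roles are bound to the namespace `default` ServiceAccount, which every other pod in the namespace that does not set its own SA also runs under; the removed lines always bound to the application's own SA name. That silently widens the reach of any `rbac.roles` entry (the commented example in values.yaml grants `get` on `secrets`) and nothing in the diff warns about it. A guard before `subjects:` would make the choice explicit: `{{- if and (not $.Values.rbac.serviceAccount.create) (not $.Values.rbac.serviceAccount.name) }}` / `{{- fail "rbac.roles: set rbac.serviceAccount.name or rbac.serviceAccount.create=true; refusing to bind Roles to the namespace 'default' ServiceAccount" }}` / `{{- end }}`. The enclosing `range` over `rbac.roles` starts outside this hunk, and the subject's `namespace: {{ $.Release.Namespace }}` is context, so I have not checked it against the `application.namespace` helper used by serviceaccount.yaml.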
@@ -1,9 +1,9 @@ -{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.enabled }} +{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.create }} --- apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "application.service-account-name" . }} + name: {{ include "application.serviceAccountName" . }} namespace: {{ template "application.namespace" . }} labels: {{- include "application.labels" $ | nindent 4 }} diff --git a/application/tests/cronjob_test.yaml b/application/tests/cronjob_test.yaml index 59cffe9c..ace7cc92 100644 --- a/application/tests/cronjob_test.yaml +++ b/application/tests/cronjob_test.yaml @@ -78,7 +78,7 @@ tests: path: spec.jobTemplate.spec.template.spec.containers[0].image value: example-image:example-tag@sha256:example-digest - - it: yields empty service account name when disabled + - it: yields default service account name when create is disabled and no existing service account name is given set: cronJob: enabled: true @@ -86,10 +86,11 @@ tests: example: image: repository: example-image - rbac.serviceAccount.enabled: false + rbac.serviceAccount.create: false asserts: - - isNullOrEmpty: + - equal: path: spec.jobTemplate.spec.template.spec.serviceAccountName + value: default - it: uses service account name override when present set: @@ -99,7 +100,7 @@ tests: example: image: repository: example-image - rbac.serviceAccount.enabled: true + rbac.serviceAccount.create: true rbac.serviceAccount.name: example-sa asserts: - equal: @@ -115,7 +116,7 @@ tests: image: repository: example-image applicationName: example-app - rbac.serviceAccount.enabled: true + rbac.serviceAccount.create: true rbac.serviceAccount.name: "" asserts: - equal: diff --git a/application/tests/deployment_test.yaml b/application/tests/deployment_test.yaml index 6bcafc42..35412bf6 100644 --- a/application/tests/deployment_test.yaml +++ b/application/tests/deployment_test.yaml 
@@ -87,16 +87,17 @@ tests: path: spec.template.spec.containers[0].image value: example-image:example-tag@sha256:example-digest - - it: yields empty service account name when disabled + - it: yields default service account name when create is disabled and no existing service account name is given set: - rbac.serviceAccount.enabled: false + rbac.serviceAccount.create: false asserts: - - isNullOrEmpty: - path: spec.template.spec.serviceAccountName + - equal: + path: spec.jobTemplate.spec.template.spec.serviceAccountName + value: default - it: uses service account name override when present set: - rbac.serviceAccount.enabled: true + rbac.serviceAccount.create: true rbac.serviceAccount.name: example-sa asserts: - equal: @@ -106,7 +107,7 @@ tests: - it: uses a generated service account name when not given set: applicationName: example-app - rbac.serviceAccount.enabled: true + rbac.serviceAccount.create: true rbac.serviceAccount.name: "" asserts: - equal: diff --git a/application/tests/job_test.yaml b/application/tests/job_test.yaml index 2441db3b..6ef5cb68 100644 --- a/application/tests/job_test.yaml +++ b/application/tests/job_test.yaml @@ -104,10 +104,11 @@ tests: example: image: repository: example-image - rbac.serviceAccount.enabled: false + rbac.serviceAccount.create: false asserts: - - isNullOrEmpty: + - equal: path: spec.template.spec.serviceAccountName + value: default - it: uses service account name override when present set: @@ -117,7 +118,7 @@ tests: example: image: repository: example-image - rbac.serviceAccount.enabled: true + rbac.serviceAccount.create: true rbac.serviceAccount.name: example-sa asserts: - equal: @@ -133,7 +134,7 @@ tests: image: repository: example-image applicationName: example-app - rbac.serviceAccount.enabled: true + rbac.serviceAccount.create: true rbac.serviceAccount.name: "" asserts: - equal: diff --git a/application/tests/serviceaccount_test.yaml b/application/tests/serviceaccount_test.yaml index 14e838ce..8579e13f 100644 
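Review bot: The new assertion in deployment_test.yaml checks `spec.jobTemplate.spec.template.spec.serviceAccountName`, which is the CronJob path copied from cronjob_test.yaml, while the line it replaces used the Deployment's `spec.template.spec.serviceAccountName`. A Deployment has no `spec.jobTemplate`, so this test either fails outright or never inspects the rendered pod spec, and the `"default"` fallback for Deployments is left unverified. The fix is `path: spec.template.spec.serviceAccountName`. The sibling job_test.yaml hunk on this line uses the correct `spec.template.spec.serviceAccountName` path.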
--- a/application/tests/serviceaccount_test.yaml +++ b/application/tests/serviceaccount_test.yaml @@ -9,7 +9,7 @@ tests: rbac: enabled: false serviceAccount: - enabled: true + create: true asserts: - hasDocuments: count: 0 @@ -19,7 +19,7 @@ tests: rbac: enabled: true serviceAccount: - enabled: false + create: false asserts: - hasDocuments: count: 0 @@ -29,7 +29,7 @@ tests: rbac: enabled: true serviceAccount: - enabled: true + create: true asserts: - hasDocuments: count: 1 @@ -41,7 +41,7 @@ tests: rbac: enabled: true serviceAccount: - enabled: true + create: true additionalLabels: foo: bar test: ing @@ -59,7 +59,7 @@ tests: rbac: enabled: true serviceAccount: - enabled: true + create: true annotations: foo: bar test: ing @@ -76,7 +76,7 @@ tests: rbac: enabled: true serviceAccount: - enabled: true + create: true asserts: - matchRegex: path: metadata.annotations["serviceaccounts.openshift.io/oauth-redirectreference.primary"] @@ -87,7 +87,7 @@ tests: rbac: enabled: true serviceAccount: - enabled: true + create: true name: example-name-that-should-be-used asserts: - equal: diff --git a/application/values-test.yaml b/application/values-test.yaml index 5ab93b63..97efc9c3 100644 --- a/application/values-test.yaml +++ b/application/values-test.yaml @@ -270,7 +270,7 @@ service: kubernetes.io/ingress.class: external-ingress ingress.kubernetes.io/rewrite-target: / ingress.kubernetes.io/force-ssl-redirect: "true" - + ports: - port: 8080 name: http @@ -385,7 +385,7 @@ forecastle: # URL of the icon for the custom app icon: https://raw.githubusercontent.com/stakater/ForecastleIcons/master/stakater-big.png - + # Name of the application to be displayed on the Forecastle Dashboard displayName: "application" @@ -404,7 +404,7 @@ rbac: # Service Account to use by pods serviceAccount: - enabled: true + create: true name: "application" # Additional Labels on service account 
@@ -702,13 +702,13 @@ externalSecret: #SecretStore defines which SecretStore to use when fetching the secret data secretStore: name: example-secret-store - #kind: SecretStore # or ClusterSecretStore + #kind: SecretStore # or ClusterSecretStore # RefreshInterval is the amount of time before the values reading again from the SecretStore provider refreshInterval: "1m" files: secret-1-name: - #Data defines the connection between the Kubernetes Secret keys and the Provider data + #Data defines the connection between the Kubernetes Secret keys and the Provider data data: example-secret-key: remoteRef: @@ -1315,7 +1315,7 @@ backup: snapshotVolumes: true storageLocation: "dpa-1" ttl: "1h0m0s" - includedResources: + includedResources: - deployments - services - persistentvolumeclaims @@ -1330,7 +1330,7 @@ backup: - resourcequotas - controllerrevisions.apps -job: +job: enabled: true jobs: db-migration: @@ -1340,15 +1340,15 @@ job: helm.sh/hook-delete-policy: "before-hook-creation" imagePullSecrets: - name: nexus-secret - image: + image: repository: docker.io/nginx tag: v1.0.0 - env: + env: KEY: value: VALUE command: ["/bin/bash"] args: ["-c","sleep 5000"] - resources: + resources: requests: memory: 5Gi cpu: 1 diff --git a/application/values.yaml b/application/values.yaml index 42a573ed..11d5012c 100644 --- a/application/values.yaml +++ b/application/values.yaml 
@@ -654,22 +654,18 @@ rbac: # -- (bool) Enable RBAC. # @section -- RBAC Parameters enabled: true - # -- (string) Existing Service Account Name. - # @section -- RBAC Parameters - existingServiceAccountName: "" serviceAccount: - # -- (bool) Deploy Service Account. + # -- (bool) Create Service Account. If set to true, a specific service account is created. # @section -- RBAC Parameters - enabled: false - # -- (string) Service Account Name. - # @default -- `{{ include "application.name" $ }}` + create: false + # -- (string) Service Account Name. If not set and `rbac.serviceAccount.create` is set to true, a name is generated using the fullname template. If not set and `rbac.serviceAccount.create` is set to false, `"default"` service account is used. # @section -- RBAC Parameters name: "" - # -- (object) Additional labels for Service Account. + # -- (object) Additional labels for Service Account. If `rbac.serviceAccount.create` is set to true, these labels are appended to the service account. # @section -- RBAC Parameters additionalLabels: # key: value - # -- (object) Annotations for Service Account. + # -- (object) Annotations for Service Account. If `rbac.serviceAccount.create` is set to true, these annotations are appended to the service account. # @section -- RBAC Parameters annotations: # key: value @@ -692,6 +688,14 @@ rbac: # - secrets # verbs: # - get + # -- (object) Additional labels for the Role and RoleBinding resources. + # @section -- RBAC Parameters + additionalLabels: + # key: value + # -- (object) Annotations for the Role and RoleBinding resources. + # @section -- RBAC Parameters + annotations: + # key: value configMap: # -- (bool) Deploy additional ConfigMaps.
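Review bot: The new `rbac.serviceAccount.name` comment says a name is "generated using the fullname template", but `_helpers.tpl` in this same change derives it from `include "application.name"`, and the README table in this diff repeats the same wording; the doc should name the helper actually used. The comment also omits the security-relevant consequence of the `"default"` fallback, which the helper and rolebinding.yaml now rely on. I would replace the `name` comment with: `# -- (string) Service Account Name. If empty and create is true, the "application.name" template value is used. If empty and create is false, pods run as (and any rbac.roles are bound to) the namespace "default" ServiceAccount, so set an explicit name to avoid sharing permissions with unrelated pods.` The second values.yaml hunk (`@@ -692`) may run past the end of what I can see, so I have only reviewed this one.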