diff --git a/charts/redpanda/templates/_helpers.tpl b/charts/redpanda/templates/_helpers.tpl
index bf76335be0..6c9ad88d16 100644
--- a/charts/redpanda/templates/_helpers.tpl
+++ b/charts/redpanda/templates/_helpers.tpl
@@ -49,14 +49,54 @@ Get the version of redpanda being used as an image {{/* Create the name of the service account to use +{{ include "redpanda.serviceAccountName" (list . "statefulset") }} +{{ include "redpanda.serviceAccountName" (list . "kafkaProduceConsume" "tests") }} + * root is the chart root . + * service_id is the service as defined in values. + ex: statefulset, postUpgrade, postInstallUpgrade + * child is a child of serviceAccounts containing it's own serviceAccount definition. + ex: tests */}} {{- define "redpanda.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "redpanda.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} +{{- $root := index . 0 }} +{{- $service_id := index . 1 }} +{{- $child := (ternary (last .) "" (gt (len .) 2)) }} +{{- $service := (fromJson (include "redpanda.serviceAccount" (list $root.Values.serviceAccount $service_id $child))) -}} +{{- if $service.create }} + {{- default (include "redpanda.fullname" $root) $service.name }} +{{- else -}} + {{- default "default" $service.name }} +{{- end -}} +{{- end -}} + +{{/* +Get the serviceAccount definition and if it does not exists return parent defintion +{{ include "redpanda.serviceAccount" (list .Values.serviceAccount "statefulset") }} +{{ include "redpanda.serviceAccountName" (list .Values.serviceAccount "kafkaProduceConsume" "tests") }} + * root is the chart root . + * service_id is the service as defined in values. + ex: statefulset, postUpgrade, postInstallUpgrade, tests + * child is a child of serviceAccounts containing it's own serviceAccount definition. + ex: tests +*/}} +{{- define "redpanda.serviceAccount" -}} +{{ $root := index . 0 }} +{{ $service := index . 1 }} +{{ $child := (ternary (last .) "" (gt (len .) 2)) }} +{{- with $root -}} + {{- if hasKey . $child -}} + {{ if hasKey (get . $child) $service }} + {{ toJson (get (get . 
$child) $service) }} + {{- else }} + {{ toJson (get . $child) }} + {{- end }} + {{- else if hasKey . $service }} + {{ toJson (get . $service) }} + {{- else -}} + {{ toJson . }} + {{- end -}} +{{- end -}} +{{- end -}} {{/* Use AppVersion if image.tag is not set diff --git a/charts/redpanda/templates/post-install-upgrade-job.yaml b/charts/redpanda/templates/post-install-upgrade-job.yaml index e43a3c8daf..28f4d0f7d2 100644 --- a/charts/redpanda/templates/post-install-upgrade-job.yaml +++ b/charts/redpanda/templates/post-install-upgrade-job.yaml @@ -48,6 +48,9 @@ spec: {{- end }} spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "postInstallUpgrade" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }}-post-install image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} @@ -66,7 +69,7 @@ spec: - > {{- if .Values.auth.sasl.enabled }} {{- range $user := .Values.auth.sasl.users }} - rpk acl user create {{ $user.name }} -p {{ $user.password | quote }} {{ template "rpk-common-flags" $ }} + rpk acl user create {{ $user.name }} -p {{ $user.password | quote }} {{ template "rpk-common-flags" $ }} ; {{- end }} {{- end }} diff --git a/charts/redpanda/templates/post-upgrade.yaml b/charts/redpanda/templates/post-upgrade.yaml index eb4db7b711..5c1ec13093 100644 --- a/charts/redpanda/templates/post-upgrade.yaml +++ b/charts/redpanda/templates/post-upgrade.yaml @@ -32,6 +32,9 @@ spec: {{- end }} spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "postUpgrade" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }}-post-upgrade image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} diff --git a/charts/redpanda/templates/serviceaccount.yaml b/charts/redpanda/templates/serviceaccount.yaml index 8969c764a7..30d1c78bda 100644 
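Review bot: In `redpanda.serviceAccountName` an override is used verbatim as soon as its key exists, so a per-service block with `create: false` and an empty `name` reaches `default "default" $service.name` and selects the namespace's `default` account rather than the top-level one. The commented examples added to values.yaml have exactly that shape, so uncommenting one as written moves the pod off the chart's account. Either resolve an empty override name against the parent before falling back to `default`, or state the rule in the helper comment, e.g. `An override replaces the parent entirely; create: false with an empty name selects the "default" ServiceAccount.` The comment on `redpanda.serviceAccount` also needs correcting: its second example calls `redpanda.serviceAccountName` with that helper's argument list, and `root` there is the serviceAccount values map, not the chart root.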
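Review bot: The value rendered for `serviceAccountName` is emitted unquoted, so a user-supplied `name` that YAML reads as a number or boolean reaches the API with the wrong type and the Job is rejected. Quote it at the call site: `serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "postInstallUpgrade") | quote }}`. The same three lines are added in post-upgrade.yaml, statefulset.yaml and every file under templates/tests/, and the same change applies to each. The pod spec continues outside the hunk.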
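Review bot: Terminating each `rpk acl user create` with ` ;` discards its exit status, so the hook can report success although a SASL user was never created, unless the script enables `set -e` somewhere outside this hunk. That is worth confirming, and `set -e` should be added at the top of the folded script if it is absent. On the same line `{{ $user.name }}` is interpolated into the shell command unquoted while the password is quoted; `{{ $user.name | quote }}` would at least treat both values alike. The password still ends up in the rendered Job manifest and in the process arguments, readable by anyone who can read the Job or pod spec; that is inherited from the old line and needs a Secret-backed input to change.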
--- a/charts/redpanda/templates/serviceaccount.yaml +++ b/charts/redpanda/templates/serviceaccount.yaml @@ -14,8 +14,9 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} ---- +{{- if .Values.serviceAccount -}} {{- if .Values.serviceAccount.create -}} +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -35,3 +36,54 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} +{{- $root := . -}} +{{- range $k, $v := (omit .Values.serviceAccount "create" "annotations" "name") -}} +{{- if $v.create }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "redpanda.serviceAccountName" (list $root $k) }} + namespace: {{ $root.Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "redpanda.chart" $root }} + app.kubernetes.io/name: {{ template "redpanda.name" $root }} + app.kubernetes.io/instance: {{ $root.Release.Name | quote }} + app.kubernetes.io/managed-by: {{ $root.Release.Service | quote }} + app.kubernetes.io/component: {{ template "redpanda.name" $root }} + {{- with $root.Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $v.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} + +{{- if .Values.serviceAccount.tests }} +{{- range $k, $v := (omit .Values.serviceAccount.tests "create" "annotations" "name") }} +{{- if $v.create }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "redpanda.serviceAccountName" (list $root $k "tests") }} + namespace: {{ $root.Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "redpanda.chart" $root }} + app.kubernetes.io/name: {{ template "redpanda.name" $root }} + app.kubernetes.io/instance: {{ $root.Release.Name | quote }} + app.kubernetes.io/managed-by: {{ $root.Release.Service | quote }} + app.kubernetes.io/component: {{ template "redpanda.name" $root }} + {{- with $root.Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $v.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/redpanda/templates/statefulset.yaml b/charts/redpanda/templates/statefulset.yaml index 7750747e02..4c94245d25 100644 --- a/charts/redpanda/templates/statefulset.yaml 
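Review bot: Every override with `create: true` and an empty `name` renders the same `metadata.name`, because `redpanda.serviceAccountName` defaults to `redpanda.fullname` without the service key. Two such overrides, or one override next to the top-level account if that uses the same default (its name line is outside this hunk), therefore produce duplicate ServiceAccount manifests, and the per-component separation this change is meant to provide is lost. Rejecting the combination in both loops avoids that, with the key path adjusted in the tests loop: `{{- if not $v.name }}{{ fail (printf "serviceAccount.%s.name must be set when create is true" $k) }}{{- end }}`. The two loop bodies are identical apart from the `"tests"` argument and could be a single named template.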
+++ b/charts/redpanda/templates/statefulset.yaml @@ -57,6 +57,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "statefulset" ) }} + {{- end }} securityContext: {{- toYaml .Values.statefulset.podSecurityContext | nindent 8 }} initContainers: diff --git a/charts/redpanda/templates/tests/test-api-status.yaml b/charts/redpanda/templates/tests/test-api-status.yaml index 02e40fb4fa..c92b959b1d 100644 --- a/charts/redpanda/templates/tests/test-api-status.yaml +++ b/charts/redpanda/templates/tests/test-api-status.yaml @@ -34,6 +34,9 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "apiStatus" "tests" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }} image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} diff --git a/charts/redpanda/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/templates/tests/test-kafka-internal-tls-status.yaml index cbef84ff37..e60953cda0 100644 --- a/charts/redpanda/templates/tests/test-kafka-internal-tls-status.yaml +++ b/charts/redpanda/templates/tests/test-kafka-internal-tls-status.yaml @@ -34,6 +34,9 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "kafkaInternalTlsStatus" "tests" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }} image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} diff --git a/charts/redpanda/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/templates/tests/test-kafka-produce-consume.yaml index 3c683cb99b..2918767122 100644 --- a/charts/redpanda/templates/tests/test-kafka-produce-consume.yaml 
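Review bot: With `serviceAccountName` set here, the broker pods now run under an account that may carry cloud-identity annotations, and nothing in the hunk limits the Kubernetes API token mounted alongside it; the test pods that receive the same lines are in the same position. If these workloads do not call the Kubernetes API, add `automountServiceAccountToken: false` next to `serviceAccountName`, or expose it as a chart value. The rest of the pod spec is outside the hunk, so it may already be set there.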
+++ b/charts/redpanda/templates/tests/test-kafka-produce-consume.yaml @@ -39,6 +39,9 @@ spec: template: spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "kafkaProduceConsume" "tests" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }} image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} diff --git a/charts/redpanda/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/templates/tests/test-kafka-sasl-status.yaml index dcce83c391..e859f1948d 100644 --- a/charts/redpanda/templates/tests/test-kafka-sasl-status.yaml +++ b/charts/redpanda/templates/tests/test-kafka-sasl-status.yaml @@ -34,6 +34,9 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "kafkaSaslStatus" "tests" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }} image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} diff --git a/charts/redpanda/templates/tests/test-kafka-sasl-tls-status.yaml b/charts/redpanda/templates/tests/test-kafka-sasl-tls-status.yaml index 3e787fa20e..7321f7ce60 100644 --- a/charts/redpanda/templates/tests/test-kafka-sasl-tls-status.yaml +++ b/charts/redpanda/templates/tests/test-kafka-sasl-tls-status.yaml @@ -34,6 +34,9 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "kafkaSaslTlsStatus" "tests" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }} image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} 
diff --git a/charts/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml index b4c6ca9d96..cb39f45606 100644 --- a/charts/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml +++ b/charts/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml @@ -34,6 +34,9 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "pandaProxyInternalTlsStatus" "tests" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }} image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} diff --git a/charts/redpanda/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/templates/tests/test-pandaproxy-status.yaml index b1221e6a02..a2439e43cc 100644 --- a/charts/redpanda/templates/tests/test-pandaproxy-status.yaml +++ b/charts/redpanda/templates/tests/test-pandaproxy-status.yaml @@ -34,6 +34,9 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "pandaProxyStatus" "tests" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }} image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} diff --git a/charts/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml b/charts/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml index 8d6205845c..5d2bf0c807 100644 --- a/charts/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml +++ b/charts/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml 
@@ -34,6 +34,9 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "schemaRegistryInternalTlsStatus" "tests" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }} image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} diff --git a/charts/redpanda/templates/tests/test-schemaregistry-status.yaml b/charts/redpanda/templates/tests/test-schemaregistry-status.yaml index d3ed792665..cb75ae669b 100644 --- a/charts/redpanda/templates/tests/test-schemaregistry-status.yaml +++ b/charts/redpanda/templates/tests/test-schemaregistry-status.yaml @@ -36,6 +36,9 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: restartPolicy: Never + {{- if .Values.serviceAccount }} + serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "schemaRegistryStatus" "tests" ) }} + {{- end }} containers: - name: {{ template "redpanda.name" . }} image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} diff --git a/charts/redpanda/values.schema.json b/charts/redpanda/values.schema.json index 371b5bbb19..ef13238d45 100644 --- a/charts/redpanda/values.schema.json +++ b/charts/redpanda/values.schema.json @@ -559,6 +559,40 @@ }, "name": { "type": "string" + }, + "statefulset": { + "$ref": "#/$defs/serviceAccount" + }, + "postUpgradeJob": { + "$ref": "#/$defs/serviceAccount" + }, + "postInstallJob": { + "$ref": "#/$defs/serviceAccount" + }, + "tests": { + "type": "object", + "required": [ + "create", + "annotations", + "name" + ], + "propertyNames": { + "pattern": "^[A-Za-z_][A-Za-z0-9_]*$" + }, + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": { + "$ref": "#/$defs/serviceAccount" + } } } }, 
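Review bot: The new properties `postUpgradeJob` and `postInstallJob` do not match the keys the templates pass to the helper, `postUpgrade` and `postInstallUpgrade`, which are also the names used in the values.yaml comments. The overrides the schema describes are therefore never read, and the ones the templates read are not validated, so a user who follows the schema gets no error while the hook jobs silently keep the top-level account. Rename the two properties to `postUpgrade` and `postInstallUpgrade`. Whether unknown keys are rejected depends on the enclosing object's `additionalProperties`, which is outside this hunk.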
@@ -896,5 +930,27 @@ } } } + }, + "$defs": { + "serviceAccount": { + "type": "object", + "required": [ + "create", + "annotations", + "name" + ], + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": false + } } } diff --git a/charts/redpanda/values.yaml b/charts/redpanda/values.yaml index 756645c135..e81fc4c6c4 100644 --- a/charts/redpanda/values.yaml +++ b/charts/redpanda/values.yaml 
@@ -327,6 +327,65 @@ serviceAccount: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" + # All config bellow this comment allows for setting specific service accounts + # for parts of the helm. Any services with no additional config will use the + # service account defined in the top level serviceAccount definition. + # Create service account specific to statefulset and tests + #statefulset: + # create: true + # annotations: {} + # name: "test" + # postUpgrade: + # create: false + # annotations: {} + # name: "" + # postInstallUpgrade: + # create: false + # annotations: {} + # name: "" + # Test specific service account + # Setting values for the tests object will apply the same service account to + # all tests. + # tests: + # create: false + # annotations: {} + # name: "" + # apiStatus: + # create:false + # annotations: {} + # name: "" + # kafkaInternalTlsStatus: + # create: false + # annotations: {} + # name: "" + # kafkaProduceConsume: + # create: false + # annotations: {} + # name: "" + # kafkaSaslStatus: + # create: false + # annotations: {} + # name: "" + # kafkaSaslTlsStatus: + # create: false + # annotations: {} + # name: "" + # pandaProxyInternalTlsStatus: + # create: false + # annotations: {} + # name: "" + # pandaProxyStatus: + # create: false + # annotations: {} + # name: "" + # schemaRegistryInternalTlsStatus: + # create: false + # annotations: {} + # name: "" + # schemaRegistryStatus: + # create: false + # annotations: {} + # name: "" tuning: {} # This section contains Redpanda tuning parameters.
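Review bot: The commented example under `apiStatus` reads `create:false` with no space after the colon, which YAML parses as a plain scalar rather than a key, so uncommenting the block as written breaks the values file; it should be `# create: false`. `#statefulset:` also lacks the space after `#` that its sibling entries have, which makes the intended nesting hard to read. In the first added comment, "bellow" should be "below".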