feat!: harmonize service account binding #major #363

wants to merge 2 commits into
base: master
10 changes: 6 additions & 4 deletions README.md
Expand Up @@ -213,11 +213,13 @@ helm delete --namespace test my-application
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| rbac.enabled | bool | `true` | Enable RBAC. |
| rbac.serviceAccount.enabled | bool | `false` | Deploy Service Account. |
| rbac.serviceAccount.name | string | `{{ include "application.name" $ }}` | Service Account Name. |
| rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. |
| rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. |
| rbac.serviceAccount.create | bool | `false` | Specifies whether to create a dedicated service account. If set to `true`, a new service account will be created. |
| rbac.serviceAccount.name | string | `""` | The name of the service account. Behavior based on its value and `rbac.serviceAccount.create`: If `rbac.serviceAccount.create` is `false` and `name` is empty, the default service account ("default") is used. If `rbac.serviceAccount.create` is `false` and `name` is set, the provided name is used. If `rbac.serviceAccount.create` is `true` and `name` is empty, a name is auto-generated using the fullname template. If `rbac.serviceAccount.create` is `true` and `name` is set, the provided name is used for creation. |
| rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. If `rbac.serviceAccount.create` is set to true, these labels are appended to the service account. |
| rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. If `rbac.serviceAccount.create` is set to true, these annotations are appended to the service account. |
| rbac.roles | list | `nil` | Namespaced Roles. |
| rbac.additionalLabels | object | `nil` | Additional labels for the Role and RoleBinding resources. |
| rbac.annotations | object | `nil` | Annotations for the Role and RoleBinding resources. |

### ConfigMap Parameters

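--- a/application/templates/_helpers.tpl
+++ b/application/templates/_helpers.tpl
@@ -68,3 +68,17 @@ reference:
 kind: Route
 name: {{ include "application.name" . }}
 {{- end }}
+
+{{/*
+Get the name of the service account to use.
+If the service account is set to be created, return the service account name or a default name.
+If the service account is not set to be created and a name is provided, return the provided name;
+otherwise, return the default namespace service account.
+*/}}
+{{- define "application.serviceAccountName" }}
+{{- if .Values.rbac.serviceAccount.create }}
+{{- default (include "application.name" .) .Values.rbac.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.rbac.serviceAccount.name }}
+{{- end }}
+{{- end }}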
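Review bot: `{{- if .Values.rbac.serviceAccount.create }}` ignores `rbac.enabled`, while serviceaccount.yaml only renders the account under `and .Values.rbac.enabled .Values.rbac.serviceAccount.create`; with `rbac.enabled: false` and `create: true` every pod template is rendered with `serviceAccountName: <application.name>` for an account the chart never creates, and the workload controllers cannot create pods until someone supplies it by hand. Make the helper use the same condition as the manifest, `{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.create }}`, so the existing-account branch is taken whenever the chart does not own the account. Extend the header comment accordingly, e.g. `If RBAC is disabled the chart does not create the account, so the existing-account branch applies.`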
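--- a/application/templates/cronjob.yaml
+++ b/application/templates/cronjob.yaml
@@ -54,13 +54,7 @@ spec:
 annotations: {{ toYaml . | nindent 12 }}
 {{- end }}
 spec:
-{{- if $.Values.rbac.enabled }}
-{{- if $.Values.rbac.serviceAccount.name }}
-serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
-{{- else }}
-serviceAccountName: {{ template "application.name" $ }}
-{{- end }}
-{{- end }}
+serviceAccountName: {{ include "application.serviceAccountName" $ }}
 containers:
 - name: {{ $name }}
 {{- $image := required (print "Undefined image repo for container '" $name "'") $job.image.repository }}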
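Review bot: `serviceAccountName: {{ include "application.serviceAccountName" $ }}` emits the helper's result as an unquoted plain scalar, and `rbac.serviceAccount.name` reaches it verbatim, so a valid DNS-1123 label such as `on`, `no` or `yes` would be read as a boolean by Helm's YAML parser and rejected by the API server. Pipe it through quote, `serviceAccountName: {{ include "application.serviceAccountName" $ | quote }}`; the same applies to the identical line in deployment.yaml and job.yaml. Note also that the old `{{- if $.Values.rbac.enabled }}` gate is gone, so a release with `rbac.enabled: false` now renders this key unconditionally, which is worth calling out in the `#major` release notes. The pod template continues outside the hunk.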
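--- a/application/templates/deployment.yaml
+++ b/application/templates/deployment.yaml
@@ -74,6 +74,7 @@ spec:
 ]
 {{- end }}
 spec:
+serviceAccountName: {{ include "application.serviceAccountName" $ }}
 {{- if .Values.deployment.hostAliases }}
 hostAliases:
 {{ toYaml .Values.deployment.hostAliases | indent 6 }}
@@ -311,13 +312,6 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-{{- if .Values.rbac.serviceAccount.enabled }}
-{{- if .Values.rbac.serviceAccount.name }}
-serviceAccountName: {{ .Values.rbac.serviceAccount.name }}
-{{- else }}
-serviceAccountName: {{ template "application.name" $ }}
-{{- end }}
-{{- end }}
 {{- if .Values.deployment.hostNetwork }}
 hostNetwork: {{ .Values.deployment.hostNetwork }}
 {{- end }}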
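Review bot: `serviceAccountName: {{ include "application.serviceAccountName" $ }}` now always names an account, and with the documented defaults (`create: false`, empty `name`) that account is the namespace `default` one, yet nothing in this hunk sets `automountServiceAccountToken`, so the pod still receives that shared account's API token. Because rolebinding.yaml can attach this chart's Roles to the very same account, a compromised container would get those permissions without any opt-in. Unless the chart exposes the knob elsewhere (not visible in this hunk), consider rendering `automountServiceAccountToken: false` next to this line for workloads that do not talk to the API server, and document the trade-off in the README. The pod spec of the first hunk continues outside the hunk.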
10 changes: 2 additions & 8 deletions application/templates/job.yaml
Expand Up @@ -37,13 +37,7 @@ spec:
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if $.Values.rbac.enabled }}
{{- if $.Values.rbac.serviceAccount.name }}
serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
{{- else }}
serviceAccountName: {{ template "application.name" $ }}
{{- end }}
{{- end }}
serviceAccountName: {{ include "application.serviceAccountName" $ }}
containers:
- name: {{ $name }}

Expand Down Expand Up @@ -104,7 +98,7 @@ spec:
restartPolicy: OnFailure
{{ end }}
{{- with $job.imagePullSecrets}}
imagePullSecrets:
imagePullSecrets:
{{ toYaml . | indent 8 }}
{{ end }}
{{- if $job.dnsConfig }}
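--- a/application/templates/rolebinding.yaml
+++ b/application/templates/rolebinding.yaml
@@ -21,11 +21,7 @@ roleRef:
 name: {{ template "application.name" $ }}-role-{{ .name }}
 subjects:
 - kind: ServiceAccount
-{{- if $.Values.rbac.serviceAccount.name }}
-name: {{ $.Values.rbac.serviceAccount.name }}
-{{- else }}
-name: {{ template "application.name" $ }}
-{{- end }}
+name: {{ include "application.serviceAccountName" $ }}
 namespace: {{ $.Release.Namespace }}
 {{- end }}
 {{- end }}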
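Review bot: With `rbac.serviceAccount.create: false` and an empty `name` (the documented defaults), `name: {{ include "application.serviceAccountName" $ }}` resolves to `default`, so every Role in `rbac.roles` is now bound to the namespace's `default` ServiceAccount, the identity of every pod in the namespace that sets no serviceAccountName; the removed lines bound to the chart's own name in that case, so this silently widens those permissions beyond the release's workloads. Either skip or refuse the binding in that state, e.g. before `subjects:` add `{{- if and (not $.Values.rbac.serviceAccount.create) (empty $.Values.rbac.serviceAccount.name) }}{{- fail "rbac.roles would be bound to the namespace 'default' ServiceAccount; set rbac.serviceAccount.name or rbac.serviceAccount.create=true" }}{{- end }}`, or at minimum spell the behaviour out in the README row for `rbac.serviceAccount.name`. The `range`/`if` that the trailing `{{- end }}` lines close starts outside the hunk.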
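--- a/application/templates/serviceaccount.yaml
+++ b/application/templates/serviceaccount.yaml
@@ -1,9 +1,9 @@
-{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.enabled }}
+{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.create }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-name: {{ default (include "application.name" .) .Values.rbac.serviceAccount.name }}
+name: {{ include "application.serviceAccountName" . }}
 namespace: {{ template "application.namespace" . }}
 labels:
 {{- include "application.labels" $ | nindent 4 }}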
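Review bot: `name: {{ include "application.serviceAccountName" . }}` evaluates to `default` when `rbac.serviceAccount.create: true` is combined with `rbac.serviceAccount.name: default`, so the chart would try to create the namespace's pre-existing `default` ServiceAccount and the install fails on the ownership conflict, since that object is not managed by the release. Reject the combination at render time, right after the opening `if`: `{{- if eq (include "application.serviceAccountName" .) "default" }}{{- fail "rbac.serviceAccount.name must not be 'default' when rbac.serviceAccount.create is true" }}{{- end }}`. The manifest body continues past the hunk.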
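--- a/application/tests/cronjob_test.yaml
+++ b/application/tests/cronjob_test.yaml
@@ -77,3 +77,48 @@ tests:
 - equal:
 path: spec.jobTemplate.spec.template.spec.containers[0].image
 value: example-image:example-tag@sha256:example-digest
+
+- it: yields default service account name when create is disabled and no existing service account name is given
+set:
+cronJob:
+enabled: true
+jobs:
+example:
+image:
+repository: example-image
+rbac.serviceAccount.create: false
+asserts:
+- equal:
+path: spec.jobTemplate.spec.template.spec.serviceAccountName
+value: default
+
+- it: uses service account name override when present
+set:
+cronJob:
+enabled: true
+jobs:
+example:
+image:
+repository: example-image
+rbac.serviceAccount.create: true
+rbac.serviceAccount.name: example-sa
+asserts:
+- equal:
+path: spec.jobTemplate.spec.template.spec.serviceAccountName
+value: example-sa
+
+- it: uses a generated service account name when not given
+set:
+cronJob:
+enabled: true
+jobs:
+example:
+image:
+repository: example-image
+applicationName: example-app
+rbac.serviceAccount.create: true
+rbac.serviceAccount.name: ""
+asserts:
+- equal:
+path: spec.jobTemplate.spec.template.spec.serviceAccountName
+value: example-app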
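Review bot: None of the three new cases sets `rbac.enabled: false`, which is the one state where the rendered `serviceAccountName` (the helper branches on `create` alone) and the ServiceAccount manifest (gated on `and rbac.enabled create`) can disagree. Add a case with `rbac.enabled: false` and `rbac.serviceAccount.create: true` that asserts whichever name the chart intends to render in that state, so the behaviour is pinned rather than accidental. The three cases otherwise mirror the deployment suite, which is fine.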
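--- a/application/tests/deployment_test.yaml
+++ b/application/tests/deployment_test.yaml
@@ -87,16 +87,17 @@ tests:
 path: spec.template.spec.containers[0].image
 value: example-image:example-tag@sha256:example-digest
 
-- it: yields empty service account name when disabled
+- it: yields default service account name when create is disabled and no existing service account name is given
 set:
-rbac.serviceAccount.enabled: false
+rbac.serviceAccount.create: false
 asserts:
-- notExists:
+- equal:
 path: spec.template.spec.serviceAccountName
+value: default
 
 - it: uses service account name override when present
 set:
-rbac.serviceAccount.enabled: true
+rbac.serviceAccount.create: true
 rbac.serviceAccount.name: example-sa
 asserts:
 - equal:
@@ -106,7 +107,7 @@ tests:
 - it: uses a generated service account name when not given
 set:
 applicationName: example-app
-rbac.serviceAccount.enabled: true
+rbac.serviceAccount.create: true
 rbac.serviceAccount.name: ""
 asserts:
 - equal: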
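--- a/application/tests/job_test.yaml
+++ b/application/tests/job_test.yaml
@@ -95,3 +95,48 @@ tests:
 path: spec.template.metadata.annotations
 value:
 helm.sh/hook: "pre-install,pre-upgrade"
+
+- it: yields empty service account name when disabled
+set:
+job:
+enabled: true
+jobs:
+example:
+image:
+repository: example-image
+rbac.serviceAccount.create: false
+asserts:
+- equal:
+path: spec.template.spec.serviceAccountName
+value: default
+
+- it: uses service account name override when present
+set:
+job:
+enabled: true
+jobs:
+example:
+image:
+repository: example-image
+rbac.serviceAccount.create: true
+rbac.serviceAccount.name: example-sa
+asserts:
+- equal:
+path: spec.template.spec.serviceAccountName
+value: example-sa
+
+- it: uses a generated service account name when not given
+set:
+job:
+enabled: true
+jobs:
+example:
+image:
+repository: example-image
+applicationName: example-app
+rbac.serviceAccount.create: true
+rbac.serviceAccount.name: ""
+asserts:
+- equal:
+path: spec.template.spec.serviceAccountName
+value: example-app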
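Review bot: The title `- it: yields empty service account name when disabled` is stale: the assertion under it expects `serviceAccountName` to equal `default`, not to be absent, and the knob being toggled is `rbac.serviceAccount.create`, not an "enabled" switch. Rename it to match the cronjob and deployment suites, `- it: yields default service account name when create is disabled and no existing service account name is given`, so a failing run describes the actual contract.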
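--- a/application/tests/rolebinding_test.yaml
+++ b/application/tests/rolebinding_test.yaml
@@ -121,6 +121,7 @@ tests:
 roles:
 - name: example
 serviceAccount:
+create: true
 name: ""
 asserts:
 - equal: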
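Review bot: Only the `create: true` path is exercised; the new fallback in rolebinding.yaml, where `create: false` with an empty `name` binds the Roles to the namespace `default` ServiceAccount, has no test. Add a case with `create: false` and `name: ""` asserting `subjects[0].name` equals `default`, so that privilege-relevant fallback is explicit and any later change to it shows up in CI. The `set` block this hunk belongs to starts above the hunk.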
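--- a/application/tests/serviceaccount_test.yaml
+++ b/application/tests/serviceaccount_test.yaml
@@ -9,7 +9,7 @@ tests:
 rbac:
 enabled: false
 serviceAccount:
-enabled: true
+create: true
 asserts:
 - hasDocuments:
 count: 0
@@ -19,7 +19,7 @@ tests:
 rbac:
 enabled: true
 serviceAccount:
-enabled: false
+create: false
 asserts:
 - hasDocuments:
 count: 0
@@ -29,7 +29,7 @@ tests:
 rbac:
 enabled: true
 serviceAccount:
-enabled: true
+create: true
 asserts:
 - hasDocuments:
 count: 1
@@ -41,7 +41,7 @@ tests:
 rbac:
 enabled: true
 serviceAccount:
-enabled: true
+create: true
 additionalLabels:
 foo: bar
 test: ing
@@ -59,7 +59,7 @@ tests:
 rbac:
 enabled: true
 serviceAccount:
-enabled: true
+create: true
 annotations:
 foo: bar
 test: ing
@@ -76,7 +76,7 @@ tests:
 rbac:
 enabled: true
 serviceAccount:
-enabled: true
+create: true
 asserts:
 - matchRegex:
 path: metadata.annotations["serviceaccounts.openshift.io/oauth-redirectreference.primary"]
@@ -87,7 +87,7 @@ tests:
 rbac:
 enabled: true
 serviceAccount:
-enabled: true
+create: true
 name: example-name-that-should-be-used
 asserts:
 - equal: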