diff --git a/charts/drupal/templates/_helpers.tpl b/charts/drupal/templates/_helpers.tpl
index 98f3f09c..ddc46f1b 100644
--- a/charts/drupal/templates/_helpers.tpl
+++ b/charts/drupal/templates/_helpers.tpl
@@ -732,3 +732,11 @@ autoscaling/v2beta1
 {{- else }}false
 {{- end }}
 {{- end }}
+
+{{- define "drupal.serviceAccountName" }}
+{{- if .Values.serviceAccount.name }}
+{{- .Values.serviceAccount.name }}
+{{- else }}
+{{- .Release.Name }}-sa
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/drupal/templates/backup-cron.yaml b/charts/drupal/templates/backup-cron.yaml
index 6a377d5a..c83cf2bf 100644
--- a/charts/drupal/templates/backup-cron.yaml
+++ b/charts/drupal/templates/backup-cron.yaml
@@ -76,7 +76,7 @@ spec:
 {{- else }}
 claimName: {{ .Release.Name }}-backup
 {{- end }}
- {{- include "drupal.imagePullSecrets" . | nindent 10 }}
+ serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}
 ---
diff --git a/charts/drupal/templates/clamav-deployment.yaml b/charts/drupal/templates/clamav-deployment.yaml
index efa8f9ec..fb2de452 100644
--- a/charts/drupal/templates/clamav-deployment.yaml
+++ b/charts/drupal/templates/clamav-deployment.yaml
@@ -68,4 +68,5 @@ spec:
 - name: avdata
 source:
 emptyDir: {}
+ serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}
diff --git a/charts/drupal/templates/drupal-cron.yaml b/charts/drupal/templates/drupal-cron.yaml
index dce0621a..e2385be0 100644
--- a/charts/drupal/templates/drupal-cron.yaml
+++ b/charts/drupal/templates/drupal-cron.yaml
@@ -159,7 +159,7 @@ spec:
 volumes:
 {{- include "drupal.volumes" $ | nindent 12 }}
- {{- include "drupal.imagePullSecrets" $ | nindent 10 }}
+ serviceAccountName: {{ include "drupal.serviceAccountName" $ }}
 ---
 {{- end }}
 {{- end }}
diff --git a/charts/drupal/templates/drupal-deployment.yaml b/charts/drupal/templates/drupal-deployment.yaml
index e15508a4..7875c89f 100644
--- a/charts/drupal/templates/drupal-deployment.yaml
+++ b/charts/drupal/templates/drupal-deployment.yaml
@@ -166,7 +166,7 @@ spec:
 - name: sigsci-tmp
 emptyDir: {}
 {{- end }}
- {{- include "drupal.imagePullSecrets" . | nindent 6 }}
+ serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 nodeSelector:
 {{- .Values.php.nodeSelector | toYaml | nindent 8 }}
 tolerations:
diff --git a/charts/drupal/templates/post-release.yaml b/charts/drupal/templates/post-release.yaml
index 030f636c..b0796810 100644
--- a/charts/drupal/templates/post-release.yaml
+++ b/charts/drupal/templates/post-release.yaml
@@ -40,7 +40,7 @@ spec:
 {{- end }}
 resources:
 {{- .Values.php.postinstall.resources | toYaml | nindent 10 }}
- {{- include "drupal.imagePullSecrets" . | nindent 6 }}
+ serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 volumes:
 {{- include "drupal.volumes" . | nindent 8 }}
 {{- if .Values.referenceData.enabled -}}
diff --git a/charts/drupal/templates/reference-data-cron.yaml b/charts/drupal/templates/reference-data-cron.yaml
index 9155b8b1..0951141e 100644
--- a/charts/drupal/templates/reference-data-cron.yaml
+++ b/charts/drupal/templates/reference-data-cron.yaml
@@ -53,7 +53,7 @@ spec:
 {{- else }}
 claimName: {{ include "drupal.referenceEnvironment" . }}-reference-data
 {{- end }}
- {{- include "drupal.imagePullSecrets" . | nindent 10 }}
+ serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}
 {{- end }}
 ---
diff --git a/charts/drupal/templates/serviceaccount.yaml b/charts/drupal/templates/serviceaccount.yaml
new file mode 100644
index 00000000..0d98a9f6
--- /dev/null
+++ b/charts/drupal/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-sa
+ labels:
+ {{- include "drupal.release_labels" . | nindent 4 }}
+automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+{{- include "drupal.imagePullSecrets" . }}
+
\ No newline at end of file
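Review bot: `automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}` in the new serviceaccount.yaml reads a top-level value, but the values.yaml and values.schema.json hunks in this same commit only define it nested as `serviceAccount.automountServiceAccountToken`, so the field renders empty and Kubernetes falls back to its default of mounting the API token into every pod that now runs under this account — the `false` default silently does nothing. Change it to `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}`. The account is also created unconditionally, so a release with `serviceAccount.name` set still gets an unused `<release>-sa`; wrapping the manifest in `{{- if not .Values.serviceAccount.name }}` would avoid that. The `drupal.imagePullSecrets` include is now emitted at top level without the `nindent` the pod specs used, which presumably relies on the helper emitting its own leading newline and `imagePullSecrets:` key — worth confirming against the rendered output, since the updated test only exercises the case where a secret is set.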
diff --git a/charts/drupal/templates/shell-deployment.yaml b/charts/drupal/templates/shell-deployment.yaml
index 2924811b..8f65d3fa 100644
--- a/charts/drupal/templates/shell-deployment.yaml
+++ b/charts/drupal/templates/shell-deployment.yaml
@@ -100,6 +100,6 @@ spec:
 claimName: {{ .Release.Name }}-backup
 {{- end }}
 {{- end }}
- {{- include "drupal.imagePullSecrets" . | nindent 6 }}
+ serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}
 ---
diff --git a/charts/drupal/templates/silta-hub.yaml b/charts/drupal/templates/silta-hub.yaml
index 2a50fa01..943e2396 100644
--- a/charts/drupal/templates/silta-hub.yaml
+++ b/charts/drupal/templates/silta-hub.yaml
@@ -35,7 +35,7 @@ data:
 {{- include "drupal.volumeMounts" . | nindent 14 }}
 resources:
 {{- .Values.php.postinstall.resources | toYaml | nindent 14 }}
- {{- include "drupal.imagePullSecrets" . | nindent 10 }}
+ serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 volumes:
 {{- include "drupal.volumes" . | nindent 12 }}
 syncPullJob: |
@@ -63,6 +63,6 @@ data:
 {{- include "drupal.volumeMounts" . | nindent 14 }}
 resources:
 {{- .Values.php.postinstall.resources | toYaml | nindent 14 }}
- {{- include "drupal.imagePullSecrets" . | nindent 10 }}
+ serviceAccountName: {{ .Release.Name }}-sa
 volumes:
 {{- include "drupal.volumes" . | nindent 12 }}
diff --git a/charts/drupal/templates/solr-statefulset.yaml b/charts/drupal/templates/solr-statefulset.yaml
index 7f080c88..42e84a35 100644
--- a/charts/drupal/templates/solr-statefulset.yaml
+++ b/charts/drupal/templates/solr-statefulset.yaml
@@ -79,7 +79,7 @@ spec:
 volumes:
 - name: {{ .Release.Name }}-core-dir
 emptyDir: {}
-
+ serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 volumeClaimTemplates:
 - metadata:
 name: {{ .Release.Name }}-solr-data
diff --git a/charts/drupal/templates/varnish-deployment.yaml b/charts/drupal/templates/varnish-deployment.yaml
index 0f487aae..d194a776 100644
--- a/charts/drupal/templates/varnish-deployment.yaml
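Review bot: The syncPullJob hunk of silta-hub.yaml hard-codes `serviceAccountName: {{ .Release.Name }}-sa`, while the postinstall hunk just above it and every other pod spec in this commit go through the `drupal.serviceAccountName` helper; with `serviceAccount.name` set, the sync-pull job therefore runs under the chart-default account rather than the configured one, without that account's pull secrets or token policy. Use `serviceAccountName: {{ include "drupal.serviceAccountName" . }}` here as well. The new serviceaccount_test suite would not catch this because silta-hub.yaml is not in its template list.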
+++ b/charts/drupal/templates/varnish-deployment.yaml
@@ -74,4 +74,5 @@ spec:
 - name: varnish-secret
 secret:
 secretName: {{ .Release.Name }}-secrets-varnish
+ serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}
diff --git a/charts/drupal/tests/private_docker_image_test.yaml b/charts/drupal/tests/private_docker_image_test.yaml
index 326f57a0..e44eaf30 100644
--- a/charts/drupal/tests/private_docker_image_test.yaml
+++ b/charts/drupal/tests/private_docker_image_test.yaml
@@ -1,47 +1,21 @@
 suite: private docker image templates: - - drupal-configmap.yaml - - drupal-cron.yaml - - drupal-deployment.yaml - - drupal-secret.yaml - - post-release.yaml -capabilities: - apiVersions: - - pxc.percona.com/v1 + - serviceaccount.yaml + tests: - it: has no image pull secret by default - template: drupal-deployment.yaml + template: serviceaccount.yaml asserts: - isNull: path: spec.template.spec.imagePullSecrets - - template: drupal-cron.yaml isNull: path: spec.jobTemplate.spec.template.spec.imagePullSecrets - - template: post-release.yaml isNull: path: spec.template.spec.imagePullSecrets - it: sets the image pull secret - template: drupal-deployment.yaml + template: serviceaccount.yaml set: imagePullSecrets: - name: gcr asserts: - contains: - path: spec.template.spec.imagePullSecrets - content: - name: gcr - - - template: drupal-cron.yaml contains: path: spec.jobTemplate.spec.template.spec.imagePullSecrets + path: imagePullSecrets content: name: gcr - - - template: post-release.yaml contains: path: spec.template.spec.imagePullSecrets content: name: gcr - -
diff --git a/charts/drupal/tests/serviceaccount_test.yaml b/charts/drupal/tests/serviceaccount_test.yaml
new file mode 100644
index 00000000..cbd74d9a
--- /dev/null
+++ b/charts/drupal/tests/serviceaccount_test.yaml
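Review bot: The "has no image pull secret by default" case now targets serviceaccount.yaml but keeps the unchanged context line `path: spec.template.spec.imagePullSecrets`; a ServiceAccount has no `spec`, so `isNull` on that path is vacuously true and the test can never fail. It should assert `path: imagePullSecrets`, as the second case in the same hunk already does after its `+ path: imagePullSecrets` edit. Without that, a regression that attaches pull secrets to the account unconditionally would go unnoticed.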
@@ -0,0 +1,56 @@
+suite: service account test
+templates:
+ - drupal-configmap.yaml
+ - drupal-cron.yaml
+ - drupal-deployment.yaml
+ - drupal-secret.yaml
+ - post-release.yaml
+ - backup-cron.yaml
+tests:
+ - it: has default release serviceaccount by default
+ template: drupal-deployment.yaml
+ set:
+ backup:
+ enabled: true
+ asserts:
+ - template: drupal-deployment.yaml
+ equal:
+ path: spec.template.spec.serviceAccountName
+ value: RELEASE-NAME-sa
+ - template: drupal-cron.yaml
+ equal:
+ path: spec.jobTemplate.spec.template.spec.serviceAccountName
+ value: RELEASE-NAME-sa
+ - template: post-release.yaml
+ equal:
+ path: spec.template.spec.serviceAccountName
+ value: RELEASE-NAME-sa
+ - template: backup-cron.yaml
+ equal:
+ path: spec.jobTemplate.spec.template.spec.serviceAccountName
+ value: RELEASE-NAME-sa
+
+ - it: can set a custom serviceaccount
+ template: drupal-deployment.yaml
+ set:
+ serviceAccount:
+ name: foo
+ backup:
+ enabled: true
+ asserts:
+ - template: drupal-deployment.yaml
+ equal:
+ path: spec.template.spec.serviceAccountName
+ value: foo
+ - template: drupal-cron.yaml
+ equal:
+ path: spec.jobTemplate.spec.template.spec.serviceAccountName
+ value: foo
+ - template: post-release.yaml
+ equal:
+ path: spec.template.spec.serviceAccountName
+ value: foo
+ - template: backup-cron.yaml
+ equal:
+ path: spec.jobTemplate.spec.template.spec.serviceAccountName
+ value: foo
diff --git a/charts/drupal/values.schema.json b/charts/drupal/values.schema.json
index c9c81d60..aa501623 100644
--- a/charts/drupal/values.schema.json
+++ b/charts/drupal/values.schema.json
@@ -8,6 +8,14 @@ "branchName": { "type": "string" },
 "imagePullSecrets": { "type": "array" },
 "imagePullSecret": { "type": "string" },
+ "serviceAccount": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "name": { "type": "string" },
+ "automountServiceAccountToken": { "type": "boolean" }
+ }
+ },
 "app": { "type": "string" },
 "webRoot": { "type": "string" },
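Review bot: The new suite only checks which `serviceAccountName` the pod specs carry; nothing renders serviceaccount.yaml itself, so the mismatch between the template's `.Values.automountServiceAccountToken` and the nested `serviceAccount.automountServiceAccountToken` in values.yaml goes untested and the token-mount default is not pinned. Add serviceaccount.yaml to `templates` and a case that asserts the rendered `automountServiceAccountToken` is `false` by default (and flips when the value is set to `true`); as written today that assertion would fail, which is the point. The custom-name case should also state what is expected of the chart-created `RELEASE-NAME-sa` when `serviceAccount.name` is set, since the template currently creates it regardless.

```yaml
  - it: does not mount the service account token by default
    template: serviceaccount.yaml
    asserts:
      - equal:
          path: automountServiceAccountToken
          value: false
```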
diff --git a/charts/drupal/values.yaml b/charts/drupal/values.yaml
index e702d4b1..c6f327e5 100644
--- a/charts/drupal/values.yaml
+++ b/charts/drupal/values.yaml
@@ -27,6 +27,12 @@ imagePullSecrets: []
 # Custom imagePullSecret for the containers. Base64 encoded. This will create a secret and append it to the imagePullSecrets.
 imagePullSecret: ""
+serviceAccount:
+ # Default value: [Release.Name]-sa
+ name: ""
+ # Mount service account token to the containers.
+ automountServiceAccountToken: false
+
 # The app label added to our Kubernetes resources.
 app: drupal
@@ -593,6 +599,8 @@ mariadb:
 operator: NotIn
 values:
 - static-ip
+ serviceAccount:
+ create: true
 enableServiceLinks: false
 varnish:
@@ -657,6 +665,10 @@ elasticsearch:
 # Disable service links that cause a slow startup.
 enableServiceLinks: false
+ rbac:
+ create: true
+ automountToken: false
+
 # This value should be slightly less than 50% of the requested memory.
 esJavaOpts: -Xmx220m -Xms220m
 xpack:
@@ -687,6 +699,9 @@ elasticsearch:
 memcached:
 enabled: false
 replicaCount: 1
+ serviceAccount:
+ create: true
+ automountServiceAccountToken: false
 resources:
 requests:
 cpu: 10m
@@ -700,7 +715,7 @@ memcached:
 # MaxItemSize
 - -I 4M
-# https://github.com/bitnami/charts/blob/master/bitnami/redis/values.yaml
+# https://github.com/bitnami/charts/blob/d4dba2b393167d79b8c8f65b46c48b70ee3a9662/bitnami/redis/values.yaml
 redis:
 enabled: false
 architecture: standalone
@@ -719,6 +734,8 @@ redis:
 requests:
 cpu: 50m
 memory: 256Mi
+ serviceAccount:
+ automountServiceAccountToken: false
 # Mailhog service overrides
 # see: https://github.com/codecentric/helm-charts/blob/master/charts/mailhog/values.yaml
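Review bot: The comment `# Default value: [Release.Name]-sa` on the new `serviceAccount.name` key does not tell operators what setting it commits them to: this commit removes `imagePullSecrets` from every pod spec and attaches them only to the chart-created account, so a custom account must already exist in the namespace and carry the registry pull secrets itself or private image pulls fail, and the `automountServiceAccountToken` setting below only governs the chart-created account. Suggest replacing the two comments with `# Name of an existing ServiceAccount to run all pods under. It must carry the imagePullSecrets itself; the chart only attaches them to its default [Release.Name]-sa.` and `# Whether the chart-created account mounts its API token into pods. Keep false unless a workload needs the Kubernetes API.` Separately, every other subchart in this file gets an explicit automount-off flag alongside `create: true`, but the mariadb hunk gets only `serviceAccount.create: true`; whether that subchart exposes a matching key I cannot tell from here, but if it does it should be set for consistency.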