public/helm-charts
1
0
Fork 0
mirror of https://github.com/bjw-s-labs/helm-charts.git synced 2025-07-03 08:37:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

fix(common): adding feature flag for default serviceaccount name (#360)

Browse source
This commit is contained in:
Lawrence Gil 2024-10-08 16:31:24 +02:00 committed by GitHub
parent 3e2f1204e0
commit f111be38e9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 89 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

37
charts/library/common-test/tests/pod/field_serviceAccount_test.yaml
View file

@ -18,6 +18,20 @@ tests:
path: spec.template.spec.serviceAccountName path: spec.template.spec.serviceAccountName
value: default value: default
- it: default with flag should pass
set:
enforceServiceAccountCreation: true
asserts:
- hasDocuments:
count: 1
- documentIndex: &deploymentDocument 0
isKind:
of: Deployment
- documentIndex: *deploymentDocument
equal:
path: spec.template.spec.serviceAccountName
value: default
- it: with create, without name should pass - it: with create, without name should pass
set: set:
serviceAccount: serviceAccount:
@ -59,7 +73,24 @@ tests:
set: set:
serviceAccount: serviceAccount:
create: false create: false
name: mySA name: &serviceAccountName mySA
asserts:
- hasDocuments:
count: 1
- documentIndex: &deploymentDocument 0
isKind:
of: Deployment
- documentIndex: *deploymentDocument
equal:
path: spec.template.spec.serviceAccountName
value: *serviceAccountName
- it: without create, with name, with flag should pass
set:
enforceServiceAccountCreation: true
serviceAccount:
create: false
name: &serviceAccountName mySA
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 1 count: 1
@ -75,7 +106,7 @@ tests:
set: set:
serviceAccount: serviceAccount:
create: false create: false
name: mySA name: &serviceAccountName mySA
extraServiceAccounts: extraServiceAccounts:
mySA2: mySA2:
create: false create: false
@ -90,7 +121,7 @@ tests:
- documentIndex: *deploymentDocument - documentIndex: *deploymentDocument
equal: equal:
path: spec.template.spec.serviceAccountName path: spec.template.spec.serviceAccountName
value: default value: *serviceAccountName
- it: with extraServiceAccounts identifier should pass - it: with extraServiceAccounts identifier should pass
set: set:

35
charts/library/common-test/tests/serviceAccount/serviceaccount_test.yaml
View file

@ -27,6 +27,41 @@ tests:
isKind: isKind:
of: ServiceAccount of: ServiceAccount
- it: controller uses named ServiceAccount by default
set:
serviceAccount:
create: false
name: &ServiceAccountName test
asserts:
- hasDocuments:
count: 1
- documentIndex: &DeploymentDocument 0
isKind:
of: Deployment
- documentIndex: *DeploymentDocument
equal:
path: spec.template.spec.serviceAccountName
value: *ServiceAccountName
- it: controller uses `default` ServiceAccount if flag is enabled
set:
enforceServiceAccountCreation: true
serviceAccount:
create: false
name: test
asserts:
- hasDocuments:
count: 1
- documentIndex: &DeploymentDocument 0
isKind:
of: Deployment
- documentIndex: *DeploymentDocument
equal:
path: spec.template.spec.serviceAccountName
value: default
- it: a serviceAccount and Secret are created when enabled - it: a serviceAccount and Secret are created when enabled
set: set:
serviceAccount: serviceAccount:

13
charts/library/common/Chart.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v2
name: common name: common
description: Function library for Helm charts description: Function library for Helm charts
type: library type: library
version: 3.5.0 version: 3.5.1
kubeVersion: ">=1.22.0-0" kubeVersion: ">=1.22.0-0"
keywords: keywords:
- common - common
@ -16,13 +16,4 @@ annotations:
artifacthub.io/changes: |- artifacthub.io/changes: |-
- kind: added - kind: added
description: |- description: |-
Add support for binary files in configMapsFromFolderBasePath Add feature flag to override enforcing the creation of a default ServiceAccount
- kind: added
description: |-
Add support for internalTrafficPolicy field in Services
- kind: added
description: |-
Add support for multiple ServiceAccounts
- kind: added
description: |-
Add support for multiple RBAC resources

8
charts/library/common/templates/lib/pod/fields/_serviceAccountName.tpl
View file

@ -7,8 +7,12 @@ Returns the value for serviceAccountName
{{- $serviceAccountName := "default" -}} {{- $serviceAccountName := "default" -}}
{{- if (get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "create") -}} {{- if $rootContext.Values.enforceServiceAccountCreation -}}
{{- $serviceAccountName = get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "name" -}} {{- if (get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "create") -}}
{{- $serviceAccountName = get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "name" -}}
{{- end -}}
{{- else -}}
{{- $serviceAccountName = get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "name" -}}
{{- end -}} {{- end -}}
{{- with $controllerObject.serviceAccount -}} {{- with $controllerObject.serviceAccount -}}

6
charts/library/common/templates/lib/serviceAccount/_getByIdentifier.tpl
View file

@ -5,7 +5,11 @@ Return a ServiceAccount Object by its Identifier.
{{- $rootContext := .rootContext -}} {{- $rootContext := .rootContext -}}
{{- $identifier := .id -}} {{- $identifier := .id -}}
{{- if eq $identifier "default" -}} {{- if eq $identifier "default" -}}
{{- include "bjw-s.common.lib.serviceAccount.valuesToObject" (dict "rootContext" $rootContext "id" "default" "values" $rootContext.Values.serviceAccount) -}} {{- $serviceAccount := deepCopy $rootContext.Values.serviceAccount -}}
{{- if and (eq ($serviceAccount.name) "") (not $serviceAccount.create ) -}}
{{- $_ := set $serviceAccount "name" "default" -}}
{{- end -}}
{{- include "bjw-s.common.lib.serviceAccount.valuesToObject" (dict "rootContext" $rootContext "id" "default" "values" $serviceAccount) -}}
{{- else -}} {{- else -}}
{{- $serviceAccountValues := dig "extraServiceAccounts" $identifier nil $rootContext.Values.serviceAccount -}} {{- $serviceAccountValues := dig "extraServiceAccounts" $identifier nil $rootContext.Values.serviceAccount -}}
{{- if not (empty $serviceAccountValues) -}} {{- if not (empty $serviceAccountValues) -}}

3
charts/library/common/values.schema.json
View file

@ -34,6 +34,9 @@
"$ref": "schemas/controllers.json#/instance" "$ref": "schemas/controllers.json#/instance"
} }
}, },
"enforceServiceAccountCreation": {
"type": "boolean"
},
"serviceAccount": { "serviceAccount": {
"$ref": "schemas/serviceAccount.json#/settings" "$ref": "schemas/serviceAccount.json#/settings"
}, },

4
charts/library/common/values.yaml
View file

@ -399,6 +399,10 @@ controllers: {}
# # Each initContainer should have its own key # # Each initContainer should have its own key
# initContainers: {} # initContainers: {}
# -- If true forces the controllers to use the `default` ServiceAccount for the namespace if one is not explicitly defined.
# This feature flag will be removed on future versions where this will be the default behavior.
enforceServiceAccountCreation: false
serviceAccount: serviceAccount:
# -- Specifies whether a service account should be created # -- Specifies whether a service account should be created
# The identifier for this ServiceAccount will be `default` # The identifier for this ServiceAccount will be `default`