diff --git a/.gitea/workflows/test-pr.yml b/.gitea/workflows/test-pr.yml
index ea06564..7c351cd 100644
--- a/.gitea/workflows/test-pr.yml
+++ b/.gitea/workflows/test-pr.yml
@@ -26,7 +26,7 @@ jobs:
 helm template --debug gitea-helm .
 - name: unit tests
 run: |
- helm plugin install --version 0.3.1 https://github.com/helm-unittest/helm-unittest
+ helm plugin install --version 0.3.3 https://github.com/helm-unittest/helm-unittest
 make unittests
 - name: verify readme
 run: |
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 7f8f4f0..255d0ee 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,3 +61,5 @@ $ helm plugin install https://github.com/helm-unittest/helm-unittest
 # run the unittests
 make unittests
 ```
+
+See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/v0.3.3/DOCUMENT.md) for usage instructions.
diff --git a/README.md b/README.md
index 34f7e99..ca052a3 100644
--- a/README.md
+++ b/README.md
@@ -655,6 +655,17 @@ gitea:
 | `statefulset.labels` | Labels for the statefulset | `{}` |
 | `statefulset.annotations` | Annotations for the Gitea StatefulSet to be created | `{}` |
+### ServiceAccount
+
+| Name | Description | Value |
+| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `serviceAccount.create` | Enable the creation of a ServiceAccount | `false` |
+| `serviceAccount.name` | Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used. | `""` |
+| `serviceAccount.automountServiceAccountToken` | Enable/disable auto mounting of the service account token | `false` |
+| `serviceAccount.imagePullSecrets` | Image pull secrets, available to the ServiceAccount | `[]` |
+| `serviceAccount.annotations` | Custom annotations for the ServiceAccount | `{}` |
+| `serviceAccount.labels` | Custom labels for the ServiceAccount | `{}` |
+
 ### Persistence
 | Name | Description | Value |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 97c286c..51ec558 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -311,3 +311,7 @@ https
 {{- define "gitea.gpg-key-secret-name" -}}
 {{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
 {{- end -}}
+
+{{- define "gitea.serviceAccountName" -}}
+{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
+{{- end -}}
diff --git a/templates/gitea/serviceaccount.yaml b/templates/gitea/serviceaccount.yaml
new file mode 100644
index 0000000..e730f9c
--- /dev/null
+++ b/templates/gitea/serviceaccount.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "gitea.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.labels }}
+ {{- . | toYaml | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- . | toYaml | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+ {{- . | toYaml | nindent 2 }}
+{{- end }}
+{{- end }}
diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml
index afa9c05..9867dd2 100644
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@@ -39,6 +39,9 @@ spec:
 {{- if .Values.schedulerName }}
 schedulerName: "{{ .Values.schedulerName }}"
 {{- end }}
+ {{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }}
+ serviceAccountName: {{ include "gitea.serviceAccountName" . }}
+ {{- end }}
 {{- if .Values.priorityClassName }}
 priorityClassName: "{{ .Values.priorityClassName }}"
 {{- end }}
diff --git a/unittests/serviceaccount/basic.yaml b/unittests/serviceaccount/basic.yaml
new file mode 100644
index 0000000..73d8e1e
--- /dev/null
+++ b/unittests/serviceaccount/basic.yaml
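Review bot: `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` renders an empty value when the setting is overridden with `null`, and Kubernetes treats an unset field on a ServiceAccount as "mount the token". An explicit fallback keeps the hardened default: `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}`. The `name:` line is also unquoted while `namespace:` on the next line goes through `quote`; `name: {{ include "gitea.serviceAccountName" . | quote }}` would keep a numeric- or boolean-looking name a string.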
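Review bot: The pod spec gains `serviceAccountName` but no pod-level `automountServiceAccountToken`, so `serviceAccount.automountServiceAccountToken: false` only takes effect on a ServiceAccount that this chart creates. With `create: false` and an external `serviceAccount.name`, or with the defaults where no `serviceAccountName` is rendered, the token is mounted according to whatever account the pod ends up using. Consider rendering `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` in the pod spec as well, outside the `if`, so the value applies in every case. This would stop mounting the token for existing installs, so it deserves a changelog entry. The enclosing pod spec starts and ends outside this hunk.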
@@ -0,0 +1,82 @@
+suite: ServiceAccount template (basic)
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/serviceaccount.yaml
+tests:
+ - it: skips rendering by default
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: renders default ServiceAccount object with serviceAccount.create=true
+ set:
+ serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ name: gitea-unittests
+ - equal:
+ path: automountServiceAccountToken
+ value: false
+ - notExists:
+ path: imagePullSecrets
+ - notExists:
+ path: metadata.annotations
+ - it: allows for adding custom labels
+ set:
+ serviceAccount:
+ create: true
+ labels:
+ custom: label
+ asserts:
+ - equal:
+ path: metadata.labels.custom
+ value: label
+ - it: allows for adding custom annotations
+ set:
+ serviceAccount:
+ create: true
+ annotations:
+ myCustom: annotation
+ asserts:
+ - equal:
+ path: metadata.annotations.myCustom
+ value: annotation
+ - it: allows to override the generated name
+ set:
+ serviceAccount:
+ create: true
+ name: provided-serviceaccount-name
+ asserts:
+ - equal:
+ path: metadata.name
+ value: provided-serviceaccount-name
+ - it: allows to mount the token
+ set:
+ serviceAccount:
+ create: true
+ automountServiceAccountToken: true
+ asserts:
+ - equal:
+ path: automountServiceAccountToken
+ value: true
+ - it: allows to reference image pull secrets
+ set:
+ serviceAccount:
+ create: true
+ imagePullSecrets:
+ - name: testing-image-pull-secret
+ - name: another-pull-secret
+ asserts:
+ - contains:
+ path: imagePullSecrets
+ content:
+ name: testing-image-pull-secret
+ - contains:
+ path: imagePullSecrets
+ content:
+ name: another-pull-secret
diff --git a/unittests/serviceaccount/reference.yaml b/unittests/serviceaccount/reference.yaml
new file mode 100644
index 0000000..9c01594
--- /dev/null
+++ b/unittests/serviceaccount/reference.yaml
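Review bot: No case in this suite covers a non-empty `serviceAccount.name` without `serviceAccount.create: true`, which is the path used for an externally managed ServiceAccount. A test that sets only `name: provided-serviceaccount-name` and asserts `hasDocuments` with `count: 0` would pin that the chart never renders an object for an account it does not own.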
@@ -0,0 +1,32 @@
+suite: ServiceAccount template (reference)
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/serviceaccount.yaml
+ - templates/gitea/statefulset.yaml
+ - templates/gitea/config.yaml
+tests:
+ - it: does not modify the StatefulSet by default
+ template: templates/gitea/statefulset.yaml
+ asserts:
+ - notExists:
+ path: spec.serviceAccountName
+ - it: adds the reference to the StatefulSet with serviceAccount.create=true
+ template: templates/gitea/statefulset.yaml
+ set:
+ serviceAccount.create: true
+ asserts:
+ - equal:
+ path: spec.template.spec.serviceAccountName
+ value: gitea-unittests
+ - it: allows referencing an externally created ServiceAccount to the StatefulSet
+ template: templates/gitea/statefulset.yaml
+ set:
+ serviceAccount:
+ create: false # explicitly set to define rendering behavior
+ name: "externally-existing-serviceaccount"
+ asserts:
+ - equal:
+ path: spec.template.spec.serviceAccountName
+ value: externally-existing-serviceaccount
diff --git a/values.yaml b/values.yaml
index 4e3e085..a73a88b 100644
--- a/values.yaml
+++ b/values.yaml
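Review bot: The first test asserts `notExists` on `path: spec.serviceAccountName`, but the other two tests in this suite read the field at `spec.template.spec.serviceAccountName`. The default-case assertion therefore passes whether or not the StatefulSet template renders the reference. Change it to `path: spec.template.spec.serviceAccountName` so the test can fail when the reference leaks into the default rendering.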
@@ -205,6 +205,23 @@ statefulset:
 labels: {}
 annotations: {}
+## @section ServiceAccount
+
+## @param serviceAccount.create Enable the creation of a ServiceAccount
+## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used.
+## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token
+## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount
+## @param serviceAccount.annotations Custom annotations for the ServiceAccount
+## @param serviceAccount.labels Custom labels for the ServiceAccount
+serviceAccount:
+ create: false
+ name: ""
+ automountServiceAccountToken: false
+ imagePullSecrets: []
+ # - name: private-registry-access
+ annotations: {}
+ labels: {}
+
 ## @section Persistence
 #
 ## @param persistence.enabled Enable persistent storage
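Review bot: The `@param serviceAccount.name` text says the name "defaults to release name", while the helper added in `templates/_helpers.tpl` falls back to `gitea.fullname`. That helper's definition is not visible here, so the two may differ for some release names. Wording that matches the template would be `## @param serviceAccount.name Name of the ServiceAccount to create or reference, defaults to the chart fullname. Can also link to an externally provided ServiceAccount that should be used.` If the README table is generated from these comments, it would need regenerating to match.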