Add support for ServiceAccount configuration (#451)
### Description of the change This adds a new values object `serviceAccount`, that allows creating a dedicated ServiceAccount with the Helm Release into the cluster. It supports all common options like labels, annotations, name override (or referring to an externally created ServiceAccount), auto-mount token, image pull secrets. It supersedes the stale PR #357. ### Benefits Users can deploy Gitea with more fine-tuned security settings. ### Applicable issues - related to #448 ### Additional information I've bumped the helm-unittest plugin in the CI build, to be able to use the `exists` and `notExists` feature in the new tests. ### Checklist - [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/451 Reviewed-by: pat-s <pat-s@noreply.gitea.com> Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>
This commit is contained in:
parent
0ca013647d
commit
5e5496f15d
|
@ -26,7 +26,7 @@ jobs:
|
||||||
helm template --debug gitea-helm .
|
helm template --debug gitea-helm .
|
||||||
- name: unit tests
|
- name: unit tests
|
||||||
run: |
|
run: |
|
||||||
helm plugin install --version 0.3.1 https://github.com/helm-unittest/helm-unittest
|
helm plugin install --version 0.3.3 https://github.com/helm-unittest/helm-unittest
|
||||||
make unittests
|
make unittests
|
||||||
- name: verify readme
|
- name: verify readme
|
||||||
run: |
|
run: |
|
||||||
|
|
|
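--- a/[path not shown on page: plugin documentation file]
+++ b/[path not shown on page: plugin documentation file]
@@ -61,3 +61,5 @@ $ helm plugin install https://github.com/helm-unittest/helm-unittest
 # run the unittests
 make unittests
 ```
+
+See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/v0.3.3/DOCUMENT.md) for usage instructions.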
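--- a/README.md
+++ b/README.md
@@ -655,6 +655,17 @@ gitea:
 | `statefulset.labels` | Labels for the statefulset | `{}` |
 | `statefulset.annotations` | Annotations for the Gitea StatefulSet to be created | `{}` |
 
+### ServiceAccount
+
+| Name | Description | Value |
+| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `serviceAccount.create` | Enable the creation of a ServiceAccount | `false` |
+| `serviceAccount.name` | Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used. | `""` |
+| `serviceAccount.automountServiceAccountToken` | Enable/disable auto mounting of the service account token | `false` |
+| `serviceAccount.imagePullSecrets` | Image pull secrets, available to the ServiceAccount | `[]` |
+| `serviceAccount.annotations` | Custom annotations for the ServiceAccount | `{}` |
+| `serviceAccount.labels` | Custom labels for the ServiceAccount | `{}` |
+
 ### Persistence
 
 | Name | Description | Value |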
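--- a/[path not shown on page: helpers template]
+++ b/[path not shown on page: helpers template]
@@ -311,3 +311,7 @@ https
 {{- define "gitea.gpg-key-secret-name" -}}
 {{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
 {{- end -}}
+
+{{- define "gitea.serviceAccountName" -}}
+{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
+{{- end -}}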
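--- a/templates/gitea/serviceaccount.yaml
+++ b/templates/gitea/serviceaccount.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gitea.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- with .Values.serviceAccount.labels }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+  {{- . | toYaml | nindent 2 }}
+{{- end }}
+{{- end }}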
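Review bot: `serviceAccount.labels` is emitted directly after `include "gitea.labels"` under the same `labels:` mapping (the two `nindent 4` lines), so a user-supplied label that reuses one of the chart's standard label keys renders as a duplicate YAML key — most parsers silently keep the last value and the API server may reject the object outright. Either state the constraint on the value in values.yaml, e.g. `# must not reuse label keys the chart already sets; duplicates are rendered verbatim`, or drop colliding keys from the user map before emitting it. `annotations` is not affected, since only the user map is written there.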
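--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@@ -39,6 +39,9 @@ spec:
       {{- if .Values.schedulerName }}
       schedulerName: "{{ .Values.schedulerName }}"
       {{- end }}
+      {{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }}
+      serviceAccountName: {{ include "gitea.serviceAccountName" . }}
+      {{- end }}
       {{- if .Values.priorityClassName }}
       priorityClassName: "{{ .Values.priorityClassName }}"
       {{- end }}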
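Review bot: The added block sets only `serviceAccountName`; nothing in this hunk sets `automountServiceAccountToken` on the pod spec, so `serviceAccount.automountServiceAccountToken` takes effect only through the ServiceAccount object the chart creates and has no influence in the `create: false` + `name` path, where the externally owned ServiceAccount decides whether a token is mounted (the rest of the pod spec is outside the hunk, so it may be handled elsewhere). If the value is meant to be authoritative regardless of who owns the ServiceAccount, emitting `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` inside the same guard would make the pod-level setting win. If not, a one-line comment on the value in values.yaml saying it applies only to the chart-created ServiceAccount would avoid the surprise.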
@ -0,0 +1,82 @@
|
||||||
|
suite: ServiceAccount template (basic)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/serviceaccount.yaml
|
||||||
|
tests:
|
||||||
|
- it: skips rendering by default
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
||||||
|
- it: renders default ServiceAccount object with serviceAccount.create=true
|
||||||
|
set:
|
||||||
|
serviceAccount.create: true
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 1
|
||||||
|
- containsDocument:
|
||||||
|
kind: ServiceAccount
|
||||||
|
apiVersion: v1
|
||||||
|
name: gitea-unittests
|
||||||
|
- equal:
|
||||||
|
path: automountServiceAccountToken
|
||||||
|
value: false
|
||||||
|
- notExists:
|
||||||
|
path: imagePullSecrets
|
||||||
|
- notExists:
|
||||||
|
path: metadata.annotations
|
||||||
|
- it: allows for adding custom labels
|
||||||
|
set:
|
||||||
|
serviceAccount:
|
||||||
|
create: true
|
||||||
|
labels:
|
||||||
|
custom: label
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: metadata.labels.custom
|
||||||
|
value: label
|
||||||
|
- it: allows for adding custom annotations
|
||||||
|
set:
|
||||||
|
serviceAccount:
|
||||||
|
create: true
|
||||||
|
annotations:
|
||||||
|
myCustom: annotation
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: metadata.annotations.myCustom
|
||||||
|
value: annotation
|
||||||
|
- it: allows to override the generated name
|
||||||
|
set:
|
||||||
|
serviceAccount:
|
||||||
|
create: true
|
||||||
|
name: provided-serviceaccount-name
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: metadata.name
|
||||||
|
value: provided-serviceaccount-name
|
||||||
|
- it: allows to mount the token
|
||||||
|
set:
|
||||||
|
serviceAccount:
|
||||||
|
create: true
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: automountServiceAccountToken
|
||||||
|
value: true
|
||||||
|
- it: allows to reference image pull secrets
|
||||||
|
set:
|
||||||
|
serviceAccount:
|
||||||
|
create: true
|
||||||
|
imagePullSecrets:
|
||||||
|
- name: testing-image-pull-secret
|
||||||
|
- name: another-pull-secret
|
||||||
|
asserts:
|
||||||
|
- contains:
|
||||||
|
path: imagePullSecrets
|
||||||
|
content:
|
||||||
|
name: testing-image-pull-secret
|
||||||
|
- contains:
|
||||||
|
path: imagePullSecrets
|
||||||
|
content:
|
||||||
|
name: another-pull-secret
|
|
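Review bot: No case pins that `templates/gitea/serviceaccount.yaml` renders nothing when `serviceAccount.create` is false but `serviceAccount.name` is set; `skips rendering by default` covers only the all-defaults input, and the reference suite exercises that combination against the StatefulSet alone. A test such as `- it: does not render when only an external name is provided` setting `serviceAccount.create: false` and `serviceAccount.name: external` with `hasDocuments: count: 0` would lock in that an external name never produces a chart-owned object. The custom-labels test could also assert that the chart's standard labels are still present beside `custom`, since both maps are merged into the same mapping.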
@ -0,0 +1,32 @@
|
||||||
|
suite: ServiceAccount template (reference)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/serviceaccount.yaml
|
||||||
|
- templates/gitea/statefulset.yaml
|
||||||
|
- templates/gitea/config.yaml
|
||||||
|
tests:
|
||||||
|
- it: does not modify the StatefulSet by default
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
asserts:
|
||||||
|
- notExists:
|
||||||
|
path: spec.serviceAccountName
|
||||||
|
- it: adds the reference to the StatefulSet with serviceAccount.create=true
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
set:
|
||||||
|
serviceAccount.create: true
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.serviceAccountName
|
||||||
|
value: gitea-unittests
|
||||||
|
- it: allows referencing an externally created ServiceAccount to the StatefulSet
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
set:
|
||||||
|
serviceAccount:
|
||||||
|
create: false # explicitly set to define rendering behavior
|
||||||
|
name: "externally-existing-serviceaccount"
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.serviceAccountName
|
||||||
|
value: externally-existing-serviceaccount
|
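Review bot: `templates/gitea/config.yaml` is listed under `templates:` but none of the three tests selects it with `template:`, so its purpose in this suite is not visible. If it is only needed because statefulset.yaml depends on config.yaml during rendering, a comment next to the entry such as `# required by statefulset.yaml` would keep a future cleanup from removing it and breaking the suite.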
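--- a/values.yaml
+++ b/values.yaml
@@ -205,6 +205,23 @@ statefulset:
   labels: {}
   annotations: {}
 
+## @section ServiceAccount
+
+## @param serviceAccount.create Enable the creation of a ServiceAccount
+## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used.
+## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token
+## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount
+## @param serviceAccount.annotations Custom annotations for the ServiceAccount
+## @param serviceAccount.labels Custom labels for the ServiceAccount
+serviceAccount:
+  create: false
+  name: ""
+  automountServiceAccountToken: false
+  imagePullSecrets: []
+  # - name: private-registry-access
+  annotations: {}
+  labels: {}
+
 ## @section Persistence
 #
 ## @param persistence.enabled Enable persistent storage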
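Review bot: The `@param serviceAccount.name` description says the value can link to an externally provided ServiceAccount but does not say this requires `create: false`; with `create: true` and the same name the chart renders its own ServiceAccount under that name, which collides with the pre-existing object at install time. Suggested wording: `## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. With create=false, references an externally provided ServiceAccount that must already exist in the release namespace.` Likewise `automountServiceAccountToken` is only rendered on the ServiceAccount object in templates/gitea/serviceaccount.yaml, so noting that it has no effect on an externally referenced ServiceAccount would spare users a surprise. The README table is generated from these lines, so both clarifications would flow through.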