Added support for serviceAccount and allowing for serviceAccounts to be defined for each deployment/pod resource

Scroul · Lukas Sandholm Duberg · commit 1ca5d26a2b6a · 2022-12-02T14:14:13.000+01:00
diff --git a/charts/redpanda/templates/_helpers.tpl b/charts/redpanda/templates/_helpers.tpl
@@ -49,14 +49,54 @@ Get the version of redpanda being used as an image
 
 {{/*
 Create the name of the service account to use
+{{ include "redpanda.serviceAccountName" (list . "statefulset") }}
+{{ include "redpanda.serviceAccountName" (list . "kafkaProduceConsume" "tests") }}
+  * root is the chart root .
+  * service_id is the service as defined in values.
+    ex: statefulset, postUpgrade, postInstallUpgrade
+  * child is a child of serviceAccounts containing it's own serviceAccount definition.
+    ex: tests
 */}}
 {{- define "redpanda.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "redpanda.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
+{{- $root := index . 0 }}
+{{- $service_id := index . 1 }}
+{{- $child := (ternary (last .) "" (gt (len .) 2)) }}
+{{- $service := (fromJson (include "redpanda.serviceAccount" (list $root.Values.serviceAccount $service_id $child))) -}}
+{{- if $service.create }}
+  {{- default (include "redpanda.fullname" $root) $service.name }}
+{{- else -}}
+  {{- default "default" $service.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the serviceAccount definition and if it does not exists return parent defintion
+{{ include "redpanda.serviceAccount" (list .Values.serviceAccount "statefulset") }}
+{{ include "redpanda.serviceAccountName" (list .Values.serviceAccount "kafkaProduceConsume" "tests") }}
+  * root is the chart root .
+  * service_id is the service as defined in values.
+    ex: statefulset, postUpgrade, postInstallUpgrade, tests
+  * child is a child of serviceAccounts containing it's own serviceAccount definition.
+    ex: tests
+*/}}
+{{- define "redpanda.serviceAccount" -}}
+{{ $root := index . 0 }}
+{{ $service := index . 1 }}
+{{ $child := (ternary (last .) "" (gt (len .) 2)) }}
+{{- with $root -}}
+  {{- if hasKey . $child -}}
+    {{ if hasKey (get . $child) $service }}
+      {{ toJson (get (get . $child) $service) }}
+    {{- else }}
+      {{ toJson (get . $child) }}
+    {{- end }}
+  {{- else if hasKey . $service }}
+    {{ toJson (get . $service) }}
+  {{- else -}}
+    {{ toJson . }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
 
 {{/*
 Use AppVersion if image.tag is not set
diff --git a/charts/redpanda/templates/post-install-upgrade-job.yaml b/charts/redpanda/templates/post-install-upgrade-job.yaml
@@ -48,6 +48,9 @@ spec:
 {{- end }}
     spec:
       restartPolicy: Never
+      {{- if .Values.serviceAccount }}
+      serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "postInstallUpgrade" ) }}
+      {{- end }}
       containers:
       - name: {{ template "redpanda.name" . }}-post-install
         image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
@@ -66,7 +69,7 @@ spec:
           - >
 {{- if .Values.auth.sasl.enabled }}
   {{- range $user := .Values.auth.sasl.users }}
-            rpk acl user create {{ $user.name }} -p {{ $user.password | quote }} {{ template "rpk-common-flags" $ }} 
+            rpk acl user create {{ $user.name }} -p {{ $user.password | quote }} {{ template "rpk-common-flags" $ }}
             ;
   {{- end }}
 {{- end }}
diff --git a/charts/redpanda/templates/post-upgrade.yaml b/charts/redpanda/templates/post-upgrade.yaml
@@ -32,6 +32,9 @@ spec:
 {{- end }}
     spec:
       restartPolicy: Never
+      {{- if .Values.serviceAccount }}
+      serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "postUpgrade" ) }}
+      {{- end }}
       containers:
       - name: {{ template "redpanda.name" . }}-post-upgrade
         image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/templates/serviceaccount.yaml b/charts/redpanda/templates/serviceaccount.yaml
@@ -14,8 +14,9 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
----
+{{- if .Values.serviceAccount -}}
 {{- if .Values.serviceAccount.create -}}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -35,3 +36,54 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
+{{- $root := . -}}
+{{- range $k, $v := (omit .Values.serviceAccount "create" "annotations" "name") -}}
+{{- if $v.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "redpanda.serviceAccountName" (list $root $k) }}
+  namespace: {{ $root.Release.Namespace | quote }}
+  labels:
+    helm.sh/chart: {{ template "redpanda.chart" $root }}
+    app.kubernetes.io/name: {{ template "redpanda.name" $root }}
+    app.kubernetes.io/instance: {{ $root.Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ $root.Release.Service | quote }}
+    app.kubernetes.io/component: {{ template "redpanda.name" $root }}
+  {{- with $root.Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $v.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.serviceAccount.tests }}
+{{- range $k, $v := (omit .Values.serviceAccount.tests "create" "annotations" "name") }}
+{{- if $v.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "redpanda.serviceAccountName" (list $root $k "tests") }}
+  namespace: {{ $root.Release.Namespace | quote }}
+  labels:
+    helm.sh/chart: {{ template "redpanda.chart" $root }}
+    app.kubernetes.io/name: {{ template "redpanda.name" $root }}
+    app.kubernetes.io/instance: {{ $root.Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ $root.Release.Service | quote }}
+    app.kubernetes.io/component: {{ template "redpanda.name" $root }}
+  {{- with $root.Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $v.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/redpanda/templates/statefulset.yaml b/charts/redpanda/templates/statefulset.yaml
@@ -57,6 +57,9 @@ spec:
         {{- toYaml . | nindent 8 }}
 {{- end }}
     spec:
+      {{- if .Values.serviceAccount }}
+      serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "statefulset" ) }}
+      {{- end }}
       securityContext:
         {{- toYaml .Values.statefulset.podSecurityContext | nindent 8 }}
       initContainers:
diff --git a/charts/redpanda/templates/tests/test-api-status.yaml b/charts/redpanda/templates/tests/test-api-status.yaml
@@ -34,6 +34,9 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   restartPolicy: Never
+  {{- if .Values.serviceAccount }}
+  serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "apiStatus" "tests" ) }}
+  {{- end }}
   containers:
     - name: {{ template "redpanda.name" . }}
       image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/templates/tests/test-kafka-internal-tls-status.yaml
@@ -34,6 +34,9 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   restartPolicy: Never
+  {{- if .Values.serviceAccount }}
+  serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "kafkaInternalTlsStatus" "tests" ) }}
+  {{- end }}
   containers:
     - name: {{ template "redpanda.name" . }}
       image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/templates/tests/test-kafka-produce-consume.yaml
@@ -39,6 +39,9 @@ spec:
   template:
     spec:
       restartPolicy: Never
+      {{- if .Values.serviceAccount }}
+      serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "kafkaProduceConsume" "tests" ) }}
+      {{- end }}
       containers:
         - name: {{ template "redpanda.name" . }}
           image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/templates/tests/test-kafka-sasl-status.yaml
@@ -34,6 +34,9 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   restartPolicy: Never
+  {{- if .Values.serviceAccount }}
+  serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "kafkaSaslStatus" "tests" ) }}
+  {{- end }}
   containers:
     - name: {{ template "redpanda.name" . }}
       image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/templates/tests/test-kafka-sasl-tls-status.yaml b/charts/redpanda/templates/tests/test-kafka-sasl-tls-status.yaml
@@ -34,6 +34,9 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   restartPolicy: Never
+  {{- if .Values.serviceAccount }}
+  serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "kafkaSaslTlsStatus" "tests" ) }}
+  {{- end }}
   containers:
     - name: {{ template "redpanda.name" . }}
       image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml
@@ -34,6 +34,9 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   restartPolicy: Never
+  {{- if .Values.serviceAccount }}
+  serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "pandaProxyInternalTlsStatus" "tests" ) }}
+  {{- end }}
   containers:
     - name: {{ template "redpanda.name" . }}
       image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/templates/tests/test-pandaproxy-status.yaml
@@ -34,6 +34,9 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   restartPolicy: Never
+  {{- if .Values.serviceAccount }}
+  serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "pandaProxyStatus" "tests" ) }}
+  {{- end }}
   containers:
     - name: {{ template "redpanda.name" . }}
       image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml b/charts/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml
@@ -34,6 +34,9 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   restartPolicy: Never
+  {{- if .Values.serviceAccount }}
+  serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "schemaRegistryInternalTlsStatus" "tests" ) }}
+  {{- end }}
   containers:
     - name: {{ template "redpanda.name" . }}
       image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/templates/tests/test-schemaregistry-status.yaml b/charts/redpanda/templates/tests/test-schemaregistry-status.yaml
@@ -36,6 +36,9 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   restartPolicy: Never
+  {{- if .Values.serviceAccount }}
+  serviceAccountName: {{ include "redpanda.serviceAccountName" (list . "schemaRegistryStatus" "tests" ) }}
+  {{- end }}
   containers:
     - name: {{ template "redpanda.name" . }}
       image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
diff --git a/charts/redpanda/values.schema.json b/charts/redpanda/values.schema.json
@@ -559,6 +559,40 @@
         },
         "name": {
           "type": "string"
+        },
+        "statefulset": {
+          "$ref": "#/$defs/serviceAccount"
+        },
+        "postUpgradeJob": {
+          "$ref": "#/$defs/serviceAccount"
+        },
+        "postInstallJob": {
+          "$ref": "#/$defs/serviceAccount"
+        },
+        "tests": {
+          "type": "object",
+          "required": [
+            "create",
+            "annotations",
+            "name"
+          ],
+          "propertyNames": {
+            "pattern": "^[A-Za-z_][A-Za-z0-9_]*$"
+          },
+          "properties": {
+            "create": {
+              "type": "boolean"
+            },
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            }
+          },
+          "additionalProperties": {
+            "$ref": "#/$defs/serviceAccount"
+          }
         }
       }
     },
@@ -896,5 +930,27 @@
         }
       }
     }
+  },
+  "$defs": {
+    "serviceAccount": {
+      "type": "object",
+      "required": [
+        "create",
+        "annotations",
+        "name"
+      ],
+      "properties": {
+        "create": {
+          "type": "boolean"
+        },
+        "annotations": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false
+    }
   }
 }
diff --git a/charts/redpanda/values.yaml b/charts/redpanda/values.yaml
@@ -327,6 +327,65 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
+  # All config bellow this comment allows for setting specific service accounts
+  # for parts of the helm. Any services with no additional config will use the
+  # service account defined in the top level serviceAccount definition.
+  # Create service account specific to statefulset and tests
+  #statefulset:
+  #  create: true
+  #  annotations: {}
+  #  name: "test"
+ # postUpgrade:
+ #   create: false
+ #   annotations: {}
+ #   name: ""
+ # postInstallUpgrade:
+ #   create: false
+ #   annotations: {}
+ #   name: ""
+ # Test specific service account
+ # Setting values for the tests object will apply the same service account to
+ # all tests.
+ # tests:
+ #   create: false
+ #   annotations: {}
+ #   name: ""
+   # apiStatus:
+   #   create:false
+   #   annotations: {}
+   #   name: ""
+   # kafkaInternalTlsStatus:
+   #   create: false
+   #   annotations: {}
+   #   name: ""
+   # kafkaProduceConsume:
+   #   create: false
+   #   annotations: {}
+   #   name: ""
+   # kafkaSaslStatus:
+   #   create: false
+   #   annotations: {}
+   #   name: ""
+   # kafkaSaslTlsStatus:
+   #   create: false
+   #   annotations: {}
+   #   name: ""
+   # pandaProxyInternalTlsStatus:
+   #   create: false
+   #   annotations: {}
+   #   name: ""
+   # pandaProxyStatus:
+   #   create: false
+   #   annotations: {}
+   #   name: ""
+   # schemaRegistryInternalTlsStatus:
+   #   create: false
+   #   annotations: {}
+   #   name: ""
+   # schemaRegistryStatus:
+   #   create: false
+   #   annotations: {}
+   #   name: ""
 
 tuning: {}
   # This section contains Redpanda tuning parameters.
