From 9cf3bd0119ec85dabbd08610c9b057b492f87a45 Mon Sep 17 00:00:00 2001 From: Romain Caire Date: Tue, 31 Oct 2023 16:26:36 +0100 Subject: [PATCH] feat: add service account configuration for hydra janitor cronjob (#646) --- helm/charts/hydra/README.md | 5 +++++ helm/charts/hydra/templates/_helpers.tpl | 11 +++++++++++ .../hydra/templates/janitor-cron-job-rbac.yaml | 16 ++++++++++++++++ .../hydra/templates/janitor-cron-job.yaml | 2 ++ helm/charts/hydra/values.yaml | 18 ++++++++++++++++++ 5 files changed, 52 insertions(+) create mode 100644 helm/charts/hydra/templates/janitor-cron-job-rbac.yaml diff --git a/helm/charts/hydra/README.md b/helm/charts/hydra/README.md index 8111ef1f00..da98f1db09 100644 --- a/helm/charts/hydra/README.md +++ b/helm/charts/hydra/README.md @@ -32,6 +32,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes | cronjob | object | `{"janitor":{"affinity":{},"annotations":{},"customArgs":[],"extraContainers":"","extraEnv":[],"extraInitContainers":"","labels":{},"nodeSelector":{},"podMetadata":{"annotations":{},"labels":{}},"podSecurityContext":{},"resources":{"limits":{},"requests":{}},"schedule":"0 */1 * * *","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100},"tolerations":[]}}` | CronJob configuration | | cronjob.janitor.affinity | object | `{}` | Configure node affinity | | cronjob.janitor.annotations | object | `{}` | Set custom cron job level annotations | +| cronjob.janitor.automountServiceAccountToken | bool | `true` | Set automounting of the SA token | | cronjob.janitor.customArgs | list | `[]` | Configure the arguments of the entrypoint, overriding the default value | | cronjob.janitor.extraContainers | string | `""` | If you want to add extra sidecar containers. | | cronjob.janitor.extraEnv | list | `[]` | Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes format is expected - name: FOO value: BAR | @@ -44,6 +45,10 @@ A Helm chart for deploying ORY Hydra in Kubernetes | cronjob.janitor.resources | object | `{"limits":{},"requests":{}}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi | | cronjob.janitor.schedule | string | `"0 */1 * * *"` | Configure how often the cron job is ran | | cronjob.janitor.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100}` | Configure the containers' SecurityContext for the janitor cronjob | +| cronjob.janitor.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. | +| cronjob.janitor.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account | +| cronjob.janitor.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| cronjob.janitor.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | cronjob.janitor.tolerations | list | `[]` | Configure node tolerations | | deployment.annotations | object | `{}` | Set custom deployment level annotations | | deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer | diff --git a/helm/charts/hydra/templates/_helpers.tpl b/helm/charts/hydra/templates/_helpers.tpl index c3baef9b53..d1bb5edfce 100644 --- a/helm/charts/hydra/templates/_helpers.tpl +++ b/helm/charts/hydra/templates/_helpers.tpl @@ -172,6 +172,17 @@ Create the name of the service account for the Job to use {{- end }} {{- end }} +{{/* +Create the name of the service account for the Job to use +*/}} +{{- define "hydra.cronjob.janitor.serviceAccountName" -}} +{{- if .Values.cronjob.janitor.serviceAccount.create }} +{{- printf "%s-cronjob-janitor" (default (include "hydra.fullname" .) .Values.cronjob.janitor.serviceAccount.name) }} +{{- else }} +{{- include "hydra.serviceAccountName" . }} +{{- end }} +{{- end }} + {{/* Checksum annotations generated from configmaps and secrets */}} diff --git a/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml b/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml new file mode 100644 index 0000000000..dcb2aa4a16 --- /dev/null +++ b/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml @@ -0,0 +1,16 @@ +{{- if .Values.cronjob.janitor.serviceAccount.create -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "hydra.cronjob.janitor.serviceAccountName" . }} + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with .Values.cronjob.janitor.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/helm/charts/hydra/templates/janitor-cron-job.yaml b/helm/charts/hydra/templates/janitor-cron-job.yaml index 7e2ab4a160..ee4c9eb941 100644 --- a/helm/charts/hydra/templates/janitor-cron-job.yaml +++ b/helm/charts/hydra/templates/janitor-cron-job.yaml @@ -46,6 +46,8 @@ spec: imagePullSecrets: {{- toYaml . | nindent 12 }} {{- end }} + serviceAccountName: {{ include "hydra.cronjob.janitor.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.cronjob.janitor.automountServiceAccountToken }} volumes: - name: {{ include "hydra.name" . }}-config-volume configMap: diff --git a/helm/charts/hydra/values.yaml b/helm/charts/hydra/values.yaml index 61b3b9be5a..6e8bb4c21e 100644 --- a/helm/charts/hydra/values.yaml +++ b/helm/charts/hydra/values.yaml @@ -551,6 +551,24 @@ cronjob: # -- Configure node affinity affinity: {} + # -- Set automounting of the SA token + automountServiceAccountToken: true + + # -- Specify the serviceAccountName value. + # In some situations it is needed to provides specific permissions to Hydra deployments + # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. + # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. + serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: + helm.sh/hook-weight: "0" + helm.sh/hook: "pre-install, pre-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation" + # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template + name: "" + # -- Configure the containers' SecurityContext for the janitor cronjob securityContext: capabilities: