diff --git a/README.md b/README.md index eb5bb20..5bf1b6c 100644 --- a/README.md +++ b/README.md @@ -191,6 +191,7 @@ understand. | processExporter.port | int | `9256` | Process exporter metrics port | | replicaCount | int | `2` | The number of pods to start | | securityContext | object | `{}` | Additional security context | +| serviceAccount.name | string | `""` | The name of the service account to assign to the StatefulSet pods. When set, the pod will use this service account for RBAC and IAM role bindings (e.g. IRSA on AWS). When left empty, Kubernetes will use the default service account in the namespace. | | service.name | string | `"iap-service"` | The name of this Kubernetes service object. | | service.port | int | `443` | The port that this service object is listening on. | | service.type | string | `"ClusterIP"` | The service type. | diff --git a/charts/iap/Chart.yaml b/charts/iap/Chart.yaml index a997ee9..6bca383 100644 --- a/charts/iap/Chart.yaml +++ b/charts/iap/Chart.yaml @@ -10,7 +10,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.9.0 +version: 1.9.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/iap/templates/_helpers.tpl b/charts/iap/templates/_helpers.tpl index f2aed98..7d9b8f9 100644 --- a/charts/iap/templates/_helpers.tpl +++ b/charts/iap/templates/_helpers.tpl 
@@ -52,17 +52,6 @@ app.kubernetes.io/name: {{ include "iap.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} -{{/* -Create the name of the service account to use -*/}} -{{- define "iap.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "iap.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - {{/* Common annotations. */}} diff --git a/charts/iap/templates/statefulset.yaml b/charts/iap/templates/statefulset.yaml index a41ad9d..0e2195a 100644 --- a/charts/iap/templates/statefulset.yaml +++ b/charts/iap/templates/statefulset.yaml @@ -41,7 +41,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: "" + serviceAccountName: {{ .Values.serviceAccount.name | default "" | quote }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- with .Values.hostAliases }} diff --git a/charts/iap/tests/statefulset_test.yaml b/charts/iap/tests/statefulset_test.yaml index 4296394..c927326 100644 --- a/charts/iap/tests/statefulset_test.yaml +++ b/charts/iap/tests/statefulset_test.yaml 
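Review bot: Whatever `serviceAccount.name` resolves to, the rendered pod spec still auto-mounts that account's token into every replica, and neither this hunk nor the `serviceAccount` block in values.yaml exposes `automountServiceAccountToken`; with the default `""` that is the namespace's `default` account token. If the application does not need the Kubernetes API, consider rendering `automountServiceAccountToken: {{ .Values.serviceAccount.automountToken | default true }}` next to `serviceAccountName` (a new value, defaulting to today's behaviour so nothing changes unless an operator opts out) and documenting it beside `serviceAccount.name`. The `default ""` before `quote` is doing real work — Sprig's `quote` skips a nil value and would leave the key null — so a short template comment such as `{{/* default "" keeps the key an explicit empty string; quote alone drops nil */}}` would spare the next reader a guess. The enclosing `spec.template.spec` mapping starts before this hunk.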
@@ -1034,6 +1034,55 @@ tests: path: spec.template.spec.initContainers[0].args[1] pattern: '.*BRANCHES=\(\s+\).*' + # Service Account Tests + - it: should default serviceAccountName to empty string + set: + statefulset.enabled: true + replicaCount: 1 + image: + repository: "test/app" + tag: "v1.0.0" + pullPolicy: "IfNotPresent" + service: + port: 80 + applicationPort: 8080 + useTLS: false + podSecurityContext: {} + securityContext: {} + persistentVolumeClaims: + enabled: false + processExporter: + enabled: false + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: "" + + - it: should set serviceAccountName when serviceAccount.name is provided + set: + statefulset.enabled: true + replicaCount: 1 + image: + repository: "test/app" + tag: "v1.0.0" + pullPolicy: "IfNotPresent" + service: + port: 80 + applicationPort: 8080 + useTLS: false + podSecurityContext: {} + securityContext: {} + persistentVolumeClaims: + enabled: false + processExporter: + enabled: false + serviceAccount: + name: "my-service-account" + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: "my-service-account" + # Additional TLS Secrets Integration Tests - it: should handle additionalTLSSecrets in StatefulSet set: diff --git a/charts/iap/tests/test-values.yaml b/charts/iap/tests/test-values.yaml index 69a5c83..794fed8 100644 --- a/charts/iap/tests/test-values.yaml +++ b/charts/iap/tests/test-values.yaml @@ -42,9 +42,6 @@ image: # -- The secrets object used to pull the image from the repo imagePullSecrets: [] -serviceAccount: - name: - # The issuer to be used if using cert-manager to generate the TLS certificates issuer: # -- Toggle to use the issuer object or not diff --git a/charts/iap/values.yaml b/charts/iap/values.yaml index 0e3d943..0fc9e4c 100644 --- a/charts/iap/values.yaml +++ b/charts/iap/values.yaml 
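Review bot: The two new cases repeat the same 17-line `set:` fixture, differing only in the `serviceAccount:` key of the second, so a future required value has to be added twice. If the test runner's YAML loader resolves merge keys, an anchor on the first fixture (`set: &sa_base_values`) merged into the second (`<<: *sa_base_values` followed by `serviceAccount:` / `name: "my-service-account"`) keeps them in step; otherwise a shared values file passed via `values:` does the same. The `""` assertion in the first case pins the contract that the key is present but empty, which is what the README row in this commit describes — worth a one-line comment above it saying so, e.g. `# empty string, not absent: Kubernetes then assigns the namespace default account`. The enclosing `tests:` sequence starts before this hunk.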
@@ -87,7 +87,8 @@ external-dns: # The image name will depend on the entitlement that has been granted. image: # -- The image repository - repository: 497639811223.dkr.ecr.us-east-2.amazonaws.com/itential-platform-ecm-gm + # -- Contact Itential to get the correct image repository for your entitlement. + repository: # -- The image pull policy pullPolicy: IfNotPresent # -- The image tag @@ -97,7 +98,10 @@ image: imagePullSecrets: [] serviceAccount: - name: + # -- The name of the service account to assign to the StatefulSet pods. + # -- When set, the pod will use this service account for RBAC and IAM role bindings (e.g. IRSA on AWS). + # -- When left empty, Kubernetes will use the default service account in the namespace. + name: "" # The issuer to be used if using cert-manager to generate the TLS certificates issuer: @@ -195,10 +199,17 @@ service: ingress: # -- The ingress object can be disabled and will not be created with this set to false enabled: true - # -- The name of this Kubernetes ingress object + # -- The name of this Kubernetes ingress object. name: "iap-ingress" - # -- The ingress controller class name - className: "alb" + # -- The ingress controller class name tells Kubernetes which ingress controller should + # -- handle this ingress object. If left empty, the cluster's default IngressClass + # -- (if configured) will be used. + # -- Common options + # -- alb - AWS Application Load Balancer (AWS Load Balancer Controller) + # -- gce - Google Cloud GKE HTTP(S) Load Balancer + # -- azure/application-gateway - Azure Application Gateway Ingress Controller (AGIC) + # -- haproxy - HAProxy ingress controller + className: "" # -- The ingress controller path type pathType: Prefix # Load balancer configuration 
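Review bot: `repository:` with no value parses as null, so a chart installed from the defaults renders a broken image reference (the exact text depends on the template) and fails only at pod creation with a pull error rather than at `helm install`. Since the commit deliberately drops the account-specific ECR path, make the omission fail fast: set `repository: ""` here and wrap the use in the StatefulSet template with `{{ required "image.repository must be set; contact Itential for the repository for your entitlement" .Values.image.repository }}`. The `# --` comment on the new line should also state that the value is required, since helm-docs will publish it as the README description.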
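Review bot: Every line of the new `serviceAccount.name` description is prefixed `# --`, whereas the file's own convention (see the `annotations:` comment further down, whose second line is a plain `#`) and helm-docs' documented parsing use `# --` only on the first line and `#` for continuations; the eight-line `className` comment in the next hunk has the same shape. Depending on the helm-docs version this may render only one of the `# --` lines or concatenate them — the README row in this commit shows all three sentences, so check which behaviour produced it. Suggested shape: `# -- The name of the service account to assign to the StatefulSet pods.` / `# When set, the pod will use this service account for RBAC and IAM role bindings (e.g. IRSA on AWS).` / `# When left empty, Kubernetes will use the default service account in the namespace.`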
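Review bot: The new comment promises that an empty `className` falls back to the cluster's default IngressClass, but that only holds if the ingress template omits `ingressClassName` when the value is empty: the API server's default-class admission applies only when the field is absent, and an explicit empty string is not equivalent to unset. The ingress template is not in this diff, so either confirm it guards the field with `{{- with .Values.ingress.className }}` or add a unit test asserting that `spec.ingressClassName` is absent for the default values. Separately, this hunk and the following one change rendered defaults for existing users (`alb` → `""`, and the whole ALB annotation set removed) while Chart.yaml only moves 1.9.0 → 1.9.1; under the chart's own semver comment that is at least a minor bump, and the README should tell ALB users which annotations to restore in their own values.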
@@ -226,23 +237,6 @@ ingress: # -- The annotations for this ingress object. These are passed into the template as is and will # render as you see here. Itential leveraged AWS ALB but others should work. annotations: - alb.ingress.kubernetes.io/backend-protocol: "HTTPS" - alb.ingress.kubernetes.io/healthcheck-path: "/health/status" - alb.ingress.kubernetes.io/healthcheck-port: "3443" - alb.ingress.kubernetes.io/healthcheck-protocol: "HTTPS" - alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15" - alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5" - alb.ingress.kubernetes.io/healthy-threshold-count: "2" - # Include port 8080 if using Gateway Manager with IAG5, otherwise remove it - alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443},{"HTTPS": 8080}]' - alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=60 - alb.ingress.kubernetes.io/load-balancer-name: "itential-iap-lb" - alb.ingress.kubernetes.io/scheme: "internet-facing" - alb.ingress.kubernetes.io/success-codes: "200" - alb.ingress.kubernetes.io/target-type: "ip" - alb.ingress.kubernetes.io/unhealthy-threshold-count: "2" - alb.ingress.kubernetes.io/websocket-paths: "/ws" - alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=3600 # TLS is terminated at the statefulset pod by design. tls: [] @@ -451,7 +445,7 @@ env: # ITENTIAL_MONGO_URL: "" # -- Instruct the MongoDB driver to use TLS protocols when connecting to the database. - ITENTIAL_MONGO_TLS_ENABLED: "false" + ITENTIAL_MONGO_TLS_ENABLED: "true" # -- If true, disables the validation checks for TLS certificates on other servers in the cluster # and allows the use of invalid or self-signed certificates to connect.