From bf4536ce6070abaabdfe527f1a0479aef4189710 Mon Sep 17 00:00:00 2001
From: jim-barber-he <38272327+jim-barber-he@users.noreply.github.com>
Date: Fri, 26 Jun 2020 16:48:16 +0800
Subject: [PATCH] Add ServiceAccount annotations (#686)

Co-authored-by: Julien Mailleret <8582351+jmlrt@users.noreply.github.com>
---
 apm-server/README.md | 1 +
 apm-server/templates/serviceaccount.yaml | 4 ++++
 apm-server/tests/apmserver_test.py | 14 ++++++++++++++
 apm-server/values.yaml | 4 ++++
 elasticsearch/templates/serviceaccount.yaml | 4 ++++
 elasticsearch/tests/elasticsearch_test.py | 16 ++++++++++++++++
 elasticsearch/values.yaml | 1 +
 filebeat/README.md | 1 +
 filebeat/templates/serviceaccount.yaml | 4 ++++
 filebeat/tests/filebeat_test.py | 14 ++++++++++++++
 filebeat/values.yaml | 4 ++++
 logstash/templates/serviceaccount.yaml | 4 ++++
 logstash/tests/logstash_test.py | 16 ++++++++++++++++
 logstash/values.yaml | 1 +
 metricbeat/README.md | 1 +
 metricbeat/templates/serviceaccount.yaml | 4 ++++
 metricbeat/tests/metricbeat_test.py | 14 ++++++++++++++
 metricbeat/values.yaml | 4 ++++
 18 files changed, 111 insertions(+)

diff --git a/apm-server/README.md b/apm-server/README.md
index 28c855ba3..0a844f0cb 100644
--- a/apm-server/README.md
+++ b/apm-server/README.md
@@ -112,6 +112,7 @@ as a reference. They are also used in the automated testing of this chart.
 | `resources` | Allows you to set the [resources][] for the `Deployment` | see [values.yaml][] |
 | `secretMounts` | Allows you easily mount a secret as a file inside the `Deployment`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` |
 | `serviceAccount` | Custom [serviceAccount][] that APM Server will use during execution. By default will use the `serviceAccount` created by this chart | `""` |
+| `serviceAccountAnnotations` | Annotations to be added to the ServiceAccount that is created by this chart. | `{}`
 | `service` | Configurable [service][] to expose the APM Server service. See [values.yaml][] for an example | see [values.yaml][] |
 | `terminationGracePeriod` | Termination period (in seconds) to wait before killing APM Server pod process on pod shutdown | `30` |
 | `tolerations` | Configurable [tolerations][] | `[]` |
diff --git a/apm-server/templates/serviceaccount.yaml b/apm-server/templates/serviceaccount.yaml
index 683838131..c03750aa7 100644
--- a/apm-server/templates/serviceaccount.yaml
+++ b/apm-server/templates/serviceaccount.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ template "apm.serviceAccount" . }}
+ annotations:
+ {{- with .Values.serviceAccountAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app: "{{ template "apm.fullname" . }}"
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
diff --git a/apm-server/tests/apmserver_test.py b/apm-server/tests/apmserver_test.py
index cb89d880e..2ce3b70b1 100644
--- a/apm-server/tests/apmserver_test.py
+++ b/apm-server/tests/apmserver_test.py
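Review bot: In the apm-server serviceaccount.yaml hunk the `annotations:` key is written unconditionally while its content is gated by `{{- with .Values.serviceAccountAnnotations }}`, so with the default `{}` every rendered ServiceAccount carries an `annotations:` key with a null value rather than omitting it. Move the key inside the block — `{{- with .Values.serviceAccountAnnotations }}` / `  annotations:` / `    {{- toYaml . | nindent 4 }}` / `{{- end }}` — so it only appears when there is something to put under it. Values go through `toYaml` unquoted, and Kubernetes requires annotation values to be strings, so a bare number or boolean in values.yaml (a plausible slip for a role-arn-style key) would render as a non-string and be rejected at apply time; a comment next to the value in values.yaml saying values must be quoted strings is the practical guard, since `quote` cannot be applied to the map. The same layout is used in the elasticsearch, filebeat, logstash and metricbeat serviceaccount.yaml hunks; whatever guard encloses the resource (file lines 1–2) is outside the hunk.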
@@ -258,6 +258,20 @@ def test_adding_pod_labels():
 )
 
 
+def test_adding_serviceaccount_annotations():
+ config = """
+serviceAccountAnnotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+ r = helm_template(config)
+ assert (
+ r["serviceaccount"][name]["metadata"]["annotations"][
+ "eks.amazonaws.com/role-arn"
+ ]
+ == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+ )
+
+
 def test_adding_a_node_selector():
 config = """
 nodeSelector:
diff --git a/apm-server/values.yaml b/apm-server/values.yaml
index 6bfbdb871..8f66b9a28 100755
--- a/apm-server/values.yaml
+++ b/apm-server/values.yaml
@@ -110,6 +110,10 @@ resources:
 # Custom service account override that the pod will use
 serviceAccount: ""
+# Annotations to add to the ServiceAccount that is created if the serviceAccount value isn't set.
+serviceAccountAnnotations: {}
+ # eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+
 # A list of secrets and their paths to mount inside the pod
 secretMounts: []
 # - name: elastic-certificate-pem
diff --git a/elasticsearch/templates/serviceaccount.yaml b/elasticsearch/templates/serviceaccount.yaml
index c85e37554..801d1cf90 100644
--- a/elasticsearch/templates/serviceaccount.yaml
+++ b/elasticsearch/templates/serviceaccount.yaml
@@ -8,6 +8,10 @@ metadata:
 {{- else }}
 name: {{ .Values.rbac.serviceAccountName | quote }}
 {{- end }}
+ annotations:
+ {{- with .Values.rbac.serviceAccountAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 heritage: {{ .Release.Service | quote }}
 release: {{ .Release.Name | quote }}
diff --git a/elasticsearch/tests/elasticsearch_test.py b/elasticsearch/tests/elasticsearch_test.py
index 449dc9920..57026daa3 100755
--- a/elasticsearch/tests/elasticsearch_test.py
+++ b/elasticsearch/tests/elasticsearch_test.py
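Review bot: `test_adding_serviceaccount_annotations` only exercises the populated case; nothing asserts what the chart renders for the default `serviceAccountAnnotations: {}`, which is the path every existing user of the chart takes, so a later template change that breaks the empty case would not be caught. Add a companion test that renders with no annotation values and checks the `"annotations"` entry of `r["serviceaccount"][name]["metadata"]` — given the template writes `annotations:` even when the `with` block is empty, the parsed value is presumably `None`, so confirm against an actual render before pinning it. The ARN literal is spelled out twice; binding it once, `role_arn = "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"`, and using it in both the config string and the assertion keeps the expected value tied to the input. The same applies to the elasticsearch, filebeat, logstash and metricbeat test hunks; `name` and `helm_template` are defined outside the hunk.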
@@ -524,6 +524,22 @@ def test_adding_pod_annotations():
 )
 
 
+def test_adding_serviceaccount_annotations():
+ config = """
+rbac:
+ create: true
+ serviceAccountAnnotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+ r = helm_template(config)
+ assert (
+ r["serviceaccount"][uname]["metadata"]["annotations"][
+ "eks.amazonaws.com/role-arn"
+ ]
+ == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+ )
+
+
 def test_adding_a_node_selector():
 config = """
 nodeSelector:
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 1d558e10c..1fd915fda 100755
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -96,6 +96,7 @@ volumeClaimTemplate:
 rbac:
 create: false
+ serviceAccountAnnotations: {}
 serviceAccountName: ""
 podSecurityPolicy:
diff --git a/filebeat/README.md b/filebeat/README.md
index 15eef3875..1d3a045d2 100644
--- a/filebeat/README.md
+++ b/filebeat/README.md
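Review bot: `serviceAccountAnnotations: {}` under `rbac` in the elasticsearch values.yaml hunk is added with no comment, whereas the apm-server, filebeat and metricbeat values.yaml hunks explain when the annotations apply and show the `eks.amazonaws.com/role-arn` example; a reader of this file cannot tell what the key does or that it only affects the ServiceAccount the chart itself renders (presumably gated on `rbac.create`, whose guard is outside the template hunk). Add a comment above it along the lines of `# Annotations to add to the ServiceAccount created by this chart (e.g. eks.amazonaws.com/role-arn for IAM roles for service accounts)`; the logstash values.yaml hunk has the same gap. The diffstat also shows no elasticsearch/README.md or logstash/README.md change, so the new key is missing from the parameter tables of those two charts while the other three charts got a README row.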
@@ -120,6 +120,7 @@ as a reference. They are also used in the automated testing of this chart.
 | `resources` | Allows you to set the [resources][] for the `DaemonSet` | see [values.yaml][] |
 | `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` |
 | `serviceAccount` | Custom [serviceAccount][] that Filebeat will use during execution. By default will use the service account created by this chart | `""` |
+| `serviceAccountAnnotations` | Annotations to be added to the ServiceAccount that is created by this chart. | `{}`
 | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Filebeat pod process on pod shutdown | `30` |
 | `tolerations` | Configurable [tolerations][] | `[]` |
 | `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually | `RollingUpdate` |
diff --git a/filebeat/templates/serviceaccount.yaml b/filebeat/templates/serviceaccount.yaml
index f398a58a9..8c0fcc60c 100644
--- a/filebeat/templates/serviceaccount.yaml
+++ b/filebeat/templates/serviceaccount.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ template "filebeat.serviceAccount" . }}
+ annotations:
+ {{- with .Values.serviceAccountAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app: "{{ template "filebeat.fullname" . }}"
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
diff --git a/filebeat/tests/filebeat_test.py b/filebeat/tests/filebeat_test.py
index a3eaff7c4..7c8dc0ad0 100644
--- a/filebeat/tests/filebeat_test.py
+++ b/filebeat/tests/filebeat_test.py
@@ -296,6 +296,20 @@ def test_adding_pod_labels():
 )
 
 
+def test_adding_serviceaccount_annotations():
+ config = """
+serviceAccountAnnotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+ r = helm_template(config)
+ assert (
+ r["serviceaccount"][name]["metadata"]["annotations"][
+ "eks.amazonaws.com/role-arn"
+ ]
+ == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+ )
+
+
 def test_adding_a_node_selector():
 config = """
 nodeSelector:
diff --git a/filebeat/values.yaml b/filebeat/values.yaml
index 3597a7047..1075b46aa 100755
--- a/filebeat/values.yaml
+++ b/filebeat/values.yaml
@@ -106,6 +106,10 @@ resources:
 # Custom service account override that the pod will use
 serviceAccount: ""
+# Annotations to add to the ServiceAccount that is created if the serviceAccount value isn't set.
+serviceAccountAnnotations: {}
+ # eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+
 # A list of secrets and their paths to mount inside the pod
 # This is useful for mounting certificates for security other sensitive values
 secretMounts: []
diff --git a/logstash/templates/serviceaccount.yaml b/logstash/templates/serviceaccount.yaml
index 8302d1403..4508878b8 100644
--- a/logstash/templates/serviceaccount.yaml
+++ b/logstash/templates/serviceaccount.yaml
@@ -8,6 +8,10 @@ metadata:
 {{- else }}
 name: {{ .Values.rbac.serviceAccountName | quote }}
 {{- end }}
+ annotations:
+ {{- with .Values.rbac.serviceAccountAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app: "{{ template "logstash.fullname" . }}"
 chart: "{{ .Chart.Name }}"
diff --git a/logstash/tests/logstash_test.py b/logstash/tests/logstash_test.py
index 55d838c1b..07bd7c877 100755
--- a/logstash/tests/logstash_test.py
+++ b/logstash/tests/logstash_test.py
@@ -350,6 +350,22 @@ def test_adding_pod_annotations():
 )
 
 
+def test_adding_serviceaccount_annotations():
+ config = """
+rbac:
+ create: true
+ serviceAccountAnnotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+ r = helm_template(config)
+ assert (
+ r["serviceaccount"][name]["metadata"]["annotations"][
+ "eks.amazonaws.com/role-arn"
+ ]
+ == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+ )
+
+
 def test_adding_a_node_selector():
 config = """
 nodeSelector:
diff --git a/logstash/values.yaml b/logstash/values.yaml
index 1f40c4e3b..50e19544f 100755
--- a/logstash/values.yaml
+++ b/logstash/values.yaml
@@ -70,6 +70,7 @@ volumeClaimTemplate:
 rbac:
 create: false
+ serviceAccountAnnotations: {}
 serviceAccountName: ""
 podSecurityPolicy:
diff --git a/metricbeat/README.md b/metricbeat/README.md
index 759674cb6..188d5bd4e 100644
--- a/metricbeat/README.md
+++ b/metricbeat/README.md
@@ -132,6 +132,7 @@ as a reference. They are also used in the automated testing of this chart.
 | `readinessProbe` | Parameters to pass to readiness [probe][] checks for values such as timeouts and thresholds | see [values.yaml][] |
 | `replicas` | The replica count for the Metricbeat deployment talking to kube-state-metrics | `1` |
 | `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart | `""` |
+| `serviceAccountAnnotations` | Annotations to be added to the ServiceAccount that is created by this chart. | `{}`
 | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` |
 | `updateStrategy` | The [updateStrategy][] for the DaemonSet By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually | `RollingUpdate` |
diff --git a/metricbeat/templates/serviceaccount.yaml b/metricbeat/templates/serviceaccount.yaml
index 233064669..227534fa2 100644
--- a/metricbeat/templates/serviceaccount.yaml
+++ b/metricbeat/templates/serviceaccount.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ template "metricbeat.serviceAccount" . }}
+ annotations:
+ {{- with .Values.serviceAccountAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app: "{{ template "metricbeat.fullname" . }}"
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py
index 1e0e407d2..fae116de9 100644
--- a/metricbeat/tests/metricbeat_test.py
+++ b/metricbeat/tests/metricbeat_test.py
@@ -975,6 +975,20 @@ def test_adding_pod_labels():
 )
 
 
+def test_adding_serviceaccount_annotations():
+ config = """
+serviceAccountAnnotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+ r = helm_template(config)
+ assert (
+ r["serviceaccount"][name]["metadata"]["annotations"][
+ "eks.amazonaws.com/role-arn"
+ ]
+ == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+ )
+
+
 def test_adding_env_from():
 config = """
 daemonset:
diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml
index dd0a3f683..f34440136 100755
--- a/metricbeat/values.yaml
+++ b/metricbeat/values.yaml
@@ -224,6 +224,10 @@ podAnnotations: {}
 # Custom service account override that the pod will use
 serviceAccount: ""
+# Annotations to add to the ServiceAccount that is created if the serviceAccount value isn't set.
+serviceAccountAnnotations: {}
+ # eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+
 # How long to wait for metricbeat pods to stop gracefully
 terminationGracePeriod: 30