Avoid name collisions for the default serviceAccount

elastic · Crazybus · May 9, 2019 · May 3, 2019 · May 3, 2019 · May 3, 2019
commit 64a99179b3bd95f958e94dd855da7793afd5be1a
diff --git a/filebeat/README.md b/filebeat/README.md
@@ -55,7 +55,7 @@ helm install --name filebeat elastic/filebeat --version 7.0.1-alpha1 --set image
 | `livenessProbe`          | Parameters to pass to [liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds.                                                                                            | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
 | `readinessProbe`         | Parameters to pass to [readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds.                                                                                           | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
 | `resources`              | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the `DaemonSet`                                                                                                                                        | `requests.cpu: 100m`<br>`requests.memory: 100Mi`<br>`limits.cpu: 1000m`<br>`limits.memory: 200Mi`                         |
-| `serviceAccount`         | The [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) that Filebeat will use during execution                                                                                                                                   | `filebeat`                                                                                                                |
+| `serviceAccount`         | Custom [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) that Filebeat will use during execution. By default will use the service account created by this chart.                                                                | `""`                                                                                                                      |
 | `secretMounts`           | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml](./values.yaml) for an example                                                                                                              | `[]`                                                                                                                      |
 | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Filebeat pod process on pod shutdown                                                                                                                                                                                         | `30`                                                                                                                      |
 | `tolerations`            | Configurable [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)                                                                                                                                                                                 | `[]`                                                                                                                      |

diff --git a/filebeat/templates/_helpers.tpl b/filebeat/templates/_helpers.tpl
@@ -14,3 +14,15 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Use the fullname if the serviceAccount value is not set
+*/}}
+{{- define "serviceAccount" -}}
+{{- if .Values.serviceAccount }}
+{{- .Values.serviceAccount -}}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
diff --git a/filebeat/templates/clusterrole.yaml b/filebeat/templates/clusterrole.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: {{ .Values.serviceAccount }}-cluster-role
+  name: {{ template "serviceAccount" . }}-cluster-role
   labels:
     app: "{{ template "fullname" . }}"
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"

diff --git a/filebeat/templates/clusterrolebinding.yaml b/filebeat/templates/clusterrolebinding.yaml
@@ -2,18 +2,18 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Values.serviceAccount }}-cluster-role-binding
+  name: {{ template "serviceAccount" . }}-cluster-role-binding
   labels:
     app: "{{ template "fullname" . }}"
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     heritage: {{ .Release.Service | quote }}
     release: {{ .Release.Name | quote }}
 roleRef:
   kind: ClusterRole
-  name: {{ .Values.serviceAccount }}-cluster-role
+  name: {{ template "serviceAccount" . }}-cluster-role
   apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.serviceAccount }}
+  name: {{ template "serviceAccount" . }}
   namespace: {{ .Release.Namespace }}
 {{- end -}}
diff --git a/filebeat/templates/daemonset.yaml b/filebeat/templates/daemonset.yaml
@@ -36,7 +36,7 @@ spec:
       tolerations:
 {{ toYaml . | indent 6 }}
       {{- end }}
-      serviceAccountName: {{ .Values.serviceAccount }}
+      serviceAccountName: {{ template "serviceAccount" . }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}
       volumes:
       {{- range .Values.secretMounts }}
@@ -68,7 +68,7 @@ spec:
 {{ toYaml .Values.imagePullSecrets | indent 8 }}
       {{- end }}
       containers:
-      - name: "{{ template "name" . }}"
+      - name: "filebeat"
         image: "{{ .Values.image }}:{{ .Values.imageTag }}"
         imagePullPolicy: "{{ .Values.imagePullPolicy }}"
         args:

diff --git a/filebeat/templates/serviceaccount.yaml b/filebeat/templates/serviceaccount.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.serviceAccount }}
+  name: {{ template "serviceAccount" . }}
   labels:
     app: "{{ template "fullname" . }}"
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"

diff --git a/filebeat/tests/filebeat_test.py b/filebeat/tests/filebeat_test.py
@@ -33,6 +33,8 @@ def test_defaults():
 
     assert r['daemonset'][name]['spec']['updateStrategy']['type'] == 'RollingUpdate'
 
+    assert r['daemonset'][name]['spec']['template']['spec']['serviceAccountName'] == name
+
 
 def test_adding_envs():
     config = '''
@@ -133,3 +135,41 @@ def test_adding_in_filebeat_config():
     assert {'mountPath': '/usr/share/filebeat/other-config.yml', 'name': project + '-config', 'subPath': 'other-config.yml', 'readOnly': True} in d['containers'][0]['volumeMounts']
 
     assert 'configChecksum' in r['daemonset'][name]['spec']['template']['metadata']['annotations']
+
+
+def test_adding_a_secret_mount():
+    config = '''
+secretMounts:
+  - name: elastic-certificates
+    secretName: elastic-certificates
+    path: /usr/share/filebeat/config/certs
+'''
+    r = helm_template(config)
+    s = r['daemonset'][name]['spec']['template']['spec']
+    assert s['containers'][0]['volumeMounts'][0] == {
+        'mountPath': '/usr/share/filebeat/config/certs',
+        'name': 'elastic-certificates'
+    }
+    assert s['volumes'][0] == {
+        'name': 'elastic-certificates',
+        'secret': {
+            'secretName': 'elastic-certificates'
+        }
+    }
+
+
+def test_adding_a_extra_volume_with_volume_mount():
+    config = '''
+extraVolumes: |
+  - name: extras
+    emptyDir: {}
+extraVolumeMounts: |
+  - name: extras
+    mountPath: /usr/share/extras
+    readOnly: true
+'''
+    r = helm_template(config)
+    extraVolume = r['daemonset'][name]['spec']['template']['spec']['volumes']
+    assert {'name': 'extras', 'emptyDir': {}} in extraVolume
+    extraVolumeMounts = r['daemonset'][name]['spec']['template']['spec']['containers'][0]['volumeMounts']
+    assert {'name': 'extras', 'mountPath': '/usr/share/extras', 'readOnly': True} in extraVolumeMounts
diff --git a/filebeat/values.yaml b/filebeat/values.yaml
@@ -74,8 +74,8 @@ resources:
     cpu: "1000m"
     memory: "200Mi"
 
-# Service account that the pod will use
-serviceAccount: filebeat
+# Custom service account override that the pod will use
+serviceAccount: ""
 
 # A list of secrets and their paths to mount inside the pod
 # This is useful for mounting certificates for security other sensitive values