Merge pull request #621 from statisticsnorway/helm-chart-service-acco…
…unt-refactor

Helm chart: Own service accounts for API and Web
garronej authored Oct 23, 2023
2 parents 744a3d2 + bc2be84 commit 09d72b9
Showing 8 changed files with 38 additions and 33 deletions.
2 changes: 1 addition & 1 deletion helm-chart/Chart.yaml
Expand Up @@ -14,4 +14,4 @@ type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 5.3.5
version: 6.0.0
4 changes: 2 additions & 2 deletions helm-chart/README.md
Expand Up @@ -9,7 +9,7 @@ Onyxia is distributed as a [Helm](https://helm.sh/) Package.
## Installation

Theses instructions are just the gist for a comprehensive, step-by-step, installation guide
These instructions are just the gist for a comprehensive, step-by-step, installation guide
please refer to [the installation guide](https://docs.onyxia.sh).

```bash
Expand Down Expand Up @@ -60,7 +60,7 @@ EOF
helm install keycloak codecentric/keycloak -f keycloak-values.yaml
```

After that, you should should be able to select *onyxia* as *Login Theme*.
After that, you should be able to select *onyxia* as *Login Theme*.

![image](https://github.com/InseeFrLab/onyxia/assets/6702424/e53ac4cf-1787-406d-b360-e61de41d2607)

12 changes: 6 additions & 6 deletions helm-chart/templates/_helpers.tpl
Expand Up @@ -108,17 +108,17 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{/*Create the name of the service account to use*/}}

{{- define "onyxia.api.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "onyxia.api.fullname" .) .Values.serviceAccount.name }}
{{- if .Values.api.serviceAccount.create -}}
{{ default (include "onyxia.api.fullname" .) .Values.api.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{ default "default" .Values.api.serviceAccount.name }}
{{- end -}}
{{- end -}}

{{- define "onyxia.web.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "onyxia.web.fullname" .) .Values.serviceAccount.name }}
{{- if .Values.web.serviceAccount.create -}}
{{ default (include "onyxia.web.fullname" .) .Values.web.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{ default "default" .Values.web.serviceAccount.name }}
{{- end -}}
{{- end -}}
6 changes: 3 additions & 3 deletions helm-chart/templates/cluster-role-binding.yaml
@@ -1,5 +1,5 @@
{{- if .Values.serviceAccount.create -}}
{{- if .Values.serviceAccount.clusterAdmin -}}
{{- if .Values.api.serviceAccount.create -}}
{{- if .Values.api.serviceAccount.clusterAdmin -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand All @@ -9,7 +9,7 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ default "cluster-admin" .Values.serviceAccount.existingClusterRole }}
name: {{ default "cluster-admin" .Values.api.serviceAccount.existingClusterRole }}
subjects:
- kind: ServiceAccount
name: {{ include "onyxia.api.serviceAccountName" . }}
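Review bot: The `default "cluster-admin"` fallback on the `roleRef` `name` line now reads only `.Values.api.serviceAccount.existingClusterRole`, so a values file that still carries the old top-level `serviceAccount.existingClusterRole` is ignored without any error. If an operator migrates `clusterAdmin` to `api.serviceAccount` but leaves the role name under the old key, the API service account is bound to `cluster-admin` rather than the narrower role they chose. Nothing in the visible templates rejects the legacy `serviceAccount` key, and the same silent ignore applies to the two `if` lines at the top of this file. Consider failing the render when the old key is present, for example `{{- if .Values.serviceAccount }}{{ fail "serviceAccount moved to api.serviceAccount and web.serviceAccount" }}{{- end }}`. The template continues past the lines shown here.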
4 changes: 2 additions & 2 deletions helm-chart/templates/rolebinding-namespace-admin.yaml
@@ -1,5 +1,5 @@
{{- if .Values.serviceAccount.create -}}
{{- if not .Values.serviceAccount.clusterAdmin -}}
{{- if .Values.api.serviceAccount.create -}}
{{- if not .Values.api.serviceAccount.clusterAdmin -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
4 changes: 2 additions & 2 deletions helm-chart/templates/serviceaccount-api.yaml
@@ -1,11 +1,11 @@
{{- if .Values.serviceAccount.create -}}
{{- if .Values.api.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "onyxia.api.serviceAccountName" . }}
labels:
{{- include "onyxia.api.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
{{- with .Values.api.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
4 changes: 2 additions & 2 deletions helm-chart/templates/serviceaccount-web.yaml
@@ -1,11 +1,11 @@
{{- if .Values.serviceAccount.create -}}
{{- if .Values.web.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "onyxia.web.serviceAccountName" . }}
labels:
{{- include "onyxia.web.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
{{- with .Values.web.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
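Review bot: The web ServiceAccount rendered here has no `automountServiceAccountToken` field in the lines shown, so pods running under it get a Kubernetes API token mounted by default. No Role or ClusterRole binding for the web account appears in this commit, which suggests the web component does not call the Kubernetes API. If that holds, add `automountServiceAccountToken: false` after the `metadata` block so that a compromised web container holds no cluster credential. The file continues beyond the visible lines, so confirm the field is not already set further down.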
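--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -1,21 +1,6 @@
 imagePullSecrets: []
 hostAliases: []
 
-serviceAccount:
-# Specifies whether a service account should be created
-create: true
-# If true, the created service account is bound to a ClusterRole (default : cluster-admin) ;
-# if false, it is instead bound to the admin Role, and thus scoped to the namespace
-clusterAdmin: false
-# Existing ClusterRole to use for the CRB if clusterAdmin is set to true
-# existingClusterRole: ""
-# Annotations to add to the service account
-annotations: {}
-# The name of the service account to use.
-# If not set and create is true, a name is generated using the fullname template
-name:
-
-
 ingress:
 enabled: false
 # The name of the Ingress Class associated with this ingress
@@ -89,6 +74,17 @@ web:
 affinity: {}
 env:
 
+serviceAccount:
+# Specifies whether a service account should be created
+create: true
+# If true, the created service account is bound to a ClusterRole (default : cluster-admin) ;
+# if false, it is instead bound to the admin Role, and thus scoped to the namespace
+clusterAdmin: false
+# Annotations to add to the service account
+annotations: { }
+# The name of the service account to use.
+# If not set and create is true, a name is generated using the fullname template
+name:
 
 api:
 name: api
@@ -162,3 +158,12 @@ api:
 # "type": "helm",
 # }
 # ]
+
+serviceAccount:
+# Specifies whether a service account should be created
+create: true
+# Annotations to add to the service account
+annotations: { }
+# The name of the service account to use.
+# If not set and create is true, a name is generated using the fullname template
+name: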
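Review bot: The `clusterAdmin: false` default and its comment were added to the `serviceAccount` block in the `web:` hunk, but the templates in this commit read `.Values.api.serviceAccount.clusterAdmin` and `.Values.api.serviceAccount.existingClusterRole`, and the block added in the `api:` hunk documents neither. Indentation is lost in this view, so the nesting is inferred from the hunk headers. As written, setting `web.serviceAccount.clusterAdmin` has no visible consumer, while the switch that actually grants the API account a ClusterRole (default `cluster-admin`) is absent from the chart defaults. Move `clusterAdmin: false` with its two comment lines into the `api.serviceAccount` block and restore the dropped `# existingClusterRole: ""` hint there. Writing the bare `name:` as an explicit `name: ""` would also avoid relying on a null value.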
