From 820d2fd80ec8990e5ab4bea60f51e873255c3eeb Mon Sep 17 00:00:00 2001
From: Sunny Yip
Date: Fri, 26 Apr 2024 16:03:37 -0400
Subject: [PATCH] properly disable service account
Signed-off-by: Sunny Yip
---
 charts/guac/README.md | 22 ++++---
 charts/guac/schema.json | 57 +++++++++++++++----
 .../guac/templates/collectsub-deployment.yaml | 1 +
 charts/guac/templates/collectsub-sa.yaml | 17 ++++++
 .../guac/templates/depsdev-collector-sa.yaml | 7 ++-
 charts/guac/templates/graphql-server-sa.yaml | 7 ++-
 charts/guac/templates/guacrest-sa.yaml | 7 ++-
 charts/guac/templates/ingestor-sa.yaml | 7 ++-
 .../templates/oci-collector-deployment.yaml | 1 +
 charts/guac/templates/oci-collector-sa.yaml | 17 ++++++
 .../templates/osv-certifier-deployment.yaml | 1 +
 charts/guac/templates/osv-certifier-sa.yaml | 17 ++++++
 charts/guac/values.yaml | 30 ++++++----
 13 files changed, 157 insertions(+), 34 deletions(-)
 create mode 100644 charts/guac/templates/collectsub-sa.yaml
 create mode 100644 charts/guac/templates/oci-collector-sa.yaml
 create mode 100644 charts/guac/templates/osv-certifier-sa.yaml
diff --git a/charts/guac/README.md b/charts/guac/README.md
index 834e2f4..b0a1d95 100644
--- a/charts/guac/README.md
+++ b/charts/guac/README.md
@@ -111,6 +111,7 @@ This section contains parameters for configuring the different GUAC components.
 | `guac.ociCollector.env` | Environment variables for OCI Collector. | `[]` |
 | `guac.ociCollector.nodeSelector` | - sets the node selector for where to run the deployment | `{}` |
 | `guac.ociCollector.tolerations` | | `[]` |
+| `guac.ociCollector.serviceAccount.annotations` | - OCI Collector service account annotations | `{}` |
 | `guac.ociCollector.resources` | - [map] resource requests or limits of the ociCollector deployment | `{}` |
 | `guac.depsDevCollector.enabled` | String Whether to deploy Deps.Dev Collector | `true` |
 | `guac.depsDevCollector.name` | String Name of the Deps.Dev Collector component. | `depsdev-collector` |
@@ -130,6 +131,8 @@ This section contains parameters for configuring the different GUAC components.
 | `guac.osvCertifier.env` | Environment variables for OSV Certifier Collector. | `[]` |
 | `guac.osvCertifier.nodeSelector` | - sets the node selector for where to run the deployment | `{}` |
 | `guac.osvCertifier.tolerations` | | `[]` |
+| `guac.osvCertifier.serviceAccount.annotations` | - OSV Certifier service account annotations | `{}` |
+| `guac.osvCertifier.resources` | - [map] resource requests or limits of the OSV Certifier deployment | `{}` |
 | `guac.ingestor.enabled` | String Whether to deploy Ingestor | `true` |
 | `guac.ingestor.name` | String Name of the ingestor component. | `ingestor` |
 | `guac.ingestor.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` |
@@ -140,18 +143,19 @@ This section contains parameters for configuring the different GUAC components.
 | `guac.ingestor.serviceAccount.annotations` | - Ingestor service account annotations | `{}` |
 | `guac.ingestor.tolerations` | | `[]` |
 | `guac.ingestor.resources` | - [map] resource requests or limits of the ingestor deployment | `{}` |
-| `guac.collectSub.enabled` | String Whether to deploy Collector Sub | `true` |
-| `guac.collectSub.name` | String Name of the Collector Sub component. | `collectsub` |
+| `guac.collectSub.enabled` | String Whether to deploy CollectSub | `true` |
+| `guac.collectSub.name` | String Name of the CollectSub component. | `collectsub` |
 | `guac.collectSub.annotations.reloader.stakater.com/auto` | Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader) | `""` |
-| `guac.collectSub.replicas` | Number of replicas for Collector Sub deployment | `1` |
-| `guac.collectSub.image.command` | Command for the Collector Sub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` |
-| `guac.collectSub.env` | Environment variables for Collector Sub. | `[]` |
-| `guac.collectSub.image.ports[0].containerPort` | Port the Collector Sub container listens on | `2782` |
-| `guac.collectSub.svcPorts[0].protocol` | Protocol used at Collector Sub | `TCP` |
-| `guac.collectSub.svcPorts[0].port` | Port the Collector Sub service listens on | `2782` |
-| `guac.collectSub.svcPorts[0].targetPort` | Port the Collector Sub container listens on | `2782` |
+| `guac.collectSub.replicas` | Number of replicas for CollectSub deployment | `1` |
+| `guac.collectSub.image.command` | Command for the CollectSub image. It is not recommended to override this. | `["sh","-c","/opt/guac/guaccsub"]` |
+| `guac.collectSub.env` | Environment variables for CollectSub.
| `[]` |
+| `guac.collectSub.image.ports[0].containerPort` | Port the CollectSub container listens on | `2782` |
+| `guac.collectSub.svcPorts[0].protocol` | Protocol used at CollectSub | `TCP` |
+| `guac.collectSub.svcPorts[0].port` | Port the CollectSub service listens on | `2782` |
+| `guac.collectSub.svcPorts[0].targetPort` | Port the CollectSub container listens on | `2782` |
 | `guac.collectSub.nodeSelector` | - sets the node selector for where to run the deployment | `{}` |
 | `guac.collectSub.tolerations` | | `[]` |
+| `guac.collectSub.serviceAccount.annotations` | - CollectSub service account annotations | `{}` |
 | `guac.collectSub.resources` | - [map] resource requests or limits of the collectSub deployment | `{}` |
 | `guac.graphqlServer.enabled` | String Whether to deploy GraphQL Server | `true` |
 | `guac.graphqlServer.name` | String Name of the GraphQL Server component. | `graphql-server` |
diff --git a/charts/guac/schema.json b/charts/guac/schema.json
index a94a625..cc22866 100644
--- a/charts/guac/schema.json
+++ b/charts/guac/schema.json
@@ -105,6 +105,16 @@
 "default": [],
 "items": {}
 },
+ "serviceAccount": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "description": "- OCI Collector service account annotations",
+ "default": {}
+ }
+ }
+ },
 "resources": {
 "type": "object",
 "description": "- [map] resource requests or limits of the ociCollector deployment",
@@ -232,6 +242,21 @@
 "description": "",
 "default": [],
 "items": {}
+ },
+ "serviceAccount": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "description": "- OSV Certifier service account annotations",
+ "default": {}
+ }
+ }
+ },
+ "resources": {
+ "type": "object",
+ "description": "- [map] resource requests or limits of the OSV Certifier deployment",
+ "default": {}
 }
 }
 },
@@ -309,17 +334,17 @@
 "properties": {
 "enabled": {
 "type": "boolean",
- "description": "String Whether to deploy Collector Sub",
+ "description": "String Whether to deploy CollectSub",
 "default": true
 },
 "name": {
 "type": "string",
- "description": "String Name of the Collector Sub component.",
+ "description": "String Name of the CollectSub component.",
 "default": "collectsub"
 },
 "replicas": {
 "type": "number",
- "description": "Number of replicas for Collector Sub deployment",
+ "description": "Number of replicas for CollectSub deployment",
 "default": 1
 },
 "image": {
@@ -327,7 +352,7 @@
 "properties": {
 "command": {
 "type": "array",
- "description": "Command for the Collector Sub image. It is not recommended to override this.",
+ "description": "Command for the CollectSub image. It is not recommended to override this.",
 "default": [
 "sh",
 "-c",
@@ -339,13 +364,13 @@
 },
 "ports": {
 "type": "array",
- "description": "Port the Collector Sub container listens on",
+ "description": "Port the CollectSub container listens on",
 "items": {
 "type": "object",
 "properties": {
 "containerPort": {
 "type": "number",
- "description": "Port the Collector Sub container listens on"
+ "description": "Port the CollectSub container listens on"
 }
 }
 }
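Review bot: The renamed description on the `enabled` property in the `-309,17` hunk still reads `"String Whether to deploy CollectSub"` while the property's `"type"` is `"boolean"`; since the rename touches this line anyway, drop the stray type word: `"description": "Whether to deploy CollectSub"`. The same wording is carried into the README row and the `## @param guac.collectSub.enabled` line in values.yaml, so if schema.json and README.md are generated from those `## @param` comments the fix belongs in values.yaml rather than here. The enclosing `collectSub` object starts before this hunk.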
@@ -354,27 +379,27 @@
 },
 "env": {
 "type": "array",
- "description": "Environment variables for Collector Sub.",
+ "description": "Environment variables for CollectSub.",
 "default": [],
 "items": {}
 },
 "svcPorts": {
 "type": "array",
- "description": "Protocol used at Collector Sub",
+ "description": "Protocol used at CollectSub",
 "items": {
 "type": "object",
 "properties": {
 "protocol": {
 "type": "string",
- "description": "Protocol used at Collector Sub"
+ "description": "Protocol used at CollectSub"
 },
 "port": {
 "type": "number",
- "description": "Port the Collector Sub service listens on"
+ "description": "Port the CollectSub service listens on"
 },
 "targetPort": {
 "type": "number",
- "description": "Port the Collector Sub container listens on"
+ "description": "Port the CollectSub container listens on"
 }
 }
 }
@@ -390,6 +415,16 @@
 "default": [],
 "items": {}
 },
+ "serviceAccount": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "description": "- CollectSub service account annotations",
+ "default": {}
+ }
+ }
+ },
 "resources": {
 "type": "object",
 "description": "- [map] resource requests or limits of the collectSub deployment",
diff --git a/charts/guac/templates/collectsub-deployment.yaml b/charts/guac/templates/collectsub-deployment.yaml
index b00fed5..f84344b 100644
--- a/charts/guac/templates/collectsub-deployment.yaml
+++ b/charts/guac/templates/collectsub-deployment.yaml
@@ -28,6 +28,7 @@ spec:
 app.kubernetes.io/name: {{ .Values.guac.collectSub.name }}
 app.kubernetes.io/component: {{ .Values.guac.collectSub.name }}
 spec:
+ serviceAccountName: {{ .Values.guac.collectSub.name }}
 containers:
 - name: {{ .Values.guac.collectSub.name }}
 {{- if .Values.guac.guacImage.digest }}
diff --git a/charts/guac/templates/collectsub-sa.yaml b/charts/guac/templates/collectsub-sa.yaml
new file mode 100644
index 0000000..2723199
--- /dev/null
+++ b/charts/guac/templates/collectsub-sa.yaml
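Review bot: The new `serviceAccountName` line in the collectsub-deployment.yaml hunk binds the pod to its own service account, but nothing in the diff turns off token auto-mounting, so the collectsub, oci-collector and osv-certifier pods still receive a projected bearer token that authenticates to the API server even though no Role or RoleBinding is created for them. Unless one of these components actually calls the Kubernetes API (nothing on this page suggests they do), add `automountServiceAccountToken: false` directly under the new `serviceAccountName:` line so a compromised container does not hold a cluster credential it never needed. The same applies to the oci-collector-deployment.yaml and osv-certifier-deployment.yaml hunks, which add the identical line. The Deployment's pod spec continues outside the hunk, so if an explicit `automountServiceAccountToken` already exists further down this note does not apply.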
@@ -0,0 +1,17 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+{{ if .Values.guac.collectSub.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.guac.collectSub.name }}
+{{- if .Values.guac.collectSub.annotations }}
+ annotations:
+{{ toYaml .Values.guac.collectSub.serviceAccount.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "guac.labels" . | nindent 4 }}
+ app.kubernetes.io/name: {{ .Values.guac.collectSub.name }}
+ app.kubernetes.io/component: {{ .Values.guac.collectSub.name }}
+{{- end }}
diff --git a/charts/guac/templates/depsdev-collector-sa.yaml b/charts/guac/templates/depsdev-collector-sa.yaml
index b9b5665..75b52a1 100644
--- a/charts/guac/templates/depsdev-collector-sa.yaml
+++ b/charts/guac/templates/depsdev-collector-sa.yaml
@@ -1,3 +1,7 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+{{ if .Values.guac.depsDevCollector.enabled }}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,4 +13,5 @@ metadata:
 labels:
 {{- include "guac.labels" . | nindent 4 }}
 app.kubernetes.io/name: {{ .Values.guac.depsDevCollector.name }}
- app.kubernetes.io/component: {{ .Values.guac.depsDevCollector.name }}
\ No newline at end of file
+ app.kubernetes.io/component: {{ .Values.guac.depsDevCollector.name }}
+{{- end }}
diff --git a/charts/guac/templates/graphql-server-sa.yaml b/charts/guac/templates/graphql-server-sa.yaml
index 6850e79..19febbd 100644
--- a/charts/guac/templates/graphql-server-sa.yaml
+++ b/charts/guac/templates/graphql-server-sa.yaml
@@ -1,3 +1,7 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+{{ if .Values.guac.graphqlServer.enabled }}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
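Review bot: The annotations guard in the new collectsub-sa.yaml tests `.Values.guac.collectSub.annotations` (the Deployment-level reloader annotations) but the line below renders `.Values.guac.collectSub.serviceAccount.annotations`, so the value this commit adds to values.yaml, schema.json and the README is never emitted on its own, and when the deployment annotations are set while the service-account ones stay at `{}` the block renders a bare `{}` under `annotations:`. Change the guard to `{{- if .Values.guac.collectSub.serviceAccount.annotations }}`; the identical mismatch is in the new oci-collector-sa.yaml and osv-certifier-sa.yaml hunks. This is not only cosmetic: service-account annotations are the usual hook for cloud workload-identity bindings, so a silently dropped annotation leaves the pod without the identity an operator believes they configured. The pre-existing ingestor/graphql/guacrest/depsdev SA templates that these files appear to be modelled on show only their header and tail in this diff, so whether they carry the same guard cannot be confirmed from here and is worth checking.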
@@ -9,4 +13,5 @@ metadata:
 labels:
 {{- include "guac.labels" . | nindent 4 }}
 app.kubernetes.io/name: {{ .Values.guac.graphqlServer.name }}
- app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }}
\ No newline at end of file
+ app.kubernetes.io/component: {{ .Values.guac.graphqlServer.name }}
+{{- end }}
diff --git a/charts/guac/templates/guacrest-sa.yaml b/charts/guac/templates/guacrest-sa.yaml
index a0ad0f7..3dabb80 100644
--- a/charts/guac/templates/guacrest-sa.yaml
+++ b/charts/guac/templates/guacrest-sa.yaml
@@ -1,3 +1,7 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+{{ if .Values.guac.restApi.enabled }}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,4 +13,5 @@ metadata:
 labels:
 {{- include "guac.labels" . | nindent 4 }}
 app.kubernetes.io/name: {{ .Values.guac.restApi.name }}
- app.kubernetes.io/component: {{ .Values.guac.restApi.name }}
\ No newline at end of file
+ app.kubernetes.io/component: {{ .Values.guac.restApi.name }}
+{{- end }}
diff --git a/charts/guac/templates/ingestor-sa.yaml b/charts/guac/templates/ingestor-sa.yaml
index 6205c37..5895e9b 100644
--- a/charts/guac/templates/ingestor-sa.yaml
+++ b/charts/guac/templates/ingestor-sa.yaml
@@ -1,3 +1,7 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+{{ if .Values.guac.ingestor.enabled }}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,4 +13,5 @@ metadata:
 labels:
 {{- include "guac.labels" . | nindent 4 }}
 app.kubernetes.io/name: {{ .Values.guac.ingestor.name }}
- app.kubernetes.io/component: {{ .Values.guac.ingestor.name }}
\ No newline at end of file
+ app.kubernetes.io/component: {{ .Values.guac.ingestor.name }}
+{{- end }}
diff --git a/charts/guac/templates/oci-collector-deployment.yaml b/charts/guac/templates/oci-collector-deployment.yaml
index b7fbac8..1e16868 100644
--- a/charts/guac/templates/oci-collector-deployment.yaml
+++ b/charts/guac/templates/oci-collector-deployment.yaml
@@ -28,6 +28,7 @@ spec:
 app.kubernetes.io/name: {{ .Values.guac.ociCollector.name }}
 app.kubernetes.io/component: {{ .Values.guac.ociCollector.name }}
 spec:
+ serviceAccountName: {{ .Values.guac.ociCollector.name }}
 containers:
 - name: {{ .Values.guac.ociCollector.name }}
 {{- if .Values.guac.guacImage.digest }}
diff --git a/charts/guac/templates/oci-collector-sa.yaml b/charts/guac/templates/oci-collector-sa.yaml
new file mode 100644
index 0000000..5782db2
--- /dev/null
+++ b/charts/guac/templates/oci-collector-sa.yaml
@@ -0,0 +1,17 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+{{ if .Values.guac.ociCollector.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.guac.ociCollector.name }}
+{{- if .Values.guac.ociCollector.annotations }}
+ annotations:
+{{ toYaml .Values.guac.ociCollector.serviceAccount.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "guac.labels" . | nindent 4 }}
+ app.kubernetes.io/name: {{ .Values.guac.ociCollector.name }}
+ app.kubernetes.io/component: {{ .Values.guac.ociCollector.name }}
+{{- end }}
diff --git a/charts/guac/templates/osv-certifier-deployment.yaml b/charts/guac/templates/osv-certifier-deployment.yaml
index fd88747..e7d4488 100644
--- a/charts/guac/templates/osv-certifier-deployment.yaml
+++ b/charts/guac/templates/osv-certifier-deployment.yaml
@@ -28,6 +28,7 @@ spec:
 app.kubernetes.io/name: {{ .Values.guac.osvCertifier.name }}
 app.kubernetes.io/component: {{ .Values.guac.osvCertifier.name }}
 spec:
+ serviceAccountName: {{ .Values.guac.osvCertifier.name }}
 containers:
 - name: {{ .Values.guac.osvCertifier.name }}
 {{- if .Values.guac.guacImage.digest }}
diff --git a/charts/guac/templates/osv-certifier-sa.yaml b/charts/guac/templates/osv-certifier-sa.yaml
new file mode 100644
index 0000000..6e411c6
--- /dev/null
+++ b/charts/guac/templates/osv-certifier-sa.yaml
@@ -0,0 +1,17 @@
+# Copyright Kusari, Inc. and contributors
+# Licensed under the MIT license. See LICENSE file in the project root for details.
+{{ if .Values.guac.osvCertifier.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.guac.osvCertifier.name }}
+{{- if .Values.guac.osvCertifier.annotations }}
+ annotations:
+{{ toYaml .Values.guac.osvCertifier.serviceAccount.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "guac.labels" . | nindent 4 }}
+ app.kubernetes.io/name: {{ .Values.guac.osvCertifier.name }}
+ app.kubernetes.io/component: {{ .Values.guac.osvCertifier.name }}
+{{- end }}
diff --git a/charts/guac/values.yaml b/charts/guac/values.yaml
index c16f4d2..b7e3fa8 100644
--- a/charts/guac/values.yaml
+++ b/charts/guac/values.yaml
@@ -24,6 +24,7 @@ imagePullSecrets:
 ## @param guac.ociCollector.env Environment variables for OCI Collector.
 ## @param guac.ociCollector.nodeSelector - sets the node selector for where to run the deployment
 ## @param guac.ociCollector.tolerations
+## @param guac.ociCollector.serviceAccount.annotations - OCI Collector service account annotations
 ## @param guac.ociCollector.resources - [map] resource requests or limits of the ociCollector deployment
 ## @param guac.depsDevCollector.enabled String Whether to deploy Deps.Dev Collector
 ## @param guac.depsDevCollector.name String Name of the Deps.Dev Collector component.
@@ -43,6 +44,8 @@ imagePullSecrets:
 ## @param guac.osvCertifier.env Environment variables for OSV Certifier Collector.
 ## @param guac.osvCertifier.nodeSelector - sets the node selector for where to run the deployment
 ## @param guac.osvCertifier.tolerations
+## @param guac.osvCertifier.serviceAccount.annotations - OSV Certifier service account annotations
+## @param guac.osvCertifier.resources - [map] resource requests or limits of the OSV Certifier deployment
 ## @param guac.ingestor.enabled String Whether to deploy Ingestor
 ## @param guac.ingestor.name String Name of the ingestor component.
 ## @param guac.ingestor.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
@@ -53,18 +56,19 @@ imagePullSecrets:
 ## @param guac.ingestor.serviceAccount.annotations - Ingestor service account annotations
 ## @param guac.ingestor.tolerations
 ## @param guac.ingestor.resources - [map] resource requests or limits of the ingestor deployment
-## @param guac.collectSub.enabled String Whether to deploy Collector Sub
-## @param guac.collectSub.name String Name of the Collector Sub component.
+## @param guac.collectSub.enabled String Whether to deploy CollectSub
+## @param guac.collectSub.name String Name of the CollectSub component.
 ## @param guac.collectSub.annotations.reloader.stakater.com/auto [string] Boolean for deploying [stakater/Reloader] (https://github.com/stakater/Reloader)
-## @param guac.collectSub.replicas Number of replicas for Collector Sub deployment
-## @param guac.collectSub.image.command Command for the Collector Sub image. It is not recommended to override this.
-## @param guac.collectSub.env Environment variables for Collector Sub.
-## @param guac.collectSub.image.ports[0].containerPort Port the Collector Sub container listens on
-## @param guac.collectSub.svcPorts[0].protocol Protocol used at Collector Sub
-## @param guac.collectSub.svcPorts[0].port Port the Collector Sub service listens on
-## @param guac.collectSub.svcPorts[0].targetPort Port the Collector Sub container listens on
+## @param guac.collectSub.replicas Number of replicas for CollectSub deployment
+## @param guac.collectSub.image.command Command for the CollectSub image. It is not recommended to override this.
+## @param guac.collectSub.env Environment variables for CollectSub.
+## @param guac.collectSub.image.ports[0].containerPort Port the CollectSub container listens on
+## @param guac.collectSub.svcPorts[0].protocol Protocol used at CollectSub
+## @param guac.collectSub.svcPorts[0].port Port the CollectSub service listens on
+## @param guac.collectSub.svcPorts[0].targetPort Port the CollectSub container listens on
 ## @param guac.collectSub.nodeSelector - sets the node selector for where to run the deployment
 ## @param guac.collectSub.tolerations
+## @param guac.collectSub.serviceAccount.annotations - CollectSub service account annotations
 ## @param guac.collectSub.resources - [map] resource requests or limits of the collectSub deployment
 ## @param guac.graphqlServer.enabled String Whether to deploy GraphQL Server
 ## @param guac.graphqlServer.name String Name of the GraphQL Server component.
@@ -172,6 +176,8 @@ guac:
 env: []
 nodeSelector: {}
 tolerations: []
+ serviceAccount:
+ annotations: {}
 resources: {}
 # requests:
 # cpu: "0.25"
@@ -206,7 +212,9 @@ guac:
 env: []
 nodeSelector: {}
 tolerations: []
- # resources:
+ serviceAccount:
+ annotations: {}
+ resources: {}
 # requests:
 # cpu: "0.25"
 # memory: "0.5G"
@@ -246,6 +254,8 @@ guac:
 targetPort: 2782
 nodeSelector: {}
 tolerations: []
+ serviceAccount:
+ annotations: {}
 resources: {}
 # requests:
 # cpu: "0.2"