[WS-3148] Service Accounts configuration for cms and proxy

websight-io · Apr 22, 2024 · 6615319 · 6615319
1 parent 5d4b9fa
commit 6615319
Show file tree

Hide file tree

Showing 10 changed files with 287 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -79,6 +79,9 @@ The command removes all the Kubernetes components associated with the chart and
 | cms.readinessProbe.timeoutSeconds | int | `10` |  |
 | cms.replicas | int | `1` | number of replicas, mind that `tar` persistence mode will create a StatefulSet, while `mongo` will create a Deployment |
 | cms.resources | object | `{}` | container's resources settings |
+| cms.serviceAccount.automountServiceAccountToken | bool | `true` | automount service account token |
+| cms.serviceAccount.create | bool | `true` | create service account |
+| cms.serviceAccount.name | string | `nil` | service account name, if the name is not set, then a name is generated using the cms's fullname template |
 | cms.updateStrategy | object | `{}` | update strategy, works only for `mongo` persistence mode |
 | proxy.enabled | bool | `false` | enables proxy |
 | proxy.env | list | `[]` | environment variables |
@@ -93,6 +96,9 @@ The command removes all the Kubernetes components associated with the chart and
 | proxy.readinessProbe.enabled | bool | `true` | enables pods readiness probe |
 | proxy.replicas | int | `1` | number of replicas |
 | proxy.resources | object | `{}` | container's resources settings |
+| proxy.serviceAccount.automountServiceAccountToken | bool | `true` | automount service account token |
+| proxy.serviceAccount.create | bool | `true` | create service account |
+| proxy.serviceAccount.name | string | `nil` | service account name, if the name is not set, then a name is generated using the proxy's fullname template |
 | proxy.sites | object | `[]` | site configuration, see the `examples/luna-proxy` for more details |
 | proxy.updateStrategy | object | `{}` | update strategy |
 

diff --git a/websight-cms/templates/_helpers.tpl b/websight-cms/templates/_helpers.tpl
@@ -50,18 +50,6 @@ app.kubernetes.io/name: {{ include "websight-cms.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "websight-cms.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "websight-cms.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-
 {{/*
 Create a default fully qualified component name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -82,6 +70,20 @@ Usage:
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the component-type shared service account to use.
+
+Usage:
+{{ include "websight-cms.component.serviceAccountName" (dict "componentName" "component-name" "serviceAccount" saObject "context" $) }}
+*/}}
+{{- define "websight-cms.component.serviceAccountName" -}}
+{{- if .serviceAccount.create -}}
+    {{ .serviceAccount.name | default (include "websight-cms.component.fullname" (dict "componentName" .componentName "context" .context)) }}
+{{- else -}}
+    {{ .serviceAccount.name | default "default" }}
+{{- end -}}
+{{- end }}
+
 {{/*
 Metadata labels for CMS component
 Usage:

diff --git a/websight-cms/templates/cms/cms-deployment.yaml b/websight-cms/templates/cms/cms-deployment.yaml
@@ -21,6 +21,7 @@ spec:
       {{- if .Values.cms.imagePullSecrets }}
       imagePullSecrets: {{- .Values.cms.imagePullSecrets | toYaml | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "websight-cms.component.serviceAccountName" (dict "componentName" "cms" "serviceAccount" .Values.cms.serviceAccount "context" $) }}
       containers:
         - name: cms
           image: "{{ .Values.cms.image.repository }}:{{ default .Chart.AppVersion .Values.cms.image.tag }}"

diff --git a/websight-cms/templates/cms/cms-serviceaccount.yaml b/websight-cms/templates/cms/cms-serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.cms.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.cms.serviceAccount.name | default (include "websight-cms.component.fullname" (dict "componentName" "cms" "context" $)) }}
+  labels:
+    {{- include "websight-cms.component.labels" (dict "componentName" "cms" "context" $) | nindent 4 }}
+automountServiceAccountToken: {{ .Values.cms.serviceAccount.automountServiceAccountToken }}
+{{- end }}
diff --git a/websight-cms/templates/cms/cms-statefulset.yaml b/websight-cms/templates/cms/cms-statefulset.yaml
@@ -18,6 +18,7 @@ spec:
       {{- if .Values.cms.imagePullSecrets }}
       imagePullSecrets: {{- .Values.cms.imagePullSecrets | toYaml | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "websight-cms.component.serviceAccountName" (dict "componentName" "cms" "serviceAccount" .Values.cms.serviceAccount "context" $) }}
       containers:
         - name: cms
           image: "{{ .Values.cms.image.repository }}:{{ default .Chart.AppVersion .Values.cms.image.tag }}"

diff --git a/websight-cms/templates/proxy/proxy-deployment.yaml b/websight-cms/templates/proxy/proxy-deployment.yaml
@@ -21,6 +21,7 @@ spec:
       {{- if .Values.proxy.imagePullSecrets }}
       imagePullSecrets: {{- .Values.proxy.imagePullSecrets | toYaml | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "websight-cms.component.serviceAccountName" (dict "componentName" "proxy" "serviceAccount" .Values.proxy.serviceAccount "context" $) }}
       containers:
         - name: nginx
           image: "{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}"

diff --git a/websight-cms/templates/proxy/proxy-serviceaccount.yaml b/websight-cms/templates/proxy/proxy-serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.proxy.enabled -}}
+{{- if .Values.proxy.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.proxy.serviceAccount.name | default (include "websight-cms.component.fullname" (dict "componentName" "proxy" "context" $)) }}
+  labels:
+    {{- include "websight-cms.component.labels" (dict "componentName" "proxy" "context" $) | nindent 4 }}
+automountServiceAccountToken: {{ .Values.proxy.serviceAccount.automountServiceAccountToken }}
+{{- end }}
+{{- end }}
diff --git a/websight-cms/tests/unit/cms-serviceaccount-test.yaml b/websight-cms/tests/unit/cms-serviceaccount-test.yaml
@@ -0,0 +1,150 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+
+suite: test cms service account configuration
+release:
+  name: test
+tests:
+  # @Test
+  - it: create service account with default name and default values and bind it to the statefulset pod
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/cms/cms-serviceaccount.yaml
+      - isKind:
+          of: ServiceAccount
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: metadata.name
+          value: test-websight-cms-cms
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: test-websight-cms-cms
+        template: templates/cms/cms-statefulset.yaml
+  # @Test
+  - it: create service account with default name and default values and bind it to the deployment pod
+    set:
+      cms:
+        persistence:
+          mode: mongo
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/cms/cms-serviceaccount.yaml
+      - isKind:
+          of: ServiceAccount
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: metadata.name
+          value: test-websight-cms-cms
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: test-websight-cms-cms
+        template: templates/cms/cms-deployment.yaml
+  # @Test
+  - it: create service account with custom name and default values and bind it to the statefulset pod
+    set:
+      cms:
+        serviceAccount:
+          name: custom-name
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/cms/cms-serviceaccount.yaml
+      - isKind:
+          of: ServiceAccount
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: metadata.name
+          value: custom-name
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: custom-name
+        template: templates/cms/cms-statefulset.yaml
+  # @Test
+  - it: create service account with custom name and default values and bind it to the deployment pod
+    set:
+      cms:
+        serviceAccount:
+          name: custom-name
+        persistence:
+          mode: mongo
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/cms/cms-serviceaccount.yaml
+      - isKind:
+          of: ServiceAccount
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: metadata.name
+          value: custom-name
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: custom-name
+        template: templates/cms/cms-deployment.yaml
+  # @Test
+  - it: when create is disabled and service account name not set, service account should not be created and default binding should be present on the statefulset pod
+    set:
+      cms:
+        serviceAccount:
+          create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: default
+        template: templates/cms/cms-statefulset.yaml
+  # @Test
+  - it: when create is disabled and service account name not set, service account should not be created and default binding should be present on the deployment pod
+    set:
+      cms:
+        serviceAccount:
+          create: false
+        persistence:
+          mode: mongo
+    asserts:
+      - hasDocuments:
+          count: 0
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: default
+        template: templates/cms/cms-deployment.yaml
+  # @Test
+  - it: when create is disabled and service account name is set, service account should not be created and custom binding should be present on the statefulset pod
+    set:
+      cms:
+        serviceAccount:
+          create: false
+          name: custom-name
+    asserts:
+      - hasDocuments:
+          count: 0
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: custom-name
+        template: templates/cms/cms-statefulset.yaml
+  # @Test
+  - it: when create is disabled and service account name is set, service account should not be created and custom binding should be present on the deployment pod
+    set:
+      cms:
+        serviceAccount:
+          create: false
+          name: custom-name
+        persistence:
+          mode: mongo
+    asserts:
+      - hasDocuments:
+          count: 0
+        template: templates/cms/cms-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: custom-name
+        template: templates/cms/cms-deployment.yaml
diff --git a/websight-cms/tests/unit/proxy-serviceaccount-test.yaml b/websight-cms/tests/unit/proxy-serviceaccount-test.yaml
@@ -0,0 +1,80 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+
+suite: test proxy service account configuration
+release:
+  name: test
+tests:
+  # @Test
+  - it: create service account with default name and default values and bind it to the pod
+    set:
+      proxy:
+        enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/proxy/proxy-serviceaccount.yaml
+      - isKind:
+          of: ServiceAccount
+        template: templates/proxy/proxy-serviceaccount.yaml
+      - equal:
+          path: metadata.name
+          value: test-websight-cms-proxy
+        template: templates/proxy/proxy-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: test-websight-cms-proxy
+        template: templates/proxy/proxy-deployment.yaml
+  # @Test
+  - it: create service account with custom name and default values and bind it to the pod
+    set:
+      proxy:
+        enabled: true
+        serviceAccount:
+          name: custom-name
+    asserts:
+      - hasDocuments:
+          count: 1
+        template: templates/proxy/proxy-serviceaccount.yaml
+      - isKind:
+          of: ServiceAccount
+        template: templates/proxy/proxy-serviceaccount.yaml
+      - equal:
+          path: metadata.name
+          value: custom-name
+        template: templates/proxy/proxy-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: custom-name
+        template: templates/proxy/proxy-deployment.yaml
+  # @Test
+  - it: when create is disabled and service account name not set, service account should not be created and default binding should be present on the pod
+    set:
+      proxy:
+        enabled: true
+        serviceAccount:
+          create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+        template: templates/proxy/proxy-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: default
+        template: templates/proxy/proxy-deployment.yaml
+
+  # @Test
+  - it: when create is disabled and service account name is set, service account should not be created and custom binding should be present on the pod
+    set:
+      proxy:
+        enabled: true
+        serviceAccount:
+          create: false
+          name: custom-name
+    asserts:
+      - hasDocuments:
+          count: 0
+        template: templates/proxy/proxy-serviceaccount.yaml
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: custom-name
+        template: templates/proxy/proxy-deployment.yaml
diff --git a/websight-cms/values.yaml b/websight-cms/values.yaml
@@ -88,6 +88,13 @@ cms:
       cookie:
         expires: 172800
         maxAge: 172800
+  serviceAccount:
+    # -- create service account
+    create: true
+    # -- service account name, if the name is not set, then a name is generated using the cms's fullname template
+    name:
+    # -- automount service account token
+    automountServiceAccountToken: true
 
 # WebSight CMS proxy configuration
 proxy:
@@ -138,3 +145,10 @@ proxy:
     annotations: {}
   # -- (object) site configuration, see the `examples/luna-proxy` for more details
   sites: []
+  serviceAccount:
+    # -- create service account
+    create: true
+    # -- service account name, if the name is not set, then a name is generated using the proxy's fullname template
+    name:
+    # -- automount service account token
+    automountServiceAccountToken: true