feat: Helm - custom service account creation and management (#17880)
* feat: Custom service account creation and management

* bump helm chart version

* add custom service account in init-job

* service account creation template

* changed service account creation template

* add license
wiktor2200 authored Jan 4, 2022
1 parent 6e59a51 commit 6991417
Showing 7 changed files with 55 additions and 5 deletions.
2 changes: 1 addition & 1 deletion helm/superset/Chart.yaml
Expand Up @@ -22,7 +22,7 @@ maintainers:
- name: craig-rueda
email: craig@craigrueda.com
url: https://github.com/craig-rueda
version: 0.5.1
version: 0.5.2
dependencies:
- name: postgresql
version: 10.2.0
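--- a/helm/superset/templates/_helpers.tpl
+++ b/helm/superset/templates/_helpers.tpl
@@ -42,6 +42,17 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "superset.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default (include "superset.fullname" .) .Values.serviceAccountName -}}
+{{- else -}}
+{{- default "default" .Values.serviceAccountName -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}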
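Review bot: The new `superset.serviceAccountName` helper reads the account name from the top-level `.Values.serviceAccountName` while the switch lives under `.Values.serviceAccount.create`, so one setting is split across two places in the values. Keeping the name inside the same map, for example `{{- default (include "superset.fullname" .) (.Values.serviceAccount.name | default .Values.serviceAccountName) -}}`, would match the layout that `helm create` generates and still honour the existing key. The helper comment could also say what the else branch does: `Falls back to the namespace's "default" service account when create is false and no name is set.`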
4 changes: 2 additions & 2 deletions helm/superset/templates/deployment-worker.yaml
Expand Up @@ -54,8 +54,8 @@ spec:
app: {{ template "superset.name" . }}-worker
release: {{ .Release.Name }}
spec:
{{- if .Values.serviceAccountName }}
serviceAccountName: {{ .Values.serviceAccountName }}
{{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }}
serviceAccountName: {{ template "superset.serviceAccountName" . }}
{{- end }}
securityContext:
runAsUser: {{ .Values.runAsUser }}
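Review bot: The worker pod spec, and the same three lines in deployment.yaml and init-job.yaml, all resolve to the single account returned by `superset.serviceAccountName`, so any role or cloud identity bound to that account is shared by the web pods, the workers and the init job alike. If the account exists to carry permissions, a per-workload override would let operators scope them separately; at minimum the values comment should state that the account is shared by all three. The `if or (...)` guard is also redundant with the helper, which already falls back to `default`, so the line could be emitted unconditionally as `serviceAccountName: {{ include "superset.serviceAccountName" . }}`. The pod spec continues outside the hunk.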
4 changes: 2 additions & 2 deletions helm/superset/templates/deployment.yaml
Expand Up @@ -57,8 +57,8 @@ spec:
app: {{ template "superset.name" . }}
release: {{ .Release.Name }}
spec:
{{- if .Values.serviceAccountName }}
serviceAccountName: {{ .Values.serviceAccountName }}
{{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }}
serviceAccountName: {{ template "superset.serviceAccountName" . }}
{{- end }}
securityContext:
runAsUser: {{ .Values.runAsUser }}
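--- a/helm/superset/templates/init-job.yaml
+++ b/helm/superset/templates/init-job.yaml
@@ -31,6 +31,9 @@ spec:
 {{ toYaml .Values.init.podAnnotations | nindent 8 }}
 {{- end }}
 spec:
+{{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }}
+serviceAccountName: {{ template "superset.serviceAccountName" . }}
+{{- end }}
 securityContext:
 runAsUser: {{ .Values.runAsUser }}
 {{- if .Values.init.initContainers }}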
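--- a/helm/superset/templates/service-account.yaml
+++ b/helm/superset/templates/service-account.yaml
@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "superset.serviceAccountName" . }}
+labels:
+app.kubernetes.io/name: {{ include "superset.name" . }}
+helm.sh/chart: {{ include "superset.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if semverCompare "> 1.6" .Capabilities.KubeVersion.GitVersion }}
+kubernetes.io/cluster-service: "true"
+{{- end }}
+addonmanager.kubernetes.io/mode: Reconcile
+{{- end -}}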
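Review bot: The labels `kubernetes.io/cluster-service: "true"` and `addonmanager.kubernetes.io/mode: Reconcile` on the new ServiceAccount are markers for cluster add-ons owned by the Kubernetes addon manager, not for application objects. On a cluster that runs the addon manager, an object carrying them can be reverted or pruned because it has no manifest in the add-on directory; dropping both labels, and the `semverCompare` block around the first, avoids that. The manifest also leaves the account's API token mounted by default; if the Superset pods do not call the Kubernetes API, add `automountServiceAccountToken: false` here or expose it as a chart value.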
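--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
@@ -25,6 +25,11 @@ replicaCount: 1
 # Runn containers as root is not recommended in production. Change this to another UID - e.g. 1000 to be more secure
 runAsUser: 0
 
+# Create custom service account for Superset. If create: true and name is not provided, superset.fullname will be used.
+# serviceAccountName: superset
+serviceAccount:
+create: false
+
 # Install additional packages and do any other bootstrap configuration in this script
 # For production clusters it's recommended to build own image with this step done in CI
 bootstrapScript: |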
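Review bot: The added comment says the fallback applies when "name is not provided", but the key it means is the top-level `serviceAccountName`, and it does not say what happens with `create: false`. Suggested wording: `# Set create: true to have the chart create a ServiceAccount named serviceAccountName (default: superset.fullname).` followed by `# With create: false, pods use serviceAccountName if set, otherwise the namespace's default account; the chart does not create it.` An account named here with `create: false` must already exist in the release namespace, otherwise pod creation is rejected.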
