Support custom service account name (#52)

This PR enables users to override service account for all deployed resources ## Test plan ### Initial deployment ```sh kind create cluster ``` `override.yaml` ```yml storageClass: create: false # Disable if you have your own existing storage class name: standard sourcegraph: localDevMode: true ``` ```sh helm upgrade --install -n sourcegraph -f charts/sourcegraph/override.yaml sourcegraph charts/sourcegraph/ ``` ### Enable SA Updated `override.yaml` ```yml storageClass: create: false # Disable if you have your own existing storage class name: standard sourcegraph: localDevMode: true codeInsightsDB: serviceAccount: create: true codeIntelDB: serviceAccount: create: true githubProxy: serviceAccount: create: true gitserver: serviceAccount: create: true indexedSearch: serviceAccount: create: true minio: serviceAccount: create: true pgsql: serviceAccount: create: true preciseCodeIntel: serviceAccount: create: true redisCache: serviceAccount: create: true redisStore: serviceAccount: create: true repoUpdater: serviceAccount: create: true searcher: serviceAccount: create: true symbols: serviceAccount: create: true syntectServer: serviceAccount: create: true tracing: serviceAccount: create: true worker: serviceAccount: create: true ``` ```sh helm diff -n sourcegraph -f charts/sourcegraph/override.yaml sourcegraph charts/sourcegraph/ ``` - Verify rendered manifest is expected - Verify sourcegraph server still works fix https://github.com/sourcegraph/sourcegraph/issues/31889
sourcegraph · Mar 2, 2022 · fac583b · fac583b
1 parent 8da42c5
commit fac583b
Show file tree

Hide file tree

Showing 39 changed files with 312 additions and 9 deletions.
diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
diff --git a/charts/sourcegraph/templates/_helpers.tpl b/charts/sourcegraph/templates/_helpers.tpl
@@ -41,7 +41,16 @@ Create the name of the service account to use
 {{- define "sourcegraph.serviceAccountName" -}}
 {{- $top := index . 0 }}
 {{- $service := index . 1 }}
-{{- default $service (index $top.Values $service "serviceAccount" "name") }}
+{{- $defaultServiceAccountName := ((snakecase $service) | replace "_" "-") }}
+{{- default $defaultServiceAccountName (index $top.Values $service "serviceAccount" "name") }}
+{{- end }}
+
+{{- define "sourcegraph.renderServiceAccountName" -}}
+{{- $top := index . 0 }}
+{{- $service := index . 1 }}
+{{- if or (index $top.Values $service "serviceAccount" "create") (index $top.Values $service "serviceAccount" "name") }}
+serviceAccountName: {{ include "sourcegraph.serviceAccountName" (list $top $service) }}
+{{- end }}
 {{- end }}
 
 {{/*

diff --git a/charts/sourcegraph/templates/cadvisor/cadvisor.DaemonSet.yaml b/charts/sourcegraph/templates/cadvisor/cadvisor.DaemonSet.yaml
@@ -42,7 +42,7 @@ spec:
         deploy: sourcegraph
         app: cadvisor
     spec:
-      serviceAccountName: {{ include "sourcegraph.serviceAccountName" (list . "cadvisor") }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "cadvisor") | trim | nindent 6 }}
       containers:
       - name: cadvisor
         image: {{ include "sourcegraph.image" (list . "cadvisor" ) }}

diff --git a/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Deployment.yaml b/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Deployment.yaml
@@ -94,6 +94,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       terminationGracePeriodSeconds: 120
+      {{- include "sourcegraph.renderServiceAccountName" (list . "codeInsightsDB") | trim | nindent 6 }}
       volumes:
       - name: disk
         persistentVolumeClaim:

diff --git a/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.ServiceAccount.yaml b/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.codeInsightsDB.enabled .Values.codeInsightsDB.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: codeinsights-db
+  name: {{ include "sourcegraph.serviceAccountName" (list . "codeInsightsDB") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/codeintel-db/codeintel-db.Deployment.yaml b/charts/sourcegraph/templates/codeintel-db/codeintel-db.Deployment.yaml
@@ -127,6 +127,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "codeIntelDB") | trim | nindent 6 }}
       volumes:
       - name: disk
         persistentVolumeClaim:

diff --git a/charts/sourcegraph/templates/codeintel-db/codeintel-db.ServiceAccount.yaml b/charts/sourcegraph/templates/codeintel-db/codeintel-db.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.codeIntelDB.enabled .Values.codeIntelDB.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: codeintel-db
+  name: {{ include "sourcegraph.serviceAccountName" (list . "codeIntelDB") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml b/charts/sourcegraph/templates/frontend/sourcegraph-frontend.Deployment.yaml
@@ -133,7 +133,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "sourcegraph.serviceAccountName" (list . "frontend") }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "frontend") | trim | nindent 6 }}
       volumes:
       - emptyDir: {}
         name: cache-ssd

diff --git a/charts/sourcegraph/templates/github-proxy/github-proxy.Deployment.yaml b/charts/sourcegraph/templates/github-proxy/github-proxy.Deployment.yaml
@@ -85,6 +85,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "githubProxy") | trim | nindent 6 }}
       volumes:
       {{- if .Values.githubProxy.extraVolumes }}
       {{- toYaml .Values.githubProxy.extraVolumes | nindent 6 }}

diff --git a/charts/sourcegraph/templates/github-proxy/github-proxy.ServiceAccount.yaml b/charts/sourcegraph/templates/github-proxy/github-proxy.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.githubProxy.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: github-proxy
+  name: {{ include "sourcegraph.serviceAccountName" (list . "githubProxy") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/gitserver/gitserver.ServiceAccount.yaml b/charts/sourcegraph/templates/gitserver/gitserver.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.gitserver.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: gitserver
+  name: {{ include "sourcegraph.serviceAccountName" (list . "gitserver") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/gitserver/gitserver.StatefulSet.yaml b/charts/sourcegraph/templates/gitserver/gitserver.StatefulSet.yaml
@@ -90,6 +90,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "gitserver") | trim | nindent 6 }}
       volumes:
       - name: repos
       {{- if .Values.gitserver.sshSecret }}

diff --git a/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml b/charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml
@@ -77,7 +77,7 @@ spec:
         {{- end }}
         securityContext:
           {{- toYaml .Values.grafana.containerSecurityContext | nindent 10 }}
-      serviceAccountName: grafana
+      {{- include "sourcegraph.renderServiceAccountName" (list . "grafana") | trim | nindent 6 }}
       {{- if .Values.grafana.extraContainers }}
         {{- toYaml .Values.grafana.extraContainers | nindent 6 }}
       {{- end }}

diff --git a/charts/sourcegraph/templates/indexed-search/indexed-search.ServiceAccount.yaml b/charts/sourcegraph/templates/indexed-search/indexed-search.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.indexedSearch.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: indexed-search
+  name: {{ include "sourcegraph.serviceAccountName" (list . "indexedSearch") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/indexed-search/indexed-search.StatefulSet.yaml b/charts/sourcegraph/templates/indexed-search/indexed-search.StatefulSet.yaml
@@ -112,6 +112,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "indexedSearch") | trim | nindent 6 }}
       volumes:
       - name: data
       {{- if .Values.indexedSearch.extraVolumes }}

diff --git a/charts/sourcegraph/templates/jaeger/jaeger.Deployment.yaml b/charts/sourcegraph/templates/jaeger/jaeger.Deployment.yaml
@@ -96,6 +96,7 @@ spec:
       {{- with .Values.sourcegraph.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "tracing") | trim | nindent 6 }}
       {{- end }}
       volumes:
       {{- if .Values.tracing.extraVolumes }}

diff --git a/charts/sourcegraph/templates/jaeger/jaeger.ServiceAccount.yaml b/charts/sourcegraph/templates/jaeger/jaeger.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.tracing.enabled .Values.tracing.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: tracing
+  name: {{ include "sourcegraph.serviceAccountName" (list . "tracing") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/minio/minio.Deployment.yaml b/charts/sourcegraph/templates/minio/minio.Deployment.yaml
@@ -97,6 +97,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "minio") | trim | nindent 6 }}
       volumes:
       - name: minio-data
         persistentVolumeClaim:

diff --git a/charts/sourcegraph/templates/minio/minio.ServiceAccount.yaml b/charts/sourcegraph/templates/minio/minio.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.minio.enabled .Values.minio.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: minio
+  name: {{ include "sourcegraph.serviceAccountName" (list . "minio") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/pgsql/pgsql.Deployment.yaml b/charts/sourcegraph/templates/pgsql/pgsql.Deployment.yaml
@@ -131,6 +131,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "pgsql") | trim | nindent 6 }}
       volumes:
       - name: disk
         persistentVolumeClaim:

diff --git a/charts/sourcegraph/templates/pgsql/pgsql.ServiceAccount.yaml b/charts/sourcegraph/templates/pgsql/pgsql.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.pgsql.enabled .Values.pgsql.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: pgsql
+  name: {{ include "sourcegraph.serviceAccountName" (list . "pgsql") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/precise-code-intel/worker.Deployment.yaml b/charts/sourcegraph/templates/precise-code-intel/worker.Deployment.yaml
@@ -104,6 +104,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "preciseCodeIntel") | trim | nindent 6 }}
       volumes:
       {{- if .Values.preciseCodeIntel.extraVolumes }}
       {{- toYaml .Values.preciseCodeIntel.extraVolumes | nindent 6 }}

diff --git a/charts/sourcegraph/templates/precise-code-intel/worker.ServiceAccount.yaml b/charts/sourcegraph/templates/precise-code-intel/worker.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.preciseCodeIntel.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: precise-code-intel
+  name: {{ include "sourcegraph.serviceAccountName" (list . "preciseCodeIntel") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/prometheus/prometheus.Deployment.yaml b/charts/sourcegraph/templates/prometheus/prometheus.Deployment.yaml
@@ -94,7 +94,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: prometheus
+      {{- include "sourcegraph.renderServiceAccountName" (list . "prometheus") | trim | nindent 6 }}
       volumes:
       - name: data
         persistentVolumeClaim:

diff --git a/charts/sourcegraph/templates/redis/redis-cache.Deployment.yaml b/charts/sourcegraph/templates/redis/redis-cache.Deployment.yaml
@@ -110,6 +110,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "redisCache") | trim | nindent 6 }}
       volumes:
       - name: redis-data
         persistentVolumeClaim:

diff --git a/charts/sourcegraph/templates/redis/redis-cache.ServiceAccount.yaml b/charts/sourcegraph/templates/redis/redis-cache.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.redisCache.enabled .Values.redisCache.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: redis
+  name: {{ include "sourcegraph.serviceAccountName" (list . "redisCache") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/redis/redis-store.Deployment.yaml b/charts/sourcegraph/templates/redis/redis-store.Deployment.yaml
@@ -110,6 +110,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "redisStore") | trim | nindent 6 }}
       volumes:
       - name: redis-data
         persistentVolumeClaim:

diff --git a/charts/sourcegraph/templates/redis/redis-store.ServiceAccount.yaml b/charts/sourcegraph/templates/redis/redis-store.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.redisStore.enabled .Values.redisStore.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: redis
+  name: {{ include "sourcegraph.serviceAccountName" (list . "redisStore") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/repo-updater/repo-updater.Deployment.yaml b/charts/sourcegraph/templates/repo-updater/repo-updater.Deployment.yaml
@@ -104,6 +104,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "repoUpdater") | trim | nindent 6 }}
       volumes:
       {{- if .Values.repoUpdater.extraVolumes }}
       {{- toYaml .Values.repoUpdater.extraVolumes | nindent 6 }}

diff --git a/charts/sourcegraph/templates/repo-updater/repo-updater.ServiceAccount.yaml b/charts/sourcegraph/templates/repo-updater/repo-updater.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.repoUpdater.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: repo-updater
+  name: {{ include "sourcegraph.serviceAccountName" (list . "repoUpdater") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/searcher/searcher.Deployment.yaml b/charts/sourcegraph/templates/searcher/searcher.Deployment.yaml
@@ -111,6 +111,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "searcher") | trim | nindent 6 }}
       volumes:
       - emptyDir: {}
         name: cache-ssd

diff --git a/charts/sourcegraph/templates/searcher/searcher.ServiceAccount.yaml b/charts/sourcegraph/templates/searcher/searcher.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.searcher.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: searcher
+  name: {{ include "sourcegraph.serviceAccountName" (list . "searcher") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/symbols/symbols.Deployment.yaml b/charts/sourcegraph/templates/symbols/symbols.Deployment.yaml
@@ -115,6 +115,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "symbols") | trim | nindent 6 }}
       volumes:
       - emptyDir: {}
         name: cache-ssd

diff --git a/charts/sourcegraph/templates/symbols/symbols.ServiceAccount.yaml b/charts/sourcegraph/templates/symbols/symbols.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.symbols.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: symbols
+  name: {{ include "sourcegraph.serviceAccountName" (list . "symbols") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/syntect-server/syntect-server.Deployment.yaml b/charts/sourcegraph/templates/syntect-server/syntect-server.Deployment.yaml
@@ -94,6 +94,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "syntectServer") | trim | nindent 6 }}
       volumes:
       {{- if .Values.syntectServer.extraVolumes }}
       {{- toYaml .Values.syntectServer.extraVolumes | nindent 6 }}

diff --git a/charts/sourcegraph/templates/syntect-server/syntect-server.ServiceAccount.yaml b/charts/sourcegraph/templates/syntect-server/syntect-server.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.syntectServer.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: syntect-server
+  name: {{ include "sourcegraph.serviceAccountName" (list . "syntectServer") }}
+{{- end }}
diff --git a/charts/sourcegraph/templates/worker/worker.Deployment.yaml b/charts/sourcegraph/templates/worker/worker.Deployment.yaml
@@ -104,6 +104,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "sourcegraph.renderServiceAccountName" (list . "worker") | trim | nindent 6 }}
       volumes:
       {{- if .Values.worker.extraVolumes }}
       {{- toYaml .Values.worker.extraVolumes | nindent 6 }}

diff --git a/charts/sourcegraph/templates/worker/worker.ServiceAccount.yaml b/charts/sourcegraph/templates/worker/worker.ServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.worker.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    category: rbac
+    deploy: sourcegraph
+    app.kubernetes.io/component: worker
+  name: {{ include "sourcegraph.serviceAccountName" (list . "worker") }}
+{{- end }}