diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md
index 6c1d5bfb..67acc634 100644
--- a/helm/flowforge/README.md
+++ b/helm/flowforge/README.md
@@ -122,3 +122,20 @@ Enables FlowForge Telemetry
 ### Ingress
 - `ingress.annotations` ingress annotations (default is `{}`). This value is also applied to Editor instances created by FlowForge.
 - `ingress.className` ingress class name (default is `"""`). This value is also applied to Editor instances created by FlowForge.
+
+### Editors IAM
+ Provision default service account for Editors if `editors.serviceAccount.create` is `true`.
+
+- `editors.serviceAccount.create` flag, indicates whether default Editors service account is going to be provisioned.
+- `editors.serviceAccount.annotations` k8s service account annotations.
+- `editors.serviceAccount.name` name of the service account for Editors.
+
+Example for AWS:
+```yaml
+editors:
+ serviceAccount:
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}
+ create: true
+ name: editors
+```
diff --git a/helm/flowforge/templates/broker.yaml b/helm/flowforge/templates/broker.yaml
index a4b1a606..28f02a2d 100644
--- a/helm/flowforge/templates/broker.yaml
+++ b/helm/flowforge/templates/broker.yaml
@@ -131,7 +131,13 @@ metadata:
 labels:
 app: flowforge-broker
 annotations:
+ {{- if .Values.ingress.annotations }}
+ {{- toYaml .Values.ingress.annotations | nindent 4 }}
+ {{- end }}
 spec:
+ {{- if $.Values.ingress.className }}
+ ingressClassName: {{ $.Values.ingress.className }}
+ {{- end }}
 rules:
 - host: mqtt.{{ .Values.forge.domain }}
 http:
diff --git a/helm/flowforge/templates/deployment.yaml b/helm/flowforge/templates/deployment.yaml
index 870c2e89..f10a14a3 100644
--- a/helm/flowforge/templates/deployment.yaml
+++ b/helm/flowforge/templates/deployment.yaml
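Review bot: The two new conditionals in the broker.yaml hunk address values differently, `$.Values.ingress.className` for the class name but `.Values.ingress.annotations` for the annotations; at template top level both resolve to the same object, so the `$.` prefix only suggests a scope that is not there, and `{{- if .Values.ingress.className }}` matches the rest of the chart. The annotations branch also leaves the bare `annotations:` context key in place when the map is empty, which renders as a null value that Kubernetes tolerates but that some linters flag; the usual form is `{{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }}` with the key inside the guard. The enclosing Ingress resource starts outside the hunk.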
@@ -36,6 +36,10 @@ spec:
 - name: INGRESS_CLASS_NAME
 value: {{ .Values.ingress.className }}
 {{- end }}
+ {{- if .Values.editors.serviceAccount }}
+ - name: EDITOR_SERVICE_ACCOUNT
+ value: {{ .Values.editors.serviceAccount.name }}
+ {{- end }}
 {{- if .Values.forge.projectDeploymentTolerations }}
 - name: DEPLOYMENT_TOLERATIONS
 value: {{ .Values.forge.projectDeploymentTolerations | toJson | quote }}
diff --git a/helm/flowforge/templates/service-account.yaml b/helm/flowforge/templates/service-account.yaml
index 2b244db4..a9ec261f 100644
--- a/helm/flowforge/templates/service-account.yaml
+++ b/helm/flowforge/templates/service-account.yaml
@@ -9,11 +9,27 @@ metadata:
 eks.amazonaws.com/sts-regional-endpoints: "true"
 {{- end }}
 {{- end }}
+
+
+{{- if .Values.editors.serviceAccount.create }}
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.editors.serviceAccount.name }}
+ namespace: {{ .Values.forge.projectNamespace }}
+ {{- with .Values.editors.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: create-pod
+ name: {{ .Release.Name }}-create-pod
 rules:
 - apiGroups: [""]
 resources: ["pods", "pods/log", "pods/exec", "pods/status"]
@@ -45,5 +61,5 @@ subjects:
 namespace: {{ .Release.Namespace }}
 roleRef:
 kind: ClusterRole
- name: create-pod
+ name: {{ .Release.Name }}-create-pod
 apiGroup: rbac.authorization.k8s.io
diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json
index d0f5d070..34d2b7c6 100644
--- a/helm/flowforge/values.schema.json
+++ b/helm/flowforge/values.schema.json
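Review bot: The guard `{{- if .Values.editors.serviceAccount }}` in the deployment.yaml hunk is effectively always true, because values.schema.json in this same commit lists `serviceAccount` as required under `editors`, so `EDITOR_SERVICE_ACCOUNT` is exported even when `editors.serviceAccount.create` is false and the chart provisions no account of that name; editor pods would then reference a ServiceAccount that may not exist in the projects namespace. Guarding on the value actually consumed, `{{- if .Values.editors.serviceAccount.name }}`, at least avoids exporting an empty name, and the README should state that with `create: false` the named account must already exist in `forge.projectNamespace`. The container `env` list continues outside the hunk.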
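Review bot: Renaming the ClusterRole to `{{ .Release.Name }}-create-pod` in the first service-account.yaml hunk while the second hunk only rewrites the binding's `roleRef` will break `helm upgrade` on an installed release, because `roleRef` is immutable on a RoleBinding/ClusterRoleBinding and the API server rejects the patch. Either give the binding a release-scoped `metadata.name` as well (it is outside the hunk) so Helm replaces it, or document the manual deletion of the old binding before upgrading. The new ServiceAccount also carries whatever `editors.serviceAccount.annotations` the operator sets, such as the IRSA `eks.amazonaws.com/role-arn` shown in the README, so every Editor pod in `forge.projectNamespace` shares one cloud identity; a comment at the top of the block, `# Shared by every Editor pod in the projects namespace; keep the bound cloud role minimal`, makes that visible to operators. If the editors never call the Kubernetes API, `automountServiceAccountToken: false` on this account keeps the cluster token out of the pods (IRSA injects its own projected web-identity token, independently of this flag as far as I know), but I cannot tell from the hunk whether that holds.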
@@ -116,6 +116,28 @@
 "projectSelector": {
 "type": "object"
 },
+ "projectDeploymentTolerations": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "effect": {
+ "type": "string"
+ },
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "required": ["effect", "key", "operator", "value"]
+ },
+ "default": []
+ },
 "managementSelector": {
 "type": "object"
 },
@@ -309,6 +331,29 @@
 "type": "string"
 }
 }
+ },
+ "editors": {
+ "type": "object",
+ "properties": {
+ "serviceAccount": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "minProperties": 0
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of service account (scope of uniqueness is a 'Projects' namespace)"
+ }
+ },
+ "required": ["annotations", "name"]
+ }
+ },
+ "required": ["serviceAccount"]
+ }
 },
 "required": [
diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml
index a464fa61..dca54c37 100644
--- a/helm/flowforge/values.yaml
+++ b/helm/flowforge/values.yaml
@@ -7,12 +7,11 @@ forge:
 projectNamespace: flowforge
 projectSelector:
 role: projects
- projectDeploymentTolerations: []
-# - key: purpose
-# operator: Equal
-# value: flowforge-projects
-# effect: NoSchedule
+ # - key: purpose
+ # operator: Equal
+ # value: flowforge-projects
+ # effect: NoSchedule
 managementSelector:
 role: management
 telemetry:
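Review bot: The `required` list for `projectDeploymentTolerations` items, `["effect", "key", "operator", "value"]`, rejects tolerations that Kubernetes accepts: with `operator: Exists` the `value` must be empty, and `key` or `effect` may be omitted to match all keys or all effects. Since the value is passed through to the deployment as JSON, the schema should not be stricter than the API it feeds; dropping `required` and constraining `operator` with `"enum": ["Equal", "Exists"]` and `effect` with `"enum": ["NoSchedule", "PreferNoSchedule", "NoExecute"]` catches typos without excluding valid input. `tolerationSeconds` is also not described, though it is not rejected because `additionalProperties` is left unset.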
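Review bot: `editors.serviceAccount.name` in the second values.schema.json hunk is required but may still be the empty string, and both the ServiceAccount template and the `EDITOR_SERVICE_ACCOUNT` env var in this commit render it verbatim, so `"minLength": 1` (or a `pattern` for a DNS-1123 name) belongs here; `"minProperties": 0` on `annotations` is a no-op and can go. `create` is read by the template but not listed in `required`, which works only because a missing key renders as false; adding it to `required`, or at least `"default": true` to mirror values.yaml, makes the contract explicit.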
@@ -32,17 +31,31 @@ forge:
 type: postgres
 host: flowforge-postgresql
 username: forge
- password: Zai1Wied
+ password: ""
 database: ff-context
 support:
 enabled: false
+ domain: ""
+ entryPoint: ""
+ environment: {}
+ image: ""
+ registry: ""
+
 postgresql:
 postgresqlPostgresPassword: Moomiet0
 postgresqlUsername: forge
 postgresqlPassword: Zai1Wied
 postgresqlDatabase: flowforge
+ global:
+ storageClass: default
 ingress:
 annotations: {}
 className: ""
+
+editors:
+ serviceAccount:
+ create: true
+ annotations: {}
+ name: editors
\ No newline at end of file
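Review bot: The `password` under the `forge` block (the `type: postgres` / `database: ff-context` context lines) is blanked in this hunk, but the adjacent `postgresql` block still ships literal `postgresqlPostgresPassword` and `postgresqlPassword` defaults, so a chart installed without overrides runs its database with credentials that are public in the repository. Blanking those two the same way, or documenting that they must be supplied via `--set` or an existing Secret, would make the fix consistent, and the schema could then enforce `minLength` on them. The added `global.storageClass: default` is indented, so it appears to sit under `postgresql`, and pins the database PVC to a StorageClass literally named `default`, which exists on some distributions but not on others, leaving the claim Pending; because `storageClassName` is immutable on an existing PVC it can also fail upgrades of running releases, so an empty value that falls back to the cluster default class seems safer. I am inferring the nesting from the collapsed diff, so please confirm where `global` sits.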