From fa02860faf591c53310d30c3489a4e2a707b28f1 Mon Sep 17 00:00:00 2001 From: wiktor2200 Date: Tue, 28 Dec 2021 16:12:07 +0100 Subject: [PATCH 1/6] feat: Custom service account creation and management --- helm/superset/templates/_helpers.tpl | 11 +++++++++++ helm/superset/templates/deployment-worker.yaml | 4 ++-- helm/superset/templates/deployment.yaml | 4 ++-- helm/superset/values.yaml | 5 +++++ 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/helm/superset/templates/_helpers.tpl b/helm/superset/templates/_helpers.tpl index 579fd5a7eae6c..eef1b09c2c409 100644 --- a/helm/superset/templates/_helpers.tpl +++ b/helm/superset/templates/_helpers.tpl @@ -42,6 +42,17 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} +{{/* +Create the name of the service account to use +*/}} +{{- define "superset.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} +{{- default (include "superset.fullname" .) .Values.serviceAccountName -}} +{{- else -}} +{{- default "default" .Values.serviceAccountName -}} +{{- end -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} diff --git a/helm/superset/templates/deployment-worker.yaml b/helm/superset/templates/deployment-worker.yaml index e91601337b212..8a86349cb9068 100644 --- a/helm/superset/templates/deployment-worker.yaml +++ b/helm/superset/templates/deployment-worker.yaml @@ -54,8 +54,8 @@ spec: app: {{ template "superset.name" . }}-worker release: {{ .Release.Name }} spec: - {{- if .Values.serviceAccountName }} - serviceAccountName: {{ .Values.serviceAccountName }} + {{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }} + serviceAccountName: {{ template "superset.serviceAccountName" . }} {{- end }} securityContext: runAsUser: {{ .Values.runAsUser }} diff --git a/helm/superset/templates/deployment.yaml b/helm/superset/templates/deployment.yaml index b5f039481221e..10de683b3b184 100644 
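Review bot: The helper reads the name from the top-level `.Values.serviceAccountName` while the switch lives under `.Values.serviceAccount.create`, so two settings that belong together sit at different paths, and the doc comment does not say how they combine. I would state the resolution order in the comment, for example `Resolve the service account name: .Values.serviceAccountName if set, otherwise the release fullname when serviceAccount.create is true, otherwise "default".` With `create: true` and `serviceAccountName` pointing at an account that already exists, the chart also renders a ServiceAccount of that same name (see service-account.yaml in patch 4/6), which deserves a line in the values documentation.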
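Review bot: `serviceAccountName: {{ template "superset.serviceAccountName" . }}` writes the resolved name unquoted, so a value that YAML reads as a number, boolean or null (an all-digit name, for instance) changes type after rendering and is likely rejected when the manifest is validated. `template` cannot be piped, so quoting needs `include`: `serviceAccountName: {{ include "superset.serviceAccountName" . | quote }}`. The same line is added in the deployment.yaml hunk and in the init-job.yaml hunk of patch 3/6. The pod spec continues outside each of these hunks.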
--- a/helm/superset/templates/deployment.yaml +++ b/helm/superset/templates/deployment.yaml @@ -57,8 +57,8 @@ spec: app: {{ template "superset.name" . }} release: {{ .Release.Name }} spec: - {{- if .Values.serviceAccountName }} - serviceAccountName: {{ .Values.serviceAccountName }} + {{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }} + serviceAccountName: {{ template "superset.serviceAccountName" . }} {{- end }} securityContext: runAsUser: {{ .Values.runAsUser }} diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml index 03ddc0d61e4b8..c843fd18cb551 100644 --- a/helm/superset/values.yaml +++ b/helm/superset/values.yaml @@ -25,6 +25,11 @@ replicaCount: 1 # Runn containers as root is not recommended in production. Change this to another UID - e.g. 1000 to be more secure runAsUser: 0 +# Create custom service account for Superset. If create: true and name is not provided, superset.fullname will be used. +# serviceAccountName: superset +serviceAccount: + create: false + # Install additional packages and do any other bootstrap configuration in this script # For production clusters it's recommended to build own image with this step done in CI bootstrapScript: | From be299ebbe335714ff218afd4e2d2ccf4f08cdf15 Mon Sep 17 00:00:00 2001 From: wiktor2200 Date: Tue, 28 Dec 2021 17:26:18 +0100 Subject: [PATCH 2/6] bump helm chart version --- helm/superset/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/superset/Chart.yaml b/helm/superset/Chart.yaml index 25c81adf6bcbe..36c46fac717a4 100644 --- a/helm/superset/Chart.yaml +++ b/helm/superset/Chart.yaml @@ -22,7 +22,7 @@ maintainers: - name: craig-rueda email: craig@craigrueda.com url: https://github.com/craig-rueda -version: 0.5.1 +version: 0.5.2 dependencies: - name: postgresql version: 10.2.0 From 372fed158346767d24305dd185bed448a295107d Mon Sep 17 00:00:00 2001 
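Review bot: The new comment says "name", but the key it means is the commented-out top-level `serviceAccountName`, which sits directly above `serviceAccount:` and is easy to read as a child of it. I would spell the paths out: `# serviceAccountName (top-level key) selects the service account used by the web, worker and init pods.` followed by `# With serviceAccount.create: true the chart creates that account; if serviceAccountName is unset, superset.fullname is used.` It would also help to say that the created account carries no RBAC bindings of its own, since none are added anywhere in this series.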
From: wiktor2200 Date: Wed, 29 Dec 2021 13:51:00 +0100 Subject: [PATCH 3/6] add custom service account in init-job --- helm/superset/templates/init-job.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/helm/superset/templates/init-job.yaml b/helm/superset/templates/init-job.yaml index d69e83062e405..483ced8d3702b 100644 --- a/helm/superset/templates/init-job.yaml +++ b/helm/superset/templates/init-job.yaml @@ -31,6 +31,9 @@ spec: {{ toYaml .Values.init.podAnnotations | nindent 8 }} {{- end }} spec: + {{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }} + serviceAccountName: {{ template "superset.serviceAccountName" . }} + {{- end }} securityContext: runAsUser: {{ .Values.runAsUser }} {{- if .Values.init.initContainers }} From 45d05ff7af71e2a8ee19530c1ac945cdfd1724f3 Mon Sep 17 00:00:00 2001 From: wiktor2200 Date: Wed, 29 Dec 2021 15:40:55 +0100 Subject: [PATCH 4/6] service account creation template --- helm/superset/templates/service-account.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100755 helm/superset/templates/service-account.yaml diff --git a/helm/superset/templates/service-account.yaml b/helm/superset/templates/service-account.yaml new file mode 100755 index 0000000000000..2157042e10aaf --- /dev/null +++ b/helm/superset/templates/service-account.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ if .Values.serviceAccountName }}{{ .Values.serviceAccountName }}{{ else }}{{ include "superset.fullname" . }}{{ end }} + labels: + app.kubernetes.io/name: {{ include "superset.name" . }} + helm.sh/chart: {{ include "superset.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if semverCompare "> 1.6" .Capabilities.KubeVersion.GitVersion }} + kubernetes.io/cluster-service: "true" + {{- end }} + addonmanager.kubernetes.io/mode: Reconcile +{{- end -}} 
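Review bot: The labels `kubernetes.io/cluster-service: "true"` and `addonmanager.kubernetes.io/mode: Reconcile` mark this ServiceAccount as a cluster add-on, which an application chart's account is not. On clusters that run the add-on manager, objects carrying the `Reconcile` label may be reconciled or pruned by it (this depends on the cluster setup and cannot be told from the diff), so I would drop both labels together with the `semverCompare` block and keep the other four labels. The file is also created with mode 100755; a template does not need the executable bit.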
From dedd6d5c38678d5ae38808cb5bd21b5838c02fe0 Mon Sep 17 00:00:00 2001 From: wiktor2200 Date: Thu, 30 Dec 2021 11:45:03 +0100 Subject: [PATCH 5/6] changed service account creation template --- helm/superset/templates/service-account.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/superset/templates/service-account.yaml b/helm/superset/templates/service-account.yaml index 2157042e10aaf..0e9b71b646d15 100755 --- a/helm/superset/templates/service-account.yaml +++ b/helm/superset/templates/service-account.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ if .Values.serviceAccountName }}{{ .Values.serviceAccountName }}{{ else }}{{ include "superset.fullname" . }}{{ end }} + name: {{ include "superset.serviceAccountName" . }} labels: app.kubernetes.io/name: {{ include "superset.name" . }} helm.sh/chart: {{ include "superset.chart" . }} From f023c4034c4b3c59407ebe05d7fce6271fefca59 Mon Sep 17 00:00:00 2001 From: wiktor2200 Date: Mon, 3 Jan 2022 09:00:17 +0100 Subject: [PATCH 6/6] add license --- helm/superset/templates/service-account.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/helm/superset/templates/service-account.yaml b/helm/superset/templates/service-account.yaml index 0e9b71b646d15..dd6084d78fa59 100755 --- a/helm/superset/templates/service-account.yaml +++ b/helm/superset/templates/service-account.yaml 
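Review bot: The ServiceAccount named here becomes the identity of the web, worker and init pods, and the template (shown whole in patch 4/6) leaves `automountServiceAccountToken` unset, so each of those pods gets an API token mounted by default. If Superset does not call the Kubernetes API, which cannot be told from this diff, adding `automountServiceAccountToken: false` at the top level of the object keeps that token out of the containers. The template body continues outside this hunk.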
@@ -1,3 +1,19 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount