add service account to registry service (#1923)

* add service account to registry service * add service account template * update registry service account configuration * cleanup values * disable sa creation by default * update base test cases for registry sa * fix pre-commit * update registry test cases * update valid spec path * fix test cases * test case complete
astronomer · Aug 21, 2023 · 9f9255d · 9f9255d
1 parent d5b72a4
commit 9f9255d
Show file tree

Hide file tree

Showing 5 changed files with 131 additions and 0 deletions.
diff --git a/charts/astronomer/templates/_helpers.yaml b/charts/astronomer/templates/_helpers.yaml
@@ -131,6 +131,14 @@
 {{ printf "%s-houston-bootstrapper" .Release.Name }}
 {{- end }}
 
+{{ define "registry.ServiceAccount" -}}
+{{- if .Values.registry.serviceAccount.name -}}
+{{ printf "%s-%s" .Release.Name .Values.registry.serviceAccount.name }}
+{{- else -}}
+{{ printf "%s-registry" .Release.Name }}
+{{- end }}
+{{- end }}
+
 {{- define "registry.gcsVolume" }}
 - name: gcs-keyfile
   secret:

diff --git a/charts/astronomer/templates/registry/registry-serviceaccount.yaml b/charts/astronomer/templates/registry/registry-serviceaccount.yaml
@@ -0,0 +1,15 @@
+################################
+## Registry ServiceAccount
+#################################
+{{- if .Values.registry.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "registry.ServiceAccount" . }}
+  labels:
+    release: {{ .Release.Name }}
+    chart: {{ .Chart.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+{{- toYaml .Values.registry.serviceAccount.annotations | nindent 4 }}
+{{- end -}}
diff --git a/charts/astronomer/templates/registry/registry-statefulset.yaml b/charts/astronomer/templates/registry/registry-statefulset.yaml
@@ -45,6 +45,9 @@ spec:
       annotations:
         checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-configmap.yaml") . | sha256sum }}
     spec:
+{{- if .Values.registry.serviceAccount.create }}
+      serviceAccountName: {{ template "registry.ServiceAccount" . }}
+{{- end }}
       nodeSelector:
 {{ toYaml (default .Values.global.platformNodePool.nodeSelector .Values.nodeSelector) | indent 8 }}
       affinity:

diff --git a/charts/astronomer/values.yaml b/charts/astronomer/values.yaml
@@ -288,6 +288,15 @@ registry:
 
   extraEnv: []
 
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: false
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: ""
+
   persistence:
     # Enable persistent storage
     enabled: true

diff --git a/tests/chart_tests/test_astronomer_registry.py b/tests/chart_tests/test_astronomer_registry.py
@@ -47,3 +47,99 @@ def test_astronomer_registry_statefulset_with_custom_env(self, kube_version):
         assert doc["apiVersion"] == "apps/v1"
         assert doc["metadata"]["name"] == "release-name-registry"
         assert extra_env in doc["spec"]["template"]["spec"]["containers"][0]["env"]
+
+    def test_astronomer_registry_statefulset_with_serviceaccount_enabled_defaults(
+        self, kube_version
+    ):
+        """Test that helm renders statefulset and serviceAccount template for astronomer
+        registry with SA enabled."""
+        annotation = {
+            "eks.amazonaws.com/role-arn": "custom-role",
+        }
+        docs = render_chart(
+            kube_version=kube_version,
+            values={
+                "astronomer": {
+                    "registry": {
+                        "serviceAccount": {"create": True, "annotations": annotation}
+                    }
+                }
+            },
+            show_only=[
+                "charts/astronomer/templates/registry/registry-statefulset.yaml",
+                "charts/astronomer/templates/registry/registry-serviceaccount.yaml",
+            ],
+        )
+        assert len(docs) == 2
+        doc = docs[0]
+        assert doc["kind"] == "StatefulSet"
+        assert doc["apiVersion"] == "apps/v1"
+        assert doc["metadata"]["name"] == "release-name-registry"
+        assert (
+            doc["spec"]["template"]["spec"]["serviceAccountName"]
+            == "release-name-registry"
+        )
+
+        doc = docs[1]
+        assert doc["kind"] == "ServiceAccount"
+        assert doc["apiVersion"] == "v1"
+        assert doc["metadata"]["name"] == "release-name-registry"
+        assert annotation == doc["metadata"]["annotations"]
+
+    def test_astronomer_registry_statefulset_with_serviceaccount_enabled_with_custom_name(
+        self, kube_version
+    ):
+        """Test that helm renders statefulset and serviceAccount template for astronomer
+        registry with SA enabled with custom name."""
+        annotation = {
+            "eks.amazonaws.com/role-arn": "custom-role",
+        }
+        docs = render_chart(
+            kube_version=kube_version,
+            values={
+                "astronomer": {
+                    "registry": {
+                        "serviceAccount": {
+                            "create": True,
+                            "name": "customregistrysa",
+                            "annotations": annotation,
+                        }
+                    }
+                }
+            },
+            show_only=[
+                "charts/astronomer/templates/registry/registry-statefulset.yaml",
+                "charts/astronomer/templates/registry/registry-serviceaccount.yaml",
+            ],
+        )
+        assert len(docs) == 2
+        doc = docs[0]
+        assert doc["kind"] == "StatefulSet"
+        assert doc["apiVersion"] == "apps/v1"
+        assert doc["metadata"]["name"] == "release-name-registry"
+        assert (
+            doc["spec"]["template"]["spec"]["serviceAccountName"]
+            == "release-name-customregistrysa"
+        )
+
+        doc = docs[1]
+        assert doc["kind"] == "ServiceAccount"
+        assert doc["apiVersion"] == "v1"
+        assert doc["metadata"]["name"] == "release-name-customregistrysa"
+        assert annotation == doc["metadata"]["annotations"]
+
+    def test_astronomer_registry_statefulset_with_serviceaccount_disabled(
+        self, kube_version
+    ):
+        """Test that helm renders statefulset template for astronomer
+        registry with SA disabled."""
+        docs = render_chart(
+            kube_version=kube_version,
+            values={},
+            show_only=[
+                "charts/astronomer/templates/registry/registry-statefulset.yaml",
+                "charts/astronomer/templates/registry/registry-serviceaccount.yaml",
+            ],
+        )
+        assert len(docs) == 1
+        assert "serviceAccountName" not in docs[0]["spec"]["template"]["spec"]