This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/kong] No unnecessary ServiceAccount creation when IngressController and podSecurityPolicy are disabled (#19110)

* No unnecessary ServiceAccount creation

* when IngressController and podSecurityPolicy are disabled
Signed-off-by: Emeline Logeart <elogeart@talend.com>

* [stable/kong] create temporary pre-upgrade SA

Create a temporary ServiceAccount via pre-upgrade hooks if configuration
requires one.

The pre-upgrade migrations Job uses a ServiceAccount if the ingress
controller or PodSecurityPolicy are enabled, but the standard
ServiceAccount is not created until pre-upgrade hooks complete.

This creates a circular dependency if upgrading a release that did not
create the ServiceAccount during the initial install. This commit
addresses that by creating an additional pre-upgrade hook to create and
then delete an equivalent ServiceAccount.

Signed-off-by: Travis Raines <traines@konghq.com>
elogeart authored and k8s-ci-robot committed Nov 27, 2019
1 parent 2b429d0 commit bf12a71
Showing 7 changed files with 42 additions and 1 deletion.
2 changes: 1 addition & 1 deletion stable/kong/Chart.yaml
Expand Up @@ -12,5 +12,5 @@ maintainers:
name: kong
sources:
- https://github.com/Kong/kong
version: 0.27.1
version: 0.27.2
appVersion: 1.3
14 changes: 14 additions & 0 deletions stable/kong/README.md
Expand Up @@ -403,6 +403,13 @@ You can can learn about kong ingress custom resource definitions [here](https://


## Changelog
### 0.27.2

#### Fixes

- Do not create a ServiceAccount if it is not necessary.
- If a configuration change requires creating a ServiceAccount, create a temporary ServiceAccount to allow pre-upgrade tasks to complete before the regular ServiceAccount is created.

### 0.27.1

#### Documentation updates
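Review bot: The 0.27.2 entry "Do not create a ServiceAccount if it is not necessary" does not say which values decide that. Name them in the bullet (podSecurityPolicy.enabled, ingressController.enabled and ingressController.serviceAccount.create, as used in the template guard) so users upgrading can tell whether their release will gain or lose the ServiceAccount. The second bullet could also state that the temporary ServiceAccount is a pre-upgrade hook resource that is removed once the hook succeeds.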
Expand All @@ -415,6 +422,13 @@ You can can learn about kong ingress custom resource definitions [here](https://
- DB-less mode is enabled by default.
- Kong is installed as an Ingress Controller for the cluster by default.

### 0.25.0

#### New features

- Add support for PodSecurityPolicy
- Require creation of a ServiceAccount

### 0.24.0

#### Breaking changes
2 changes: 2 additions & 0 deletions stable/kong/templates/controller-service-account.yaml
@@ -1,3 +1,4 @@
{{- if or .Values.podSecurityPolicy.enabled (and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
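Review bot: The guard on the first line renders the ServiceAccount whenever podSecurityPolicy.enabled is true, even if ingressController.serviceAccount.create is false. An operator who sets create to false because they manage the account themselves will still get a chart-rendered account as soon as PodSecurityPolicy is enabled. Either gate both branches on serviceAccount.create or document that PodSecurityPolicy overrides it. The same expression is repeated verbatim in migrations-pre-upgrade.yaml; a named template would keep the two from drifting apart.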
Expand All @@ -8,3 +9,4 @@ metadata:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- end -}}
2 changes: 2 additions & 0 deletions stable/kong/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,9 @@ spec:
release: {{ .Release.Name }}
component: app
spec:
{{- if or .Values.ingressController.enabled .Values.podSecurityPolicy.enabled }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
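Review bot: When both ingressController.enabled and podSecurityPolicy.enabled are false, serviceAccountName is now omitted, so the pod runs under the namespace's default ServiceAccount and, unless disabled elsewhere, still has that account's token mounted. Consider rendering automountServiceAccountToken: false in that case so a proxy that needs no API access carries no credential. Also, the closing `{{ end }}` is inconsistent with the `{{- end }}` used in the other templates in this commit; use the trimmed form so the rendered whitespace matches.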
2 changes: 2 additions & 0 deletions stable/kong/templates/migrations-post-upgrade.yaml
Expand Up @@ -23,7 +23,9 @@ spec:
release: "{{ .Release.Name }}"
component: post-upgrade-migrations
spec:
{{- if .Values.podSecurityPolicy.enabled }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
19 changes: 19 additions & 0 deletions stable/kong/templates/migrations-pre-upgrade.yaml
Expand Up @@ -23,7 +23,9 @@ spec:
release: "{{ .Release.Name }}"
component: pre-upgrade-migrations
spec:
{{- if .Values.podSecurityPolicy.enabled }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
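Review bot: serviceAccountName on the pre-upgrade Job is gated on podSecurityPolicy.enabled alone, but the commit message says this Job uses a ServiceAccount when the ingress controller or PodSecurityPolicy is enabled, and deployment.yaml uses the `or` of both. With only the ingress controller enabled, the temporary ServiceAccount added further down in this file is created and deleted without any Job referencing it. Align this condition with the one on the temporary ServiceAccount, or narrow that one to podSecurityPolicy.enabled.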
Expand Down Expand Up @@ -80,3 +82,20 @@ spec:
volumes:
{{- include "kong.volumes" . | nindent 6 -}}
{{- end }}

{{- if or .Values.podSecurityPolicy.enabled (and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create) -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ .Release.namespace }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
app: {{ template "kong.name" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- end -}}
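Review bot: `namespace: {{ .Release.namespace }}` in the new ServiceAccount uses a lowercase key; the Helm built-in is `.Release.Namespace`, so this field will not render the release namespace. Separately, the hook account takes its name from kong.serviceAccountName, the same helper the Deployment references, and its delete policy includes `before-hook-creation`. Please confirm what happens when upgrading a release where an account of that name already exists, since the hook would then either collide with it or remove it before the regular ServiceAccount is reconciled.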
2 changes: 2 additions & 0 deletions stable/kong/templates/migrations.yaml
Expand Up @@ -18,7 +18,9 @@ spec:
release: "{{ .Release.Name }}"
component: init-migrations
spec:
{{- if .Values.podSecurityPolicy.enabled }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
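Review bot: The same three-line podSecurityPolicy.enabled guard around serviceAccountName now appears in migrations.yaml, migrations-pre-upgrade.yaml and migrations-post-upgrade.yaml. Move it into a named template next to kong.serviceAccountName and include it from each Job, so a later change to the condition cannot be applied to one Job and missed in another. A short template comment on why the Jobs key on PodSecurityPolicy only, while the Deployment also keys on ingressController.enabled, would help the next reader.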
