From 6a80de6dd394dfe68d8b070e5abab1396fb701d5 Mon Sep 17 00:00:00 2001 From: Romain Caire Date: Mon, 30 Oct 2023 17:03:37 +0100 Subject: [PATCH 1/2] feat: add service account configuration for hydra janitor cronjob --- helm/charts/hydra/templates/_helpers.tpl | 11 +++++++++++ .../hydra/templates/janitor-cron-job-rbac.yaml | 16 ++++++++++++++++ .../hydra/templates/janitor-cron-job.yaml | 2 ++ helm/charts/hydra/values.yaml | 18 ++++++++++++++++++ 4 files changed, 47 insertions(+) create mode 100644 helm/charts/hydra/templates/janitor-cron-job-rbac.yaml diff --git a/helm/charts/hydra/templates/_helpers.tpl b/helm/charts/hydra/templates/_helpers.tpl index c3baef9b5..d1bb5edfc 100644 --- a/helm/charts/hydra/templates/_helpers.tpl +++ b/helm/charts/hydra/templates/_helpers.tpl @@ -172,6 +172,17 @@ Create the name of the service account for the Job to use {{- end }} {{- end }} +{{/* +Create the name of the service account for the Job to use +*/}} +{{- define "hydra.cronjob.janitor.serviceAccountName" -}} +{{- if .Values.cronjob.janitor.serviceAccount.create }} +{{- printf "%s-cronjob-janitor" (default (include "hydra.fullname" .) .Values.cronjob.janitor.serviceAccount.name) }} +{{- else }} +{{- include "hydra.serviceAccountName" . }} +{{- end }} +{{- end }} + {{/* Checksum annotations generated from configmaps and secrets */}} diff --git a/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml b/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml new file mode 100644 index 000000000..dcb2aa4a1 --- /dev/null +++ b/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml @@ -0,0 +1,16 @@ +{{- if .Values.cronjob.janitor.serviceAccount.create -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "hydra.cronjob.janitor.serviceAccountName" . }} + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "hydra.labels" . | nindent 4 }} + {{- with .Values.cronjob.janitor.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/helm/charts/hydra/templates/janitor-cron-job.yaml b/helm/charts/hydra/templates/janitor-cron-job.yaml index ab514a9db..2f3f54486 100644 --- a/helm/charts/hydra/templates/janitor-cron-job.yaml +++ b/helm/charts/hydra/templates/janitor-cron-job.yaml @@ -46,6 +46,8 @@ spec: imagePullSecrets: {{- toYaml . | nindent 12 }} {{- end }} + serviceAccountName: {{ include "hydra.cronjob.janitor.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.cronjob.janitor.automountServiceAccountToken }} volumes: - name: {{ include "hydra.name" . }}-config-volume configMap: diff --git a/helm/charts/hydra/values.yaml b/helm/charts/hydra/values.yaml index c2395f53c..f808566d6 100644 --- a/helm/charts/hydra/values.yaml +++ b/helm/charts/hydra/values.yaml @@ -539,6 +539,24 @@ cronjob: # -- Configure node affinity affinity: {} + # -- Set automounting of the SA token + automountServiceAccountToken: true + + # -- Specify the serviceAccountName value. + # In some situations it is needed to provides specific permissions to Hydra deployments + # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. + # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. + serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: + helm.sh/hook-weight: "0" + helm.sh/hook: "pre-install, pre-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation" + # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template + name: "" + # -- Configure the containers' SecurityContext for the janitor cronjob securityContext: capabilities: From 4c8b3af693c5b75a9ea6be00afa35affe7889fa7 Mon Sep 17 00:00:00 2001 From: Romain Caire Date: Tue, 31 Oct 2023 15:10:13 +0100 Subject: [PATCH 2/2] Add docs --- helm/charts/hydra/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/helm/charts/hydra/README.md b/helm/charts/hydra/README.md index a2b3a6245..193189d9b 100644 --- a/helm/charts/hydra/README.md +++ b/helm/charts/hydra/README.md @@ -32,6 +32,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes | cronjob | object | `{"janitor":{"affinity":{},"annotations":{},"customArgs":[],"extraContainers":"","extraEnv":[],"extraInitContainers":"","labels":{},"nodeSelector":{},"podMetadata":{"annotations":{},"labels":{}},"podSecurityContext":{},"resources":{"limits":{},"requests":{}},"schedule":"0 */1 * * *","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100},"tolerations":[]}}` | CronJob configuration | | cronjob.janitor.affinity | object | `{}` | Configure node affinity | | cronjob.janitor.annotations | object | `{}` | Set custom cron job level annotations | +| cronjob.janitor.automountServiceAccountToken | bool | `true` | Set automounting of the SA token | | cronjob.janitor.customArgs | list | `[]` | Configure the arguments of the entrypoint, overriding the default value | | cronjob.janitor.extraContainers | string | `""` | If you want to add extra sidecar containers. | | cronjob.janitor.extraEnv | list | `[]` | Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes format is expected - name: FOO value: BAR | @@ -44,6 +45,10 @@ A Helm chart for deploying ORY Hydra in Kubernetes | cronjob.janitor.resources | object | `{"limits":{},"requests":{}}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi | | cronjob.janitor.schedule | string | `"0 */1 * * *"` | Configure how often the cron job is ran | | cronjob.janitor.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100}` | Configure the containers' SecurityContext for the janitor cronjob | +| cronjob.janitor.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. | +| cronjob.janitor.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account | +| cronjob.janitor.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| cronjob.janitor.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | cronjob.janitor.tolerations | list | `[]` | Configure node tolerations | | deployment.annotations | object | `{}` | Set custom deployment level annotations | | deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |