diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 40003dd10..9e7a62a1b 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -269,12 +269,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | | controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | | controller.admissionWebhooks.port | int | `8443` | | -| controller.admissionWebhooks.rbac.create | bool | `true` | | +| controller.admissionWebhooks.rbac | object | `{"create":true}` | Create RBAC for admission webhook patch job or not | | controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | | | controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` | | | controller.admissionWebhooks.service.servicePort | int | `443` | | | controller.admissionWebhooks.service.type | string | `"ClusterIP"` | | +| controller.admissionWebhooks.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | ServiceAccount for admission webhook patch job | | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # | | controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 9ac2dc569..aeed83534 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -167,6 +167,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create the name of the admission webhook job service account to use +*/}} +{{- define "ingress-nginx.admissionWebhooks.serviceAccountName" -}} +{{- if .Values.controller.admissionWebhooks.serviceAccount.create -}} + {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.controller.admissionWebhooks.serviceAccount.name }} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified admission webhook secret creation job name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml index 67442a2c9..0cef12dea 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml @@ -18,6 +18,6 @@ roleRef: name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index 0a21f856a..a3e1443ca 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -66,7 +66,7 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index ce9985aa5..4a772c6ae 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -68,7 +68,7 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml index d41706c8f..7e8873e82 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml @@ -19,6 +19,6 @@ roleRef: name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml index 91bbf22bb..12b0b5863 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -1,8 +1,8 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade @@ -13,4 +13,5 @@ metadata: {{- with .Values.controller.admissionWebhooks.patch.labels }} {{- toYaml . | nindent 4 }} {{- end }} +automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index bab43576b..929cf11e4 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -754,8 +754,14 @@ controller: labels: {} # -- Use an existing PSP instead of creating one existingPsp: "" + # -- Create RBAC for admission webhook patch job or not rbac: create: true + # -- ServiceAccount for admission webhook patch job + serviceAccount: + create: true + name: "" + automountServiceAccountToken: true service: annotations: {} # clusterIP: ""