DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add an option to skip serviceAccount resources creation in helm chart for admission-webhooks (#11375)

Browse source 
Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com>
This commit is contained in:
Reddysekhar Gaduputi 2024-05-29 10:51:35 +05:30
parent 7f94aee0be
commit 3ba71ecb48
8 changed files with 26 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
charts/ingress-nginx/README.md
View file

@ -269,12 +269,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | | controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
| controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.port | int | `8443` | |
| controller.admissionWebhooks.rbac.create | bool | `true` | | | controller.admissionWebhooks.rbac | object | `{"create":true}` | Create RBAC for admission webhook patch job or not |
| controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.annotations | object | `{}` | |
| controller.admissionWebhooks.service.externalIPs | list | `[]` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | |
| controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` | | | controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` | |
| controller.admissionWebhooks.service.servicePort | int | `443` | | | controller.admissionWebhooks.service.servicePort | int | `443` | |
| controller.admissionWebhooks.service.type | string | `"ClusterIP"` | | | controller.admissionWebhooks.service.type | string | `"ClusterIP"` | |
| controller.admissionWebhooks.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | ServiceAccount for admission webhook patch job |
| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # | | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |

11
charts/ingress-nginx/templates/_helpers.tpl
View file

@ -167,6 +167,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Create the name of the admission webhook job service account to use
*/}}
{{- define "ingress-nginx.admissionWebhooks.serviceAccountName" -}}
{{- if .Values.controller.admissionWebhooks.serviceAccount.create -}}
{{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.controller.admissionWebhooks.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/* {{/*
Create a default fully qualified admission webhook secret creation job name. Create a default fully qualified admission webhook secret creation job name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
View file

@ -18,6 +18,6 @@ roleRef:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
View file

@ -66,7 +66,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }} {{- end }}
restartPolicy: OnFailure restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View file

@ -68,7 +68,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }} {{- end }}
restartPolicy: OnFailure restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
View file

@ -19,6 +19,6 @@ roleRef:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}

5
charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
View file

@ -1,8 +1,8 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} {{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }} namespace: {{ include "ingress-nginx.namespace" . }}
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
@ -13,4 +13,5 @@ metadata:
{{- with .Values.controller.admissionWebhooks.patch.labels }} {{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.serviceAccount.automountServiceAccountToken }}
{{- end }} {{- end }}

6
charts/ingress-nginx/values.yaml
View file

@ -754,8 +754,14 @@ controller:
labels: {} labels: {}
# -- Use an existing PSP instead of creating one # -- Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
# -- Create RBAC for admission webhook patch job or not
rbac: rbac:
create: true create: true
# -- ServiceAccount for admission webhook patch job
serviceAccount:
create: true
name: ""
automountServiceAccountToken: true
service: service:
annotations: {} annotations: {}
# clusterIP: "" # clusterIP: ""