DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add an option to skip serviceAccount resources creation in helm chart for admission-webhooks (#11375)

Browse source 
Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com>
This commit is contained in:
Reddysekhar Gaduputi 2024-05-29 10:51:35 +05:30
parent 7f94aee0be
commit 3ba71ecb48
8 changed files with 26 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
charts/ingress-nginx/README.md
View file

@ -269,12 +269,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
| controller.admissionWebhooks.port | int | `8443` | |
| controller.admissionWebhooks.rbac.create | bool | `true` | |
| controller.admissionWebhooks.rbac | object | `{"create":true}` | Create RBAC for admission webhook patch job or not |
| controller.admissionWebhooks.service.annotations | object | `{}` | |
| controller.admissionWebhooks.service.externalIPs | list | `[]` | |
| controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` | |
| controller.admissionWebhooks.service.servicePort | int | `443` | |
| controller.admissionWebhooks.service.type | string | `"ClusterIP"` | |
| controller.admissionWebhooks.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | ServiceAccount for admission webhook patch job |
| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |

11
charts/ingress-nginx/templates/_helpers.tpl
View file

@ -167,6 +167,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the admission webhook job service account to use
*/}}
{{- define "ingress-nginx.admissionWebhooks.serviceAccountName" -}}
{{- if .Values.controller.admissionWebhooks.serviceAccount.create -}}
{{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.controller.admissionWebhooks.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified admission webhook secret creation job name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
View file

@ -18,6 +18,6 @@ roleRef:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
View file

@ -66,7 +66,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View file

@ -68,7 +68,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
View file

@ -19,6 +19,6 @@ roleRef:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

5
charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
View file

@ -1,8 +1,8 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
@ -13,4 +13,5 @@ metadata:
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.serviceAccount.automountServiceAccountToken }}
{{- end }}

6
charts/ingress-nginx/values.yaml
View file

@ -754,8 +754,14 @@ controller:
labels: {}
# -- Use an existing PSP instead of creating one
existingPsp: ""
# -- Create RBAC for admission webhook patch job or not
rbac:
create: true
# -- ServiceAccount for admission webhook patch job
serviceAccount:
create: true
name: ""
automountServiceAccountToken: true
service:
annotations: {}
# clusterIP: ""