drone Allow using a non-default kubernetes service account #31
Conversation
This will permit users to select a custom kubernetes service account via helm chart values, instead of using the built in 'default' ksa. If the serviceAccount.create boolean is set to true, a new helm chart 'serviceaccounts.yaml' is produced which describes the KSA to be created, and annotated with the users desired annotations. If no overrides are provided, the default values.yaml will select the kubernetes service account named 'default', which is the same net effect seen via the drone helm chart today.
|
It looks like the CI linting system is out of commission, it's failing for other PR's on the bitnami charts URL. |
james-mcgoodwin
changed the title
CI fails to pass because values.yaml contains an invalid null string.
Running 'helm lint ./drone' fails
Even calling helm lint with an additional
'-f ./drone/ci/test-values.yaml' still fails to validate values.yaml
$ helm lint ./drone/ -f ./drone/ci/test-values.yaml
==> Linting ./drone/
[ERROR] values.yaml: - env.DRONE_SERVER_HOST: String length must be greater than or equal to 3
Error: 1 chart(s) linted, 1 chart(s) failed
I have updated values.yaml with the example string used in the drone
documentation page for the DRONE_SERVER_HOST value:
https://readme.drone.io/server/reference/drone-server-host/
|
Popping this commit message out since it changes a default value in values.yaml:
|
cognifloyd
left a comment
cognifloyd
left a comment
There was a problem hiding this comment.
This needs to be updated with master.
| serviceAccount: {{ .Values.serviceAccount.name }} | ||
| serviceAccountName: {{ .Values.serviceAccount.name }} |
There was a problem hiding this comment.
| serviceAccount: {{ .Values.serviceAccount.name }} | |
| serviceAccountName: {{ .Values.serviceAccount.name }} | |
| serviceAccountName: {{ .Values.serviceAccount.name }} |
I think you only need serviceAccountName.
| metadata: | ||
| name: {{ .Values.serviceAccount.name }} | ||
| annotations: | ||
| {{ toYaml .Values.serviceAccount.annotations | indent 4 }} |
There was a problem hiding this comment.
I like using nindent to keep the template indentation aligned with the yaml indentation.
| {{ toYaml .Values.serviceAccount.annotations | indent 4 }} | |
| {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} |
| "serviceAccount": { | ||
| "$id": "#/properties/serviceAccount", | ||
| "type": "object", | ||
| "required": [ | ||
| "name", | ||
| "create" | ||
| ], | ||
| "properties": { | ||
| "name": { | ||
| "$id": "#/properties/serviceAccount/name", | ||
| "type": "string" | ||
| }, | ||
| "create": { | ||
| "$id": "#/properties/serviceAccount/create", | ||
| "type": "boolean" | ||
| } | ||
| } | ||
| }, |
There was a problem hiding this comment.
whitespacing is inconsistent. You've got tabs and a trailing space.
Also, I recommend adding annotations here as well.
| "serviceAccount": { | |
| "$id": "#/properties/serviceAccount", | |
| "type": "object", | |
| "required": [ | |
| "name", | |
| "create" | |
| ], | |
| "properties": { | |
| "name": { | |
| "$id": "#/properties/serviceAccount/name", | |
| "type": "string" | |
| }, | |
| "create": { | |
| "$id": "#/properties/serviceAccount/create", | |
| "type": "boolean" | |
| } | |
| } | |
| }, | |
| "serviceAccount": { | |
| "$id": "#/properties/serviceAccount", | |
| "type": "object", | |
| "required": [ | |
| "name", | |
| "create" | |
| ], | |
| "properties": { | |
| "name": { | |
| "$id": "#/properties/serviceAccount/properties/name", | |
| "type": "string" | |
| }, | |
| "create": { | |
| "$id": "#/properties/serviceAccount/properties/create", | |
| "type": "boolean" | |
| }, | |
| "annotations": { | |
| "$id": "#/properties/serviceAccount/properties/annotations", | |
| "type": "object" | |
| } | |
| } | |
| }, |
|
would like this to use a sa with server for eks irsa for s3 access. |
We need this for the same reason. Helm create generates all the service account goodness one needs, it shouldn't have been removed to begin with. @jeanlucmongrain can you get the conflicts resolved and then we can we can try to get this merged? |
|
@jimsheldon - can we get someone to look at this PR please |
|
I'll be looking into this asap. Can someone fix the conflict? Thanks |
|
Thanks guys. If |
|
@jimsheldon try #76 |
|
#76 has been merged, closing this out |
6 participants
This PR lets the user choose to not use the built in 'default' Kubernetes service account in the namespace drone is being deployed to.
Our use case for this is we create specific KSA's for each of our services, while optionally attaching it to GCPs Workload Identity system via annotations.
If left unchanged by the user, the default KSA will still be used and no new KSA will be generated.
If the user overrides the serviceAccount: object they can do the following:
Note that annotations will not be applied to any KSA if the create bool is false.
I feel like this PR dove tales with the Allow custom webserver port PR.
My ultimate goal is a drone running with out root (using port 8080), with a KSA that we choose (named predictably 'drone')