Make Signalilo service account configurable (#454)

Add support to deploy a separate service account for Signalilo. Optionally, the service account name can be specified. Co-authored-by: Jürgen Kirschbaum <juergen.kirschbaum@kvb.de>
appuio · Feb 9, 2023 · 2d3ae1b · 2d3ae1b
1 parent e42bc1d
commit 2d3ae1b
Show file tree

Hide file tree

Showing 8 changed files with 60 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -28,7 +28,7 @@ helm repo add appuio https://charts.appuio.ch
 | [![chart downloads](https://img.shields.io/github/downloads/appuio/charts/prometheus-blackbox-exporter-0.3.1/total)](https://github.com/appuio/charts/releases/tag/prometheus-blackbox-exporter-0.3.1) | [prometheus-blackbox-exporter](appuio/prometheus-blackbox-exporter/README.md) |
 | [![chart downloads](https://img.shields.io/github/downloads/appuio/charts/redis-1.3.5/total)](https://github.com/appuio/charts/releases/tag/redis-1.3.5) | [redis](appuio/redis/README.md) |
 | [![chart downloads](https://img.shields.io/github/downloads/appuio/charts/secret-1.1.0/total)](https://github.com/appuio/charts/releases/tag/secret-1.1.0) | [secret](appuio/secret/README.md) |
-| [![chart downloads](https://img.shields.io/github/downloads/appuio/charts/signalilo-0.10.1/total)](https://github.com/appuio/charts/releases/tag/signalilo-0.10.1) | [signalilo](appuio/signalilo/README.md) |
+| [![chart downloads](https://img.shields.io/github/downloads/appuio/charts/signalilo-0.11.0/total)](https://github.com/appuio/charts/releases/tag/signalilo-0.11.0) | [signalilo](appuio/signalilo/README.md) |
 | [![chart downloads](https://img.shields.io/github/downloads/appuio/charts/snappass-0.2.15/total)](https://github.com/appuio/charts/releases/tag/snappass-0.2.15) | [snappass](appuio/snappass/README.md) |
 | [![chart downloads](https://img.shields.io/github/downloads/appuio/charts/stardog-0.15.0/total)](https://github.com/appuio/charts/releases/tag/stardog-0.15.0) | [stardog](appuio/stardog/README.md) |
 | [![chart downloads](https://img.shields.io/github/downloads/appuio/charts/stardog-userrole-operator-0.1.1/total)](https://github.com/appuio/charts/releases/tag/stardog-userrole-operator-0.1.1) | [stardog-userrole-operator](appuio/stardog-userrole-operator/README.md) |

diff --git a/appuio/signalilo/Chart.yaml b/appuio/signalilo/Chart.yaml
@@ -7,7 +7,7 @@ keywords:
   - alertmanager
   - webhook
   - icinga2
-version: 0.10.1
+version: 0.11.0
 appVersion: v0.12.0
 sources:
   - https://git.vshn.net/vshn/signalilo

diff --git a/appuio/signalilo/README.gotmpl.md b/appuio/signalilo/README.gotmpl.md
@@ -35,6 +35,9 @@ Parameter | Description | Default
 `extraEnvVars` | Extra Signalilo configuration (see values.yaml for optional configuration values, and their defaults) | `[]`
 `extraVolumes` | Extra Signalilo extra volumes | `[]`
 `extraVolumeMounts` | Extra Signalilo extra volume mounts | `[]`
+`serviceAccount.annotations` | Annotations to add to the service account | `{}`
+`serviceAccount.create` | Specifies whether a service account should be created | `true`
+`serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""`
 `securityContext.enabled` | Enable security context for the pod | `false`
 `securityContext.runAsUser` | User to run the pod as | `999`
 `securityContext.fsGroup` | fs group to use for the pod | `999`

diff --git a/appuio/signalilo/README.md b/appuio/signalilo/README.md
@@ -1,6 +1,6 @@
 # signalilo
 
-![Version: 0.10.1](https://img.shields.io/badge/Version-0.10.1-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square)
+![Version: 0.11.0](https://img.shields.io/badge/Version-0.11.0-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square)
 
 Alertmanager to Icinga2 bridge
 
@@ -49,6 +49,9 @@ Parameter | Description | Default
 `extraEnvVars` | Extra Signalilo configuration (see values.yaml for optional configuration values, and their defaults) | `[]`
 `extraVolumes` | Extra Signalilo extra volumes | `[]`
 `extraVolumeMounts` | Extra Signalilo extra volume mounts | `[]`
+`serviceAccount.annotations` | Annotations to add to the service account | `{}`
+`serviceAccount.create` | Specifies whether a service account should be created | `true`
+`serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""`
 `securityContext.enabled` | Enable security context for the pod | `false`
 `securityContext.runAsUser` | User to run the pod as | `999`
 `securityContext.fsGroup` | fs group to use for the pod | `999`

diff --git a/appuio/signalilo/templates/_helpers.tpl b/appuio/signalilo/templates/_helpers.tpl
@@ -38,3 +38,34 @@ Create image pull secret.
 {{- define "signalilo.imagePullSecret" -}}
 {{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" ( required "Please specify the Docker registry" .Values.image.registry) (printf "%s:%s" (required "Please specify the Docker user name" .Values.image.username) ( required "Please specify the Docker password" .Values.image.password) | b64enc) | b64enc }}
 {{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "signalilo.labels" -}}
+helm.sh/chart: {{ include "signalilo.chart" . }}
+{{ include "signalilo.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "signalilo.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "signalilo.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "signalilo.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "signalilo.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/appuio/signalilo/templates/deployment.yaml b/appuio/signalilo/templates/deployment.yaml
@@ -21,6 +21,7 @@ spec:
       annotations:
         checksum/tokens-secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
     spec:
+      serviceAccountName: {{ include "signalilo.serviceAccountName" . }}
       {{- if .Values.securityContext.enabled }}
       securityContext:
         fsGroup: {{ .Values.securityContext.fsGroup }}

diff --git a/appuio/signalilo/templates/serviceaccount.yaml b/appuio/signalilo/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "signalilo.serviceAccountName" . }}
+  labels:
+    {{- include "signalilo.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+{{- end }}
diff --git a/appuio/signalilo/values.yaml b/appuio/signalilo/values.yaml
@@ -54,6 +54,15 @@ extraVolumes: []
 # Extra volumeMounts for the Signalilo deployment. Optional.
 extraVolumeMounts: []
 
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+  # Annotations to add to the service account
+  annotations: {}
+
 securityContext:
   enabled: false
   runAsUser: 999