From 67a195f89ccafb1f8e6bd4f632a284f9e3696543 Mon Sep 17 00:00:00 2001 From: AlexB Date: Thu, 20 Mar 2025 10:43:07 +0100 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8(helm)=20add=20serviceAccountName=20pa?= =?UTF-8?q?rameter=20for=20services?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add support for specifying custom service accounts in all Kubernetes resources in our Helm charts to enable workload identity federation with managed cloud services (PostgreSQL, Redis, etc.). This allows deployments to authenticate to cloud resources without embedding credentials in secrets. --- CHANGELOG.md | 1 + src/helm/impress/README.md | 3 +++ .../impress/templates/backend_deployment.yaml | 3 +++ .../backend_job_createsuperuser.yaml | 3 +++ .../templates/backend_job_migrate.yaml | 3 +++ .../templates/celery_worker_deployment.yaml | 3 +++ .../templates/frontend_deployment.yaml | 3 +++ .../templates/yprovider_deployment.yaml | 3 +++ src/helm/impress/values.yaml | 19 ++++++++++++++----- 9 files changed, 36 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 89a4e8fe..9f783d4e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to ### Added +- ✨(helm) Service Account support for K8s Resources in Helm Charts #778 - ✨(backend) allow masking documents from the list view #1171 - ✨(frontend) subdocs can manage link reach #1190 - ✨(frontend) add duplicate action to doc tree #1175 diff --git a/src/helm/impress/README.md b/src/helm/impress/README.md index 175bd3cf..d5bcd226 100644 --- a/src/helm/impress/README.md +++ b/src/helm/impress/README.md 
@@ -135,6 +135,7 @@ | `backend.extraVolumeMounts` | Additional volumes to mount on the backend. | `[]` | | `backend.extraVolumes` | Additional volumes to mount on the backend. | `[]` | | `backend.pdb.enabled` | Enable pdb on backend | `true` | +| `backend.serviceAccountName` | Optional service account name to use for backend pods | `nil` | | `backend.themeCustomization.enabled` | Enable theme customization | `false` | | `backend.themeCustomization.file_content` | Content of the theme customization file. Must be a json object. | `""` | | `backend.themeCustomization.mount_path` | Path where the customization file will be mounted in the backend deployment. | `/app/impress/configuration/theme` | @@ -198,6 +199,7 @@ | `frontend.extraVolumeMounts` | Additional volumes to mount on the frontend. | `[]` | | `frontend.extraVolumes` | Additional volumes to mount on the frontend. | `[]` | | `frontend.pdb.enabled` | Enable pdb on frontend | `true` | +| `frontend.serviceAccountName` | Optional service account name to use for frontend pods | `nil` | ### posthog @@ -280,3 +282,4 @@ | `yProvider.extraVolumeMounts` | Additional volumes to mount on the yProvider. | `[]` | | `yProvider.extraVolumes` | Additional volumes to mount on the yProvider. | `[]` | | `yProvider.pdb.enabled` | Enable pdb on yProvider | `true` | +| `yProvider.serviceAccountName` | Optional service account name to use for yProvider pods | `nil` | diff --git a/src/helm/impress/templates/backend_deployment.yaml b/src/helm/impress/templates/backend_deployment.yaml index bb2ff68d..a60b791d 100644 --- a/src/helm/impress/templates/backend_deployment.yaml +++ b/src/helm/impress/templates/backend_deployment.yaml 
@@ -30,6 +30,9 @@ spec: imagePullSecrets: - name: {{ include "impress.secret.dockerconfigjson.name" (dict "fullname" (include "impress.fullname" .) "imageCredentials" $.Values.image.credentials) }} {{- end}} + {{- if .Values.backend.serviceAccountName }} + serviceAccountName: {{ .Values.backend.serviceAccountName }} + {{- end }} shareProcessNamespace: {{ .Values.backend.shareProcessNamespace }} containers: {{- with .Values.backend.sidecars }} diff --git a/src/helm/impress/templates/backend_job_createsuperuser.yaml b/src/helm/impress/templates/backend_job_createsuperuser.yaml index be159c0f..0096483c 100644 --- a/src/helm/impress/templates/backend_job_createsuperuser.yaml +++ b/src/helm/impress/templates/backend_job_createsuperuser.yaml @@ -29,6 +29,9 @@ spec: imagePullSecrets: - name: {{ include "impress.secret.dockerconfigjson.name" (dict "fullname" (include "impress.fullname" .) "imageCredentials" $.Values.image.credentials) }} {{- end}} + {{- if .Values.backend.serviceAccountName }} + serviceAccountName: {{ .Values.backend.serviceAccountName }} + {{- end }} shareProcessNamespace: {{ .Values.backend.shareProcessNamespace }} containers: {{- with .Values.backend.sidecars }} diff --git a/src/helm/impress/templates/backend_job_migrate.yaml b/src/helm/impress/templates/backend_job_migrate.yaml index 00ff9529..99e58ba1 100644 --- a/src/helm/impress/templates/backend_job_migrate.yaml +++ b/src/helm/impress/templates/backend_job_migrate.yaml @@ -29,6 +29,9 @@ spec: imagePullSecrets: - name: {{ include "impress.secret.dockerconfigjson.name" (dict "fullname" (include "impress.fullname" .) "imageCredentials" $.Values.image.credentials) }} {{- end}} + {{- if .Values.backend.serviceAccountName }} + serviceAccountName: {{ .Values.backend.serviceAccountName }} + {{- end }} shareProcessNamespace: {{ .Values.backend.shareProcessNamespace }} containers: {{- with .Values.backend.sidecars }} 
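Review bot: The new value is rendered as a bare scalar, `serviceAccountName: {{ .Values.backend.serviceAccountName }}`, so YAML implicit typing applies to whatever the operator supplies; an all-digit name such as `"1234"` is a valid DNS label in values.yaml but renders as an integer here, and the API server rejects the Deployment at install time. Rendering it as `serviceAccountName: {{ .Values.backend.serviceAccountName | quote }}` keeps it a string for every input while leaving the `if` guard untouched. The same unquoted line is added in the backend_job_createsuperuser and backend_job_migrate hunks on this line, and in the celery_worker, frontend and yprovider deployment hunks that follow, each with its own `.Values` path. The enclosing pod spec starts and ends outside the hunk.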
diff --git a/src/helm/impress/templates/celery_worker_deployment.yaml b/src/helm/impress/templates/celery_worker_deployment.yaml index 956a4e67..3fc278b0 100644 --- a/src/helm/impress/templates/celery_worker_deployment.yaml +++ b/src/helm/impress/templates/celery_worker_deployment.yaml @@ -30,6 +30,9 @@ spec: imagePullSecrets: - name: {{ include "impress.secret.dockerconfigjson.name" (dict "fullname" (include "impress.fullname" .) "imageCredentials" $.Values.image.credentials) }} {{- end}} + {{- if .Values.backend.serviceAccountName }} + serviceAccountName: {{ .Values.backend.serviceAccountName }} + {{- end }} shareProcessNamespace: {{ .Values.backend.shareProcessNamespace }} containers: {{- with .Values.backend.sidecars }} diff --git a/src/helm/impress/templates/frontend_deployment.yaml b/src/helm/impress/templates/frontend_deployment.yaml index 187506aa..584d2645 100644 --- a/src/helm/impress/templates/frontend_deployment.yaml +++ b/src/helm/impress/templates/frontend_deployment.yaml @@ -30,6 +30,9 @@ spec: imagePullSecrets: - name: {{ include "impress.secret.dockerconfigjson.name" (dict "fullname" (include "impress.fullname" .) "imageCredentials" $.Values.image.credentials) }} {{- end}} + {{- if .Values.frontend.serviceAccountName }} + serviceAccountName: {{ .Values.frontend.serviceAccountName }} + {{- end }} shareProcessNamespace: {{ .Values.frontend.shareProcessNamespace }} containers: {{- with .Values.frontend.sidecars }} diff --git a/src/helm/impress/templates/yprovider_deployment.yaml b/src/helm/impress/templates/yprovider_deployment.yaml index 15020d8d..c920037c 100644 --- a/src/helm/impress/templates/yprovider_deployment.yaml +++ b/src/helm/impress/templates/yprovider_deployment.yaml 
@@ -30,6 +30,9 @@ spec: imagePullSecrets: - name: {{ include "impress.secret.dockerconfigjson.name" (dict "fullname" (include "impress.fullname" .) "imageCredentials" $.Values.image.credentials) }} {{- end}} + {{- if .Values.yProvider.serviceAccountName }} + serviceAccountName: {{ .Values.yProvider.serviceAccountName }} + {{- end }} shareProcessNamespace: {{ .Values.yProvider.shareProcessNamespace }} containers: {{- with .Values.yProvider.sidecars }} diff --git a/src/helm/impress/values.yaml b/src/helm/impress/values.yaml index c2e1c08a..f063e478 100644 --- a/src/helm/impress/values.yaml +++ b/src/helm/impress/values.yaml @@ -236,8 +236,8 @@ backend: targetPort: 8000 annotations: {} - ## @param backend.migrate.command backend migrate command - ## @param backend.migrate.restartPolicy backend migrate job restart policy + ## @param backend.migrate.command backend migrate command + ## @param backend.migrate.restartPolicy backend migrate job restart policy migrate: command: - /bin/sh @@ -254,8 +254,8 @@ backend: python manage.py migrate --no-input restartPolicy: Never - ## @param backend.createsuperuser.command backend migrate command - ## @param backend.createsuperuser.restartPolicy backend migrate job restart policy + ## @param backend.createsuperuser.command backend migrate command + ## @param backend.createsuperuser.restartPolicy backend migrate job restart policy createsuperuser: command: - "/bin/sh" @@ -282,7 +282,7 @@ backend: name: "" command: [] restartPolicy: Never - annotations: + annotations: argocd.argoproj.io/hook: PostSync # List of cronjob to add 
@@ -344,6 +344,9 @@ backend: pdb: enabled: true + ## @param backend.serviceAccountName Optional service account name to use for backend pods + serviceAccountName: null + ## @param backend.themeCustomization.enabled Enable theme customization ## @param backend.themeCustomization.file_content Content of the theme customization file. Must be a json object. ## @param backend.themeCustomization.mount_path Path where the customization file will be mounted in the backend deployment. @@ -480,6 +483,9 @@ frontend: pdb: enabled: true + ## @param frontend.serviceAccountName Optional service account name to use for frontend pods + serviceAccountName: null + ## @section posthog posthog: @@ -652,3 +658,6 @@ yProvider: ## @param yProvider.pdb.enabled Enable pdb on yProvider pdb: enabled: true + + ## @param yProvider.serviceAccountName Optional service account name to use for yProvider pods + serviceAccountName: null
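Review bot: The new `## @param backend.serviceAccountName` comment says the account is used for backend pods, but the templates in this patch also apply it to the celery worker Deployment and to the migrate and createsuperuser Jobs, and the patch adds no ServiceAccount template, so the named account presumably has to exist in the release namespace before install. I would extend the comment to `## @param backend.serviceAccountName Optional pre-existing service account for the backend, celery worker and migrate/createsuperuser pods; the chart does not create it` so an operator wiring up workload identity knows which workloads share the identity and where to create and annotate the account. The `frontend.serviceAccountName` and `yProvider.serviceAccountName` comments in the next two hunks only need the pre-existing note. The README rows added earlier in this patch should carry the same wording.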