volker.raschek/helm-gitea
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for ServiceAccount configuration (#451)

Browse Source 
### Description of the change

This adds a new values object `serviceAccount`, that allows creating a dedicated ServiceAccount with the Helm Release into the cluster. It supports all common options like labels, annotations, name override (or referring to an externally created ServiceAccount), auto-mount token, image pull secrets.

It supersedes the stale PR #357.

### Benefits

Users can deploy Gitea with more fine-tuned security settings.

### Applicable issues

- related to #448

### Additional information

I've bumped the helm-unittest plugin in the CI build, to be able to use the `exists` and `notExists` feature in the new tests.

### Checklist

- [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/451
Reviewed-by: pat-s <pat-s@noreply.gitea.com>
Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>
This commit is contained in:
justusbunsi
2023-05-31 08:47:58 +00:00
committed by pat-s
parent 0ca013647d
commit 5e5496f15d
9 changed files with 173 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
unittests/serviceaccount/basic.yaml Normal file
View File

@ -0,0 +1,82 @@
suite: ServiceAccount template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/serviceaccount.yaml
tests:
- it: skips rendering by default
asserts:
- hasDocuments:
count: 0
- it: renders default ServiceAccount object with serviceAccount.create=true
set:
serviceAccount.create: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ServiceAccount
apiVersion: v1
name: gitea-unittests
- equal:
path: automountServiceAccountToken
value: false
- notExists:
path: imagePullSecrets
- notExists:
path: metadata.annotations
- it: allows for adding custom labels
set:
serviceAccount:
create: true
labels:
custom: label
asserts:
- equal:
path: metadata.labels.custom
value: label
- it: allows for adding custom annotations
set:
serviceAccount:
create: true
annotations:
myCustom: annotation
asserts:
- equal:
path: metadata.annotations.myCustom
value: annotation
- it: allows to override the generated name
set:
serviceAccount:
create: true
name: provided-serviceaccount-name
asserts:
- equal:
path: metadata.name
value: provided-serviceaccount-name
- it: allows to mount the token
set:
serviceAccount:
create: true
automountServiceAccountToken: true
asserts:
- equal:
path: automountServiceAccountToken
value: true
- it: allows to reference image pull secrets
set:
serviceAccount:
create: true
imagePullSecrets:
- name: testing-image-pull-secret
- name: another-pull-secret
asserts:
- contains:
path: imagePullSecrets
content:
name: testing-image-pull-secret
- contains:
path: imagePullSecrets
content:
name: another-pull-secret

32
unittests/serviceaccount/reference.yaml Normal file
View File

@ -0,0 +1,32 @@
suite: ServiceAccount template (reference)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/serviceaccount.yaml
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: does not modify the StatefulSet by default
template: templates/gitea/statefulset.yaml
asserts:
- notExists:
path: spec.serviceAccountName
- it: adds the reference to the StatefulSet with serviceAccount.create=true
template: templates/gitea/statefulset.yaml
set:
serviceAccount.create: true
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: gitea-unittests
- it: allows referencing an externally created ServiceAccount to the StatefulSet
template: templates/gitea/statefulset.yaml
set:
serviceAccount:
create: false # explicitly set to define rendering behavior
name: "externally-existing-serviceaccount"
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: externally-existing-serviceaccount