From c47f4a6f2f1a5e643a055c9bcf1cf4eb6b0cac7a Mon Sep 17 00:00:00 2001 
From: Christopher Tate Date: Mon, 27 Feb 2023 22:10:53 -0700 Subject: [PATCH] Adding features like serviceAccountName for OpenShift security constraints - Fix a bug with postgresql.enabled value - Add optional serviceAccount to deployment for required security on OpenShift - Add docs for the new serviceAccount values - Allow customizing the postgresqlDatabase value and PGDATABASE environment variable on the betydb container - Allow disabling the creation of a betydb Secret in order to use an ExternalSecret from a vault instead - Remove the conflicting PGDATABASE in the init container that points to the bety database - Removing the PG_TABLE=sessions and PG_DATABASE=bety environment variable - When the PG_TABLE=sessions environment variable is set, the check-postgresql init container fails. When the deployment fails, the argocd application never completes and enters the post-install phase. The load-db Job depends on the post-install hook running, so the bety database is never created. - Remove post-install helm hook from load-db Job so that the bety database gets created for the Deployment - Added string around the -r 0 parameter of the command parent 9cc554112c075c1a994205d50c08e0366afb00d7 author Christopher Tate 1677561053 -0700 committer Christopher Tate 1680705101 -0600 gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8gjca+F8TU1M4A3jZbVOLA7tOVIFAmQthk0ACgkQZbVOLA7t OVIK1AgA1wYe2xmMRpyz/qQfGH7UpdoLv+az9JReXlW2+cda41VYaQahcEUSuRy3 c3iJynk5uoaO9QcR8gKGThmuO6kZYpJceyaPGP/ms+KBT+rgN9XFcUPQIGjuRIoj OplUx9IqKPrTqVLb7H448QHNDq+oST43vvmzxmXei5KSHSxq6Vrjgiqe+3UoyjdM HidKEaIYddajhpbzGiHZ96klIq5TNiU+q1xsuTzT5fsFkiPzwrpom5H5MlQ31EGg CeKpBPtG7qNI3zrK3gi9//4n8BlYqh14ncr/7Ju5MxP9bjIHyL22ksasMYL3HMxu ggwyLGRQmhbpsXoRHVbxelyi381a7w== =pmxl -----END PGP SIGNATURE----- --- Chart.lock | 4 ++-- Chart.yaml | 2 +- README.md | 8 ++++++++ templates/_helpers.tpl | 19 +++++++++++++++++++ templates/deployment.yaml | 7 +++---- templates/hooks/load-db.yaml | 2 +- templates/secrets.yaml | 
2 ++
templates/serviceAccount.yaml | 12 ++++++++++++
values.yaml | 23 +++++++++++++++++++++++
9 files changed, 71 insertions(+), 8 deletions(-)
create mode 100644 templates/serviceAccount.yaml
diff --git a/Chart.lock b/Chart.lock
index 4d62d201..730362d4 100644
--- a/Chart.lock
+++ b/Chart.lock
@@ -2,5 +2,5 @@ dependencies:
 - name: postgresql
 repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
 version: 8.9.9
-digest: sha256:526629d1646df6a72d4414adc89f3728f0e97e37a4e8ac65036c51e06361c7bb
-generated: "2022-06-22T22:35:06.775527-05:00"
+digest: sha256:9bf0731393755a97be066c786f40dd92f7a640137658a129a37c29cedd7d6560
+generated: "2023-02-27T22:24:29.970340243-07:00"
diff --git a/Chart.yaml b/Chart.yaml
index 2a163901..b2819c47 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -36,7 +36,7 @@ dependencies:
 - name: postgresql
 version: ~8.9
 repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
- condition: postgres.enabled
+ condition: postgresql.enabled
 annotations:
 artifacthub.io/links: |
diff --git a/README.md b/README.md
index 32488c9e..cafcea36 100644
--- a/README.md
+++ b/README.md
@@ -86,6 +86,14 @@ The following table lists the configurable parameters of the Bety chart and thei
 | `betyPassword` | Password value for bety.password | `bety` |
 | `betyDatabase` | Name of the database for bety.database | `bety` |
+### OpenShift/Kubernetes parameters
+
+| Parameter | Description | Default |
+|-----------------------------------|----------------------------------------------------------|--------------------------------|
+| `serviceAccount.enabled` | Enable creation and use of a deployment service account | false |
+| `serviceAccount.name` | Add a serviceAccountName to the deployment | `` |
+| `serviceAccount.annotations` | Add annotations to the serviceAccount | {} |
+
 ### Ingress parameters
 | Parameter | Description | Default |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index e239785c..b7ddca04 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -24,6 +24,23 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
+{{/*
+Create a default service account name.
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "serviceAccount.fullname" -}}
+{{- if .Values.serviceAccount.name -}}
+{{- .Values.serviceAccount.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -74,6 +91,8 @@ Environment variables for PostgreSQL
 value: {{ include "betydb.postgresqlHost" . | quote }}
 - name: PGPORT
 value: {{ include "betydb.postgresqlPort" . | quote }}
+- name: PGDATABASE
+ value: {{ .Values.postgresql.postgresqlDatabase | default "postgres" | quote }}
 - name: PGUSER
 value: {{ .Values.postgresql.postgresqlUsername | default "postgres" | quote }}
 - name: PGPASSWORD
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index b9027786..3c457ea2 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -42,10 +42,6 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 env:
 {{- include "betydb.postgresqlEnv" . | nindent 12 }}
- - name: PGDATABASE
- value: {{ .Values.betyDatabase | quote }}
- - name: PG_TABLE
- value: "sessions"
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -100,6 +96,9 @@ spec:
 nodeSelector:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.serviceAccount.enabled }}
+ serviceAccountName: {{ include "serviceAccount.fullname" . | quote }}
+ {{- end }}
 {{- with .Values.affinity }}
 affinity:
 {{- toYaml . | nindent 8 }}
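Review bot: The new define is named `serviceAccount.fullname` without the chart prefix every other helper in this file carries (`betydb.labels`, `betydb.postgresqlEnv`, `betydb.postgresqlHost`); Helm named templates are global across a release, so an unprefixed name can silently collide with a same-named define in the bitnami postgresql subchart or any future dependency, and whichever template loads last wins. Rename it to `{{- define "betydb.serviceAccountName" -}}` and update the two call sites to `{{ include "betydb.serviceAccountName" . }}`. A user-supplied `serviceAccount.name` is only truncated and de-dashed here, not checked as a DNS-1123 label; that matches the existing fullname helper, but the header comment should say the caller is responsible for a valid name.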
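Review bot: The PGDATABASE line added to `betydb.postgresqlEnv` changes the meaning of the shared include for every consumer, not just the init container this commit edits: anything that includes this helper now connects to `postgresql.postgresqlDatabase` (the maintenance database, `postgres` by default) rather than the application database, which is what the commit message wants but is not stated where the contract lives. Add to the define's header comment: `PGDATABASE is the server's maintenance database used to reach PostgreSQL; it is deliberately not betyDatabase, which may not exist until load-db has run.` The `default "postgres"` also duplicates the `postgresqlDatabase: postgres` default shipped in values.yaml; keeping it is consistent with the PGUSER line, but the two defaults should be kept in sync. The define itself starts outside the hunk.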
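Review bot: Setting `serviceAccountName` also mounts that account's API token into every container of the pod unless automounting is disabled, and nothing visible in this chart suggests the bety container or its init container talks to the Kubernetes API; on OpenShift the account is usually only there so an SCC can be bound to it, which does not need the token. Inside the same `if`, add `automountServiceAccountToken: false` next to `serviceAccountName:`; doing it at pod level also covers the case where a pre-existing, externally managed account is referenced by name. The pod spec these lines belong to starts outside the hunk.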
diff --git a/templates/hooks/load-db.yaml b/templates/hooks/load-db.yaml
index e6e244db..19dfe1d4 100644
--- a/templates/hooks/load-db.yaml
+++ b/templates/hooks/load-db.yaml
@@ -49,7 +49,7 @@ spec:
 - -m
 - ${LOCAL_SERVER}
 - -r
- - 0
+ - '0'
 - -w
 - {{ .Values.dburl | quote }}
 {{- else }}
diff --git a/templates/secrets.yaml b/templates/secrets.yaml
index 70d0e937..999aa540 100644
--- a/templates/secrets.yaml
+++ b/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.externalSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,3 +12,4 @@ data:
 {{- end }}
 betyPassword: {{ .Values.betyPassword | b64enc | quote }}
 secretKey: {{ .Values.secretKey | b64enc | quote }}
+{{- end }}
diff --git a/templates/serviceAccount.yaml b/templates/serviceAccount.yaml
new file mode 100644
index 00000000..97486121
--- /dev/null
+++ b/templates/serviceAccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "serviceAccount.fullname" . }}
+ labels:
+ {{- include "betydb.labels" . | nindent 4 }}
+ annotations:
+ {{- with .Values.serviceAccount.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
index 13d48931..27760144 100644
--- a/values.yaml
+++ b/values.yaml
@@ -39,6 +39,11 @@ betyDatabase: bety
 ## changed users will not be able to login with their existing passwords.
 secretKey: thisisnotasecret
+## Set to true if you will be managing the `betydb` secret with external secrets.
+## The `betydb` secret includes `betyPassword`, `postgresqlPassword`,
+## and `secretKey`.
+externalSecret: false
+
 ## dbtag is the tag of the database to load. Normally will use latest to
 ## make sure latest tag is loaded, this might not work with an older database.
 ## set this to "" to not load the database
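Review bot: The `externalSecret` guard only stops this Secret from being rendered; the Deployment presumably still references the Secret by the chart's fixed name (the `metadata` block is outside the hunk, so the name is not visible here), so an externally managed Secret has to reproduce that exact name and all three keys, and a mismatch surfaces only as pods stuck in CreateContainerConfigError. The more common chart convention is `existingSecret: ""`, where a non-empty value both skips this template and is substituted for the Secret name in the Deployment's `secretKeyRef`s, which lets a vault-synced Secret keep its own name. Whichever flag stays, document the contract where the Secret is defined: `# keys consumed by the Deployment: betyPassword, postgresqlPassword, secretKey; an external Secret must provide all three` above `data:`.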
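Review bot: `serviceAccount.create` (added to values.yaml with default `false`) is never read: this template renders the ServiceAccount whenever `serviceAccount.enabled` is true, so there is no way to point the Deployment at an account that already exists — the usual OpenShift flow, where a cluster admin pre-creates the SA and binds an SCC to it — and Helm will refuse to install over an SA of that name it does not own. Gate creation on both flags, move `annotations:` inside the `with` so an empty map does not render `annotations: null`, and set `automountServiceAccountToken: false` since no API access is evident. The values.yaml default for `create` should then match the README's "enable creation and use" wording.
```yaml
{{- if and .Values.serviceAccount.enabled .Values.serviceAccount.create -}}
# … unchanged: apiVersion, kind, metadata.name, metadata.labels …
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
automountServiceAccountToken: false
{{- end }}
```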
@@ -107,6 +112,9 @@ postgresql:
 ## not saved in the database.
 postgresqlPassword: supersecret
+ ## postgresqlDatabase postgresql database to connect to load the database
+ postgresqlDatabase: postgres
+
 # need more space
 persistence:
 size: 20Gi
@@ -169,6 +177,21 @@ resources: {}
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
 nodeSelector: {}
+serviceAccount:
+
+ # Specifies whether a service account should be added to the deployment
+ enabled: false
+
+ # Specifies whether a service account should be created
+ create: false
+
+ # Annotations to add to the service account
+ annotations: {}
+
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
 ## Tolerations
 ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 tolerations: []
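Review bot: `postgresqlDatabase` sits under the `postgresql:` key that Chart.yaml hands to the bitnami postgresql subchart, so the value is presumably consumed by the subchart as well as by the new PGDATABASE env line — in that chart it names the database created at first start — which the comment does not mention and which matters if someone sets it to a name the subchart then creates. Confirm and reword the comment, which is also hard to parse as written: `## Database that PGDATABASE points at when reaching the server (the maintenance DB, not betyDatabase); when postgresql.enabled is true this is also passed to the postgresql subchart`.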
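Review bot: The comment on `name` says a name is generated "if not set and create is true", but no template in this commit reads `serviceAccount.create`: serviceAccount.yaml creates the account and deployment.yaml references it whenever `enabled` is true, and the generated name comes from the `serviceAccount.fullname` helper regardless of `create`, so the key is dead as shipped. Either wire `create` into serviceAccount.yaml's guard or remove it, and reword the comment to match the behaviour that actually exists. If `create` is kept, `# Set create: false and name: <existing-sa> to reuse an account a cluster admin pre-created (e.g. one already bound to an OpenShift SCC)` tells the OpenShift user the intended workflow, and the README row for `serviceAccount.enabled` should describe the same split.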