Add ServiceAccount annotations (#686)

Co-authored-by: Julien Mailleret <8582351+jmlrt@users.noreply.github.com>
elastic · Jun 26, 2020 · 3185a55 · 3185a55
1 parent 3b56aaa
commit 3185a55
Show file tree

Hide file tree

Showing 18 changed files with 111 additions and 0 deletions.
diff --git a/apm-server/README.md b/apm-server/README.md
@@ -99,6 +99,7 @@ as a reference. They are also used in the automated testing of this chart.
 | `resources`              | Allows you to set the [resources][] for the `Deployment`                                                                                                   | see [values.yaml][]                |
 | `secretMounts`           | Allows you easily mount a secret as a file inside the `Deployment`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]`                               |
 | `serviceAccount`         | Custom [serviceAccount][] that APM Server will use during execution. By default will use the `serviceAccount` created by this chart                        | `""`                               |
+| `serviceAccountAnnotations` | Annotations to be added to the ServiceAccount that is created by this chart.                                                                            | `{}`
 | `service`                | Configurable [service][] to expose the APM Server service. See [values.yaml][] for an example                                                              | see [values.yaml][]                |
 | `terminationGracePeriod` | Termination period (in seconds) to wait before killing APM Server pod process on pod shutdown                                                              | `30`                               |
 | `tolerations`            | Configurable [tolerations][]                                                                                                                               | `[]`                               |

diff --git a/apm-server/templates/serviceaccount.yaml b/apm-server/templates/serviceaccount.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "apm.serviceAccount" . }}
+  annotations:
+    {{- with .Values.serviceAccountAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   labels:
     app: "{{ template "apm.fullname" . }}"
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"

diff --git a/apm-server/tests/apmserver_test.py b/apm-server/tests/apmserver_test.py
@@ -258,6 +258,20 @@ def test_adding_pod_labels():
     )
 
 
+def test_adding_serviceaccount_annotations():
+    config = """
+serviceAccountAnnotations:
+  eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+    r = helm_template(config)
+    assert (
+        r["serviceaccount"][name]["metadata"]["annotations"][
+            "eks.amazonaws.com/role-arn"
+        ]
+        == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+    )
+
+
 def test_adding_a_node_selector():
     config = """
 nodeSelector:

diff --git a/apm-server/values.yaml b/apm-server/values.yaml
@@ -110,6 +110,10 @@ resources:
 # Custom service account override that the pod will use
 serviceAccount: ""
 
+# Annotations to add to the ServiceAccount that is created if the serviceAccount value isn't set.
+serviceAccountAnnotations: {}
+  # eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+
 # A list of secrets and their paths to mount inside the pod
 secretMounts: []
 #  - name: elastic-certificate-pem

diff --git a/elasticsearch/templates/serviceaccount.yaml b/elasticsearch/templates/serviceaccount.yaml
@@ -8,6 +8,10 @@ metadata:
   {{- else }}
   name: {{ .Values.rbac.serviceAccountName | quote }}
   {{- end }}
+  annotations:
+    {{- with .Values.rbac.serviceAccountAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   labels:
     heritage: {{ .Release.Service | quote }}
     release: {{ .Release.Name | quote }}

diff --git a/elasticsearch/tests/elasticsearch_test.py b/elasticsearch/tests/elasticsearch_test.py
@@ -576,6 +576,22 @@ def test_adding_pod_annotations():
     )
 
 
+def test_adding_serviceaccount_annotations():
+    config = """
+rbac:
+  create: true
+  serviceAccountAnnotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+    r = helm_template(config)
+    assert (
+        r["serviceaccount"][uname]["metadata"]["annotations"][
+            "eks.amazonaws.com/role-arn"
+        ]
+        == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+    )
+
+
 def test_adding_a_node_selector():
     config = """
 nodeSelector:

diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
@@ -96,6 +96,7 @@ volumeClaimTemplate:
 
 rbac:
   create: false
+  serviceAccountAnnotations: {}
   serviceAccountName: ""
 
 podSecurityPolicy:

diff --git a/filebeat/README.md b/filebeat/README.md
@@ -102,6 +102,7 @@ as a reference. They are also used in the automated testing of this chart.
 | `resources`              | Allows you to set the [resources][] for the `DaemonSet`                                                                                                                         | see [values.yaml][]                |
 | `secretMounts`           | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example                       | `[]`                               |
 | `serviceAccount`         | Custom [serviceAccount][] that Filebeat will use during execution. By default will use the service account created by this chart                                                | `""`                               |
+| `serviceAccountAnnotations` | Annotations to be added to the ServiceAccount that is created by this chart.                                                                                                 | `{}`
 | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Filebeat pod process on pod shutdown                                                                                     | `30`                               |
 | `tolerations`            | Configurable [tolerations][]                                                                                                                                                    | `[]`                               |
 | `updateStrategy`         | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually | `RollingUpdate`                    |

diff --git a/filebeat/templates/serviceaccount.yaml b/filebeat/templates/serviceaccount.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "filebeat.serviceAccount" . }}
+  annotations:
+    {{- with .Values.serviceAccountAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   labels:
     app: "{{ template "filebeat.fullname" . }}"
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"

diff --git a/filebeat/tests/filebeat_test.py b/filebeat/tests/filebeat_test.py
@@ -296,6 +296,20 @@ def test_adding_pod_labels():
     )
 
 
+def test_adding_serviceaccount_annotations():
+    config = """
+serviceAccountAnnotations:
+  eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+    r = helm_template(config)
+    assert (
+        r["serviceaccount"][name]["metadata"]["annotations"][
+            "eks.amazonaws.com/role-arn"
+        ]
+        == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+    )
+
+
 def test_adding_a_node_selector():
     config = """
 nodeSelector:

diff --git a/filebeat/values.yaml b/filebeat/values.yaml
@@ -110,6 +110,10 @@ resources:
 # Custom service account override that the pod will use
 serviceAccount: ""
 
+# Annotations to add to the ServiceAccount that is created if the serviceAccount value isn't set.
+serviceAccountAnnotations: {}
+  # eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+
 # A list of secrets and their paths to mount inside the pod
 # This is useful for mounting certificates for security other sensitive values
 secretMounts: []

diff --git a/logstash/templates/serviceaccount.yaml b/logstash/templates/serviceaccount.yaml
@@ -8,6 +8,10 @@ metadata:
   {{- else }}
   name: {{ .Values.rbac.serviceAccountName | quote }}
   {{- end }}
+  annotations:
+    {{- with .Values.rbac.serviceAccountAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   labels:
     app: "{{ template "logstash.fullname" . }}"
     chart: "{{ .Chart.Name }}"

diff --git a/logstash/tests/logstash_test.py b/logstash/tests/logstash_test.py
@@ -350,6 +350,22 @@ def test_adding_pod_annotations():
     )
 
 
+def test_adding_serviceaccount_annotations():
+    config = """
+rbac:
+  create: true
+  serviceAccountAnnotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+    r = helm_template(config)
+    assert (
+        r["serviceaccount"][name]["metadata"]["annotations"][
+            "eks.amazonaws.com/role-arn"
+        ]
+        == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+    )
+
+
 def test_adding_a_node_selector():
     config = """
 nodeSelector:

diff --git a/logstash/values.yaml b/logstash/values.yaml
@@ -70,6 +70,7 @@ volumeClaimTemplate:
 
 rbac:
   create: false
+  serviceAccountAnnotations: {}
   serviceAccountName: ""
 
 podSecurityPolicy:

diff --git a/metricbeat/README.md b/metricbeat/README.md
@@ -115,6 +115,7 @@ as a reference. They are also used in the automated testing of this chart.
 | `readinessProbe`               | Parameters to pass to readiness [probe][] checks for values such as timeouts and thresholds                                                                                  | see [values.yaml][]                  |
 | `replicas`                     | The replica count for the Metricbeat deployment talking to kube-state-metrics                                                                                                | `1`                                  |
 | `serviceAccount`               | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart                                           | `""`                                 |
+| `serviceAccountAnnotations`    | Annotations to be added to the ServiceAccount that is created by this chart.                                                                                                 | `{}`
 | `terminationGracePeriod`       | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown                                                                                | `30`                                 |
 | `updateStrategy`               | The [updateStrategy][] for the DaemonSet By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually | `RollingUpdate`                      |
 

diff --git a/metricbeat/templates/serviceaccount.yaml b/metricbeat/templates/serviceaccount.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "metricbeat.serviceAccount" . }}
+  annotations:
+    {{- with .Values.serviceAccountAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   labels:
     app: "{{ template "metricbeat.fullname" . }}"
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"

diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py
@@ -975,6 +975,20 @@ def test_adding_pod_labels():
     )
 
 
+def test_adding_serviceaccount_annotations():
+    config = """
+serviceAccountAnnotations:
+  eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+"""
+    r = helm_template(config)
+    assert (
+        r["serviceaccount"][name]["metadata"]["annotations"][
+            "eks.amazonaws.com/role-arn"
+        ]
+        == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount"
+    )
+
+
 def test_adding_env_from():
     config = """
 daemonset:

diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml
@@ -224,6 +224,10 @@ podAnnotations: {}
 # Custom service account override that the pod will use
 serviceAccount: ""
 
+# Annotations to add to the ServiceAccount that is created if the serviceAccount value isn't set.
+serviceAccountAnnotations: {}
+  # eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount
+
 # How long to wait for metricbeat pods to stop gracefully
 terminationGracePeriod: 30