Posted to notifications@apisix.apache.org by zh...@apache.org on 2022/09/02 14:11:10 UTC
[apisix-helm-chart] branch master updated: feat: support creating ServiceAccount and RBAC (#278)
This is an automated email from the ASF dual-hosted git repository.
zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new 2ebd372 feat: support creating ServiceAccount and RBAC (#278)
2ebd372 is described below
commit 2ebd372eff42ccf3e874cc016f00851e18b1ca79
Author: Lim Zhi Xuan <zh...@gmail.com>
AuthorDate: Fri Sep 2 22:11:04 2022 +0800
feat: support creating ServiceAccount and RBAC (#278)
Co-authored-by: ZhiXuanLim <zh...@ipa.sige.la>
---
charts/apisix/templates/_pod.tpl | 1 +
charts/apisix/templates/clusterrole.yaml | 26 +++++++++++++++++
charts/apisix/templates/clusterrolebinding.yaml | 30 +++++++++++++++++++
charts/apisix/templates/configmap.yaml | 6 ++++
charts/apisix/templates/serviceaccount.yaml | 29 +++++++++++++++++++
charts/apisix/values.yaml | 38 +++++++++++++++++++++----
6 files changed, 125 insertions(+), 5 deletions(-)
diff --git a/charts/apisix/templates/_pod.tpl b/charts/apisix/templates/_pod.tpl
index efd85f9..766cb72 100644
--- a/charts/apisix/templates/_pod.tpl
+++ b/charts/apisix/templates/_pod.tpl
@@ -12,6 +12,7 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 4 }}
{{- end }}
+ serviceAccountName: {{ include "apisix.serviceAccountName" . }}
securityContext: {{- toYaml .Values.podSecurityContext | nindent 4 }}
containers:
- name: {{ .Chart.Name }}
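Review bot: The pod spec now always pins `serviceAccountName`, but nothing in the chart lets an operator disable token automount, so every gateway pod mounts a service-account token even in the default configuration where `rbac.create` and Kubernetes discovery are both off. Because the gateway container is the one facing inbound traffic, an unused token there is the first thing a pod compromise hands to an attacker; a value-controlled `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` next to the new line, defaulting to `true` in values.yaml for compatibility, would let installs that do not use discovery switch it off. The enclosing pod `spec` begins before this hunk.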
diff --git a/charts/apisix/templates/clusterrole.yaml b/charts/apisix/templates/clusterrole.yaml
new file mode 100644
index 0000000..3f31216
--- /dev/null
+++ b/charts/apisix/templates/clusterrole.yaml
@@ -0,0 +1,26 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "apisix.fullname" . }}
+rules:
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["list", "watch"]
+{{- end }}
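Review bot: The ClusterRole grants list/watch on Endpoints for the entire cluster, which exposes the pod IPs and ports of every namespace to the gateway's service account; that is least privilege only when discovery is meant to span all namespaces. Offering a namespaced variant (render a `Role`/`RoleBinding` in `.Release.Namespace` when something like `rbac.namespaced` is set) would let operators who only route within the release namespace keep the grant local. Separately, a cluster-scoped object named solely by `apisix.fullname` collides when the same release name is installed in two namespaces, so appending `-{{ .Release.Namespace }}` to the name avoids a second install overwriting the first; and adding `labels: {{- include "apisix.labels" . | nindent 4 }}`, as serviceaccount.yaml does, keeps the object consistent with the rest of the chart.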
diff --git a/charts/apisix/templates/clusterrolebinding.yaml b/charts/apisix/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..47b5057
--- /dev/null
+++ b/charts/apisix/templates/clusterrolebinding.yaml
@@ -0,0 +1,30 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "apisix.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "apisix.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "apisix.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
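Review bot: When `rbac.create` is true but `serviceAccount.create` is false and `serviceAccount.name` is empty, this binding attaches the cluster-wide Endpoints read to whatever `apisix.serviceAccountName` falls back to — per the values.yaml comment in this commit, the namespace's `default` ServiceAccount — so every other pod in the namespace that runs under `default` silently inherits the permission. A render-time guard makes that explicit, e.g. `{{- if and .Values.rbac.create (not .Values.serviceAccount.create) (empty .Values.serviceAccount.name) }}{{ fail "rbac.create requires serviceAccount.create=true or an explicit serviceAccount.name" }}{{- end }}`; if the fallback is intended, values.yaml should at least say that the grant is shared. Like the ClusterRole, the binding also lacks the `apisix.labels` include.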
diff --git a/charts/apisix/templates/configmap.yaml b/charts/apisix/templates/configmap.yaml
index ee78a14..50ba24c 100644
--- a/charts/apisix/templates/configmap.yaml
+++ b/charts/apisix/templates/configmap.yaml
@@ -170,6 +170,12 @@ data:
worker_rlimit_nofile: {{ default "20480" .Values.nginx.workerRlimitNofile }} # the number of files a worker process can open, should be larger than worker_connections
event:
worker_connections: {{ default "10620" .Values.nginx.workerConnections }}
+ {{- with .Values.nginx.envs }}
+ envs:
+ {{- range $env := . }}
+ - {{ $env }}
+ {{- end }}
+ {{- end }}
http:
enable_access_log: {{ .Values.logs.enableAccessLog }}
{{- if .Values.logs.enableAccessLog }}
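Review bot: `- {{ $env }}` is emitted as a plain scalar, so an entry in `nginx.envs` written in the `NAME=value` form that nginx's `env` directive accepts breaks the rendered YAML as soon as the value contains `: `, ` #`, or a leading indicator, and a digit-only or boolean-looking value would be retyped by the parser; rendering each entry as `- {{ $env | quote }}` keeps it a string regardless of content. The mapping this `envs` list belongs to begins before this hunk.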
diff --git a/charts/apisix/templates/serviceaccount.yaml b/charts/apisix/templates/serviceaccount.yaml
new file mode 100644
index 0000000..db33356
--- /dev/null
+++ b/charts/apisix/templates/serviceaccount.yaml
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "apisix.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "apisix.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
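Review bot: This template and _pod.tpl both call `include "apisix.serviceAccountName"`, yet no `_helpers.tpl` change appears in the diffstat; unless that helper already exists in the chart, `helm template` fails with an undefined-template error for every install, not just those enabling the new values. The values.yaml comment in this commit implies the intended contract — the ServiceAccount named `default` when `serviceAccount.create` is false and no name is set — so if the helper has to be added it should return `.Values.serviceAccount.name` when set, a chart-derived name when `create` is true, and `default` otherwise, and that contract belongs in a comment above the `define`. A short header comment here, `# ServiceAccount the gateway pods run as; bound to the ClusterRole when rbac.create is true`, would also tell readers why the object exists.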
diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
index 5cff5eb..81043e8 100644
--- a/charts/apisix/values.yaml
+++ b/charts/apisix/values.yaml
@@ -121,6 +121,14 @@ apisix:
nameOverride: ""
fullnameOverride: ""
+serviceAccount:
+ create: false
+ annotations: {}
+ name: ""
+
+rbac:
+ create: false
+
gateway:
type: NodePort
# If you want to keep the client source IP, you can set this to Local.
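Review bot: The new `serviceAccount` and `rbac` keys carry no comments, unlike the surrounding sections, so an operator flipping `rbac.create` cannot tell from values.yaml that it creates a cluster-scoped ClusterRole and ClusterRoleBinding granting list/watch on Endpoints in every namespace. Suggest `# Create a dedicated ServiceAccount for the gateway pods; when false, the "default" ServiceAccount (or .serviceAccount.name) is used` above `create`, `# Name of the ServiceAccount the gateway pods run as; leave empty to let the chart choose` above `name`, and `# Create a ClusterRole/ClusterRoleBinding letting that ServiceAccount list and watch Endpoints cluster-wide (required by discovery.registry.kubernetes)` above `rbac.create`. Putting the security consequence at the switch itself is more useful than only in the discovery section further down.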
@@ -191,6 +199,7 @@ nginx:
workerConnections: "10620"
workerProcesses: auto
enableCPUAffinity: true
+ envs: []
# APISIX plugins to be enabled
plugins:
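Review bot: `envs: []` lands in the `nginx` section with no comment, and the only explanation of what it does is in the discovery commentary far below; a one-liner here, `# Environment variables to pass through to the nginx worker processes (rendered into the configmap's envs list; see https://nginx.org/en/docs/ngx_core_module.html#env)`, tells a reader why a gateway chart exposes nginx's env whitelist at all. Since only listed variables reach the workers, it is also worth noting that values such as `KUBERNETES_SERVICE_HOST` must be added explicitly when Kubernetes discovery is enabled.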
@@ -288,15 +297,17 @@ extraVolumeMounts: []
discovery:
enabled: false
- registry:
+ registry: {}
# Integration service discovery registry. E.g eureka\dns\nacos\consul_kv
# reference:
- # https://apisix.apache.org/docs/apisix/discovery#configuration-for-eureka
- # https://apisix.apache.org/docs/apisix/discovery/dns#service-discovery-via-dns
- # https://apisix.apache.org/docs/apisix/discovery/consul_kv#configuration-for-consul-kv
- # https://apisix.apache.org/docs/apisix/discovery/nacos#configuration-for-nacos
+ # https://apisix.apache.org/docs/apisix/discovery/#configuration-for-eureka
+ # https://apisix.apache.org/docs/apisix/discovery/dns/#service-discovery-via-dns
+ # https://apisix.apache.org/docs/apisix/discovery/consul_kv/#configuration-for-consul-kv
+ # https://apisix.apache.org/docs/apisix/discovery/nacos/#configuration-for-nacos
+ # https://apisix.apache.org/docs/apisix/discovery/kubernetes/#configuration
#
# an eureka example:
+ # ```
# eureka:
# host:
# - "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
@@ -308,6 +319,23 @@ discovery:
# connect: 2000
# send: 2000
# read: 5000
+ # ```
+ #
+ # the minimal Kubernetes example:
+ # ```
+ # kubernetes: {}
+ # ```
+ #
+ # The prerequisites for the above minimal Kubernetes example:
+ # 1. [Optional] Set `.serviceAccount.create` to `true` to create a dedicated ServiceAccount.
+ # It is recommended to do so, otherwise the default ServiceAccount "default" will be used.
+ # 2. [Required] Set `.rbac.create` to `true` to create and bind the necessary RBAC resources.
+ # This grants the ServiceAccount in use to List-Watch Kubernetes Endpoints resources.
+ # 3. [Required] Include the following environment variables in `.nginx.envs` to pass them into
+ # nginx worker processes (https://nginx.org/en/docs/ngx_core_module.html#env):
+ # - KUBERNETES_SERVICE_HOST
+ # - KUBERNETES_SERVICE_PORT
+ # This is for allowing the default `host` and `port` of `.discovery.registry.kubernetes.service`.
# access log and error log configuration
logs:
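Review bot: Step 2 of the prerequisites understates what `.rbac.create` does: the grant is cluster-wide, and when step 1 is skipped it lands on the `default` ServiceAccount and is therefore shared with every pod that uses it. Suggest replacing the two lines of step 2 with `# 2. [Required] Set \`.rbac.create\` to \`true\` to create a ClusterRole/ClusterRoleBinding that lets the ServiceAccount in use list and watch Endpoints in every namespace.` and `#    If \`.serviceAccount.create\` is false, that permission is attached to the "default" ServiceAccount and inherited by every other pod running under it.` The closing sentence of step 3 is also hard to parse; `# These let the default \`host\` and \`port\` of \`.discovery.registry.kubernetes.service\` be read from the environment inside the worker processes.` states the reason directly. The enclosing `discovery` mapping begins before this hunk.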