Posted to notifications@apisix.apache.org by zh...@apache.org on 2022/09/02 14:11:10 UTC

[apisix-helm-chart] branch master updated: feat: support creating ServiceAccount and RBAC (#278)

This is an automated email from the ASF dual-hosted git repository.

zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-helm-chart.git


The following commit(s) were added to refs/heads/master by this push:
     new 2ebd372  feat: support creating ServiceAccount and RBAC (#278)
2ebd372 is described below

commit 2ebd372eff42ccf3e874cc016f00851e18b1ca79
Author: Lim Zhi Xuan <zh...@gmail.com>
AuthorDate: Fri Sep 2 22:11:04 2022 +0800

    feat: support creating ServiceAccount and RBAC (#278)
    
    Co-authored-by: ZhiXuanLim <zh...@ipa.sige.la>
---
 charts/apisix/templates/_pod.tpl                |  1 +
 charts/apisix/templates/clusterrole.yaml        | 26 +++++++++++++++++
 charts/apisix/templates/clusterrolebinding.yaml | 30 +++++++++++++++++++
 charts/apisix/templates/configmap.yaml          |  6 ++++
 charts/apisix/templates/serviceaccount.yaml     | 29 +++++++++++++++++++
 charts/apisix/values.yaml                       | 38 +++++++++++++++++++++----
 6 files changed, 125 insertions(+), 5 deletions(-)

diff --git a/charts/apisix/templates/_pod.tpl b/charts/apisix/templates/_pod.tpl
index efd85f9..766cb72 100644
--- a/charts/apisix/templates/_pod.tpl
+++ b/charts/apisix/templates/_pod.tpl
@@ -12,6 +12,7 @@ spec:
   imagePullSecrets:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+  serviceAccountName: {{ include "apisix.serviceAccountName" . }}
   securityContext: {{- toYaml .Values.podSecurityContext | nindent 4 }}
   containers:
     - name: {{ .Chart.Name }}
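Review bot: Setting `serviceAccountName` on L40 for every pod also means that account's API token is projected into the APISIX containers unconditionally, while the only consumer this commit introduces is the optional Kubernetes discovery backend (`discovery.enabled` stays `false` by default), so a gateway that never talks to the API server still carries a bearer token readable from `/var/run/secrets/kubernetes.io/serviceaccount` by anyone who compromises a worker. I would expose `serviceAccount.automountServiceAccountToken` in values.yaml and render it next to this line, `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}`, keeping `true` as the shipped default so existing deployments are unchanged but documenting that it should be `false` whenever `discovery.registry.kubernetes` is not used. The `apisix.serviceAccountName` helper included here is not among the files in the diffstat, so I am assuming it already exists in `_helpers.tpl`; it is worth confirming that `helm template` renders with `serviceAccount.create=false` and `serviceAccount.name=""`. The enclosing pod `spec` starts and ends outside this hunk.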
diff --git a/charts/apisix/templates/clusterrole.yaml b/charts/apisix/templates/clusterrole.yaml
new file mode 100644
index 0000000..3f31216
--- /dev/null
+++ b/charts/apisix/templates/clusterrole.yaml
@@ -0,0 +1,26 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "apisix.fullname" . }}
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["list", "watch"]
+{{- end }}
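Review bot: The ClusterRole on L67-L74 carries no labels, while serviceaccount.yaml in this same commit includes `apisix.labels`; adding `labels:` with `{{- include "apisix.labels" . | nindent 4 }}` under `metadata` keeps the cluster-scoped objects selectable and attributable to the release like the rest of the chart. On the grant itself, list/watch on core `endpoints` through a ClusterRole lets the gateway enumerate the backend addresses of every Service in every namespace; if the Kubernetes discovery backend referenced in the values comments can be limited to selected namespaces (I cannot confirm that from this diff), a namespaced Role/RoleBinding option would be the least-privilege choice for single-namespace installs. A one-line comment above `rules:` such as `# cluster-wide read of Endpoints is required by discovery.registry.kubernetes; nothing else is granted` would make the scope explicit to whoever flips `rbac.create`.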
diff --git a/charts/apisix/templates/clusterrolebinding.yaml b/charts/apisix/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..47b5057
--- /dev/null
+++ b/charts/apisix/templates/clusterrolebinding.yaml
@@ -0,0 +1,30 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "apisix.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "apisix.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "apisix.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
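Review bot: When `rbac.create` is true but `serviceAccount.create` is left at its default of false, the subject on L104-L106 resolves to whatever `apisix.serviceAccountName` returns for an account that is not created — per the values comment in this commit that is the namespace's `default` ServiceAccount — so the cluster-wide endpoints read grant lands on every pod in the namespace that has no explicit `serviceAccountName`, not just APISIX. I would either gate the binding on both flags, `{{- if and .Values.rbac.create .Values.serviceAccount.create }}`, or keep the current condition and add a comment above it warning that with `serviceAccount.create=false` this binds the role to the shared default account. Separately, ClusterRoleBinding is cluster-scoped but is named only by `apisix.fullname` on L102, so two releases with the same name in different namespaces collide; including the namespace, e.g. `name: {{ include "apisix.fullname" . }}-{{ .Release.Namespace }}`, avoids that (the ClusterRole referenced on L109 would need the same treatment). The `apisix.serviceAccountName` helper is not in the diffstat, so I am assuming it already exists in `_helpers.tpl`.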
diff --git a/charts/apisix/templates/configmap.yaml b/charts/apisix/templates/configmap.yaml
index ee78a14..50ba24c 100644
--- a/charts/apisix/templates/configmap.yaml
+++ b/charts/apisix/templates/configmap.yaml
@@ -170,6 +170,12 @@ data:
       worker_rlimit_nofile: {{ default "20480" .Values.nginx.workerRlimitNofile }}     # the number of files a worker process can open, should be larger than worker_connections
       event:
         worker_connections: {{ default "10620" .Values.nginx.workerConnections  }}
+      {{- with .Values.nginx.envs }}
+      envs:
+      {{- range $env := . }}
+        - {{ $env }}
+      {{- end }}
+      {{- end }}
       http:
         enable_access_log: {{ .Values.logs.enableAccessLog }}
         {{- if .Values.logs.enableAccessLog }}
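Review bot: The `envs` entries on L123 are rendered unquoted into a config.yaml that APISIX parses again as YAML, so an entry that YAML types implicitly (an all-digit name, or anything containing ` #` or `: `) would be re-typed or break the rendered file before APISIX sees it; `- {{ $env | quote }}` keeps every entry a plain string. Because these names are what gets whitelisted into the nginx worker environment, a comment above the block such as `# variable *names* passed through to nginx workers; KUBERNETES_SERVICE_HOST/PORT are needed by discovery.registry.kubernetes` would tell the reader why the list exists without a trip to values.yaml. The surrounding `nginx_config` mapping starts and ends outside this hunk.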
diff --git a/charts/apisix/templates/serviceaccount.yaml b/charts/apisix/templates/serviceaccount.yaml
new file mode 100644
index 0000000..db33356
--- /dev/null
+++ b/charts/apisix/templates/serviceaccount.yaml
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "apisix.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "apisix.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
index 5cff5eb..81043e8 100644
--- a/charts/apisix/values.yaml
+++ b/charts/apisix/values.yaml
@@ -121,6 +121,14 @@ apisix:
 nameOverride: ""
 fullnameOverride: ""
 
+serviceAccount:
+  create: false
+  annotations: {}
+  name: ""
+
+rbac:
+  create: false
+
 gateway:
   type: NodePort
   # If you want to keep the client source IP, you can set this to Local.
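Review bot: The new `serviceAccount` and `rbac` keys on L172-L178 have no comments, unlike the surrounding values, and what `rbac.create` actually does is non-obvious from the name: it creates a ClusterRole with cluster-wide list/watch on Endpoints and binds it to the account named by `serviceAccount.name`, or to the namespace's `default` ServiceAccount when `serviceAccount.create` is false. I would add above `rbac:` the comment `# Creates a ClusterRole/ClusterRoleBinding granting cluster-wide list/watch on Endpoints to the ServiceAccount above (only needed for discovery.registry.kubernetes). With serviceAccount.create=false the binding targets the namespace's default ServiceAccount.` and above `serviceAccount:` a line noting that `name` is used as-is when `create` is false. These are the only two flags in the chart that widen what the pod can do against the API server, so they deserve more explanation than the purely cosmetic keys around them.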
@@ -191,6 +199,7 @@ nginx:
   workerConnections: "10620"
   workerProcesses: auto
   enableCPUAffinity: true
+  envs: []
 
 # APISIX plugins to be enabled
 plugins:
@@ -288,15 +297,17 @@ extraVolumeMounts: []
 
 discovery:
   enabled: false
-  registry:
+  registry: {}
     # Integration service discovery registry. E.g eureka\dns\nacos\consul_kv
     # reference:
-    # https://apisix.apache.org/docs/apisix/discovery#configuration-for-eureka
-    # https://apisix.apache.org/docs/apisix/discovery/dns#service-discovery-via-dns
-    # https://apisix.apache.org/docs/apisix/discovery/consul_kv#configuration-for-consul-kv
-    # https://apisix.apache.org/docs/apisix/discovery/nacos#configuration-for-nacos
+    # https://apisix.apache.org/docs/apisix/discovery/#configuration-for-eureka
+    # https://apisix.apache.org/docs/apisix/discovery/dns/#service-discovery-via-dns
+    # https://apisix.apache.org/docs/apisix/discovery/consul_kv/#configuration-for-consul-kv
+    # https://apisix.apache.org/docs/apisix/discovery/nacos/#configuration-for-nacos
+    # https://apisix.apache.org/docs/apisix/discovery/kubernetes/#configuration
     #
     # an eureka example:
+    # ```
     # eureka:
     #   host:
     #     - "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
@@ -308,6 +319,23 @@ discovery:
     #     connect: 2000
     #     send: 2000
     #     read: 5000
+    # ```
+    #
+    # the minimal Kubernetes example:
+    # ```
+    # kubernetes: {}
+    # ```
+    #
+    # The prerequisites for the above minimal Kubernetes example:
+    #  1. [Optional] Set `.serviceAccount.create` to `true` to create a dedicated ServiceAccount.
+    #     It is recommended to do so, otherwise the default ServiceAccount "default" will be used.
+    #  2. [Required] Set `.rbac.create` to `true` to create and bind the necessary RBAC resources.
+    #     This grants the ServiceAccount in use to List-Watch Kubernetes Endpoints resources.
+    #  3. [Required] Include the following environment variables in `.nginx.envs` to pass them into
+    #     nginx worker processes (https://nginx.org/en/docs/ngx_core_module.html#env):
+    #      - KUBERNETES_SERVICE_HOST
+    #      - KUBERNETES_SERVICE_PORT
+    #     This is for allowing the default `host` and `port` of `.discovery.registry.kubernetes.service`.
 
 # access log and error log configuration
 logs:
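Review bot: Labelling the dedicated ServiceAccount "[Optional]" on L226 while the RBAC step is "[Required]" on L228 steers users into exactly the configuration where the ClusterRole gets bound to the namespace's shared `default` account; I would change L226-L227 to `#  1. [Recommended] Set `.serviceAccount.create` to `true` to create a dedicated ServiceAccount.` followed by `#     Otherwise step 2 binds the Endpoints read permission to the namespace's "default" ServiceAccount, i.e. to every pod in the namespace without an explicit serviceAccountName.` L229 also reads awkwardly ("grants the ServiceAccount in use to List-Watch"); `#     This grants the ServiceAccount in use list/watch access to Endpoints in every namespace.` says the same thing and makes the cluster-wide scope explicit. The `discovery.registry` mapping these comments sit under begins outside this hunk.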