Fabian Schneider (2403d8b1) at 10 Mar 19:03
Add unit tests for ServiceAccount, Role and RoleBinding
... and 259 more commits
Sure, I can continue working on this. Seems like the changes would still work, but to be sure I'll rebase the branch and maybe add some unit tests. After that the MR should be ready for review again.
Fabian Schneider (794f9cd4) at 29 Aug 08:20
Add dedicated ServiceAccount configuration
... and 25 more commits
Adds a new serviceAccount configuration block to allow creation of the ServiceAccount independently from RBAC resources (Role and RoleBinding).
The changes are implemented in a backwards compatible way to prevent breaking changes. However, some config values were deprecated and probably should be removed when moving this Chart to v1.0.0.
If an existing ServiceAccount should be used for the runner (e.g. when using EKS with CDK where ServiceAccounts can be created with a simple construct), rbac.create currently has to be set to false, which would then not create the necessary Role and RoleBinding.
Also, it is currently not possible to define the name of the ServiceAccount when rbac.create=true.
Using a local helm install --dry-run with and without the changes, it is possible to see the diff of the resulting K8s manifests.
I created several "test cases" to validate that the changes work as expected:
rm -f 1.yaml 2.yaml
git checkout main
helm install --dry-run gitlab-runner . > 1.yaml
git checkout service-account-configuration
helm install --dry-run gitlab-runner . > 2.yaml
diff -u 1.yaml 2.yaml
Result
No Changes
rm -f 1.yaml 2.yaml
git checkout main
helm install --dry-run --set rbac.create=true --set serviceAccount.create=true gitlab-runner . > 1.yaml
git checkout service-account-configuration
helm install --dry-run --set rbac.create=true --set serviceAccount.create=true gitlab-runner . > 2.yaml
diff -u 1.yaml 2.yaml
Result
Only quote changes
--- 1.yaml 2023-07-09 20:22:18
+++ 2.yaml 2023-07-09 20:22:18
@@ -11,7 +11,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
- name: gitlab-runner
+ name: "gitlab-runner"
namespace: "default"
labels:
app: gitlab-runner
@@ -178,7 +178,7 @@
name: gitlab-runner
subjects:
- kind: ServiceAccount
- name: gitlab-runner
+ name: "gitlab-runner"
namespace: "default"
---
# Source: gitlab-runner/templates/deployment.yaml
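Review bot: In this hunk the subject's `name` is now rendered quoted, but the unchanged `name: gitlab-runner` line just above `subjects:` stays unquoted, so the same object mixes both styles. Consider quoting that value in the template as well, so that later diffs of rendered output stay free of quoting noise.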
@@ -213,7 +213,7 @@
fsGroup: 65533
runAsUser: 100
terminationGracePeriodSeconds: 3600
- serviceAccountName: gitlab-runner
+ serviceAccountName: "gitlab-runner"
containers:
- name: gitlab-runner
image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine-bleeding
rm -f 1.yaml 2.yaml
git checkout main
helm install --dry-run --set rbac.create=true gitlab-runner . > 1.yaml
git checkout service-account-configuration
helm install --dry-run --set rbac.create=true gitlab-runner . > 2.yaml
diff -u 1.yaml 2.yaml
Result
Only additional note with deprecation warning
--- 1.yaml 2023-07-09 20:24:45
+++ 2.yaml 2023-07-09 20:24:45
@@ -300,3 +300,9 @@
gitlab/gitlab-runner
Runner namespace "default" was found in runners.config template.
+
+#############################################################################################
+## WARNING: You enabled `rbac` without specifying if a service account should be created. ##
+## Please set `serviceAccount.create` to either `true` or `false`. ##
+## For backwards compatibility a service account will be created. ##
+#############################################################################################
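Review bot: The added warning says "You enabled `rbac`", but the value the user set is `rbac.create`; naming the exact key would match how the next line names `serviceAccount.create`. The hunk shows this notice only in the post-install notes, so if it is not already documented, the backwards-compatibility default should also be recorded next to `serviceAccount.create` in the chart's values documentation.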
rm -f 1.yaml 2.yaml
git checkout main
helm install --dry-run --set rbac.serviceAccountName=testServiceAccountName gitlab-runner . > 1.yaml
git checkout service-account-configuration
helm install --dry-run --set rbac.serviceAccountName=testServiceAccountName gitlab-runner . > 2.yaml
diff -u 1.yaml 2.yaml
Result
Only additional note with deprecation warning
--- 1.yaml 2023-07-09 20:26:17
+++ 2.yaml 2023-07-09 20:26:17
@@ -252,3 +252,8 @@
gitlab/gitlab-runner
Runner namespace "default" was found in runners.config template.
+
+#############################################################################################
+## WARNING: You have set the deprecated field `rbac.serviceAccountName`. ##
+## Please use `serviceAccount.name` instead. ##
+#############################################################################################
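Review bot: The value passed in this case, `testServiceAccountName`, contains uppercase letters and is not a valid ServiceAccount name (Kubernetes requires a lowercase DNS subdomain name), and a diff that only touches the notes will not show that. Using a valid name such as `test-sa`, as the later case does, keeps the comparison representative of a real install.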
rm -f 1.yaml 2.yaml
git checkout main
helm install --dry-run --set rbac.create=true --set serviceAccount.create=false gitlab-runner . > 1.yaml
git checkout service-account-configuration
helm install --dry-run --set rbac.create=true --set serviceAccount.create=false gitlab-runner . > 2.yaml
diff -u 1.yaml 2.yaml
Result
ServiceAccount is not being created
--- 1.yaml 2023-07-09 20:27:34
+++ 2.yaml 2023-07-09 20:27:34
@@ -6,18 +6,6 @@
TEST SUITE: None
HOOKS:
MANIFEST:
----
-# Source: gitlab-runner/templates/service-account.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: gitlab-runner
- namespace: "default"
- labels:
- app: gitlab-runner
- chart: gitlab-runner-0.55.0-beta
- release: "gitlab-runner"
- heritage: "Helm"
---
# Source: gitlab-runner/templates/configmap.yaml
apiVersion: v1
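Review bot: With `serviceAccount.create=false` the only change shown is the dropped ServiceAccount; the diff does not show which name the RoleBinding subject and the Deployment's `serviceAccountName` resolve to when no `serviceAccount.name` is given. If they still point at `gitlab-runner`, the chart binds the Role to an account it no longer creates, so it would be worth either requiring `serviceAccount.name` in this mode or stating in the values documentation that the account must already exist in the namespace. A case that sets `serviceAccount.name` together with `rbac.create=true` would cover the existing-account scenario from the description.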
rm -f 1.yaml 2.yaml
git checkout main
helm install --dry-run --set rbac.create=false gitlab-runner . > 1.yaml
git checkout service-account-configuration
helm install --dry-run --set rbac.create=false --set serviceAccount.create=true gitlab-runner . > 2.yaml
diff -u 1.yaml 2.yaml
Result
Only ServiceAccount is being created (no Role and RoleBinding)
--- 1.yaml 2023-07-09 20:28:36
+++ 2.yaml 2023-07-09 20:28:36
@@ -6,6 +6,18 @@
TEST SUITE: None
HOOKS:
MANIFEST:
+---
+# Source: gitlab-runner/templates/service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "gitlab-runner"
+ namespace: "default"
+ labels:
+ app: gitlab-runner
+ chart: gitlab-runner-0.55.0-beta
+ release: "gitlab-runner"
+ heritage: "Helm"
---
# Source: gitlab-runner/templates/configmap.yaml
apiVersion: v1
@@ -165,7 +177,7 @@
fsGroup: 65533
runAsUser: 100
terminationGracePeriodSeconds: 3600
- serviceAccountName: ""
+ serviceAccountName: "gitlab-runner"
containers:
- name: gitlab-runner
image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine-bleeding
rm -f 1.yaml 2.yaml
git checkout main
helm install --dry-run --set rbac.create=false --set rbac.serviceAccountName=test-sa gitlab-runner . > 1.yaml
git checkout service-account-configuration
helm install --dry-run --set rbac.create=false --set serviceAccount.create=true --set serviceAccount.name=test-sa gitlab-runner . > 2.yaml
diff -u 1.yaml 2.yaml
Result
ServiceAccount is created with the specified name
--- 1.yaml 2023-07-09 20:30:43
+++ 2.yaml 2023-07-09 20:30:43
@@ -6,6 +6,18 @@
TEST SUITE: None
HOOKS:
MANIFEST:
+---
+# Source: gitlab-runner/templates/service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "test-sa"
+ namespace: "default"
+ labels:
+ app: gitlab-runner
+ chart: gitlab-runner-0.55.0-beta
+ release: "gitlab-runner"
+ heritage: "Helm"
---
# Source: gitlab-runner/templates/configmap.yaml
apiVersion: v1
rm -f 1.yaml 2.yaml
git checkout main
helm install --dry-run --set rbac.create=true --set rbac.serviceAccountAnnotations.hello=world --set "rbac.imagePullSecrets[0]=secret1" gitlab-runner . > 1.yaml
git checkout service-account-configuration
helm install --dry-run --set rbac.create=true --set rbac.serviceAccountAnnotations.hello=world --set "rbac.imagePullSecrets[0]=secret1" gitlab-runner . > 2.yaml
diff -u 1.yaml 2.yaml
Result
Only additional notes
--- 1.yaml 2023-07-09 20:31:47
+++ 2.yaml 2023-07-09 20:31:47
@@ -304,3 +304,19 @@
gitlab/gitlab-runner
Runner namespace "default" was found in runners.config template.
+
+#############################################################################################
+## WARNING: You enabled `rbac` without specifying if a service account should be created. ##
+## Please set `serviceAccount.create` to either `true` or `false`. ##
+## For backwards compatibility a service account will be created. ##
+#############################################################################################
+
+#############################################################################################
+## WARNING: You have set the deprecated field `rbac.serviceAccountAnnotations`. ##
+## Please use `serviceAccount.annotations` instead. ##
+#############################################################################################
+
+#############################################################################################
+## WARNING: You have set the deprecated field `rbac.imagePullSecrets`. ##
+## Please use `serviceAccount.imagePullSecrets` instead. ##
+#############################################################################################
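Review bot: The two deprecation banners at the end of this hunk name the replacement fields but not when `rbac.serviceAccountAnnotations` and `rbac.imagePullSecrets` stop being honoured. The description mentions removal around v1.0.0; stating the planned removal in the banner text would let users schedule the migration.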
rm -f 1.yaml 2.yaml
git checkout main
helm install --dry-run --set rbac.create=true --set rbac.serviceAccountAnnotations.hello=world --set "rbac.imagePullSecrets[0]=secret1" gitlab-runner . > 1.yaml
git checkout service-account-configuration
helm install --dry-run --set rbac.create=true --set serviceAccount.create=true --set serviceAccount.annotations.hello=world --set "serviceAccount.imagePullSecrets[0]=secret1" gitlab-runner . > 2.yaml
diff -u 1.yaml 2.yaml
Result
Only quote changes
--- 1.yaml 2023-07-09 20:32:57
+++ 2.yaml 2023-07-09 20:32:57
@@ -13,7 +13,7 @@
metadata:
annotations:
hello: "world"
- name: gitlab-runner
+ name: "gitlab-runner"
namespace: "default"
labels:
app: gitlab-runner
@@ -182,7 +182,7 @@
name: gitlab-runner
subjects:
- kind: ServiceAccount
- name: gitlab-runner
+ name: "gitlab-runner"
namespace: "default"
---
# Source: gitlab-runner/templates/deployment.yaml
@@ -217,7 +217,7 @@
fsGroup: 65533
runAsUser: 100
terminationGracePeriodSeconds: 3600
- serviceAccountName: gitlab-runner
+ serviceAccountName: "gitlab-runner"
containers:
- name: gitlab-runner
image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine-bleeding
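An added example, not part of the merge request or the chart: a check over rendered manifests that lists ServiceAccounts which are referenced by a pod spec or a binding subject but not created in the same output, which is the situation `serviceAccount.create=false` produces. The manifests below are constructed samples, the function names are hypothetical, and the matching is regex-based rather than a full YAML parse.

```python
import re

# Constructed sample (not output from the page): RBAC on, no ServiceAccount created.
RENDERED_NO_SA = """\
---
kind: RoleBinding
metadata:
  name: gitlab-runner
subjects:
- kind: ServiceAccount
  name: "gitlab-runner"
---
kind: Deployment
metadata:
  name: gitlab-runner
spec:
  template:
    spec:
      serviceAccountName: "gitlab-runner"
"""

# Constructed ServiceAccount document, as rendered when one is created.
SA_DOC = '---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: "gitlab-runner"\n'

# Optional quotes around a scalar value up to end of line.
VALUE = r'[ \t]*"?([^"\s]*)"?[ \t]*$'

def created_service_accounts(rendered):
    """Names of ServiceAccount objects defined in the rendered manifests."""
    names = set()
    for doc in re.split(r"^---[ \t]*$", rendered, flags=re.M):
        if re.search(r"^kind:[ \t]*ServiceAccount[ \t]*$", doc, re.M):
            m = re.search(r"^  name:" + VALUE, doc, re.M)
            if m:
                names.add(m.group(1))
    return names

def referenced_service_accounts(rendered):
    """Names used by pod specs and by ServiceAccount subjects of bindings."""
    pods = re.findall(r"^[ \t]*serviceAccountName:" + VALUE, rendered, re.M)
    subjects = re.findall(
        r"^[ \t]*-[ \t]*kind:[ \t]*ServiceAccount[ \t]*\n[ \t]+name:" + VALUE,
        rendered, re.M)
    return {n for n in pods + subjects if n}  # "" means the namespace default

def must_preexist(rendered):
    """Referenced accounts that the rendered output does not create itself."""
    return referenced_service_accounts(rendered) - created_service_accounts(rendered)
```

Any name returned by `must_preexist` has to exist in the target namespace before the release is installed.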
Fabian Schneider (5c947fd2) at 09 Jul 18:01
Add dedicated ServiceAccount configuration
@gitlab-org/quality/contributor-success Could you please create a community fork of the GitLab Runner Helm Chart repository?