
Add dedicated ServiceAccount configuration

What does this MR do?

Adds a new serviceAccount configuration block to allow creation of the ServiceAccount independently from RBAC resources (Role and RoleBinding). The changes are implemented in a backwards compatible way to prevent breaking changes. However some config values were deprecated and probably should be removed when moving this Chart to v1.0.0.

Why was this MR needed?

If an existing ServiceAccount should be used for the runner (e.g. when using EKS with CDK where ServiceAccounts can be created with a simple construct), rbac.create currently has to be set to false, which would then not create the necessary Role and RoleBinding. Also it is currently not possible to define the name of the ServiceAccount when rbac.create=true.

What's the best way to test this MR?

Using a local helm install --dry-run with and without the changes, it is possible to see the diff of the resulting K8s manifests. I created several "test cases" to validate that the changes work as expected:

Check changes for default values
rm -f 1.yaml 2.yaml

git checkout main
helm install --dry-run gitlab-runner . > 1.yaml

git checkout service-account-configuration
helm install --dry-run gitlab-runner . > 2.yaml

diff -u 1.yaml 2.yaml

Result

No Changes


Check changes for rbac.create=true and serviceAccount.create=true
rm -f 1.yaml 2.yaml

git checkout main
helm install --dry-run --set rbac.create=true --set serviceAccount.create=true gitlab-runner . > 1.yaml

git checkout service-account-configuration
helm install --dry-run --set rbac.create=true --set serviceAccount.create=true gitlab-runner . > 2.yaml

diff -u 1.yaml 2.yaml

Result

Only quote changes

--- 1.yaml	2023-07-09 20:22:18
+++ 2.yaml	2023-07-09 20:22:18
@@ -11,7 +11,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: gitlab-runner
+  name: "gitlab-runner"
   namespace: "default"
   labels:
     app: gitlab-runner
@@ -178,7 +178,7 @@
   name: gitlab-runner
 subjects:
 - kind: ServiceAccount
-  name: gitlab-runner
+  name: "gitlab-runner"
   namespace: "default"
 ---
 # Source: gitlab-runner/templates/deployment.yaml
@@ -213,7 +213,7 @@
         fsGroup: 65533
         runAsUser: 100
       terminationGracePeriodSeconds: 3600
-      serviceAccountName: gitlab-runner
+      serviceAccountName: "gitlab-runner"
       containers:
       - name: gitlab-runner
         image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine-bleeding

Check changes for rbac.create=true
rm -f 1.yaml 2.yaml

git checkout main
helm install --dry-run --set rbac.create=true gitlab-runner . > 1.yaml

git checkout service-account-configuration
helm install --dry-run --set rbac.create=true gitlab-runner . > 2.yaml

diff -u 1.yaml 2.yaml

Result

Only additional note with deprecation warning

--- 1.yaml	2023-07-09 20:24:45
+++ 2.yaml	2023-07-09 20:24:45
@@ -300,3 +300,9 @@
         gitlab/gitlab-runner
 
 Runner namespace "default" was found in runners.config template.
+
+#############################################################################################
+## WARNING: You enabled `rbac` without specifying if a service account should be created.  ##
+## Please set `serviceAccount.create` to either `true` or `false`.                         ##
+## For backwards compatibility a service account will be created.                          ##
+#############################################################################################

Check changes for rbac.create=false with serviceAccountName set
rm -f 1.yaml 2.yaml

git checkout main
helm install --dry-run --set rbac.serviceAccountName=testServiceAccountName gitlab-runner . > 1.yaml

git checkout service-account-configuration
helm install --dry-run --set rbac.serviceAccountName=testServiceAccountName gitlab-runner . > 2.yaml

diff -u 1.yaml 2.yaml

Result

Only additional note with deprecation warning

--- 1.yaml	2023-07-09 20:26:17
+++ 2.yaml	2023-07-09 20:26:17
@@ -252,3 +252,8 @@
         gitlab/gitlab-runner
 
 Runner namespace "default" was found in runners.config template.
+
+#############################################################################################
+## WARNING: You have set the deprecated field `rbac.serviceAccountName`.                   ##
+## Please use `serviceAccount.name` instead.                                               ##
+#############################################################################################
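Review bot: None of the listed cases sets both the deprecated `rbac.serviceAccountName` and the new `serviceAccount.name`, so it is not verified which of the two ends up in the Deployment's `serviceAccountName` and in the RoleBinding subject. That value decides the identity the runner pod runs as, so a silent fallback to the wrong key would be hard to notice from this warning alone. Add a case with two different names and document the precedence beside the new key in the values file, for example `# If both are set, <winning key> is used; rbac.serviceAccountName is deprecated.`, filling in whichever key the template actually prefers.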

Check changes for rbac.create=true and serviceAccount.create=false
rm -f 1.yaml 2.yaml

git checkout main
helm install --dry-run --set rbac.create=true --set serviceAccount.create=false gitlab-runner . > 1.yaml

git checkout service-account-configuration
helm install --dry-run --set rbac.create=true --set serviceAccount.create=false gitlab-runner . > 2.yaml

diff -u 1.yaml 2.yaml

Result

ServiceAccount is not being created

--- 1.yaml	2023-07-09 20:27:34
+++ 2.yaml	2023-07-09 20:27:34
@@ -6,18 +6,6 @@
 TEST SUITE: None
 HOOKS:
 MANIFEST:
----
-# Source: gitlab-runner/templates/service-account.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: gitlab-runner
-  namespace: "default"
-  labels:
-    app: gitlab-runner
-    chart: gitlab-runner-0.55.0-beta
-    release: "gitlab-runner"
-    heritage: "Helm"
 ---
 # Source: gitlab-runner/templates/configmap.yaml
 apiVersion: v1
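Review bot: With `rbac.create=true` and `serviceAccount.create=false` this diff removes only the ServiceAccount, so the RoleBinding subject and the Deployment's `serviceAccountName` presumably still point at `gitlab-runner`, a name the chart no longer creates. If that account does not exist the runner pod will not be admitted, and the Role stays bound to whichever ServiceAccount is later created under that name in the namespace. Consider requiring `serviceAccount.name` for this combination, for instance with Helm's `required` function, or at least adding a NOTES warning such as `WARNING: serviceAccount.create is false and serviceAccount.name is unset; the Role is bound to a ServiceAccount this chart does not create.` The templates are not shown on this page, so confirm against the rendered RoleBinding before acting on this.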

Check changes for rbac.create=false and serviceAccount.create=true
rm -f 1.yaml 2.yaml

git checkout main
helm install --dry-run --set rbac.create=false gitlab-runner . > 1.yaml

git checkout service-account-configuration
helm install --dry-run --set rbac.create=false --set serviceAccount.create=true gitlab-runner . > 2.yaml

diff -u 1.yaml 2.yaml

Result

Only ServiceAccount is being created (no Role and RoleBinding)

--- 1.yaml	2023-07-09 20:28:36
+++ 2.yaml	2023-07-09 20:28:36
@@ -6,6 +6,18 @@
 TEST SUITE: None
 HOOKS:
 MANIFEST:
+---
+# Source: gitlab-runner/templates/service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "gitlab-runner"
+  namespace: "default"
+  labels:
+    app: gitlab-runner
+    chart: gitlab-runner-0.55.0-beta
+    release: "gitlab-runner"
+    heritage: "Helm"
 ---
 # Source: gitlab-runner/templates/configmap.yaml
 apiVersion: v1
@@ -165,7 +177,7 @@
         fsGroup: 65533
         runAsUser: 100
       terminationGracePeriodSeconds: 3600
-      serviceAccountName: ""
+      serviceAccountName: "gitlab-runner"
       containers:
       - name: gitlab-runner
         image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine-bleeding

Check changes for rbac.create=false and serviceAccount.create=true and serviceAccount.name
rm -f 1.yaml 2.yaml

git checkout main
helm install --dry-run --set rbac.create=false --set rbac.serviceAccountName=test-sa gitlab-runner . > 1.yaml

git checkout service-account-configuration
helm install --dry-run --set rbac.create=false --set serviceAccount.create=true --set serviceAccount.name=test-sa gitlab-runner . > 2.yaml

diff -u 1.yaml 2.yaml

Result

ServiceAccount is created with the specified name

--- 1.yaml	2023-07-09 20:30:43
+++ 2.yaml	2023-07-09 20:30:43
@@ -6,6 +6,18 @@
 TEST SUITE: None
 HOOKS:
 MANIFEST:
+---
+# Source: gitlab-runner/templates/service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "test-sa"
+  namespace: "default"
+  labels:
+    app: gitlab-runner
+    chart: gitlab-runner-0.55.0-beta
+    release: "gitlab-runner"
+    heritage: "Helm"
 ---
 # Source: gitlab-runner/templates/configmap.yaml
 apiVersion: v1

Check (deprecated) ServiceAccount configs
rm -f 1.yaml 2.yaml

git checkout main
helm install --dry-run --set rbac.create=true --set rbac.serviceAccountAnnotations.hello=world --set "rbac.imagePullSecrets[0]=secret1" gitlab-runner . > 1.yaml

git checkout service-account-configuration
helm install --dry-run --set rbac.create=true --set rbac.serviceAccountAnnotations.hello=world --set "rbac.imagePullSecrets[0]=secret1" gitlab-runner . > 2.yaml

diff -u 1.yaml 2.yaml

Result

Only additional notes

--- 1.yaml	2023-07-09 20:31:47
+++ 2.yaml	2023-07-09 20:31:47
@@ -304,3 +304,19 @@
         gitlab/gitlab-runner
 
 Runner namespace "default" was found in runners.config template.
+
+#############################################################################################
+## WARNING: You enabled `rbac` without specifying if a service account should be created.  ##
+## Please set `serviceAccount.create` to either `true` or `false`.                         ##
+## For backwards compatibility a service account will be created.                          ##
+#############################################################################################
+
+#############################################################################################
+## WARNING: You have set the deprecated field `rbac.serviceAccountAnnotations`.            ##
+## Please use `serviceAccount.annotations` instead.                                        ##
+#############################################################################################
+
+#############################################################################################
+## WARNING: You have set the deprecated field `rbac.imagePullSecrets`.                     ##
+## Please use `serviceAccount.imagePullSecrets` instead.                                   ##
+#############################################################################################

Check new ServiceAccount configs
rm -f 1.yaml 2.yaml

git checkout main
helm install --dry-run --set rbac.create=true --set rbac.serviceAccountAnnotations.hello=world --set "rbac.imagePullSecrets[0]=secret1" gitlab-runner . > 1.yaml

git checkout service-account-configuration
helm install --dry-run --set rbac.create=true --set serviceAccount.create=true --set serviceAccount.annotations.hello=world --set "serviceAccount.imagePullSecrets[0]=secret1" gitlab-runner  . > 2.yaml

diff -u 1.yaml 2.yaml

Result

Only quote changes

--- 1.yaml	2023-07-09 20:32:57
+++ 2.yaml	2023-07-09 20:32:57
@@ -13,7 +13,7 @@
 metadata:
   annotations:
     hello: "world"
-  name: gitlab-runner
+  name: "gitlab-runner"
   namespace: "default"
   labels:
     app: gitlab-runner
@@ -182,7 +182,7 @@
   name: gitlab-runner
 subjects:
 - kind: ServiceAccount
-  name: gitlab-runner
+  name: "gitlab-runner"
   namespace: "default"
 ---
 # Source: gitlab-runner/templates/deployment.yaml
@@ -217,7 +217,7 @@
         fsGroup: 65533
         runAsUser: 100
       terminationGracePeriodSeconds: 3600
-      serviceAccountName: gitlab-runner
+      serviceAccountName: "gitlab-runner"
       containers:
       - name: gitlab-runner
         image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine-bleeding

What are the relevant issue numbers?
