diff --git a/charts/backingservices/charts/constellation-messaging/README.md b/charts/backingservices/charts/constellation-messaging/README.md
index f8cce4735..5192a8c7d 100644
--- a/charts/backingservices/charts/constellation-messaging/README.md
+++ b/charts/backingservices/charts/constellation-messaging/README.md
@@ -39,6 +39,7 @@ Complete information on the design of the service including architecture, scalab
 | `ingress.tls.secretName` | Specify the Kubernetes secret you created in which you store your SSL certificate for your deployment. |
 | `ingress.annotations` | Specify additional annotations to add to the ingress. |
 | `ingress.domain` | Specify your custom domain. |
+| `serviceAccount` | Specify the serviceAccount for the deployment. Using `serviceAccount.name` a service account can be specified. Setting `serviceAccount.create` to `true` will also provision the named service account. |
 ```yaml
 enabled: true
diff --git a/charts/backingservices/charts/constellation-messaging/templates/messaging-deployment.yaml b/charts/backingservices/charts/constellation-messaging/templates/messaging-deployment.yaml
index 30cd37a69..0cfd64dfa 100644
--- a/charts/backingservices/charts/constellation-messaging/templates/messaging-deployment.yaml
+++ b/charts/backingservices/charts/constellation-messaging/templates/messaging-deployment.yaml
@@ -23,6 +23,9 @@ spec:
 {{ toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
 spec:
+{{- if (.Values.serviceAccount).name }}
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+{{- end }}
 imagePullSecrets:
 - name: {{ include "backingservicesRegistrySecret" ( dict "root" .Values "defaultname" "constellation-messaging" ) }}
 {{ if .Values.docker.imagePullSecretNames }}
diff --git a/charts/backingservices/charts/constellation-messaging/templates/messaging-sa.yaml b/charts/backingservices/charts/constellation-messaging/templates/messaging-sa.yaml
new file mode 100644
index 000000000..95731793d
--- /dev/null
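Review bot: `serviceAccountName: {{ .Values.serviceAccount.name }}` in the messaging-deployment.yaml hunk renders the value unquoted, while the ServiceAccount manifest added by the same change renders the identical value through `| quote`. A name that YAML parses as a non-string (an all-digit name such as `123` is still a valid DNS-1123 label) therefore yields a ServiceAccount called "123" but a pod spec carrying an integer, which the API server rejects. Use `serviceAccountName: {{ .Values.serviceAccount.name | quote }}` so both ends agree; the same unquoted form appears in the other deployment templates of this change. The pod spec continues outside the hunk.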
+++ b/charts/backingservices/charts/constellation-messaging/templates/messaging-sa.yaml
@@ -0,0 +1,8 @@
+{{- if and (.Values.serviceAccount).create (.Values.serviceAccount).name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.name | quote }}
+ namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
\ No newline at end of file
diff --git a/charts/backingservices/charts/constellation/README.md b/charts/backingservices/charts/constellation/README.md
index 145f7cca7..1310be597 100644
--- a/charts/backingservices/charts/constellation/README.md
+++ b/charts/backingservices/charts/constellation/README.md
@@ -67,6 +67,7 @@ The values.yaml file provides configuration options to define the values for the
 | `docker.constellation.image` | Specify the image version. |
 | `docker.messaging.imagePullPolicy` | Specify the image pull policy configurations for the image. |
 | `serviceAccountName` | Specify a custom [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) for the pods of your deployment. |
+| `serviceAccount` | Alternative way to specify the serviceAccount for the deployment. Using `serviceAccount.name` a service account can be specified. Setting `serviceAccount.create` to `true` will also provision the named service account. |
 | `affinity` | Specify the pod affinity so that pods are restricted to run on particular node(s), or to prefer to run on particular nodes. |
 | `tolerations` | Specify pod tolerations so that it is allowed to run on node(s) with particular taints.
diff --git a/charts/backingservices/charts/constellation/templates/clln-deployment.yaml b/charts/backingservices/charts/constellation/templates/clln-deployment.yaml
index c8cd886e4..ade6db807 100644
--- a/charts/backingservices/charts/constellation/templates/clln-deployment.yaml
+++ b/charts/backingservices/charts/constellation/templates/clln-deployment.yaml
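Review bot: The ServiceAccount emitted by messaging-sa.yaml has a bare `metadata` of name and namespace, with no way to attach annotations or labels and no control over token automount. In practice the main reason to give a workload its own account is to bind a cloud identity, and every major provider does that through an annotation on the ServiceAccount (`eks.amazonaws.com/role-arn`, `iam.gke.io/gcp-service-account`, `azure.workload.identity/client-id`), so `serviceAccount.create: true` cannot be used in those environments and operators end up managing the account outside the chart anyway. Conversely, an account the chart itself provisions for a service that may not need the Kubernetes API at all (I cannot confirm that from here) should be able to opt out of mounting a token. Accept optional `serviceAccount.annotations`, `serviceAccount.labels` and `serviceAccount.automountServiceAccountToken` values and render them as below; the sibling srsservice_sa.yaml and hazelcast templates in this change have the same gap.
```yaml
metadata:
  name: {{ .Values.serviceAccount.name | quote }}
  namespace: {{ .Release.Namespace }}
  {{- with .Values.serviceAccount.labels }}
  labels:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
# … unchanged: document separator and closing end …
```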
@@ -26,7 +26,9 @@ spec:
 {{ toYaml .Values.podAnnotations | nindent 8 }}
 {{- end }}
 spec:
- {{- if .Values.serviceAccountName }}
+ {{- if (.Values.serviceAccount).name }}
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+ {{- else if .Values.serviceAccountName }}
 serviceAccountName: {{ .Values.serviceAccountName }}
 {{- end }}
 {{- if .Values.customerAssetVolumeClaimName }}
diff --git a/charts/backingservices/charts/constellation/templates/clln-sa.yaml b/charts/backingservices/charts/constellation/templates/clln-sa.yaml
new file mode 100644
index 000000000..98fcb6d1c
--- /dev/null
+++ b/charts/backingservices/charts/constellation/templates/clln-sa.yaml
@@ -0,0 +1,12 @@
+{{- if and (.Values.serviceAccount).create (or (.Values.serviceAccount).name .Values.serviceAccountName) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+{{- if (.Values.serviceAccount).name }}
+ name: {{ .Values.serviceAccount.name | quote }}
+{{- else }}
+ name: {{ .Values.serviceAccountName | quote }}
+{{- end }}
+ namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
\ No newline at end of file
diff --git a/charts/backingservices/charts/srs/README.md b/charts/backingservices/charts/srs/README.md
index 1dd01b6f1..be3881742 100644
--- a/charts/backingservices/charts/srs/README.md
+++ b/charts/backingservices/charts/srs/README.md
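Review bot: The clln-deployment.yaml hunk now lets the pod run under a dedicated account, but nothing in the hunk disables token automount, so the Constellation container still receives a projected API token for whatever `serviceAccount.name` or `serviceAccountName` resolves to. If Constellation does not call the Kubernetes API (I cannot confirm that from the visible spec), the least-privilege default for an account this chart provisions is no token at all, exposed as an opt-in value rather than hard-coded: `{{- if hasKey (.Values.serviceAccount | default dict) "automountServiceAccountToken" }}` / `  automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` / `{{- end }}` next to the new `serviceAccountName` lines. The pod spec continues outside the hunk.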
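Review bot: The guard in clln-sa.yaml provisions a ServiceAccount under the legacy `serviceAccountName` whenever `serviceAccount.create` is true and `serviceAccount.name` is unset, which silently changes what that legacy value means: an operator who already points `serviceAccountName` at a pre-existing, RBAC-bound account and later sets `create: true` (for example through a shared values file) renders a manifest for an object the release does not own, and Helm 3 refuses to install or upgrade over a resource that lacks its release-ownership metadata. Either restrict provisioning to the explicit form, `{{- if and (.Values.serviceAccount).create (.Values.serviceAccount).name -}}`, as messaging-sa.yaml and srsservice_sa.yaml in this change already do, or state the coupling in the README row for `serviceAccount`. In both cases add a comment above the guard such as `# Provisions the ServiceAccount only; Role/RoleBinding for it must be managed outside the chart`, since no RBAC is created here.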
@@ -115,6 +115,8 @@ To deploy Pega Platform with the SRS backing service, the SRS helm chart require
 | `k8sProvider` | Specify your Kubernetes provider name. Supported values are [`eks`, `aks`, `minikube`, `gke`, `openshift`, `pks`].
 | `enableSecureCryptoMode` | Set to true if you require a highly secured connection that complies with NIST SP 800-53 and NIST SP 800-131. Otherwise, set to false.
 | `javaOpts` | Use this parameter to configure values for Java options.
+| `serviceAccount` | Specify the serviceAccount for the deployment. Using `serviceAccount.name` a service account can be specified. Setting `serviceAccount.create` to `true` will also provision the named service account. |
+
 ### Enabling security between SRS and Elasticsearch
 Enabling a secure connection between SRS and your Elasticsearch service depends on the method you chose to deploy the Elasticsearch cluster.
diff --git a/charts/backingservices/charts/srs/templates/srsservice_deployment.yaml b/charts/backingservices/charts/srs/templates/srsservice_deployment.yaml
index cab510202..fd883f063 100644
--- a/charts/backingservices/charts/srs/templates/srsservice_deployment.yaml
+++ b/charts/backingservices/charts/srs/templates/srsservice_deployment.yaml
@@ -23,6 +23,9 @@ spec:
 - name: {{ . }}
 {{- end -}}
 {{ end }}
+{{- if (.Values.serviceAccount).name }}
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+{{- end }}
 {{- if .Values.srsRuntime.securityContext }}
 securityContext:
 {{ toYaml .Values.srsRuntime.securityContext | indent 8 }}
diff --git a/charts/backingservices/charts/srs/templates/srsservice_sa.yaml b/charts/backingservices/charts/srs/templates/srsservice_sa.yaml
new file mode 100644
index 000000000..95731793d
--- /dev/null
+++ b/charts/backingservices/charts/srs/templates/srsservice_sa.yaml
@@ -0,0 +1,8 @@
+{{- if and (.Values.serviceAccount).create (.Values.serviceAccount).name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.name | quote }}
+ namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
\ No newline at end of file
diff --git a/charts/pega/README.md b/charts/pega/README.md
index 19cdd044f..8a2e78359 100644
--- a/charts/pega/README.md
+++ b/charts/pega/README.md
@@ -671,7 +671,20 @@ tier:
 ### Service Account
-If the pod needs to be run with a specific [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/), you can specify a custom `serviceAccountName` for your deployment tier.
+If the pod needs to be run with a specific [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/), and the service account also needs to be provisioned, you can specify a custom `serviceAccount` section for your deployment tier.
+
+Example:
+
+```yaml
+tier:
+ - name: my-tier
+ custom:
+ serviceAccount:
+ create: true
+ name: MY_SERVICE_ACCOUNT_NAME
+```
+
+If the pod only needs to be run with a specific service account, you can just specify a custom `serviceAccountName` for your deployment tier.
 Example:
@@ -682,6 +695,8 @@ tier:
 serviceAccountName: MY_SERVICE_ACCOUNT_NAME
 ```
+Specifying serviceAccount.name takes precedence over serviceAccountName.
+
 ### Custom volumes
 You can optionally specify custom `volumes` and `volumeMounts` for your deployment tier. You need to grant read and/or write permissions to the volume location to the Pega user depending on the purpose of the volume. By default, the Pega user UID is 9001.
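Review bot: `{{- if and (.Values.serviceAccount).create (.Values.serviceAccount).name -}}` in srsservice_sa.yaml turns `serviceAccount.create: true` without a `serviceAccount.name` into a silent no-op: nothing is rendered, the SRS pod falls back to the namespace `default` account, and the mistake only shows up later as a permission or identity failure rather than at install time. Fail the render instead by guarding on `create` alone and routing the name through `required`: `{{- if (.Values.serviceAccount).create -}}` and `name: {{ required "serviceAccount.name must be set when serviceAccount.create is true" .Values.serviceAccount.name | quote }}`. The messaging and hazelcast account templates in this change use the same silent guard and would benefit from the same check.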
@@ -1390,6 +1405,16 @@ Example:
 installer:
 serviceAccountName: MY_INSTALLER_SERVICE_ACCOUNT_NAME
 ```
+If you require the helm charts also to provision the service account, you can use the section `serviceAccount` for your job.
+
+Example:
+
+```yaml
+installer:
+ serviceAccount:
+ create: true
+ name: MY_INSTALLER_SERVICE_ACCOUNT_NAME
+```
 ### Installer Custom Volumes and Volume Mounts
 You can specify custom volume and volume mounts for the installer pod.
@@ -1488,6 +1513,8 @@ Parameter | Description
 `hazelcast.password` | Configures the password to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. This parameter configures the password credential in Hazelcast cluster and your Pega nodes so authentication occurs automatically. | `""`
 `hazelcast.external_secret_name` | If you configured a secret in an external secrets operator, enter the secret name. For details, see [this section](#optional-support-for-providing-credentialscertificates-using-external-secrets-operator). | `""`
 `hazelcast.affinity` | Configures policy to assign the pods to the nodes. See the official [Kubernetes Documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). | `""`
+| `hazelcast.serviceAccount` | Specify the serviceAccount for the deployment. Using `serviceAccount.name` a service account can be specified. Setting `serviceAccount.create` to `true` will also provision the named service account. | `""`
+
 #### Example
 ```yaml
diff --git a/charts/pega/charts/hazelcast/templates/clustering-service-deployment.yaml b/charts/pega/charts/hazelcast/templates/clustering-service-deployment.yaml
index fc772f082..32d0bae89 100644
--- a/charts/pega/charts/hazelcast/templates/clustering-service-deployment.yaml
+++ b/charts/pega/charts/hazelcast/templates/clustering-service-deployment.yaml
@@ -22,6 +22,9 @@ spec:
 {{- include "generatedClusteringServicePodAnnotations" . | indent 8 }}
 spec:
 terminationGracePeriodSeconds: {{ .Values.server.graceful_shutdown_max_wait_seconds }}
+{{- if (.Values.serviceAccount).name }}
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+{{- end }}
 {{- if .Values.securityContext }}
 securityContext:
 {{ toYaml .Values.securityContext | indent 8 }}
diff --git a/charts/pega/charts/hazelcast/templates/clustering-service-sa.yaml b/charts/pega/charts/hazelcast/templates/clustering-service-sa.yaml
new file mode 100644
index 000000000..2fede5651
--- /dev/null
+++ b/charts/pega/charts/hazelcast/templates/clustering-service-sa.yaml
@@ -0,0 +1,8 @@
+{{- if and (eq (include "isClusteringServiceEnabled" .) "true") (.Values.serviceAccount).create (.Values.serviceAccount).name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.name | quote }}
+ namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
\ No newline at end of file
diff --git a/charts/pega/charts/hazelcast/templates/pega-hz-deployment.yaml b/charts/pega/charts/hazelcast/templates/pega-hz-deployment.yaml
index 494c116ca..8758819b9 100644
--- a/charts/pega/charts/hazelcast/templates/pega-hz-deployment.yaml
+++ b/charts/pega/charts/hazelcast/templates/pega-hz-deployment.yaml
@@ -21,6 +21,9 @@ spec:
 annotations:
 {{- include "generatedHazelcastServicePodAnnotations" . | indent 8 }}
 spec:
+{{- if (.Values.serviceAccount).name }}
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+{{- end }}
 terminationGracePeriodSeconds: {{ .Values.server.graceful_shutdown_max_wait_seconds }}
 containers:
 - name: hazelcast
diff --git a/charts/pega/charts/hazelcast/templates/pega-hz-sa.yaml b/charts/pega/charts/hazelcast/templates/pega-hz-sa.yaml
new file mode 100644
index 000000000..cf27c2e69
--- /dev/null
+++ b/charts/pega/charts/hazelcast/templates/pega-hz-sa.yaml
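Review bot: clustering-service-sa.yaml creates the account but no Role or RoleBinding, so a freshly provisioned account holds only whatever the cluster grants to every authenticated service account. If the clustering service discovers its peers through the Kubernetes API (the hunks do not show whether it does), that needs at least `get`/`list` on `endpoints` or `pods` in the release namespace, and an operator moving from an externally managed, pre-bound account to `serviceAccount.create: true` loses those permissions without any render-time signal. Add a comment above the guard, e.g. `# Provisions the ServiceAccount only; RBAC needed by the clustering service must be bound to this name outside the chart.`, and repeat the caveat in the `hazelcast.serviceAccount` README row.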
@@ -0,0 +1,8 @@
+{{- if and (eq (include "isHazelcastEnabled" .) "true") (.Values.serviceAccount).create (.Values.serviceAccount).name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.name | quote }}
+ namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
\ No newline at end of file
diff --git a/charts/pega/charts/installer/templates/_pega-installer-job.tpl b/charts/pega/charts/installer/templates/_pega-installer-job.tpl
index fa0a3335f..2c9682f78 100644
--- a/charts/pega/charts/installer/templates/_pega-installer-job.tpl
+++ b/charts/pega/charts/installer/templates/_pega-installer-job.tpl
@@ -41,7 +41,9 @@ spec:
 {{- end }}
 spec:
 shareProcessNamespace: {{ .root.Values.shareProcessNamespace }}
-{{- if .root.Values.serviceAccountName }}
+{{- if (.root.Values.serviceAccount).name }}
+ serviceAccountName: {{ .root.Values.serviceAccount.name }}
+{{- else if .root.Values.serviceAccountName }}
 serviceAccountName: {{ .root.Values.serviceAccountName }}
 {{- end }}
 volumes:
diff --git a/charts/pega/charts/installer/templates/pega-installer-sa.yaml b/charts/pega/charts/installer/templates/pega-installer-sa.yaml
new file mode 100644
index 000000000..531b1fd85
--- /dev/null
+++ b/charts/pega/charts/installer/templates/pega-installer-sa.yaml
@@ -0,0 +1,12 @@
+{{- if and (.Values.serviceAccount).create (or (.Values.serviceAccount).name .Values.serviceAccountName) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+{{- if (.Values.serviceAccount).name }}
+ name: {{ .Values.serviceAccount.name | quote }}
+{{- else if .Values.serviceAccountName }}
+ name: {{ .Values.serviceAccountName | quote}}
+{{- end }}
+ namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
\ No newline at end of file
diff --git a/charts/pega/templates/_pega-deployment.tpl b/charts/pega/templates/_pega-deployment.tpl
index 9bcb4b603..e20b51634 100644
--- a/charts/pega/templates/_pega-deployment.tpl
+++ b/charts/pega/templates/_pega-deployment.tpl
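Review bot: pega-hz-sa.yaml and the clustering-service-sa.yaml added in the same change both render a ServiceAccount from the single `.Values.serviceAccount` of the hazelcast subchart and differ only in the `isHazelcastEnabled` versus `isClusteringServiceEnabled` guard. If those two helpers can both evaluate to `true` in one release (the hunks do not show how they are derived), the release carries two identical ServiceAccount manifests for the same name and namespace, which Helm does not de-duplicate. If the two modes are mutually exclusive, say so above the guard, `# Mutually exclusive with clustering-service-sa.yaml: only one Hazelcast mode is enabled per release`; if they are not, keep a single template guarded by `{{- if and (or (eq (include "isHazelcastEnabled" .) "true") (eq (include "isClusteringServiceEnabled" .) "true")) (.Values.serviceAccount).create (.Values.serviceAccount).name -}}`.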
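Review bot: Style in pega-installer-sa.yaml: `{{ .Values.serviceAccountName | quote}}` drops the space before `}}` that every other action in this change keeps, and the `{{- else if .Values.serviceAccountName }}` branch cannot be skipped because the outer `and … (or … )` guard already guarantees one of the two names is set, so a plain `{{- else }}` (as clln-sa.yaml in this change uses) states the logic more honestly. Helm named templates are global across a chart and its subcharts, so this file could also delegate to the `pega.serviceaccount` helper introduced in `_pega-sa.tpl` instead of repeating the manifest, e.g. `{{ template "pega.serviceaccount" dict "root" . "name" (default .Values.serviceAccountName (.Values.serviceAccount).name) }}`, leaving one place to grow labels or annotations later.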
@@ -73,7 +73,9 @@ spec:
 spec:
 {{- include "generatedDNSConfigAnnotations" .root | indent 6 }}
 {{- if .custom }}
-{{- if .custom.serviceAccountName }}
+{{- if (.custom.serviceAccount).name }}
+ serviceAccountName: {{ .custom.serviceAccount.name }}
+{{- else if .custom.serviceAccountName }}
 serviceAccountName: {{ .custom.serviceAccountName }}
 {{- end }}
 {{- end }}
diff --git a/charts/pega/templates/_pega-sa.tpl b/charts/pega/templates/_pega-sa.tpl
new file mode 100644
index 000000000..04877fb24
--- /dev/null
+++ b/charts/pega/templates/_pega-sa.tpl
@@ -0,0 +1,8 @@
+{{- define "pega.serviceaccount" -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .name | quote }}
+ namespace: {{ .root.Release.Namespace }}
+---
+{{- end -}}
\ No newline at end of file
diff --git a/charts/pega/templates/pega-tier-sa.yaml b/charts/pega/templates/pega-tier-sa.yaml
new file mode 100644
index 000000000..bbbfc4de9
--- /dev/null
+++ b/charts/pega/templates/pega-tier-sa.yaml
@@ -0,0 +1,15 @@
+{{ if (eq (include "performDeployment" $) "true") }}
+{{ $salist := list }}
+{{ range $dep := .Values.global.tier }}
+{{ $saname := "" }}
+{{ if (($dep.custom).serviceAccount).name }}
+{{ $saname = $dep.custom.serviceAccount.name }}
+{{ else if ($dep.custom).serviceAccountName }}
+{{ $saname = $dep.custom.serviceAccountName }}
+{{ end }}
+{{ if and ((($dep.custom).serviceAccount).create) $saname (not (has $saname $salist)) }}
+{{ $salist = append $salist $saname }}
+{{ template "pega.serviceaccount" dict "root" $ "name" $saname }}
+{{ end }}
+{{ end }}
+{{ end }}
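Review bot: `pega.serviceaccount` in _pega-sa.tpl accepts only `root` and `name`, so every account it emits has no labels and no annotations; that makes them invisible to label-based selection and policy, and it blocks the most common reason to want a dedicated account, binding a cloud workload identity, which every major provider expresses as an annotation on the ServiceAccount (`eks.amazonaws.com/role-arn`, `iam.gke.io/gcp-service-account`, `azure.workload.identity/client-id`). Extend the helper's dict with optional `labels` and `annotations` maps rendered under `metadata` as below; the caller in pega-tier-sa.yaml would then pass `"annotations" (($dep.custom).serviceAccount).annotations`. Document the dict keys in a comment above the `define`, e.g. `# Params: root (chart root), name (account name), optional labels / annotations maps`.
```yaml
{{- define "pega.serviceaccount" -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .name | quote }}
  namespace: {{ .root.Release.Namespace }}
  {{- with .labels }}
  labels:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
# … unchanged: document separator and closing end …
```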
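Review bot: The `$salist` de-duplication in pega-tier-sa.yaml only spans `global.tier`; a tier whose `custom.serviceAccount.name` equals the name the installer or hazelcast subchart provisions through its own `serviceAccount.create` (both added in this change) yields two ServiceAccount manifests for one name in the release, and which one Helm ends up applying is not something the chart controls. Whether sharing one account between a tier and the installer is an intended setup I cannot tell from here, but the README examples use distinct names, so at minimum state the contract above the loop: `# De-duplicates across tiers only; do not reuse a tier account name for installer.serviceAccount or hazelcast.serviceAccount with create: true`. Separately, the file uses untrimmed `{{ … }}` actions throughout, so `helm template` output is mostly blank lines when no tier opts in; `{{-`/`-}}` trimming as in the sibling `_pega-sa.tpl` keeps the rendered output readable.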