From ba6da8941666a2758cb75bde8c7324c42990d566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Thu, 16 Mar 2023 08:50:12 +0100
Subject: [PATCH] fix: add annotations support for all SA in helm chart (#6585)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
---
 charts/kyverno/README.md | 3 +++
 .../background-controller/serviceaccount.yaml | 6 +++++-
 .../templates/cleanup-controller/serviceaccount.yaml | 4 ++++
 .../templates/reports-controller/serviceaccount.yaml | 6 +++++-
 charts/kyverno/values.yaml | 12 ++++++++++++
 5 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index b3746b9580..ed5710a14e 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -292,6 +292,7 @@ The command removes all the Kubernetes components associated with the chart and
 | cleanupController.enabled | bool | `true` | Enable cleanup controller. |
 | cleanupController.rbac.create | bool | `true` | Create RBAC resources |
 | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
+| cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
 | cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
 | cleanupController.image.registry | string | `"ghcr.io"` | Image registry |
@@ -350,6 +351,7 @@ The command removes all the Kubernetes components associated with the chart and
 | reportsController.enabled | bool | `true` | Enable reports controller. |
 | reportsController.rbac.create | bool | `true` | Create RBAC resources |
 | reportsController.rbac.serviceAccount.name | string | `nil` | Service account name |
+| reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
 | reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | reportsController.image.registry | string | `"ghcr.io"` | Image registry |
 | reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository |
@@ -400,6 +402,7 @@ The command removes all the Kubernetes components associated with the chart and
 | backgroundController.enabled | bool | `true` | Enable background controller. |
 | backgroundController.rbac.create | bool | `true` | Create RBAC resources |
 | backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name |
+| backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
 | backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | backgroundController.image.registry | string | `nil` | Image registry |
 | backgroundController.image.repository | string | `"ghcr.io/kyverno/background-controller"` | Image repository |
diff --git a/charts/kyverno/templates/background-controller/serviceaccount.yaml b/charts/kyverno/templates/background-controller/serviceaccount.yaml
index 067add7a96..b291b7e9ab 100644
--- a/charts/kyverno/templates/background-controller/serviceaccount.yaml
+++ b/charts/kyverno/templates/background-controller/serviceaccount.yaml
@@ -4,8 +4,12 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ template "kyverno.background-controller.serviceAccountName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
 labels:
 {{- include "kyverno.background-controller.labels" . | nindent 4 }}
- namespace: {{ template "kyverno.namespace" . }}
+ {{- with .Values.backgroundController.rbac.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml b/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml
index d054d1880f..a20a186446 100644
--- a/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml
+++ b/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml
@@ -7,5 +7,9 @@ metadata:
 namespace: {{ template "kyverno.namespace" . }}
 labels:
 {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
+ {{- with .Values.cleanupController.rbac.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/kyverno/templates/reports-controller/serviceaccount.yaml b/charts/kyverno/templates/reports-controller/serviceaccount.yaml
index 8ae1bbbffe..44ddeda447 100644
--- a/charts/kyverno/templates/reports-controller/serviceaccount.yaml
+++ b/charts/kyverno/templates/reports-controller/serviceaccount.yaml
@@ -4,8 +4,12 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
 labels:
 {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
- namespace: {{ template "kyverno.namespace" . }}
+ {{- with .Values.reportsController.rbac.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index cab392423d..086a4ce250 100644
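Review bot: The new `with` block in the background-controller template (and the identical blocks in the cleanup-controller and reports-controller hunks) passes the values map through `toYaml` unchanged, so an unquoted `true` or `123` in values renders as a YAML boolean or number, and the API server rejects the ServiceAccount because annotation values must be strings. I would either render each pair inside a `range` as `{{ $k }}: {{ $v | quote }}`, or state in the values comment that every annotation value must be a quoted string. The enclosing `if` blocks open above each hunk, so the conditions under which the ServiceAccount is rendered at all are not visible here.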
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -548,6 +548,10 @@ cleanupController:
 # -- Service account name
 name:
+ # -- Annotations for the ServiceAccount
+ annotations: {}
+ # example.com/annotation: value
+
 clusterRole:
 # -- Extra resource permissions to add in the cluster role
 extraResources: []
@@ -792,6 +796,10 @@ reportsController:
 # -- Service account name
 name:
+ # -- Annotations for the ServiceAccount
+ annotations: {}
+ # example.com/annotation: value
+
 clusterRole:
 # -- Extra resource permissions to add in the cluster role
 extraResources: []
@@ -1024,6 +1032,10 @@ backgroundController:
 # -- Service account name
 name:
+ # -- Annotations for the ServiceAccount
+ annotations: {}
+ # example.com/annotation: value
+
 clusterRole:
 # -- Extra resource permissions to add in the cluster role
 extraResources: []
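Review bot: The comment `# -- Annotations for the ServiceAccount` added under `cleanupController` (and again under `reportsController` and `backgroundController`) does not say that ServiceAccount annotations are what cloud workload-identity integrations read to attach an IAM role to pods using the account, which makes this value privilege-relevant rather than cosmetic. I would extend it to something like `# -- Annotations for the ServiceAccount (for example a workload identity binding; scope the bound role to what this controller needs)`. The README rows added in this commit carry the same wording, so they would need the same update.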