diff --git a/apm-server/README.md b/apm-server/README.md index 11ba26a75..883f16d75 100644 --- a/apm-server/README.md +++ b/apm-server/README.md @@ -130,6 +130,7 @@ as a reference. They are also used in the automated testing of this chart. | `resources` | Allows you to set the [resources][] for the `Deployment` | see [values.yaml][] | | `secretMounts` | Allows you easily mount a secret as a file inside the `Deployment`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | | `serviceAccount` | Custom [serviceAccount][] that APM Server will use during execution. By default will use the `serviceAccount` created by this chart | `""` | +| `serviceAccountAnnotations` | Annotations to be added to the ServiceAccount that is created by this chart. | `{}` | `service` | Configurable [service][] to expose the APM Server service. See [values.yaml][] for an example | see [values.yaml][] | | `terminationGracePeriod` | Termination period (in seconds) to wait before killing APM Server pod process on pod shutdown | `30` | | `tolerations` | Configurable [tolerations][] | `[]` | diff --git a/apm-server/templates/serviceaccount.yaml b/apm-server/templates/serviceaccount.yaml index 683838131..c03750aa7 100644 --- a/apm-server/templates/serviceaccount.yaml +++ b/apm-server/templates/serviceaccount.yaml @@ -3,6 +3,10 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "apm.serviceAccount" . }} + annotations: + {{- with .Values.serviceAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: app: "{{ template "apm.fullname" . }}" chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" diff --git a/apm-server/tests/apmserver_test.py b/apm-server/tests/apmserver_test.py index cb89d880e..2ce3b70b1 100644 --- a/apm-server/tests/apmserver_test.py +++ b/apm-server/tests/apmserver_test.py 
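Review bot: The `annotations:` key in apm-server/templates/serviceaccount.yaml sits outside the `with` block, so with the default `serviceAccountAnnotations: {}` the ServiceAccount renders a bare `annotations:` key with a null value. Moving the key inside the guard avoids that for default installs: put `{{- with .Values.serviceAccountAnnotations }}` on the line before `annotations:`, followed by `{{- toYaml . | nindent 4 }}` and `{{- end }}`. The same layout appears in the elasticsearch, filebeat, logstash and metricbeat serviceaccount.yaml hunks, with `.Values.rbac.serviceAccountAnnotations` for elasticsearch and logstash. The template starts above the hunk, so any guard around the whole ServiceAccount is not visible here.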
@@ -258,6 +258,20 @@ def test_adding_pod_labels(): ) +def test_adding_serviceaccount_annotations(): + config = """ +serviceAccountAnnotations: + eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount +""" + r = helm_template(config) + assert ( + r["serviceaccount"][name]["metadata"]["annotations"][ + "eks.amazonaws.com/role-arn" + ] + == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount" + ) + + def test_adding_a_node_selector(): config = """ nodeSelector: diff --git a/apm-server/values.yaml b/apm-server/values.yaml index f05190d8e..23dce1341 100755 --- a/apm-server/values.yaml +++ b/apm-server/values.yaml @@ -110,6 +110,10 @@ resources: # Custom service account override that the pod will use serviceAccount: "" +# Annotations to add to the ServiceAccount that is created if the serviceAccount value isn't set. +serviceAccountAnnotations: {} + # eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount + # A list of secrets and their paths to mount inside the pod secretMounts: [] # - name: elastic-certificate-pem diff --git a/elasticsearch/templates/serviceaccount.yaml b/elasticsearch/templates/serviceaccount.yaml index c85e37554..801d1cf90 100644 --- a/elasticsearch/templates/serviceaccount.yaml +++ b/elasticsearch/templates/serviceaccount.yaml @@ -8,6 +8,10 @@ metadata: {{- else }} name: {{ .Values.rbac.serviceAccountName | quote }} {{- end }} + annotations: + {{- with .Values.rbac.serviceAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} diff --git a/elasticsearch/tests/elasticsearch_test.py b/elasticsearch/tests/elasticsearch_test.py index 87b598e0d..d5f583a18 100755 --- a/elasticsearch/tests/elasticsearch_test.py +++ b/elasticsearch/tests/elasticsearch_test.py 
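Review bot: test_adding_serviceaccount_annotations in apmserver_test.py covers only the case where an annotation is set, so nothing pins what the ServiceAccount looks like when `serviceAccountAnnotations` is left at its default `{}`. Because the template emits the `annotations:` key unconditionally, a second render without the value, checked with `assert not r["serviceaccount"][name]["metadata"].get("annotations")`, would catch a default manifest that unexpectedly carries annotations. The same gap applies to the matching tests in elasticsearch_test.py, filebeat_test.py, logstash_test.py and metricbeat_test.py. `name` and `helm_template` are defined outside the hunk, so confirm that the ServiceAccount is rendered with default values before adding the assertion.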
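Review bot: The comment above `serviceAccountAnnotations` in apm-server/values.yaml gives an `eks.amazonaws.com/role-arn` example without saying what it grants: every pod that runs under this ServiceAccount can obtain credentials for the annotated IAM role. I would extend the comment with a line such as `# The annotated IAM role is usable by every pod running as this ServiceAccount; restrict the role's trust policy to this namespace and ServiceAccount and keep its permissions minimal.` The existing sentence already implies the value has no effect when `serviceAccount` points at a custom account, which is worth keeping. The same addition applies to the filebeat and metricbeat values.yaml hunks.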
@@ -576,6 +576,22 @@ def test_adding_pod_annotations(): ) +def test_adding_serviceaccount_annotations(): + config = """ +rbac: + create: true + serviceAccountAnnotations: + eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount +""" + r = helm_template(config) + assert ( + r["serviceaccount"][uname]["metadata"]["annotations"][ + "eks.amazonaws.com/role-arn" + ] + == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount" + ) + + def test_adding_a_node_selector(): config = """ nodeSelector: diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml index b8a2742ce..0bd6e442e 100755 --- a/elasticsearch/values.yaml +++ b/elasticsearch/values.yaml @@ -96,6 +96,7 @@ volumeClaimTemplate: rbac: create: false + serviceAccountAnnotations: {} serviceAccountName: "" podSecurityPolicy: diff --git a/filebeat/README.md b/filebeat/README.md index 50376e56e..2e7063293 100644 --- a/filebeat/README.md +++ b/filebeat/README.md 
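Review bot: `rbac.serviceAccountAnnotations` is added to elasticsearch/values.yaml without a comment, and this diff has no elasticsearch README hunk, unlike apm-server, filebeat and metricbeat. A short comment would do, for example `# Annotations for the ServiceAccount created when rbac.create is true, e.g. eks.amazonaws.com/role-arn`, together with a README row matching the other charts. The new test sets `rbac.create: true`, which suggests the annotations have no effect otherwise, but that guard is outside the visible template hunk, so confirm it before documenting. The logstash/values.yaml hunk has the same gap.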
@@ -133,6 +133,7 @@ as a reference. They are also used in the automated testing of this chart. | `resources` | Allows you to set the [resources][] for the `DaemonSet` | see [values.yaml][] | | `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | | `serviceAccount` | Custom [serviceAccount][] that Filebeat will use during execution. By default will use the service account created by this chart | `""` | +| `serviceAccountAnnotations` | Annotations to be added to the ServiceAccount that is created by this chart. | `{}` | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Filebeat pod process on pod shutdown | `30` | | `tolerations` | Configurable [tolerations][] | `[]` | | `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually | `RollingUpdate` | diff --git a/filebeat/templates/serviceaccount.yaml b/filebeat/templates/serviceaccount.yaml index f398a58a9..8c0fcc60c 100644 --- a/filebeat/templates/serviceaccount.yaml +++ b/filebeat/templates/serviceaccount.yaml @@ -3,6 +3,10 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "filebeat.serviceAccount" . }} + annotations: + {{- with .Values.serviceAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: app: "{{ template "filebeat.fullname" . }}" chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" diff --git a/filebeat/tests/filebeat_test.py b/filebeat/tests/filebeat_test.py index a3eaff7c4..7c8dc0ad0 100644 --- a/filebeat/tests/filebeat_test.py +++ b/filebeat/tests/filebeat_test.py 
@@ -296,6 +296,20 @@ def test_adding_pod_labels(): ) +def test_adding_serviceaccount_annotations(): + config = """ +serviceAccountAnnotations: + eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount +""" + r = helm_template(config) + assert ( + r["serviceaccount"][name]["metadata"]["annotations"][ + "eks.amazonaws.com/role-arn" + ] + == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount" + ) + + def test_adding_a_node_selector(): config = """ nodeSelector: diff --git a/filebeat/values.yaml b/filebeat/values.yaml index 5118993bd..c2b812f1e 100755 --- a/filebeat/values.yaml +++ b/filebeat/values.yaml @@ -110,6 +110,10 @@ resources: # Custom service account override that the pod will use serviceAccount: "" +# Annotations to add to the ServiceAccount that is created if the serviceAccount value isn't set. +serviceAccountAnnotations: {} + # eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount + # A list of secrets and their paths to mount inside the pod # This is useful for mounting certificates for security other sensitive values secretMounts: [] diff --git a/logstash/templates/serviceaccount.yaml b/logstash/templates/serviceaccount.yaml index 8302d1403..4508878b8 100644 --- a/logstash/templates/serviceaccount.yaml +++ b/logstash/templates/serviceaccount.yaml @@ -8,6 +8,10 @@ metadata: {{- else }} name: {{ .Values.rbac.serviceAccountName | quote }} {{- end }} + annotations: + {{- with .Values.rbac.serviceAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: app: "{{ template "logstash.fullname" . }}" chart: "{{ .Chart.Name }}" diff --git a/logstash/tests/logstash_test.py b/logstash/tests/logstash_test.py index 55d838c1b..07bd7c877 100755 --- a/logstash/tests/logstash_test.py +++ b/logstash/tests/logstash_test.py 
@@ -350,6 +350,22 @@ def test_adding_pod_annotations(): ) +def test_adding_serviceaccount_annotations(): + config = """ +rbac: + create: true + serviceAccountAnnotations: + eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount +""" + r = helm_template(config) + assert ( + r["serviceaccount"][name]["metadata"]["annotations"][ + "eks.amazonaws.com/role-arn" + ] + == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount" + ) + + def test_adding_a_node_selector(): config = """ nodeSelector: diff --git a/logstash/values.yaml b/logstash/values.yaml index 9911fada2..74db65794 100755 --- a/logstash/values.yaml +++ b/logstash/values.yaml @@ -70,6 +70,7 @@ volumeClaimTemplate: rbac: create: false + serviceAccountAnnotations: {} serviceAccountName: "" podSecurityPolicy: diff --git a/metricbeat/README.md b/metricbeat/README.md index f4b59c5c9..7c99da98a 100644 --- a/metricbeat/README.md +++ b/metricbeat/README.md @@ -146,6 +146,7 @@ as a reference. They are also used in the automated testing of this chart. | `readinessProbe` | Parameters to pass to readiness [probe][] checks for values such as timeouts and thresholds | see [values.yaml][] | | `replicas` | The replica count for the Metricbeat deployment talking to kube-state-metrics | `1` | | `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart | `""` | +| `serviceAccountAnnotations` | Annotations to be added to the ServiceAccount that is created by this chart. | `{}` | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Metricbeat pod process on pod shutdown | `30` | | `updateStrategy` | The [updateStrategy][] for the DaemonSet By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually | `RollingUpdate` | 
diff --git a/metricbeat/templates/serviceaccount.yaml b/metricbeat/templates/serviceaccount.yaml index 233064669..227534fa2 100644 --- a/metricbeat/templates/serviceaccount.yaml +++ b/metricbeat/templates/serviceaccount.yaml @@ -3,6 +3,10 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "metricbeat.serviceAccount" . }} + annotations: + {{- with .Values.serviceAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: app: "{{ template "metricbeat.fullname" . }}" chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index 1e0e407d2..fae116de9 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py @@ -975,6 +975,20 @@ def test_adding_pod_labels(): ) +def test_adding_serviceaccount_annotations(): + config = """ +serviceAccountAnnotations: + eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount +""" + r = helm_template(config) + assert ( + r["serviceaccount"][name]["metadata"]["annotations"][ + "eks.amazonaws.com/role-arn" + ] + == "arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount" + ) + + def test_adding_env_from(): config = """ daemonset: diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index 59b032395..e8016ac52 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml @@ -224,6 +224,10 @@ podAnnotations: {} # Custom service account override that the pod will use serviceAccount: "" +# Annotations to add to the ServiceAccount that is created if the serviceAccount value isn't set. +serviceAccountAnnotations: {} + # eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/k8s.clustername.namespace.serviceaccount + # How long to wait for metricbeat pods to stop gracefully terminationGracePeriod: 30