Helm: add ruler specific service account (#7132)

* Helm: add ruler specific service account Signed-off-by: QuantumEnigmaa <[email protected]> * add suggestions from review Signed-off-by: QuantumEnigmaa <[email protected]> * disable ruler sa by default * add rolebinding to ruler sa Signed-off-by: QuantumEnigmaa <[email protected]> * remove trailing space Signed-off-by: QuantumEnigmaa <[email protected]> * update handling of ruler sa name Signed-off-by: QuantumEnigmaa <[email protected]> * add doc comment for ruler sa name Signed-off-by: QuantumEnigmaa <[email protected]> --------- Signed-off-by: QuantumEnigmaa <[email protected]>
grafana · Feb 8, 2024 · acc6e7e · acc6e7e
1 parent 6ca9b40
commit acc6e7e
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 2 deletions.
diff --git a/operations/helm/charts/mimir-distributed/CHANGELOG.md b/operations/helm/charts/mimir-distributed/CHANGELOG.md
@@ -44,6 +44,7 @@ Entries should include a reference to the Pull Request that introduced the chang
 * [ENHANCEMENT] Add `jaegerReporterMaxQueueSize` Helm value for all components where configuring `JAEGER_REPORTER_MAX_QUEUE_SIZE` makes sense, and override the Jaeger client's default value of 100 for components expected to generate many trace spans. #7068 #7086 #7259
 * [ENHANCEMENT] Rollout-operator: upgraded to v0.10.1. #7125
 * [ENHANCEMENT] Query-frontend: configured `-shutdown-delay`, `-server.grpc.keepalive.max-connection-age` and termination grace period to reduce the likelihood of queries hitting terminated query-frontends. #7129
+* [ENHANCEMENT] Add the possibility to create a dedicated serviceAccount for the `ruler` component by setting `ruler.serivceAcount.create` to true in the values. #7132
 * [ENHANCEMENT] nginx, Gateway: set `proxy_http_version: 1.1` to proxy to HTTP 1.1. #5040
 * [BUGFIX] Metamonitoring: update dashboards to drop unsupported `step` parameter in targets. #7157
 

diff --git a/operations/helm/charts/mimir-distributed/templates/_helpers.tpl b/operations/helm/charts/mimir-distributed/templates/_helpers.tpl
@@ -64,7 +64,7 @@ For compatibility and to support upgrade from enterprise-metrics chart calculate
 {{- end -}}
 
 {{/*
-Create the name of the service account
+Create the name of the general service account
 */}}
 {{- define "mimir.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create -}}
@@ -74,6 +74,20 @@ Create the name of the service account
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create the name of the ruler service account
+*/}}
+{{- define "mimir.ruler.serviceAccountName" -}}
+{{- if and .Values.ruler.serviceAccount.create (eq .Values.ruler.serviceAccount.name "") -}}
+{{- $sa := default (include "mimir.fullname" .) .Values.serviceAccount.name }}
+{{- printf "%s-%s" $sa "ruler" }}
+{{- else if and .Values.ruler.serviceAccount.create (not (eq .Values.ruler.serviceAccount.name "")) -}}
+{{- .Values.ruler.serviceAccount.name -}}
+{{- else -}}
+{{- include "mimir.serviceAccountName" . -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create the app name for clients. Defaults to the same logic as "mimir.fullname", and default client expects "prometheus".
 */}}

diff --git a/operations/helm/charts/mimir-distributed/templates/rolebinding.yaml b/operations/helm/charts/mimir-distributed/templates/rolebinding.yaml
@@ -19,4 +19,8 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "rollout-operator.serviceAccountName" . }}
 {{- end }}
+{{- if .Values.ruler.serviceAccount.create }}
+- kind: ServiceAccount
+  name: {{ template "mimir.ruler.serviceAccountName" . }}
+{{- end }}
 {{- end }}
diff --git a/operations/helm/charts/mimir-distributed/templates/ruler/ruler-dep.yaml b/operations/helm/charts/mimir-distributed/templates/ruler/ruler-dep.yaml
@@ -23,7 +23,7 @@ spec:
         {{- include "mimir.podAnnotations" (dict "ctx" . "component" "ruler") | nindent 8 }}
       namespace: {{ .Release.Namespace | quote }}
     spec:
-      serviceAccountName: {{ template "mimir.serviceAccountName" . }}
+      serviceAccountName: {{ template "mimir.ruler.serviceAccountName" . }}
       {{- if .Values.ruler.priorityClassName }}
       priorityClassName: {{ .Values.ruler.priorityClassName }}
       {{- end }}

diff --git a/operations/helm/charts/mimir-distributed/templates/ruler/ruler-sa.yaml b/operations/helm/charts/mimir-distributed/templates/ruler/ruler-sa.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.ruler.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "mimir.ruler.serviceAccountName" . }}
+  labels:
+    {{- include "mimir.labels" (dict "ctx" .) | nindent 4 }}
+    {{- with .Values.ruler.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- toYaml .Values.ruler.serviceAccount.annotations | nindent 4 }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/operations/helm/charts/mimir-distributed/values.yaml b/operations/helm/charts/mimir-distributed/values.yaml
@@ -1114,6 +1114,17 @@ ruler:
     annotations: {}
     labels: {}
 
+  # -- Dedicated service account for ruler pods.
+  # If not set, the default service account defined at the begining of this file will be used.
+  # This service account can be used even if the default one is not set.
+  serviceAccount:
+    create: false
+    # -- Ruler specific service account name. If not set and create is set to true, the default
+    # name will be the default mimir service account's name with the "-ruler" suffix.
+    name: ""
+    annotations: {}
+    labels: {}
+
   resources:
     requests:
       cpu: 100m