diff --git a/helm/superset/Chart.yaml b/helm/superset/Chart.yaml index 25c81adf6bcbe..36c46fac717a4 100644 --- a/helm/superset/Chart.yaml +++ b/helm/superset/Chart.yaml @@ -22,7 +22,7 @@ maintainers: - name: craig-rueda email: craig@craigrueda.com url: https://github.com/craig-rueda -version: 0.5.1 +version: 0.5.2 dependencies: - name: postgresql version: 10.2.0 diff --git a/helm/superset/templates/_helpers.tpl b/helm/superset/templates/_helpers.tpl index 579fd5a7eae6c..eef1b09c2c409 100644 --- a/helm/superset/templates/_helpers.tpl +++ b/helm/superset/templates/_helpers.tpl @@ -42,6 +42,17 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} +{{/* +Create the name of the service account to use +*/}} +{{- define "superset.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} +{{- default (include "superset.fullname" .) .Values.serviceAccountName -}} +{{- else -}} +{{- default "default" .Values.serviceAccountName -}} +{{- end -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} diff --git a/helm/superset/templates/deployment-worker.yaml b/helm/superset/templates/deployment-worker.yaml index e91601337b212..8a86349cb9068 100644 --- a/helm/superset/templates/deployment-worker.yaml +++ b/helm/superset/templates/deployment-worker.yaml @@ -54,8 +54,8 @@ spec: app: {{ template "superset.name" . }}-worker release: {{ .Release.Name }} spec: - {{- if .Values.serviceAccountName }} - serviceAccountName: {{ .Values.serviceAccountName }} + {{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }} + serviceAccountName: {{ template "superset.serviceAccountName" . }} {{- end }} securityContext: runAsUser: {{ .Values.runAsUser }} diff --git a/helm/superset/templates/deployment.yaml b/helm/superset/templates/deployment.yaml index b5f039481221e..10de683b3b184 100644 --- a/helm/superset/templates/deployment.yaml +++ b/helm/superset/templates/deployment.yaml @@ -57,8 +57,8 @@ spec: app: {{ template "superset.name" . }} release: {{ .Release.Name }} spec: - {{- if .Values.serviceAccountName }} - serviceAccountName: {{ .Values.serviceAccountName }} + {{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }} + serviceAccountName: {{ template "superset.serviceAccountName" . }} {{- end }} securityContext: runAsUser: {{ .Values.runAsUser }} diff --git a/helm/superset/templates/init-job.yaml b/helm/superset/templates/init-job.yaml index d69e83062e405..483ced8d3702b 100644 --- a/helm/superset/templates/init-job.yaml +++ b/helm/superset/templates/init-job.yaml @@ -31,6 +31,9 @@ spec: {{ toYaml .Values.init.podAnnotations | nindent 8 }} {{- end }} spec: + {{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }} + serviceAccountName: {{ template "superset.serviceAccountName" . }} + {{- end }} securityContext: runAsUser: {{ .Values.runAsUser }} {{- if .Values.init.initContainers }} diff --git a/helm/superset/templates/service-account.yaml b/helm/superset/templates/service-account.yaml new file mode 100755 index 0000000000000..dd6084d78fa59 --- /dev/null +++ b/helm/superset/templates/service-account.yaml @@ -0,0 +1,31 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "superset.serviceAccountName" . }} + labels: + app.kubernetes.io/name: {{ include "superset.name" . }} + helm.sh/chart: {{ include "superset.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if semverCompare "> 1.6" .Capabilities.KubeVersion.GitVersion }} + kubernetes.io/cluster-service: "true" + {{- end }} + addonmanager.kubernetes.io/mode: Reconcile +{{- end -}} diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml index 03ddc0d61e4b8..c843fd18cb551 100644 --- a/helm/superset/values.yaml +++ b/helm/superset/values.yaml @@ -25,6 +25,11 @@ replicaCount: 1 # Runn containers as root is not recommended in production. Change this to another UID - e.g. 1000 to be more secure runAsUser: 0 +# Create custom service account for Superset. If create: true and name is not provided, superset.fullname will be used. +# serviceAccountName: superset +serviceAccount: + create: false + # Install additional packages and do any other bootstrap configuration in this script # For production clusters it's recommended to build own image with this step done in CI bootstrapScript: |