[bitnami/external-dns:] Follow Helm rbac best practices

bitnami/external-dns/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: external-dns
-version: 2.24.1
+version: 3.0.0
 appVersion: 0.7.1
 description: ExternalDNS is a Kubernetes addon that configures public DNS servers with information about exposed Kubernetes services to make them discoverable.
 keywords:

bitnami/external-dns/README.md

@@ -180,10 +180,10 @@ The following table lists the configurable parameters of the external-dns chart
 | `service.loadBalancerIP`            | IP address to assign to load balancer (if supported)                                                     | `""`                                                        |
 | `service.loadBalancerSourceRanges`  | List of IP CIDRs allowed access to load balancer (if supported)                                          | `[]`                                                        |
 | `service.annotations`               | Annotations to add to service                                                                            | `{}`                                                        |
+| `serviceAccount.create`             | Determine whether a Service Account should be created or it should reuse a exiting one.                  | `true`                                                      |
+| `serviceAccount.name`               | ServiceAccount to use. A name is generated using the external-dns.fullname template if it is not set     | `nil`                                                       |
+| `serviceAccount.annotations`        | Additional Service Account annotations                                                                   | `{}`                                                        |
 | `rbac.create`                       | Weather to create & use RBAC resources or not                                                            | `true`                                                      |
-| `rbac.serviceAccountCreate`         | Determine whether a Service Account should be created or it should reuse a exiting one.                  | `true`                                                      |
-| `rbac.serviceAccountName`           | ServiceAccount to use. A name is generated using the external-dns.fullname template if it is not set     | `nil`                                                       |
-| `rbac.serviceAccountAnnotations`    | Additional Service Account annotations                                                                   | `{}`                                                        |
 | `rbac.apiVersion`                   | Version of the RBAC API                                                                                  | `v1beta1`                                                   |
 | `rbac.pspEnabled`                   | PodSecurityPolicy                                                                                        | `false`                                                     |
 | `resources`                         | CPU/Memory resource requests/limits.                                                                     | `{}`                                                        |
@@ -262,6 +262,14 @@ $ helm install my-release \
 
 ## Upgrading
 
+### To 3.0.0
+
+- The parameters below are renamed:
+  - `rbac.serviceAccountCreate` -> `serviceAccount.create`
+  - `rbac.serviceAccountName` -> `serviceAccount.name`
+  - `rbac.serviceAccountAnnotations` -> `serviceAccount.annotation`
+- It is now possible to create serviceAccount, clusterRole and clusterRoleBinding manually and give the serviceAccount to the chart.
+
 ### To 2.0.0
 
 Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.

bitnami/external-dns/templates/_helpers.tpl

@@ -578,9 +578,9 @@ external-dns: ovh.applicationSecret
 Return the ExternalDNS service account name
 */}}
 {{- define "external-dns.serviceAccountName" -}}
-{{- if .Values.rbac.serviceAccountName -}}
-    {{- printf "%s" (tpl .Values.rbac.serviceAccountName . ) -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "external-dns.fullname" .) .Values.serviceAccount.name }}
 {{- else -}}
-    {{- printf "%s" (include "external-dns.fullname" . ) -}}
+    {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}

bitnami/external-dns/templates/deployment.yaml

@@ -34,9 +34,7 @@ spec:
       {{- with .Values.tolerations }}
       tolerations: {{ tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
-      {{- if .Values.rbac.create }}
       serviceAccountName: {{ template "external-dns.serviceAccountName" . }}
-      {{- end }}
       {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName | quote }}
       {{- end }}

bitnami/external-dns/templates/serviceaccount.yaml

@@ -1,10 +1,10 @@
-{{- if and .Values.rbac.create .Values.rbac.serviceAccountCreate -}}
+{{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "external-dns.serviceAccountName" . }}
   labels: {{ include "external-dns.labels" . | nindent 4 }}
-  {{- if .Values.rbac.serviceAccountAnnotations }}
-  annotations: {{ toYaml .Values.rbac.serviceAccountAnnotations | nindent 4 }}
+  {{- if .Values.serviceAccount.annotations }}
+  annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
   {{- end }}
 {{- end }}

bitnami/external-dns/values-production.yaml

@@ -13,7 +13,7 @@
 image:
   registry: docker.io
   repository: bitnami/external-dns
-  tag: 0.7.1-debian-10-r54
+  tag: 0.7.1-debian-10-r56
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
   ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -448,24 +448,23 @@ service:
   ##
   annotations: {}
 
-## RBAC parameteres
-## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+## ServiceAccount parameters
+## https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 ##
-rbac:
+serviceAccount:
   create: true
-  ## Determine whether a Service Account should be created
-  ## or reuse a exiting one
-  ##
-  serviceAccountCreate: true
-
   ## Service Account for pods
-  ## https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
   ##
-  serviceAccountName:
-
+  name:
   ## Annotations for the Service Account
   ##
-  serviceAccountAnnotations: {}
+  annotations: {}
+
+## RBAC parameteres (clusterRole and clusterRoleBinding)
+## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+##
+rbac:
+  create: true
   ## RBAC API version
   ##
   apiVersion: v1beta1

bitnami/external-dns/values.yaml

@@ -13,7 +13,7 @@
 image:
   registry: docker.io
   repository: bitnami/external-dns
-  tag: 0.7.1-debian-10-r54
+  tag: 0.7.1-debian-10-r56
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
   ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -447,24 +447,23 @@ service:
   ##
   annotations: {}
 
-## RBAC parameteres
-## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+## ServiceAccount parameters
+## https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 ##
-rbac:
+serviceAccount:
   create: true
-  ## Determine whether a Service Account should be created
-  ## or reuse a exiting one
-  ##
-  serviceAccountCreate: true
-
   ## Service Account for pods
-  ## https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
   ##
-  serviceAccountName:
-
+  name:
   ## Annotations for the Service Account
   ##
-  serviceAccountAnnotations: {}
+  annotations: {}
+
+## RBAC parameteres
+## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+##
+rbac:
+  create: true
   ## RBAC API version
   ##
   apiVersion: v1beta1