Merge pull request #35 from meisterplan/feature/KNUTH-76836-apolloalp…

…aca-schema-sync-zu- KNUTH-76836 Apolloalpaca Schema sync zu Rolle umziehen
meisterplan · Nov 16, 2022 · 4292edf · 4292edf
2 parents 6500437 + 99a9c0d
commit 4292edf
Show file tree

Hide file tree

Showing 11 changed files with 181 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -119,6 +119,10 @@
 
 # cronjob
 
+## 1.4.0
+
+- Add support for service account
+
 ## 1.3.0
 
 - Add support for ghcr.io registry.

diff --git a/Makefile b/Makefile
@@ -2,6 +2,7 @@ test:
 	$(MAKE) test-case CHART=spring-service CASE=simple-service
 	$(MAKE) test-case CHART=spring-service CASE=complex-service
 	$(MAKE) test-case CHART=cronjob CASE=simple-cronjob
+	$(MAKE) test-case CHART=cronjob CASE=service-account-cronjob
 	$(MAKE) test-version-in-changelog CHART=spring-service
 	$(MAKE) test-version-in-changelog CHART=cronjob
 

diff --git a/charts/cronjob/Chart.yaml b/charts/cronjob/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 name: cronjob
 description: A generalized cronjob that can access secrets.
-version: 1.3.0
+version: 1.4.0
diff --git a/charts/cronjob/templates/cronjob.yaml b/charts/cronjob/templates/cronjob.yaml
@@ -14,6 +14,9 @@ spec:
       completions: 1
       template:
         spec:
+          {{- if .Values.podRoleArn }}
+          serviceAccountName: {{ .Values.cronJobName }}
+          {{- end }}
           restartPolicy: Never
           imagePullSecrets:
             - name: docker.pkg.github.com

diff --git a/charts/cronjob/templates/pre-deployment/serviceaccount.yaml b/charts/cronjob/templates/pre-deployment/serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.podRoleArn }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.cronJobName }}
+  namespace: {{ .Values.namespace }}
+  annotations:
+    eks.amazonaws.com/role-arn: '{{ .Values.podRoleArn }}'
+{{- end }}
diff --git a/tests/cronjob/service-account-cronjob/expected/cronjob/templates/cronjob.yaml b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/cronjob.yaml
@@ -0,0 +1,53 @@
+---
+# Source: cronjob/templates/cronjob.yaml
+kind: CronJob
+apiVersion: batch/v1
+metadata:
+  name: "simple-job-staging"
+  namespace: "team-superpower"
+spec:
+  concurrencyPolicy: "Replace"
+  schedule: "22 */5 * * *"
+  suspend: false
+  jobTemplate:
+    spec:
+      backoffLimit: 0
+      parallelism: 1
+      completions: 1
+      template:
+        spec:
+          serviceAccountName: simple-job-staging
+          restartPolicy: Never
+          imagePullSecrets:
+            - name: docker.pkg.github.com
+            - name: ghcr.io
+          containers:
+            - name: "simple-job-staging"
+              image: "docker.pkg.github.com/my-company/myservice:1.30.7"
+              args:
+              - /bin/bash
+              - echo "42"
+              imagePullPolicy: IfNotPresent
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 64Mi
+                limits:
+                  cpu: 1
+                  memory: 64Mi
+
+              env:
+                - name: "AWS_ACCESS_KEY_ID"
+                  valueFrom:
+                    secretKeyRef:
+                      name: "simple-job-staging-external-secret"
+                      key: "AWS_ACCESS_KEY_ID"
+                - name: "THIRD_PARTY_API_KEY"
+                  valueFrom:
+                    secretKeyRef:
+                      name: "simple-job-staging-external-secret"
+                      key: "THIRD_PARTY_API_KEY"
+                - name: ENVIRONMENT
+                  value: production
+                - name: VARIANT
+                  value: staging
diff --git a/.../service-account-cronjob/expected/cronjob/templates/post-deployment/prometheus-rules.yaml b/.../service-account-cronjob/expected/cronjob/templates/post-deployment/prometheus-rules.yaml
@@ -0,0 +1,32 @@
+---
+# Source: cronjob/templates/post-deployment/prometheus-rules.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  namespace: "team-superpower"
+  labels:
+    app: kube-prometheus-stack
+    release: prometheus
+  name: "simple-job-staging"
+spec:
+  groups:
+    - name: "simple-job-staging"
+      rules:
+        - alert: "simple-job-staging_MyCronjobFailed"
+          expr: "absent(cronjob_up)"
+          for: "5m"
+          labels:
+            service: "simple-job-staging"
+            namespace: "team-superpower"
+          annotations:
+            description: "The job {{ $labels.job_name }} has exited with failure exit code."
+            playbook_url: "https://my-playbook-collection/abc"
+        - alert: "simple-job-staging_MyCronjobStagingAlert"
+          expr: "rate(cronjob_executions) < 1000"
+          for: "5m"
+          labels:
+            service: "simple-job-staging"
+            namespace: "team-superpower"
+          annotations:
+            description: "Simple-Job {{ $labels.job_name }} has too few executions"
+            playbook_url: "https://my-playbook-collection/xyz"
diff --git a/tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/secret.yaml b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/secret.yaml
@@ -0,0 +1,15 @@
+---
+# Source: cronjob/templates/pre-deployment/secret.yaml
+apiVersion: "kubernetes-client.io/v1"
+kind: ExternalSecret
+metadata:
+  namespace: team-superpower
+  name: simple-job-staging-external-secret
+spec:
+  backendType: systemManager
+  roleArn: arn:aws:iam::1234567890:role/read-secrets-role-staging-team-superpower
+  data:
+    - name: "AWS_ACCESS_KEY_ID"
+      key: "/staging/aws/access-key-id"
+    - name: "THIRD_PARTY_API_KEY"
+      key: "/staging/third-party/api-key"
diff --git a/...job/service-account-cronjob/expected/cronjob/templates/pre-deployment/serviceaccount.yaml b/...job/service-account-cronjob/expected/cronjob/templates/pre-deployment/serviceaccount.yaml
@@ -0,0 +1,9 @@
+---
+# Source: cronjob/templates/pre-deployment/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: simple-job-staging
+  namespace: team-superpower
+  annotations:
+    eks.amazonaws.com/role-arn: 'arn:aws:iam::1234567890:role/role-while-executing-superpower-things-staging-team-superpower'
diff --git a/tests/cronjob/service-account-cronjob/values.staging.yaml b/tests/cronjob/service-account-cronjob/values.staging.yaml
@@ -0,0 +1,17 @@
+cronJobName: "simple-job-staging"
+podRoleArn: arn:aws:iam::1234567890:role/role-while-executing-superpower-things-staging-team-superpower
+
+env:
+  fromSecret:
+    THIRD_PARTY_API_KEY:
+      parameterName: third-party/api-key
+  additional:
+    VARIANT:
+      value: staging
+
+alertingRules:
+  MyCronjobStagingAlert:
+    expr: rate(cronjob_executions) < 1000
+    for: 5m
+    description: Simple-Job {{ $labels.job_name }} has too few executions
+    playbook_url: https://my-playbook-collection/xyz
diff --git a/tests/cronjob/service-account-cronjob/values.yaml b/tests/cronjob/service-account-cronjob/values.yaml
@@ -0,0 +1,37 @@
+namespace: team-superpower
+cronJobName: save-the-world
+
+clusterName: staging
+secretsRoleArn: arn:aws:iam::1234567890:role/read-secrets-role-staging-team-superpower
+
+schedule: "22 */5 * * *"
+
+image:
+  repository: docker.pkg.github.com/my-company/myservice
+  tag: "1.30.7"
+
+args:
+  - /bin/bash
+  - echo "42"
+
+resources:
+  memory: 64Mi
+  cpu:
+    guarantee: 100m
+    limit: 1
+
+env:
+  fromSecret:
+    AWS_ACCESS_KEY_ID:
+      parameterName: aws/access-key-id
+  additional:
+    ENVIRONMENT:
+      value: "production"
+
+alertingRules:
+  MyCronjobFailed:
+    expr: absent(cronjob_up)
+    for: 5m
+    summary: The job {{ $labels.job_name }} has failed
+    description: The job {{ $labels.job_name }} has exited with failure exit code.
+    playbook_url: https://my-playbook-collection/abc