From 99a9c0dab4aff02d71f569e64ecc40f9d7e9e98f Mon Sep 17 00:00:00 2001
From: Nico Dreher
Date: Wed, 16 Nov 2022 16:39:09 +0100
Subject: [PATCH] Add support for service account to cronjob KNUTH-76836
---
 CHANGELOG.md | 4 ++
 Makefile | 1 +
 charts/cronjob/Chart.yaml | 2 +-
 charts/cronjob/templates/cronjob.yaml | 3 ++
 .../pre-deployment/serviceaccount.yaml | 9 ++++
 .../expected/cronjob/templates/cronjob.yaml | 53 +++++++++++++++++++
 .../post-deployment/prometheus-rules.yaml | 32 +++++++++++
 .../templates/pre-deployment/secret.yaml | 15 ++++++
 .../pre-deployment/serviceaccount.yaml | 9 ++++
 .../values.staging.yaml | 17 ++++++
 .../service-account-cronjob/values.yaml | 37 +++++++++++++
 11 files changed, 181 insertions(+), 1 deletion(-)
 create mode 100644 charts/cronjob/templates/pre-deployment/serviceaccount.yaml
 create mode 100644 tests/cronjob/service-account-cronjob/expected/cronjob/templates/cronjob.yaml
 create mode 100644 tests/cronjob/service-account-cronjob/expected/cronjob/templates/post-deployment/prometheus-rules.yaml
 create mode 100644 tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/secret.yaml
 create mode 100644 tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/serviceaccount.yaml
 create mode 100644 tests/cronjob/service-account-cronjob/values.staging.yaml
 create mode 100644 tests/cronjob/service-account-cronjob/values.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6473fa..80fd6dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -119,6 +119,10 @@ # cronjob +## 1.4.0 + +- Add support for service account + ## 1.3.0 - Add support for ghcr.io registry.
diff --git a/Makefile b/Makefile
index c24939c..7b95e71 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,7 @@ test: $(MAKE) test-case CHART=spring-service CASE=simple-service $(MAKE) test-case CHART=spring-service CASE=complex-service $(MAKE) test-case CHART=cronjob CASE=simple-cronjob + $(MAKE) test-case CHART=cronjob CASE=service-account-cronjob $(MAKE) test-version-in-changelog CHART=spring-service $(MAKE) test-version-in-changelog CHART=cronjob
diff --git a/charts/cronjob/Chart.yaml b/charts/cronjob/Chart.yaml
index a29df39..b1ad63a 100644
--- a/charts/cronjob/Chart.yaml
+++ b/charts/cronjob/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 name: cronjob
 description: A generalized cronjob that can access secrets.
-version: 1.3.0
+version: 1.4.0
diff --git a/charts/cronjob/templates/cronjob.yaml b/charts/cronjob/templates/cronjob.yaml
index 45dd477..81193fa 100644
--- a/charts/cronjob/templates/cronjob.yaml
+++ b/charts/cronjob/templates/cronjob.yaml
@@ -14,6 +14,9 @@ spec:
 completions: 1
 template:
 spec:
+ {{- if .Values.podRoleArn }}
+ serviceAccountName: {{ .Values.cronJobName }}
+ {{- end }}
 restartPolicy: Never
 imagePullSecrets:
 - name: docker.pkg.github.com
diff --git a/charts/cronjob/templates/pre-deployment/serviceaccount.yaml b/charts/cronjob/templates/pre-deployment/serviceaccount.yaml
new file mode 100644
index 0000000..1e803fa
--- /dev/null
+++ b/charts/cronjob/templates/pre-deployment/serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.podRoleArn }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.cronJobName }}
+ namespace: {{ .Values.namespace }}
+ annotations:
+ eks.amazonaws.com/role-arn: '{{ .Values.podRoleArn }}'
+{{- end }}
diff --git a/tests/cronjob/service-account-cronjob/expected/cronjob/templates/cronjob.yaml b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/cronjob.yaml
new file mode 100644
index 0000000..b35efb8
--- /dev/null
+++ b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/cronjob.yaml
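Review bot: The added `serviceAccountName: {{ .Values.cronJobName }}` in charts/cronjob/templates/cronjob.yaml is rendered unquoted, while the expected output in this patch shows the same value quoted elsewhere (`name: "simple-job-staging"`), so a job name that YAML reads as a number or boolean would come out as a non-string here. `serviceAccountName: {{ .Values.cronJobName | quote }}` keeps the field consistent with the rest of the chart. The line is also tied to the ServiceAccount template only by convention (same `podRoleArn` condition, same name expression), so a short template comment stating that both must stay in sync would help the next editor. When `podRoleArn` is unset the pod keeps using the namespace's default service account, which is worth stating in the chart docs. The pod spec continues outside the hunk.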
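Review bot: The new pre-deployment/serviceaccount.yaml does not record what the IAM side has to enforce: the `eks.amazonaws.com/role-arn` annotation is taken directly from `podRoleArn`, so the effective control is the role's trust policy, which should pin the `sub` condition to `system:serviceaccount:<namespace>:<cronJobName>` rather than a wildcard. I would add a template comment at the top, for example `{{- /* IRSA: the role's trust policy must restrict sub to this namespace and service account name */ -}}`, and repeat it where `podRoleArn` is documented. `name` and `namespace` are emitted unquoted and the ARN is wrapped in literal single quotes; `{{ .Values.cronJobName | quote }}` and `{{ .Values.podRoleArn | quote }}` would be more robust against values that need escaping.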
@@ -0,0 +1,53 @@
+---
+# Source: cronjob/templates/cronjob.yaml
+kind: CronJob
+apiVersion: batch/v1
+metadata:
+ name: "simple-job-staging"
+ namespace: "team-superpower"
+spec:
+ concurrencyPolicy: "Replace"
+ schedule: "22 */5 * * *"
+ suspend: false
+ jobTemplate:
+ spec:
+ backoffLimit: 0
+ parallelism: 1
+ completions: 1
+ template:
+ spec:
+ serviceAccountName: simple-job-staging
+ restartPolicy: Never
+ imagePullSecrets:
+ - name: docker.pkg.github.com
+ - name: ghcr.io
+ containers:
+ - name: "simple-job-staging"
+ image: "docker.pkg.github.com/my-company/myservice:1.30.7"
+ args:
+ - /bin/bash
+ - echo "42"
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ cpu: 1
+ memory: 64Mi
+
+ env:
+ - name: "AWS_ACCESS_KEY_ID"
+ valueFrom:
+ secretKeyRef:
+ name: "simple-job-staging-external-secret"
+ key: "AWS_ACCESS_KEY_ID"
+ - name: "THIRD_PARTY_API_KEY"
+ valueFrom:
+ secretKeyRef:
+ name: "simple-job-staging-external-secret"
+ key: "THIRD_PARTY_API_KEY"
+ - name: ENVIRONMENT
+ value: production
+ - name: VARIANT
+ value: staging
diff --git a/tests/cronjob/service-account-cronjob/expected/cronjob/templates/post-deployment/prometheus-rules.yaml b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/post-deployment/prometheus-rules.yaml
new file mode 100644
index 0000000..ef33cce
--- /dev/null
+++ b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/post-deployment/prometheus-rules.yaml
@@ -0,0 +1,32 @@
+---
+# Source: cronjob/templates/post-deployment/prometheus-rules.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ namespace: "team-superpower"
+ labels:
+ app: kube-prometheus-stack
+ release: prometheus
+ name: "simple-job-staging"
+spec:
+ groups:
+ - name: "simple-job-staging"
+ rules:
+ - alert: "simple-job-staging_MyCronjobFailed"
+ expr: "absent(cronjob_up)"
+ for: "5m"
+ labels:
+ service: "simple-job-staging"
+ namespace: "team-superpower"
+ annotations:
+ description: "The job {{ $labels.job_name }} has exited with failure exit code."
+ playbook_url: "https://my-playbook-collection/abc"
+ - alert: "simple-job-staging_MyCronjobStagingAlert"
+ expr: "rate(cronjob_executions) < 1000"
+ for: "5m"
+ labels:
+ service: "simple-job-staging"
+ namespace: "team-superpower"
+ annotations:
+ description: "Simple-Job {{ $labels.job_name }} has too few executions"
+ playbook_url: "https://my-playbook-collection/xyz"
diff --git a/tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/secret.yaml b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/secret.yaml
new file mode 100644
index 0000000..ffd4eee
--- /dev/null
+++ b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/secret.yaml
@@ -0,0 +1,15 @@
+---
+# Source: cronjob/templates/pre-deployment/secret.yaml
+apiVersion: "kubernetes-client.io/v1"
+kind: ExternalSecret
+metadata:
+ namespace: team-superpower
+ name: simple-job-staging-external-secret
+spec:
+ backendType: systemManager
+ roleArn: arn:aws:iam::1234567890:role/read-secrets-role-staging-team-superpower
+ data:
+ - name: "AWS_ACCESS_KEY_ID"
+ key: "/staging/aws/access-key-id"
+ - name: "THIRD_PARTY_API_KEY"
+ key: "/staging/third-party/api-key"
diff --git a/tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/serviceaccount.yaml b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/serviceaccount.yaml
new file mode 100644
index 0000000..4bde492
--- /dev/null
+++ b/tests/cronjob/service-account-cronjob/expected/cronjob/templates/pre-deployment/serviceaccount.yaml
@@ -0,0 +1,9 @@
+---
+# Source: cronjob/templates/pre-deployment/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: simple-job-staging
+ namespace: team-superpower
+ annotations:
+ eks.amazonaws.com/role-arn: 'arn:aws:iam::1234567890:role/role-while-executing-superpower-things-staging-team-superpower'
diff --git a/tests/cronjob/service-account-cronjob/values.staging.yaml b/tests/cronjob/service-account-cronjob/values.staging.yaml
new file mode 100644
index 0000000..d222f00
--- /dev/null
+++ b/tests/cronjob/service-account-cronjob/values.staging.yaml
@@ -0,0 +1,17 @@
+cronJobName: "simple-job-staging"
+podRoleArn: arn:aws:iam::1234567890:role/role-while-executing-superpower-things-staging-team-superpower
+
+env:
+ fromSecret:
+ THIRD_PARTY_API_KEY:
+ parameterName: third-party/api-key
+ additional:
+ VARIANT:
+ value: staging
+
+alertingRules:
+ MyCronjobStagingAlert:
+ expr: rate(cronjob_executions) < 1000
+ for: 5m
+ description: Simple-Job {{ $labels.job_name }} has too few executions
+ playbook_url: https://my-playbook-collection/xyz
diff --git a/tests/cronjob/service-account-cronjob/values.yaml b/tests/cronjob/service-account-cronjob/values.yaml
new file mode 100644
index 0000000..315f7c0
--- /dev/null
+++ b/tests/cronjob/service-account-cronjob/values.yaml
@@ -0,0 +1,37 @@
+namespace: team-superpower
+cronJobName: save-the-world
+
+clusterName: staging
+secretsRoleArn: arn:aws:iam::1234567890:role/read-secrets-role-staging-team-superpower
+
+schedule: "22 */5 * * *"
+
+image:
+ repository: docker.pkg.github.com/my-company/myservice
+ tag: "1.30.7"
+
+args:
+ - /bin/bash
+ - echo "42"
+
+resources:
+ memory: 64Mi
+ cpu:
+ guarantee: 100m
+ limit: 1
+
+env:
+ fromSecret:
+ AWS_ACCESS_KEY_ID:
+ parameterName: aws/access-key-id
+ additional:
+ ENVIRONMENT:
+ value: "production"
+
+alertingRules:
+ MyCronjobFailed:
+ expr: absent(cronjob_up)
+ for: 5m
+ summary: The job {{ $labels.job_name }} has failed
+ description: The job {{ $labels.job_name }} has exited with failure exit code.
+ playbook_url: https://my-playbook-collection/abc
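Review bot: This fixture still injects `AWS_ACCESS_KEY_ID` through `env.fromSecret` even though the case exists to exercise `podRoleArn` (set in the sibling values.staging.yaml). In the common AWS SDK default credential chains, static credentials in the environment are consulted before the web-identity token, so a job configured this way with a matching secret key may never assume the service-account role, and a partial pair can fail credential resolution outright in some SDKs. Because test values tend to be copied as starting points, I would drop the `AWS_ACCESS_KEY_ID` entry from this case and keep a non-AWS secret such as `THIRD_PARTY_API_KEY` to cover `fromSecret`. A comment in the file noting that static AWS keys and `podRoleArn` should not be combined would also help.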