refactor(cf-common): update rbac template (#11)

mikhail-klimko · web-flow · commit da581cfed6f8 · 2023-02-22T17:23:31.000+03:00
diff --git a/charts/cf-common-test/README.md b/charts/cf-common-test/README.md
@@ -35,9 +35,10 @@ Codefresh library chart - test chart - not for deployment!
 | nodeSelector | object | `{}` |  |
 | pdb | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
-| rbac.serviceAccount | object | `{}` |  |
+| rbac | object | `{}` |  |
 | secrets | object | `{}` |  |
 | service | object | `{}` |  |
+| serviceAccount | object | `{}` |  |
 | tolerations | list | `[]` |  |
 | volumes | object | `{}` |  |
 
diff --git a/charts/cf-common-test/tests/rbac/metadata_test.yaml b/charts/cf-common-test/tests/rbac/metadata_test.yaml
@@ -7,10 +7,8 @@ tests:
   - it: Test SA default metadata
     template: rbac.yaml
     set:
-      rbac:
+      serviceAccount:
         enabled: true
-        serviceAccount:
-          enabled: true
     asserts:
       - hasDocuments:
           count: 1
@@ -32,13 +30,11 @@ tests:
   - it: Test SA custom metadata
     template: rbac.yaml
     set:
-      rbac:
+      serviceAccount:
         enabled: true
-        serviceAccount:
-          enabled: true
-          nameOverride: "alice"
-          annotations:
-            foo: bar
+        nameOverride: "alice"
+        annotations:
+          foo: bar
     asserts:
       - hasDocuments:
           count: 1
@@ -59,10 +55,10 @@ tests:
   - it: Test Role default metadata
     template: rbac.yaml
     set:
+      serviceAccount:
+        enabled: true
       rbac:
         enabled: true
-        serviceAccount:
-          enabled: true
         rules:
           - apiGroups:
               - ""
@@ -98,10 +94,10 @@ tests:
   - it: Test RoleBinding default metadata
     template: rbac.yaml
     set:
+      serviceAccount:
+        enabled: true
       rbac:
         enabled: true
-        serviceAccount:
-          enabled: true
         rules:
           - apiGroups:
               - ""
diff --git a/charts/cf-common-test/tests/rbac/spec_test.yaml b/charts/cf-common-test/tests/rbac/spec_test.yaml
@@ -9,10 +9,8 @@ tests:
     values:
       - values.yaml
     set:
-      rbac:
+      serviceAccount:
         enabled: true
-        serviceAccount:
-          enabled: true
     asserts:
       - equal:
           path: spec.template.spec.serviceAccountName
@@ -22,10 +20,8 @@ tests:
   - it: Test SA secret
     template: templates/rbac.yaml
     set:
-      rbac:
+      serviceAccount:
         enabled: true
-        serviceAccount:
-          enabled: true
     asserts:
       - contains:
           path: secrets
@@ -35,10 +31,10 @@ tests:
   - it: Test Role should contains valid rules set
     template: rbac.yaml
     set:
+      serviceAccount:
+        enabled: true
       rbac:
         enabled: true
-        serviceAccount:
-          enabled: true
         rules:
           - apiGroups:
               - ""
@@ -63,10 +59,10 @@ tests:
   - it: Test RoleBinding should reference to the correct role and SA
     template: rbac.yaml
     set:
+      serviceAccount:
+        enabled: true
       rbac:
         enabled: true
-        serviceAccount:
-          enabled: true
         rules:
           - apiGroups:
               - ""
@@ -92,11 +88,11 @@ tests:
     values:
       - values.yaml
     set:
+      serviceAccount:
+        enabled: true
+        nameOverride: alice
       rbac:
         enabled: true
-        serviceAccount:
-          enabled: true
-          nameOverride: alice
         rules:
           - apiGroups:
               - ""
@@ -123,10 +119,8 @@ tests:
     values:
       - values.yaml
     set:
-      rbac:
+      serviceAccount:
         enabled: false
-        serviceAccount:
-          enabled: false
     asserts:
       - equal:
           path: spec.template.spec.serviceAccountName
diff --git a/charts/cf-common-test/tests/rbac/values.yaml b/charts/cf-common-test/tests/rbac/values.yaml
@@ -1,4 +1,4 @@
-# mock deployment for HPA
+# mock values
 controller:
   enabled: true
   type: deployment
@@ -14,21 +14,7 @@ container:
     tag: master
     pullPolicy: Always
 
-### comment when you want to see templates with `helm template . -f tests/rbac/values.yaml --show-only templates/rbac.yaml`
+serviceAccount:
+  enabled: true
 rbac:
   enabled: true
-  serviceAccount:
-    enabled: true
-#     nameOverride: ""
-#     annotations:
-#       foo: bar
-#   rules:
-#     - apiGroups:
-#         - ""
-#       resources:
-#         - pods
-#       verbs:
-#         - get
-#         - list
-#         - watch
-#         - update
diff --git a/charts/cf-common-test/values.yaml b/charts/cf-common-test/values.yaml
@@ -19,8 +19,9 @@ hpa: {}
 
 pdb: {}
 
-rbac:
-  serviceAccount: {}
+serviceAccount: {}
+
+rbac: {}
 
 podSecurityContext: {}
 
diff --git a/charts/cf-common/Chart.yaml b/charts/cf-common/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v0.0.0
 description: Codefresh library chart
 name: cf-common
-version: 0.0.10
+version: 0.0.11
 type: library
 keywords:
   - codefresh
diff --git a/charts/cf-common/README.md b/charts/cf-common/README.md
@@ -2,7 +2,7 @@
 
 Codefresh library chart
 
-![Version: 0.0.10](https://img.shields.io/badge/Version-0.0.10-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
+![Version: 0.0.11](https://img.shields.io/badge/Version-0.0.11-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
 
 ## Installing the Chart
 
@@ -18,7 +18,7 @@ Include this chart as a dependency in your `Chart.yaml` e.g.
 # Chart.yaml
 dependencies:
 - name: cf-common
-  version: 0.0.10
+  version: 0.0.11
   repository: https://chartmuseum.codefresh.io/cf-common
 ```
 
@@ -105,10 +105,6 @@ dependencies:
 | rbac | object | See below | Configure RBAC parameters |
 | rbac.enabled | bool | `false` | Enable RBAC resources |
 | rbac.rules | list | `[]` | Create custom rules |
-| rbac.serviceAccount | object | `{"annotations":{},"enabled":false,"nameOverride":""}` | Configure Service Account |
-| rbac.serviceAccount.annotations | object | `{}` | Set annotations for Service Account |
-| rbac.serviceAccount.enabled | bool | `false` | Enable Service Account |
-| rbac.serviceAccount.nameOverride | string | `""` | Override Service Account name (by default, name is generated with `fullname` template) |
 | secrets.secret | object | `{"annotation":{},"data":{},"enabled":false,"labels":{},"stringData":{},"type":"Opaque"}` | Secret name. Make sure to use the same name in `volumes` and `container.volumeMounts` |
 | secrets.secret.annotation | object | `{}` | Add additional annotations to the secret |
 | secrets.secret.enabled | bool | `false` | Enable the secret |
@@ -128,6 +124,10 @@ dependencies:
 | service.main.ports.http.targetPort | string | `nil` | Set a service targetPort if you wish to differ the service port from the application port. |
 | service.main.primary | bool | `true` | Make this the primary service (used in probes, notes, etc...). If there is more than 1 service, make sure that only 1 service is marked as primary. |
 | service.main.type | string | `"ClusterIP"` | Set the service type |
+| serviceAccount | object | See below | Configure Service Account |
+| serviceAccount.annotations | object | `{}` | Set annotations for Service Account |
+| serviceAccount.enabled | bool | `false` | Enable and create Service Account |
+| serviceAccount.nameOverride | string | `""` | Override Service Account name (by default, name is generated with `fullname` template) |
 | tolerations | list | `[]` | Set tolerations constrains |
 | topologySpreadConstraints | list | `[]` | Set topologySpreadConstraints rules. Helm template supported. Passed through `tpl`, should be configured as string |
 | volumes | object | See below | Configure volume for the controller. Additional items can be added by adding a dictionary key similar to the 'config'/`secret` key. |
diff --git a/charts/cf-common/templates/common/_names.tpl b/charts/cf-common/templates/common/_names.tpl
@@ -34,11 +34,9 @@ If release name contains chart name it will be used as a full name.
 ServiceAccount Name
 */}}
 {{- define "cf-common.names.serviceAccountName" -}}
-  {{- if .Values.rbac.enabled -}}
-    {{- if .Values.rbac.serviceAccount.enabled -}}
-      {{- .Values.rbac.serviceAccount.nameOverride | default (include "cf-common.names.fullname" .) -}}
-    {{- end -}}
+  {{- if .Values.serviceAccount.enabled -}}
+    {{- .Values.serviceAccount.nameOverride | default (include "cf-common.names.fullname" .)  -}}
   {{- else -}}
-    {{- .Values.rbac.serviceAccount.nameOverride | default "default" -}}
+    {{- print "default" -}}
   {{- end -}}
 {{- end -}}
diff --git a/charts/cf-common/templates/render/_rbac.tpl b/charts/cf-common/templates/render/_rbac.tpl
@@ -6,21 +6,22 @@ Usage:
 
 {{- define "cf-common.rbac" -}}
 
-{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.enabled }}
+{{- if .Values.serviceAccount.enabled }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ default ( include "cf-common.names.fullname" $) .Values.rbac.serviceAccount.nameOverride }}
+  name: {{ default ( include "cf-common.names.fullname" $) .Values.serviceAccount.nameOverride }}
   labels: {{ include "cf-common.labels.standard" . | nindent 4 }}
-  {{- if .Values.rbac.serviceAccount.annotations }}
-  annotations: {{ include "cf-common.tplrender" (dict "Values" .Values.rbac.serviceAccount.annotations "context" $) | nindent 4 }}
+  {{- if .Values.serviceAccount.annotations }}
+  annotations: {{ include "cf-common.tplrender" (dict "Values" .Values.serviceAccount.annotations "context" $) | nindent 4 }}
   {{- end }}
 secrets:
   - name: {{ include "cf-common.names.fullname" $ }}-sa-token
 {{- end }}
 
-{{- if and .Values.rbac.enabled .Values.rbac.rules .Values.rbac.serviceAccount.enabled }}
+
+{{- if and .Values.serviceAccount.enabled .Values.rbac.enabled  }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -40,8 +41,8 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
 subjects:
   - kind: ServiceAccount
-    name: {{ default ( include "cf-common.names.fullname" $) .Values.rbac.serviceAccount.nameOverride }}
+    name: {{ default ( include "cf-common.names.fullname" $) .Values.serviceAccount.nameOverride }}
     namespace: {{ .Release.Namespace }}
 {{- end }}
 
-{{- end -}}
+{{- end -}}
diff --git a/charts/cf-common/values.yaml b/charts/cf-common/values.yaml
@@ -390,19 +390,21 @@ pdb:
   # -- Set number of pods that are unavailable after eviction as number of percentage
   maxUnavailable: ""
 
+# -- Configure Service Account
+# @default -- See below
+serviceAccount:
+  # -- Enable and create Service Account
+  enabled: false
+  # -- Override Service Account name (by default, name is generated with `fullname` template)
+  nameOverride: ""
+  # -- Set annotations for Service Account
+  annotations: {}
+
 # -- Configure RBAC parameters
 # @default -- See below
 rbac:
   # -- Enable RBAC resources
   enabled: false
-  # -- Configure Service Account
-  serviceAccount:
-    # -- Enable Service Account
-    enabled: false
-    # -- Override Service Account name (by default, name is generated with `fullname` template)
-    nameOverride: ""
-    # -- Set annotations for Service Account
-    annotations: {}
   # -- Create custom rules
   rules: []
   # E.g.
