CR-6432 Updates for codefresh-engine service account (#255)

Ted Spinks · web-flow · commit 6f3e712ffc6f · 2021-10-15T14:22:57.000-04:00
* Add missing engine role/binding for codefresh-engine sa
* Add ability to specify annotations for codefresh-engine sa
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
+version: 0.1.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/cf-runtime/templates/re/role.engine.yaml b/charts/cf-runtime/templates/re/role.engine.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: codefresh-engine
+  labels: {{- include "cf-re.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - get
diff --git a/charts/cf-runtime/templates/re/rolebinding.engine.yaml b/charts/cf-runtime/templates/re/rolebinding.engine.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: codefresh-engine
+  labels: {{- include "cf-re.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: codefresh-engine
+subjects:
+  - kind: ServiceAccount
+    name: codefresh-engine
diff --git a/charts/cf-runtime/templates/re/service-account.re.yaml b/charts/cf-runtime/templates/re/service-account.re.yaml
@@ -1,6 +1,12 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  {{/* has to be a constant */}}
+  {{- /* has to be a constant */}}
   name: codefresh-engine
   labels: {{- include "cf-re.labels" . | nindent 4 }}
+{{- if .Values.re.serviceAccount }}
+  annotations: 
+    {{- range $key, $value := .Values.re.serviceAccount.annotations }}
+    {{ $key }}: {{ $value }}
+  {{- end}}
+{{- end}}
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
@@ -20,6 +20,14 @@ monitor:
   token: ""
   env: { }
 
+re: { }
+  # Optionally add an AWS IAM role to your pipelines
+  # More info: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster
+  # serviceAccount:
+  #   annotations:   # will be set on codefresh-engine service account
+  #     foo: bar
+  #     eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
+
 venona:
   image: "quay.io/codefresh/venona:1.6.7"
 
