diff --git a/charts/operator/ci/03-enable-automount-values.yaml b/charts/operator/ci/03-enable-automount-values.yaml
new file mode 100644
index 0000000000..13cbf9d3d2
--- /dev/null
+++ b/charts/operator/ci/03-enable-automount-values.yaml
@@ -0,0 +1,17 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+serviceAccount:
+ automountServiceAccountToken: true
diff --git a/charts/operator/deployment.go b/charts/operator/deployment.go
index b4386ba207..d5e27e3b78 100644
--- a/charts/operator/deployment.go
+++ b/charts/operator/deployment.go
@@ -147,7 +147,7 @@ func operatorContainers(dot *helmette.Dot, podTerminationGracePeriodSeconds *int
 func kubeRBACProxyVolumeMounts(dot *helmette.Dot) []corev1.VolumeMount {
 values := helmette.Unwrap[Values](dot.Values)
- if !(values.ServiceAccount.Create && !ptr.Deref(values.ServiceAccount.AutomountServiceAccountToken, false)) {
+ if !(values.ServiceAccount.Create && (!ptr.Deref(values.ServiceAccount.AutomountServiceAccountToken, false)) || !ptr.Deref(values.PodTemplate.Spec.AutomountServiceAccountToken, false)) {
 return nil
 }
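Review bot: The new condition in kubeRBACProxyVolumeMounts parses as `!((Create && !saAutomount) || !podAutomount)` because `&&` binds tighter than `||` in Go, whereas the sibling hunks in operatorPodVolumes and operatorPodVolumesMounts use `Create && (!saAutomount || !podAutomount)`; the transpiled `_deployment.go.tpl` hunk mirrors the same grouping, so this is the Go source, not a transpiler artefact. With serviceAccount.create=false and podTemplate.spec.automountServiceAccountToken unset (ptr.Deref yields false), this function no longer returns nil while operatorPodVolumes adds no kube-api-access volume, so the kube-rbac-proxy container would presumably reference a volume the pod does not define — worth confirming with a rendered template, since the rest of the function lies outside the hunk. Suggested line: `if !(values.ServiceAccount.Create && (!ptr.Deref(values.ServiceAccount.AutomountServiceAccountToken, false) || !ptr.Deref(values.PodTemplate.Spec.AutomountServiceAccountToken, false))) {`. The same predicate is now copied three times; one shared helper would keep the three call sites from drifting again.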
@@ -259,7 +259,7 @@ func operatorPodVolumes(dot *helmette.Dot) []corev1.Volume {
 vol := []corev1.Volume{}
- if values.ServiceAccount.Create && !ptr.Deref(values.ServiceAccount.AutomountServiceAccountToken, false) {
+ if values.ServiceAccount.Create && (!ptr.Deref(values.ServiceAccount.AutomountServiceAccountToken, false) || !ptr.Deref(values.PodTemplate.Spec.AutomountServiceAccountToken, false)) {
 vol = append(vol, kubeTokenAPIVolume(ServiceAccountVolumeName))
 }
@@ -335,7 +335,7 @@ func operatorPodVolumesMounts(dot *helmette.Dot) []corev1.VolumeMount {
 volMount := []corev1.VolumeMount{}
- if values.ServiceAccount.Create && !ptr.Deref(values.ServiceAccount.AutomountServiceAccountToken, false) {
+ if values.ServiceAccount.Create && (!ptr.Deref(values.ServiceAccount.AutomountServiceAccountToken, false) || !ptr.Deref(values.PodTemplate.Spec.AutomountServiceAccountToken, false)) {
 mountName := ServiceAccountVolumeName
 for _, vol := range operatorPodVolumes(dot) {
 if strings.HasPrefix(ServiceAccountVolumeName+"-", vol.Name) {
diff --git a/charts/operator/templates/_deployment.go.tpl b/charts/operator/templates/_deployment.go.tpl
index 84e829eb53..57d99b4b37 100644
--- a/charts/operator/templates/_deployment.go.tpl
+++ b/charts/operator/templates/_deployment.go.tpl
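Review bot: The predicate that decides whether the chart mounts the projected service-account token itself is now written out inline in operatorPodVolumes, operatorPodVolumesMounts and kubeRBACProxyVolumeMounts, and none of the three says why a nil pod-level `automountServiceAccountToken` is dereferenced as false — in Kubernetes an unset pod field inherits the ServiceAccount's setting, so this chart deliberately treats "unset" as "mount it ourselves", which is the reason the new golden output gains a kube-api-access volume for a ServiceAccount with automount: true and no pod-level value. Pulling the condition into one documented helper records that choice and gives the three call sites a single definition to stay in step with; the volume and mount must agree, because a VolumeMount without its Volume is rejected at admission. The helper would presumably transpile like the existing kubeTokenAPIVolume helper, but confirm gotohelm accepts it before relying on the generated template. Both enclosing functions continue outside the hunk.
```go
// wantsProjectedTokenVolume reports whether the chart mounts the
// service-account token via its own projected kube-api-access volume
// instead of relying on kubelet automount. An unset toggle is read as
// false (ptr.Deref default), so the projected volume is used unless
// both serviceAccount.automountServiceAccountToken and
// podTemplate.spec.automountServiceAccountToken are explicitly true.
func wantsProjectedTokenVolume(values Values) bool {
	if !values.ServiceAccount.Create {
		return false
	}
	saAutomount := ptr.Deref(values.ServiceAccount.AutomountServiceAccountToken, false)
	podAutomount := ptr.Deref(values.PodTemplate.Spec.AutomountServiceAccountToken, false)
	return !saAutomount || !podAutomount
}

// … unchanged: operatorPodVolumes body, with the inline condition replaced by …
	if wantsProjectedTokenVolume(values) {
		vol = append(vol, kubeTokenAPIVolume(ServiceAccountVolumeName))
	}
```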
@@ -32,7 +32,7 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- $values := $dot.Values.AsMap -}} -{{- if (not ((and $values.serviceAccount.create (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r"))))) -}} +{{- if (not ((or (and $values.serviceAccount.create ((not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r")))) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.podTemplate.spec.automountServiceAccountToken false) ))) "r"))))) -}} {{- $_is_returning = true -}} {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} @@ -134,7 +134,7 @@ {{- $_is_returning := false -}} {{- $values := $dot.Values.AsMap -}} {{- $vol := (list ) -}} -{{- if (and $values.serviceAccount.create (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r"))) -}} +{{- if (and $values.serviceAccount.create ((or (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r")) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.podTemplate.spec.automountServiceAccountToken false) ))) "r"))))) -}} {{- $vol = (concat (default (list ) $vol) (list (get (fromJson (include "operator.kubeTokenAPIVolume" (dict "a" (list "kube-api-access") ))) "r"))) -}} {{- end -}} {{- if (not $values.webhook.enabled) -}} 
@@ -165,7 +165,7 @@ {{- $_is_returning := false -}} {{- $values := $dot.Values.AsMap -}} {{- $volMount := (list ) -}} -{{- if (and $values.serviceAccount.create (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r"))) -}} +{{- if (and $values.serviceAccount.create ((or (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r")) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.podTemplate.spec.automountServiceAccountToken false) ))) "r"))))) -}} {{- $mountName := "kube-api-access" -}} {{- range $_, $vol := (get (fromJson (include "operator.operatorPodVolumes" (dict "a" (list $dot) ))) "r") -}} {{- if (hasPrefix $vol.name (printf "%s%s" "kube-api-access" "-")) -}} diff --git a/charts/operator/testdata/template-cases.golden.txtar b/charts/operator/testdata/template-cases.golden.txtar index 2ecc81e978..c19ba356c2 100644 --- a/charts/operator/testdata/template-cases.golden.txtar +++ b/charts/operator/testdata/template-cases.golden.txtar @@ -17559,7 +17559,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsPolicy: 禉ȎÝ汱 ephemeralContainers: null hostAliases: @@ -25339,7 +25342,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - QXyBi4x @@ -39711,7 +39717,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - uFFDQ 
@@ -43134,7 +43143,10 @@ spec: memory: "695" securityContext: allowPrivilegeEscalation: false - volumeMounts: [] + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ @@ -43148,7 +43160,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true ephemeralContainers: null imagePullSecrets: - name: 2di49JY @@ -43161,7 +43176,25 @@ spec: serviceAccountName: a terminationGracePeriodSeconds: 10 tolerations: [] - volumes: [] + volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace --- # Source: operator/charts/kube-prometheus-stack/templates/alertmanager/alertmanager.yaml apiVersion: monitoring.coreos.com/v1 @@ -49932,7 +49965,10 @@ spec: memory: "234" securityContext: allowPrivilegeEscalation: false - volumeMounts: [] + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ @@ -49946,7 +49982,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: options: - name: Wf0HvUtqF 
@@ -50007,6 +50046,24 @@ spec: tolerationSeconds: -4478242017118697500 value: 6jeY5TPOEJY volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: "" - name: 061joXv - name: nASsEAPm @@ -57413,7 +57470,10 @@ spec: memory: "673" securityContext: allowPrivilegeEscalation: false - volumeMounts: [] + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ @@ -57427,7 +57487,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - tZ @@ -57515,6 +57578,24 @@ spec: topologyKey: FS whenUnsatisfiable: H皀靬i? volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: 6Wvlg --- # Source: operator/charts/kube-prometheus-stack/templates/alertmanager/alertmanager.yaml @@ -77260,7 +77341,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - bnxKu 
@@ -102368,7 +102452,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - Nr @@ -107940,7 +108027,10 @@ spec: memory: "967" securityContext: allowPrivilegeEscalation: false - volumeMounts: [] + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ @@ -107954,7 +108044,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - E4iX @@ -108054,6 +108147,24 @@ spec: topologyKey: 2PWoF15m whenUnsatisfiable: Ƈ volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: "" - name: MlOcWr --- @@ -152192,7 +152303,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - XQQvkKFB7z @@ -153775,7 +153889,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - OKrRLUXo1z 
@@ -176904,6 +177021,9 @@ spec: securityContext: allowPrivilegeEscalation: false volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true @@ -176920,7 +177040,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true ephemeralContainers: null imagePullSecrets: [] initContainers: [] @@ -176931,6 +177054,24 @@ spec: terminationGracePeriodSeconds: 10 tolerations: [] volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: cert secret: defaultMode: 420 @@ -180181,6 +180322,9 @@ spec: securityContext: allowPrivilegeEscalation: false volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true @@ -180197,7 +180341,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true ephemeralContainers: null imagePullSecrets: - name: Qzv 
@@ -180220,6 +180367,24 @@ spec: tolerationSeconds: -180540694248284540 value: F0lt volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: cert secret: defaultMode: 420 @@ -187303,6 +187468,9 @@ spec: securityContext: allowPrivilegeEscalation: false volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true @@ -187319,7 +187487,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true ephemeralContainers: null imagePullSecrets: [] initContainers: [] @@ -187330,6 +187501,24 @@ spec: terminationGracePeriodSeconds: 10 tolerations: [] volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: cert secret: defaultMode: 420 @@ -210369,6 +210558,9 @@ spec: securityContext: allowPrivilegeEscalation: false volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true 
@@ -210385,7 +210577,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true ephemeralContainers: null imagePullSecrets: - name: T @@ -210415,6 +210610,24 @@ spec: tolerationSeconds: -411540980645837600 value: uFHD2K volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: cert secret: defaultMode: 420 @@ -226867,7 +227080,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - "" @@ -239657,7 +239873,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - 9vmm6l @@ -263138,7 +263357,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - h9KdM @@ -277816,6 +278038,9 @@ spec: securityContext: allowPrivilegeEscalation: false volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true 
@@ -277832,7 +278057,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - 41sorB33 @@ -277954,6 +278182,24 @@ spec: topologyKey: "n" whenUnsatisfiable: uƈl塻柜Ɔi馿实Ē9潳 volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: cert secret: defaultMode: 420 @@ -289109,6 +289355,9 @@ spec: securityContext: allowPrivilegeEscalation: false volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true @@ -289125,7 +289374,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - 0l7aqP @@ -289234,6 +289486,24 @@ spec: topologyKey: OcJMDNvd whenUnsatisfiable: 2ðɞ樀ȵ檛舼闲i volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: cert secret: defaultMode: 420 @@ -292593,7 +292863,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - lFF4bR 
@@ -300037,6 +300310,9 @@ spec: securityContext: allowPrivilegeEscalation: false volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true @@ -300053,7 +300329,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: options: - name: kUN @@ -300178,6 +300457,24 @@ spec: topologyKey: ZUbNp whenUnsatisfiable: ʃrx volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: cert secret: defaultMode: 420 @@ -314454,7 +314751,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - vD1Q @@ -322931,6 +323231,9 @@ spec: securityContext: allowPrivilegeEscalation: false volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true @@ -322947,7 +323250,10 @@ spec: - containerPort: 8443 name: https resources: {} - volumeMounts: null + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access + readOnly: true dnsConfig: nameservers: - 2CpyVbnvo 
@@ -323047,6 +323353,24 @@ spec: topologyKey: ZmjDn whenUnsatisfiable: )坞]yQÆT聤ćŭ volumes: + - name: kube-api-access + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace - name: cert secret: defaultMode: 420 
@@ -327164,41 +327488,1252 @@ spec: # Create the Redpanda resource $KUBECTL -n default apply -f - < /tmp/tls.crt + $KUBECTL -n default get secret cluster-tls-user-client -o go-template='{{ base64decode (index .data "tls.key") }}' > /tmp/tls.key + $KUBECTL -n default get secret cluster-tls-user-client -o go-template='{{ base64decode (index .data "ca.crt") }}' > /tmp/ca.crt + + # Make sure Redpanda works + rpk topic create test -v + + # Clean up + $KUBECTL -n default delete -f - < /etc/redpanda/redpanda.yaml << EOF + redpanda: + rpk: + kafka_api: + brokers: + - cluster-tls-0.cluster-tls.default.svc.cluster.local:9092 + - cluster-tls-1.cluster-tls.default.svc.cluster.local:9092 + - cluster-tls-2.cluster-tls.default.svc.cluster.local:9092 + tls: + enabled: true + key_file: /tmp/tls.key + cert_file: /tmp/tls.crt + truststore_file: /tmp/ca.crt + EOF + curl -Ls https://dl.k8s.io/${KUBECTL_VERSION}/bin/linux/amd64/kubectl -o /tmp/kubectl-${KUBECTL_VERSION} + echo "$(curl -Ls https://dl.k8s.io/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256) /tmp/kubectl-${KUBECTL_VERSION}" | sha256sum --check + chmod +x /tmp/kubectl-${KUBECTL_VERSION} + KUBECTL=/tmp/kubectl-${KUBECTL_VERSION} + + # Create the Redpanda resource + $KUBECTL -n default apply -f - <4.0.0" + clusterSpec: + console: + enabled: false + image: + repository: docker.redpanda.com/redpandadata/redpanda + tag: v24.2.1 + listeners: + admin: + external: {} + port: 9644 tls: + cert: "" + enabled: false + requireClientAuth: false + http: + authenticationMethod: none + enabled: true + external: {} + kafkaEndpoint: kafka-default + port: 8082 + tls: + cert: "" + enabled: false + requireClientAuth: false + kafka: + authenticationMethod: none + external: {} + port: 9092 + tls: + cert: kafka-internal-0 enabled: true - requireClientAuth: true - adminApi: - - port: 9644 - pandaproxyApi: - - port: 8082 - developerMode: true + requireClientAuth: false + rpc: + port: 33145 + logging: + logLevel: trace + usageStats: + enabled: false 
+ resources: + cpu: + cores: 1 + memory: + container: + max: 2Gi + min: 2Gi + statefulset: + replicas: 3 + storage: + persistentVolume: + enabled: true + size: 100Gi + tls: + certs: + kafka-internal-0: + caEnabled: true + enabled: true + --- + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: cluster-tls-user-client + spec: + emailAddresses: + - test@domain.dom + duration: 43800h0m0s + issuerRef: + group: cert-manager.io + kind: Issuer + name: cluster-tls-kafka-internal-0-root-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: cluster-tls-user-client + EOF # Wait for things to be ready - $KUBECTL -n default wait --for=condition=ClusterConfigured --timeout=10m cluster/cluster-tls - $KUBECTL -n default wait --for=jsonpath='{.status.restarting}'=false --timeout=10m cluster/cluster-tls - $KUBECTL -n default wait --for=jsonpath='{.status.upgrading}'=false --timeout=10m cluster/cluster-tls + $KUBECTL -n default wait --for=condition=Ready --timeout=10m redpanda/cluster-tls $KUBECTL -n default wait --for=jsonpath='{.metadata.name}'=cluster-tls-user-client --timeout=10m secret/cluster-tls-user-client $KUBECTL -n default get secret cluster-tls-user-client -o go-template='{{ base64decode (index .data "tls.crt") }}' > /tmp/tls.crt $KUBECTL -n default get secret cluster-tls-user-client -o go-template='{{ base64decode (index .data "tls.key") }}' > /tmp/tls.key 
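Review bot: The rewritten cluster-tls test resource sets `requireClientAuth: false` under `listeners.kafka.tls`, where the removed Cluster spec had `requireClientAuth: true`, yet the script still issues the cluster-tls-user-client certificate and configures rpk with `key_file`/`cert_file`, so the client certificate is presented but never required. If this test is meant to prove mTLS on the Kafka listener (it is rendered from create-topic-with-client-auth.yaml), a broker that ignored or mis-validated client certificates would now still pass; restoring `requireClientAuth: true` on the kafka listener, or renaming the case if server-side TLS is all that is intended, would keep the name honest. This is generated golden output, so the change belongs in the template that renders it, which is outside this diff.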
@@ -327209,35 +328744,87 @@ spec: # Clean up $KUBECTL -n default delete -f - <4.0.0" + clusterSpec: + console: + enabled: false + image: + repository: docker.redpanda.com/redpandadata/redpanda + tag: v24.2.1 + listeners: + admin: + external: {} + port: 9644 + tls: + cert: "" + enabled: false + requireClientAuth: false + http: + authenticationMethod: none + enabled: true + external: {} + kafkaEndpoint: kafka-default + port: 8082 tls: + cert: "" + enabled: false + requireClientAuth: false + kafka: + authenticationMethod: none + external: {} + port: 9092 + tls: + cert: kafka-internal-0 enabled: true - requireClientAuth: true - adminApi: - - port: 9644 - pandaproxyApi: - - port: 8082 - developerMode: true + requireClientAuth: false + rpc: + port: 33145 + logging: + logLevel: trace + usageStats: + enabled: false + resources: + cpu: + cores: 1 + memory: + container: + max: 2Gi + min: 2Gi + statefulset: + replicas: 3 + storage: + persistentVolume: + enabled: true + size: 100Gi + tls: + certs: + kafka-internal-0: + caEnabled: true + enabled: true + --- + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: cluster-tls-user-client + spec: + emailAddresses: + - test@domain.dom + duration: 43800h0m0s + issuerRef: + group: cert-manager.io + kind: Issuer + name: cluster-tls-kafka-internal-0-root-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: cluster-tls-user-client + EOF $KUBECTL -n default delete pvc --all volumeMounts: 
@@ -327265,126 +328852,7 @@ spec: apiVersion: v1 fieldPath: metadata.namespace path: namespace ---- -# Source: operator/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: operator-kube-prometheus-s-admission-create - namespace: default - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - labels: - app: kube-prometheus-stack-admission-create - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: operator - app.kubernetes.io/version: "51.2.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-51.2.0 - release: "operator" - heritage: "Helm" -spec: - template: - metadata: - name: operator-kube-prometheus-s-admission-create - labels: - app: kube-prometheus-stack-admission-create - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: operator - app.kubernetes.io/version: "51.2.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-51.2.0 - release: "operator" - heritage: "Helm" - spec: - containers: - - name: create - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20221220-controller-v1.5.1-58-g787ea74b6 - imagePullPolicy: IfNotPresent - args: - - create - - --host=operator-kube-prometheus-s-operator,operator-kube-prometheus-s-operator.default.svc - - --namespace=default - - --secret-name=operator-kube-prometheus-s-admission - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - resources: - {} - restartPolicy: OnFailure - serviceAccountName: operator-kube-prometheus-s-admission - securityContext: - runAsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - seccompProfile: - type: RuntimeDefault ---- -# Source: operator/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml 
-apiVersion: batch/v1 -kind: Job -metadata: - name: operator-kube-prometheus-s-admission-patch - namespace: default - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - labels: - app: kube-prometheus-stack-admission-patch - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: operator - app.kubernetes.io/version: "51.2.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-51.2.0 - release: "operator" - heritage: "Helm" -spec: - template: - metadata: - name: operator-kube-prometheus-s-admission-patch - labels: - app: kube-prometheus-stack-admission-patch - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: operator - app.kubernetes.io/version: "51.2.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-51.2.0 - release: "operator" - heritage: "Helm" - spec: - containers: - - name: patch - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20221220-controller-v1.5.1-58-g787ea74b6 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=operator-kube-prometheus-s-admission - - --namespace=default - - --secret-name=operator-kube-prometheus-s-admission - - --patch-failure-policy= - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - resources: - {} - restartPolicy: OnFailure - serviceAccountName: operator-kube-prometheus-s-admission - securityContext: - runAsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - seccompProfile: - type: RuntimeDefault --- testdata/default-values.yaml.golden -- +-- testdata/disabled-service-account-automount-token-with-volume-overwrite.yaml.golden -- --- # Source: operator/templates/service_account.yaml apiVersion: v1 
@@ -328230,8 +329698,7 @@ spec: allowPrivilegeEscalation: false volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access - readOnly: true + name: kube-api-access-overwrite - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ @@ -328277,6 +329744,24 @@ spec: apiVersion: v1 fieldPath: metadata.namespace path: namespace + - name: kube-api-access-overwrite + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 666 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: some-kube-root-ca-config-map.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace --- # Source: operator/templates/tests/create-topic-with-client-auth.yaml apiVersion: v1 @@ -328528,11 +330013,11 @@ spec: apiVersion: v1 fieldPath: metadata.namespace path: namespace --- testdata/disabled-service-account-automount-token-with-volume-overwrite.yaml.golden -- +-- testdata/enabled-service-account-automount-token-in-only-service-account-resource.yaml.golden -- --- # Source: operator/templates/service_account.yaml apiVersion: v1 -automountServiceAccountToken: false +automountServiceAccountToken: true kind: ServiceAccount metadata: annotations: null @@ -329374,7 +330859,8 @@ spec: allowPrivilegeEscalation: false volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-overwrite + name: kube-api-access + readOnly: true - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ 
@@ -329420,24 +330906,6 @@ spec: apiVersion: v1 fieldPath: metadata.namespace path: namespace - - name: kube-api-access-overwrite - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - expirationSeconds: 666 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: some-kube-root-ca-config-map.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace --- # Source: operator/templates/tests/create-topic-with-client-auth.yaml apiVersion: v1 diff --git a/charts/operator/testdata/template-cases.txtar b/charts/operator/testdata/template-cases.txtar index 746d1b8f5f..01c103907c 100644 --- a/charts/operator/testdata/template-cases.txtar +++ b/charts/operator/testdata/template-cases.txtar @@ -69,3 +69,7 @@ serviceAccount: podTemplate: spec: automountServiceAccountToken: true + +-- enabled-service-account-automount-token-in-only-service-account-resource -- +serviceAccount: + automountServiceAccountToken: true
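Review bot: The added template case only covers serviceAccount.automountServiceAccountToken=true with the pod-level toggle left unset; no case exercises serviceAccount.create=false, which is precisely the combination where the three automount predicates in deployment.go differ in how `create` is grouped with the two toggles. Adding `-- disabled-service-account-create --` / `serviceAccount:` / `  create: false` would render the kube-rbac-proxy mounts and the pod volumes under the same values and let the golden file show whether a kube-api-access mount is emitted without a matching volume. A second case with create=true and both toggles true would pin the only combination that is supposed to suppress the projected volume entirely.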