firezone: service account per component (#24)

* firezone: reorganize into subfolders

* firezone: add a service account per component

* firezone: fix service account name

* firezone: fix service account name

* firezone: fix service account name

* firezone: fix fullname templates

* firezone: fix service account name

* firezone: bump chart version

Author: Intuinewin

firezone/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: firezone
-version: 0.8.0
+version: 0.8.1
 appVersion: 7c2796c71676fcd506d8ccc87b8fd89198ccff24
 type: application
 description: A Helm chart for deploying firezone

firezone/templates/_helpers.tpl

@@ -128,14 +128,3 @@ Common env secrets
       name: {{ required "Missing `firezone.email.opts.secret`" .Values.global.email.opts.secret }}
       key: {{ required "Missing `firezone.email.opts.key`" .Values.global.email.opts.key }}
 {{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "firezone.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "firezone.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

firezone/templates/_api_helpers.tpl renamed to firezone/templates/api/_helpers.tpl

@@ -1,3 +1,7 @@
+{{- define "firezone.api.fullname" -}}
+{{- printf "%s-%s" (include "firezone.fullname" $) "api" -}}
+{{- end }}
+
 {{/*
 Api Common labels
 */}}
@@ -18,3 +22,14 @@ app.kubernetes.io/name: {{ include "firezone.name" . }}
 app.kubernetes.io/component: api
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "firezone.api.serviceAccountName" -}}
+{{- if or (.Values.api.serviceAccount.create) (.Values.global.erlangCluster.enableKubernetesClusterModule) }}
+{{- default (include "firezone.api.fullname" .) .Values.api.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.api.serviceAccount.name }}
+{{- end }}
+{{- end }}

firezone/templates/api-deployment.yaml renamed to firezone/templates/api/deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ printf "%s-%s" (include "firezone.fullname" $) "api" }}
+  name: {{ include "firezone.api.fullname" . }}
   labels:
     {{- include "firezone.api.labels" . | nindent 4 }}
 spec:
@@ -29,7 +29,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "firezone.serviceAccountName" . }}
+      serviceAccountName: {{ include "firezone.api.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.api.podSecurityContext | nindent 8 }}
       containers:

firezone/templates/api-hpa.yaml renamed to firezone/templates/api/hpa.yaml

@@ -2,14 +2,14 @@
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
-  name: {{  printf "%s-%s" (include "firezone.fullname" $) "api" }}
+  name: {{ include "firezone.api.fullname" . }}
   labels:
     {{- include "firezone.api.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: {{ printf "%s-%s" (include "firezone.fullname" $) "api" }}
+    name: {{ include "firezone.api.fullname" . }}
   minReplicas: {{ .Values.api.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.api.autoscaling.maxReplicas }}
   metrics:

firezone/templates/api-ingress.yaml renamed to firezone/templates/api/ingress.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.api.ingress.enabled -}}
-{{- $fullName := printf "%s-%s" (include "firezone.fullname" $) "api" -}}
+{{- $fullName := include "firezone.api.fullname" . -}}
 {{- $svcPort := .Values.api.service.port -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress

firezone/templates/role.yaml renamed to firezone/templates/api/role.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "firezone.serviceAccountName" . }}
+  name: {{ include "firezone.api.serviceAccountName" . }}
 rules:
   - apiGroups:
       - ""

firezone/templates/rolebinding.yaml renamed to firezone/templates/api/rolebinding.yaml

@@ -2,12 +2,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "firezone.serviceAccountName" . }}
+  name: {{ include "firezone.api.serviceAccountName" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ include "firezone.serviceAccountName" . }}
+  name: {{ include "firezone.api.serviceAccountName" . }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "firezone.serviceAccountName" . }}
+    name: {{ include "firezone.api.serviceAccountName" . }}
 {{- end }}

firezone/templates/api-service.yaml renamed to firezone/templates/api/service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ printf "%s-%s" (include "firezone.fullname" $) "api" }}
+  name: {{ include "firezone.api.fullname" . }}
   labels:
     {{- include "firezone.api.labels" . | nindent 4 }}
     {{ .Values.global.erlangCluster.kubernetes.selector.key }}: {{ .Values.global.erlangCluster.kubernetes.selector.value }}

firezone/templates/api/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if or (.Values.api.serviceAccount.create) (.Values.global.erlangCluster.enableKubernetesClusterModule) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "firezone.api.serviceAccountName" . }}
+  labels:
+    {{- include "firezone.labels" . | nindent 4 }}
+  {{- with .Values.api.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.api.serviceAccount.automount }}
+{{- end }}

firezone/templates/_domain_helpers.tpl renamed to firezone/templates/domain/_helpers.tpl

@@ -1,3 +1,7 @@
+{{- define "firezone.domain.fullname" -}}
+{{- printf "%s-%s" (include "firezone.fullname" $) "domain" -}}
+{{- end }}
+
 {{/*
 Domain Common labels
 */}}
@@ -18,3 +22,14 @@ app.kubernetes.io/name: {{ include "firezone.name" . }}
 app.kubernetes.io/component: domain
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "firezone.domain.serviceAccountName" -}}
+{{- if or (.Values.domain.serviceAccount.create) (.Values.global.erlangCluster.enableKubernetesClusterModule) }}
+{{- default (include "firezone.domain.fullname" .) .Values.domain.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.domain.serviceAccount.name }}
+{{- end }}
+{{- end }}

firezone/templates/domain-deployment.yaml renamed to firezone/templates/domain/deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ printf "%s-%s" (include "firezone.fullname" $) "domain" }}
+  name: {{ include "firezone.domain.fullname" . }}
   labels:
     {{- include "firezone.domain.labels" . | nindent 4 }}
 spec:
@@ -29,7 +29,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "firezone.serviceAccountName" . }}
+      serviceAccountName: {{ include "firezone.domain.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.domain.podSecurityContext | nindent 8 }}
       containers:

firezone/templates/domain-hpa.yaml renamed to firezone/templates/domain/hpa.yaml

@@ -2,14 +2,14 @@
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
-  name: {{  printf "%s-%s" (include "firezone.fullname" $) "domain" }}
+  name: {{ include "firezone.domain.fullname" . }}
   labels:
     {{- include "firezone.domain.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: {{ printf "%s-%s" (include "firezone.fullname" $) "domain" }}
+    name: {{ include "firezone.domain.fullname" . }}
   minReplicas: {{ .Values.domain.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.domain.autoscaling.maxReplicas }}
   metrics:

firezone/templates/domain/role.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.global.erlangCluster.enableKubernetesClusterModule -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "firezone.domain.serviceAccountName" . }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - list
+{{- end }}

firezone/templates/domain/rolebinding.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.global.erlangCluster.enableKubernetesClusterModule -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "firezone.domain.serviceAccountName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "firezone.domain.serviceAccountName" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "firezone.domain.serviceAccountName" . }}
+{{- end }}

firezone/templates/domain/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if or (.Values.domain.serviceAccount.create) (.Values.global.erlangCluster.enableKubernetesClusterModule) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "firezone.domain.serviceAccountName" . }}
+  labels:
+    {{- include "firezone.labels" . | nindent 4 }}
+  {{- with .Values.domain.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.domain.serviceAccount.automount }}
+{{- end }}

firezone/templates/serviceaccount.yaml

@@ -1,3 +1,7 @@
+{{- define "firezone.web.fullname" -}}
+{{- printf "%s-%s" (include "firezone.fullname" $) "web" -}}
+{{- end }}
+
 {{/*
 Web Common labels
 */}}
@@ -18,3 +22,14 @@ app.kubernetes.io/name: {{ include "firezone.name" . }}
 app.kubernetes.io/component: web
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "firezone.web.serviceAccountName" -}}
+{{- if or (.Values.domain.serviceAccount.create) (.Values.global.erlangCluster.enableKubernetesClusterModule) }}
+{{- default (include "firezone.web.fullname" .) .Values.web.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.web.serviceAccount.name }}
+{{- end }}
+{{- end }}

firezone/templates/_web_helpers.tpl renamed to firezone/templates/web/_helpers.tpl

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ printf "%s-%s" (include "firezone.fullname" $) "web" }}
+  name: {{ include "firezone.web.fullname" . }}
   labels:
     {{- include "firezone.web.labels" . | nindent 4 }}
 spec:
@@ -29,7 +29,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "firezone.serviceAccountName" . }}
+      serviceAccountName: {{ include "firezone.web.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.web.podSecurityContext | nindent 8 }}
       containers:

firezone/templates/web-deployment.yaml renamed to firezone/templates/web/deployment.yaml

@@ -2,14 +2,14 @@
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
-  name: {{  printf "%s-%s" (include "firezone.fullname" $) "web" }}
+  name: {{ include "firezone.web.fullname" . }}
   labels:
     {{- include "firezone.web.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: {{ printf "%s-%s" (include "firezone.fullname" $) "web" }}
+    name: {{ include "firezone.web.fullname" . }}
   minReplicas: {{ .Values.web.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.web.autoscaling.maxReplicas }}
   metrics:

firezone/templates/web-hpa.yaml renamed to firezone/templates/web/hpa.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.web.ingress.enabled -}}
-{{- $fullName := printf "%s-%s" (include "firezone.fullname" $) "web" -}}
+{{- $fullName := include "firezone.web.fullname" . -}}
 {{- $svcPort := .Values.web.service.port -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress

firezone/templates/web-ingress.yaml renamed to firezone/templates/web/ingress.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.global.erlangCluster.enableKubernetesClusterModule -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "firezone.web.serviceAccountName" . }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - list
+{{- end }}

firezone/templates/web/role.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.global.erlangCluster.enableKubernetesClusterModule -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "firezone.web.serviceAccountName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "firezone.web.serviceAccountName" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "firezone.web.serviceAccountName" . }}
+{{- end }}

firezone/templates/web/rolebinding.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ printf "%s-%s" (include "firezone.fullname" $) "web" }}
+  name: {{ include "firezone.web.fullname" . }}
   labels:
     {{- include "firezone.web.labels" . | nindent 4 }}
     {{ .Values.global.erlangCluster.kubernetes.selector.key }}: {{ .Values.global.erlangCluster.kubernetes.selector.value }}

firezone/templates/web-service.yaml renamed to firezone/templates/web/service.yaml

@@ -0,0 +1,13 @@
+{{- if or (.Values.web.serviceAccount.create) (.Values.global.erlangCluster.enableKubernetesClusterModule) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "firezone.web.serviceAccountName" . }}
+  labels:
+    {{- include "firezone.labels" . | nindent 4 }}
+  {{- with .Values.web.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.web.serviceAccount.automount }}
+{{- end }}