[bitnami/joomla] fix: 🔒 Move service-account token auto-mount to pod declaration (#22487)

* [bitnami/joomla] fix: 🔒 Move service-account token auto-mount to pod declaration Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * docs: 🚨 Add next-line Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 fix helper name Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Remove enabled from podSecurityContext when deploying Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
2026-03-12 14:57:18 +08:00 · 2024-01-22 14:27:52 +01:00
parent bfdc456029
commit 194627b1a0
6 changed files with 61 additions and 3 deletions
--- a/bitnami/joomla/Chart.yaml
+++ b/bitnami/joomla/Chart.yaml
@@ -36,4 +36,4 @@ maintainers:
 name: joomla
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/joomla
-version: 18.1.1
+version: 18.2.0
--- a/bitnami/joomla/README.md
+++ b/bitnami/joomla/README.md
@@ -1,5 +1,6 @@
 <!--- app-name: Joomla! -->

+<!-- markdownlint-disable-next-line MD026 -->
 # Bitnami package for Joomla!

 Joomla! is an award winning open source CMS platform for building websites and applications. It includes page caching, page compression and Let's Encrypt auto-configuration support.
@@ -95,6 +96,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `command`                                           | Override default container command (useful when using custom images)                                                 | `[]`                     |
 | `args`                                              | Override default container args (useful when using custom images)                                                    | `[]`                     |
 | `replicaCount`                                      | Number of replicas (requires ReadWriteMany PVC support)                                                              | `1`                      |
+| `automountServiceAccountToken`                      | Mount Service Account token in pod                                                                                   | `false`                  |
 | `hostAliases`                                       | Deployment pod host aliases                                                                                          | `[]`                     |
 | `updateStrategy.type`                               | Update strategy - only really applicable for deployments with RWO PVs attached                                       | `RollingUpdate`          |
 | `extraEnvVars`                                      | Extra environment variables                                                                                          | `[]`                     |
@@ -169,6 +171,10 @@ The command removes all the Kubernetes components associated with the chart and
 | `lifecycleHooks`                                    | LifecycleHook to set additional configuration at startup Evaluated as a template                                     | `{}`                     |
 | `podAnnotations`                                    | Pod annotations                                                                                                      | `{}`                     |
 | `podLabels`                                         | Add additional labels to the pod (evaluated as a template)                                                           | `{}`                     |
+| `serviceAccount.create`                             | Enable creation of ServiceAccount for pod                                                                            | `true`                   |
+| `serviceAccount.name`                               | The name of the ServiceAccount to use.                                                                               | `""`                     |
+| `serviceAccount.automountServiceAccountToken`       | Allows auto mount of ServiceAccountToken on the serviceAccount created                                               | `false`                  |
+| `serviceAccount.annotations`                        | Additional custom annotations for the ServiceAccount                                                                 | `{}`                     |

 ### Traffic Exposure Parameters

--- a/bitnami/joomla/templates/_helpers.tpl
+++ b/bitnami/joomla/templates/_helpers.tpl
@@ -32,6 +32,17 @@ Return the proper Docker Image Registry Secret Names
 {{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image) "global" .Values.global) -}}
 {{- end -}}

+{{/*
+ Create the name of the service account to use
+ */}}
+{{- define "joomla.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return  the proper Storage Class
 */}}
--- a/bitnami/joomla/templates/deployment.yaml
+++ b/bitnami/joomla/templates/deployment.yaml
@@ -34,9 +34,9 @@ spec:
        {{- end }}
    spec:
      {{- include "joomla.imagePullSecrets" . | nindent 6 }}
+      serviceAccountName: {{ include "joomla.serviceAccountName" .}}
      {{- if .Values.podSecurityContext.enabled }}
-      securityContext:
-        fsGroup: {{ .Values.podSecurityContext.fsGroup }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
      {{- end }}
      {{- if .Values.affinity }}
      affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
@@ -64,6 +64,7 @@ spec:
      {{- if .Values.initContainers }}
      initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
      {{- end }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
      {{- if .Values.hostAliases }}
      # yamllint disable rule:indentation
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
--- a/bitnami/joomla/templates/serviceaccount.yaml
+++ b/bitnami/joomla/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "joomla.serviceAccountName" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end -}}
--- a/bitnami/joomla/values.yaml
+++ b/bitnami/joomla/values.yaml
@@ -109,6 +109,9 @@ args: []
 ## @param replicaCount Number of replicas (requires ReadWriteMany PVC support)
 ##
 replicaCount: 1
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
 ## @param hostAliases [array] Deployment pod host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
@@ -378,6 +381,25 @@ podAnnotations: {}
 ##
 podLabels: {}

+## Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+  ## @param serviceAccount.create Enable creation of ServiceAccount for pod
+  ##
+  create: true
+  ## @param serviceAccount.name The name of the ServiceAccount to use.
+  ## If not set and create is true, a name is generated using the common.names.fullname template
+  ##
+  name: ""
+  ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
+  ## Can be set to false if pods using this serviceAccount do not need to use K8s API
+  ##
+  automountServiceAccountToken: false
+  ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
+  ##
+  annotations: {}
+
 ## @section Traffic Exposure Parameters
 ##