Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-02-24 06:47:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/magento] fix: 🔒 Move service-account token auto-mount to pod declaration (#22488)

Browse Source 
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
Co-authored-by: Miguel Ruiz <miruiz@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-01-19 11:53:14 +01:00
committed by GitHub
parent 09708d4231
commit 72db09bfa2
6 changed files with 69 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/magento/Chart.yaml
View File

@@ -48,4 +48,4 @@ maintainers:
name: magento
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/magento
version: 25.1.1
version: 25.2.0

25
bitnami/magento/README.md
View File

@@ -90,6 +90,7 @@ The command removes all the Kubernetes components associated with the chart and
| `image.pullPolicy` | Magento image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Specify if debug logs should be enabled | `false` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `hostAliases` | Add deployment host aliases | `[]` |
| `replicaCount` | Number of Magento Pods to run | `1` |
| `magentoSkipInstall` | Skip Magento installation wizard. Useful for migrations and restoring from SQL dump | `false` |
@@ -252,16 +253,20 @@ The command removes all the Kubernetes components associated with the chart and
### Volume Permissions parameters
| Name | Description | Value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` |
| `volumePermissions.resources.requests` | The requested resourcesc for the init container | `{}` |
| Name | Description | Value |
| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` |
| `volumePermissions.resources.requests` | The requested resourcesc for the init container | `{}` |
| `serviceAccount.create` | Enable creation of ServiceAccount for WordPress pod | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
### Traffic Exposure Parameters

11
bitnami/magento/templates/_helpers.tpl
View File

@@ -67,6 +67,17 @@ When using Ingress, it will be set to the Ingress hostname.
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "magento.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the proper certificate image name
*/}}

2
bitnami/magento/templates/deployment.yaml
View File

@@ -32,6 +32,8 @@ spec:
{{- end }}
spec:
{{- include "magento.imagePullSecrets" . | nindent 6 }}
serviceAccountName: {{ include "magento.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- if .Values.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
{{- end }}

18
bitnami/magento/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "magento.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end -}}

22
bitnami/magento/values.yaml
View File

@@ -89,6 +89,9 @@ image:
## Set to true if you would like to see extra information on logs
##
debug: false
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param hostAliases [array] Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
@@ -749,6 +752,25 @@ volumePermissions:
## memory: 128Mi
requests: {}
## Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
## @param serviceAccount.create Enable creation of ServiceAccount for WordPress pod
##
create: true
## @param serviceAccount.name The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the common.names.fullname template
##
name: ""
## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
## Can be set to false if pods using this serviceAccount do not need to use K8s API
##
automountServiceAccountToken: false
## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
##
annotations: {}
## @section Traffic Exposure Parameters
## Kubernetes configuration