[bitnami/kafka] fix: 🔒 Move service-account token auto-mount to pod declaration (#22415)

* [bitnami/kafka] fix: 🔒 Move service-account token auto-mount to pod declaration

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* test: Update goss test to reflect new value

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* fix: 🐛 Add missing automountSAToken

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-01-22 14:25:31 +01:00
committed by GitHub
parent 6b632870dc
commit 76a58808d2
9 changed files with 36 additions and 2 deletions

View File

@@ -30,7 +30,7 @@ command:
# or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value.
exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi
exit-status: 0 exit-status: 0
{{ if .Vars.serviceAccount.automountServiceAccountToken }} {{ if .Vars.controller.automountServiceAccountToken }}
check-sa: check-sa:
exec: cat /var/run/secrets/kubernetes.io/serviceaccount/token | cut -d '.' -f 2 | xargs -I '{}' echo '{}====' | fold -w 4 | sed '$ d' | tr -d '\n' | base64 -d exec: cat /var/run/secrets/kubernetes.io/serviceaccount/token | cut -d '.' -f 2 | xargs -I '{}' echo '{}====' | fold -w 4 | sed '$ d' | tr -d '\n' | base64 -d
exit-status: 0 exit-status: 0
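Review bot: the `check-sa` test is now gated on `.Vars.controller.automountServiceAccountToken` alone, so the broker pods' token mount is never exercised even though `broker.automountServiceAccountToken` is a separate value in this same commit and the test values only set the controller flag. Gate the check on the value that applies to the pod under test (or on both flags) so a regression in the broker StatefulSet would be caught. The check is also skipped entirely when the flag is false; a negative check for the default (token file absent under `/var/run/secrets/kubernetes.io/serviceaccount/`) would verify that the hardening actually takes effect.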

View File

@@ -39,6 +39,6 @@ controller:
containerSecurityContext: containerSecurityContext:
enabled: true enabled: true
runAsUser: 1002 runAsUser: 1002
automountServiceAccountToken: true
serviceAccount: serviceAccount:
create: true create: true
automountServiceAccountToken: true
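Review bot: `serviceAccount.automountServiceAccountToken: true` is dropped from the test values in favour of `controller.automountServiceAccountToken: true`, but none of the README or `values.yaml` hunks in this commit remove the `serviceAccount.*` parameter. If it stays, the two settings need to be documented together: Kubernetes applies the pod-level `automountServiceAccountToken` over the ServiceAccount-level one, so a user who only sets `serviceAccount.automountServiceAccountToken=true` will still get no token once the StatefulSets render the pod-level `false`.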

View File

@@ -243,6 +243,7 @@ The command removes all the Kubernetes components associated with the chart and
| `controller.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` | | `controller.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` |
| `controller.containerSecurityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly only | `true` | | `controller.containerSecurityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly only | `true` |
| `controller.containerSecurityContext.capabilities.drop` | Set Kafka containers' server Security Context capabilities to be dropped | `["ALL"]` | | `controller.containerSecurityContext.capabilities.drop` | Set Kafka containers' server Security Context capabilities to be dropped | `["ALL"]` |
| `controller.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `controller.hostAliases` | Kafka pods host aliases | `[]` | | `controller.hostAliases` | Kafka pods host aliases | `[]` |
| `controller.hostNetwork` | Specify if host network should be enabled for Kafka pods | `false` | | `controller.hostNetwork` | Specify if host network should be enabled for Kafka pods | `false` |
| `controller.hostIPC` | Specify if host IPC should be enabled for Kafka pods | `false` | | `controller.hostIPC` | Specify if host IPC should be enabled for Kafka pods | `false` |
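Review bot: the description `Mount Service Account token in pod` omits the constraint that `_helpers.tpl` now enforces in this commit: the value has to be `true` when `externalAccess.enabled=true` and `externalAccess.autoDiscovery.enabled=true`, otherwise the new validation message fires. Since this table is generated from the `@param` comments in `values.yaml`, put the constraint in that comment so it lands here; the same applies to the `broker.automountServiceAccountToken` row.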
@@ -348,6 +349,7 @@ The command removes all the Kubernetes components associated with the chart and
| `broker.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` | | `broker.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` |
| `broker.containerSecurityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly only | `true` | | `broker.containerSecurityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly only | `true` |
| `broker.containerSecurityContext.capabilities.drop` | Set Kafka containers' server Security Context capabilities to be dropped | `["ALL"]` | | `broker.containerSecurityContext.capabilities.drop` | Set Kafka containers' server Security Context capabilities to be dropped | `["ALL"]` |
| `broker.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `broker.hostAliases` | Kafka pods host aliases | `[]` | | `broker.hostAliases` | Kafka pods host aliases | `[]` |
| `broker.hostNetwork` | Specify if host network should be enabled for Kafka pods | `false` | | `broker.hostNetwork` | Specify if host network should be enabled for Kafka pods | `false` |
| `broker.hostIPC` | Specify if host IPC should be enabled for Kafka pods | `false` | | `broker.hostIPC` | Specify if host IPC should be enabled for Kafka pods | `false` |
@@ -555,6 +557,7 @@ The command removes all the Kubernetes components associated with the chart and
| `metrics.kafka.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka exporter containers' Security Context allowPrivilegeEscalation | `false` | | `metrics.kafka.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka exporter containers' Security Context allowPrivilegeEscalation | `false` |
| `metrics.kafka.containerSecurityContext.readOnlyRootFilesystem` | Set Kafka exporter containers' Security Context readOnlyRootFilesystem | `true` | | `metrics.kafka.containerSecurityContext.readOnlyRootFilesystem` | Set Kafka exporter containers' Security Context readOnlyRootFilesystem | `true` |
| `metrics.kafka.containerSecurityContext.capabilities.drop` | Set Kafka exporter containers' Security Context capabilities to be dropped | `["ALL"]` | | `metrics.kafka.containerSecurityContext.capabilities.drop` | Set Kafka exporter containers' Security Context capabilities to be dropped | `["ALL"]` |
| `metrics.kafka.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `metrics.kafka.hostAliases` | Kafka exporter pods host aliases | `[]` | | `metrics.kafka.hostAliases` | Kafka exporter pods host aliases | `[]` |
| `metrics.kafka.podLabels` | Extra labels for Kafka exporter pods | `{}` | | `metrics.kafka.podLabels` | Extra labels for Kafka exporter pods | `{}` |
| `metrics.kafka.podAnnotations` | Extra annotations for Kafka exporter pods | `{}` | | `metrics.kafka.podAnnotations` | Extra annotations for Kafka exporter pods | `{}` |
@@ -626,6 +629,7 @@ The command removes all the Kubernetes components associated with the chart and
| Name | Description | Value | | Name | Description | Value |
| ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | --------------------- | | ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| `provisioning.enabled` | Enable kafka provisioning Job | `false` | | `provisioning.enabled` | Enable kafka provisioning Job | `false` |
| `provisioning.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `provisioning.numPartitions` | Default number of partitions for topics when unspecified | `1` | | `provisioning.numPartitions` | Default number of partitions for topics when unspecified | `1` |
| `provisioning.replicationFactor` | Default replication factor for topics when unspecified | `1` | | `provisioning.replicationFactor` | Default replication factor for topics when unspecified | `1` |
| `provisioning.topics` | Kafka topics to provision | `[]` | | `provisioning.topics` | Kafka topics to provision | `[]` |
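Review bot: the `provisioning.automountServiceAccountToken` row says nothing about what the Job loses with the new `false` default. The Job template still sets `serviceAccountName` to the provisioning service account, so anything in the provisioning Job that reaches the Kubernetes API stops working until this is flipped to `true`. State that in the description (or in an upgrade note) rather than leaving only the default value.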

View File

@@ -1131,6 +1131,20 @@ kafka: rbac.create
K8s API. Please note this initContainer requires specific RBAC resources. You can create them K8s API. Please note this initContainer requires specific RBAC resources. You can create them
by specifying "--set rbac.create=true". by specifying "--set rbac.create=true".
{{- end -}} {{- end -}}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (gt (int .Values.controller.replicaCount) 0) (not .Values.controller.automountServiceAccountToken) }}
kafka: controller-automountServiceAccountToken
By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true"
an initContainer will be used to auto-detect the external IPs/ports by querying the
K8s API. Please note this initContainer requires the service account token. Please set controller.automountServiceAccountToken=true
and broker.automountServiceAccountToken=true.
{{- end -}}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (gt (int .Values.broker.replicaCount) 0) (not .Values.broker.automountServiceAccountToken) }}
kafka: broker-automountServiceAccountToken
By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true"
an initContainer will be used to auto-detect the external IPs/ports by querying the
K8s API. Please note this initContainer requires the service account token. Please set controller.automountServiceAccountToken=true
and broker.automountServiceAccountToken=true.
{{- end -}}
{{- end -}} {{- end -}}
{{/* Validate values of Kafka - LoadBalancerIPs or LoadBalancerNames should be set when autoDiscovery is disabled */}} {{/* Validate values of Kafka - LoadBalancerIPs or LoadBalancerNames should be set when autoDiscovery is disabled */}}
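Review bot: the two new validation blocks emit the same message, so the controller block tells the user to set `broker.automountServiceAccountToken=true` even when `broker.replicaCount` is 0 (and the broker block does the reverse), which is confusing for controller-only KRaft deployments. Each block should name only the value its own condition checked, e.g. `Please set controller.automountServiceAccountToken=true` in the `controller-automountServiceAccountToken` block. The `(gt (int .Values.controller.replicaCount) 0)` guard is correct; it is the shared message text that contradicts it.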

View File

@@ -52,6 +52,7 @@ spec:
{{- end }} {{- end }}
spec: spec:
{{- include "kafka.imagePullSecrets" . | nindent 6 }} {{- include "kafka.imagePullSecrets" . | nindent 6 }}
automountServiceAccountToken: {{ .Values.broker.automountServiceAccountToken }}
{{- if .Values.broker.hostAliases }} {{- if .Values.broker.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.broker.hostAliases "context" $) | nindent 8 }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.broker.hostAliases "context" $) | nindent 8 }}
{{- end }} {{- end }}
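Review bot: `automountServiceAccountToken` is rendered unconditionally, so the broker pods now always carry an explicit pod-level value and the ServiceAccount's own setting no longer affects them (the pod field takes precedence in Kubernetes). That is the intended hardening, but it is a behaviour change for existing releases: upgrading with default values removes the token from running brokers. The render-time validation added in `_helpers.tpl` covers the auto-discovery init container, but any other user-supplied containers that relied on the token lose it silently; this needs an entry in the README upgrade section.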

View File

@@ -52,6 +52,7 @@ spec:
{{- end }} {{- end }}
spec: spec:
{{- include "kafka.imagePullSecrets" . | nindent 6 }} {{- include "kafka.imagePullSecrets" . | nindent 6 }}
automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }}
{{- if .Values.controller.hostAliases }} {{- if .Values.controller.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.controller.hostAliases "context" $) | nindent 8 }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.controller.hostAliases "context" $) | nindent 8 }}
{{- end }} {{- end }}

View File

@@ -35,6 +35,7 @@ spec:
{{- end }} {{- end }}
spec: spec:
{{- include "kafka.imagePullSecrets" . | nindent 6 }} {{- include "kafka.imagePullSecrets" . | nindent 6 }}
automountServiceAccountToken: {{ .Values.metrics.kafka.automountServiceAccountToken }}
{{- if .Values.metrics.kafka.hostAliases }} {{- if .Values.metrics.kafka.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.hostAliases "context" $) | nindent 8 }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.hostAliases "context" $) | nindent 8 }}
{{- end }} {{- end }}
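Review bot: a `false` default fits here, since the exporter hunk shows no `serviceAccountName` and the pod has no visible reason to hold the namespace default service account's token. Worth confirming that nothing else in the chart grants the exporter RBAC that this default now makes unreachable; if something does, document the relationship next to this value.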

View File

@@ -28,6 +28,7 @@ spec:
{{- end }} {{- end }}
spec: spec:
serviceAccountName: {{ template "kafka.provisioning.serviceAccountName" . }} serviceAccountName: {{ template "kafka.provisioning.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.provisioning.automountServiceAccountToken }}
enableServiceLinks: {{ .Values.provisioning.enableServiceLinks }} enableServiceLinks: {{ .Values.provisioning.enableServiceLinks }}
{{- include "kafka.imagePullSecrets" . | nindent 6 }} {{- include "kafka.imagePullSecrets" . | nindent 6 }}
{{- if .Values.provisioning.schedulerName }} {{- if .Values.provisioning.schedulerName }}
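Review bot: with `serviceAccountName` still pointing at the dedicated provisioning service account and `automountServiceAccountToken` defaulting to `false`, the service account is created but its token never reaches the Job. If the provisioning Job never calls the Kubernetes API, the dedicated service account is now cosmetic; if it can (for example through containers users add to the Job), the new default breaks it. Either way, add a comment in `values.yaml` explaining when this must be set to `true`.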

View File

@@ -642,6 +642,9 @@ controller:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities: capabilities:
drop: ["ALL"] drop: ["ALL"]
## @param controller.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param controller.hostAliases Kafka pods host aliases ## @param controller.hostAliases Kafka pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
## ##
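Review bot: the `@param controller.automountServiceAccountToken` comment should state the coupling with `externalAccess.autoDiscovery.enabled` that `_helpers.tpl` enforces in this commit, because this comment is the source for the generated README table. Moving from the ServiceAccount-level setting to a pod-level `false` default is also an upgrade-affecting change: releases using auto-discovery must set `controller.automountServiceAccountToken=true` (and `broker.automountServiceAccountToken=true` where brokers run) before upgrading, or they will hit the new validation message. That belongs in the chart's upgrade notes.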
@@ -1039,6 +1042,9 @@ broker:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities: capabilities:
drop: ["ALL"] drop: ["ALL"]
## @param broker.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param broker.hostAliases Kafka pods host aliases ## @param broker.hostAliases Kafka pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
## ##
@@ -1892,6 +1898,9 @@ metrics:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities: capabilities:
drop: ["ALL"] drop: ["ALL"]
## @param metrics.kafka.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param metrics.kafka.hostAliases Kafka exporter pods host aliases ## @param metrics.kafka.hostAliases Kafka exporter pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
## ##
@@ -2227,6 +2236,9 @@ provisioning:
## @param provisioning.enabled Enable kafka provisioning Job ## @param provisioning.enabled Enable kafka provisioning Job
## ##
enabled: false enabled: false
## @param provisioning.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param provisioning.numPartitions Default number of partitions for topics when unspecified ## @param provisioning.numPartitions Default number of partitions for topics when unspecified
## ##
numPartitions: 1 numPartitions: 1