Merge branch 'master' into optional_secret_config

Author: cognifloyd

CHANGELOG.md

@@ -7,6 +7,8 @@
 * Fix mounts for `jobs.preRegisterContentCommand` container to use the same mounts as the primary register-content container. (#322) (by @cognifloyd)
 * Add support for providing custom st2actionrunner-specific docker repository, image name, pull policy, and pull secret via `values.yaml`. (#141) (by @Sheshagiri)
 * Fix bug that hung an init container when `st2.packs.volumes.enabled` without `st2.packs.volumes.configs`. (#324) (by @rebrowning)
+* Add ability to create custom labels for service account.(#327)(by @SuganJoe)
+* Fix bug that would not set the appropriate redis connection string when using `redis.password` and `redis.usePassword` (#325) (by @rebrowning)
 * New Feature: Add `existingConfigSecret`.  If this is defined, the `st2.secrets.conf` key within this secret will be written as /etc/st2/st2.secrets.conf and added to the end of the command line arguments of all pods. (#289) (by @eric-al/@ericreeves)
 
 ## v0.100.0

templates/_helpers.tpl

@@ -114,6 +114,13 @@ Generate list of nodes for Redis with Sentinel connection string, based on numbe
 {{- end -}}
 {{- end -}}
 
+{{- define "stackstorm-ha.redis-password" -}}
+{{- if not .Values.redis.sentinel.enabled }}
+{{- fail "value for redis.sentinel.enabled MUST be true" }}
+{{- end }}
+{{- if not (empty .Values.redis.password)}}:{{ .Values.redis.password }}@{{- end }}
+{{- end -}}
+
 {{/*
 Reduce duplication of the st2.*.conf volume details
 */}}

templates/configmaps_st2-conf.yaml

@@ -17,7 +17,7 @@ data:
     ssh_key_file = {{ tpl .Values.st2.system_user.ssh_key_file . }}
     {{- if index .Values "redis" "enabled" }}
     [coordination]
-    url = redis://{{ template "stackstorm-ha.redis-nodes" $ }}
+    url = redis://{{ template "stackstorm-ha.redis-password" $ }}{{ template "stackstorm-ha.redis-nodes" $ }}
     {{- end }}
     {{- if index .Values "rabbitmq" "enabled" }}
     [messaging]

templates/service-account.yaml

@@ -9,6 +9,9 @@ metadata:
     {{- toYaml .Values.serviceAccount.serviceAccountAnnotations | nindent 4 }}
   {{- end }}
   labels: {{- include "stackstorm-ha.labels" (list $ (include "stackstorm-ha.name" $)) | nindent 4 }}
+    {{- if .Values.serviceAccount.serviceAccountLabels }}
+    {{- toYaml .Values.serviceAccount.serviceAccountLabels | nindent 4 }}
+    {{- end }}
   {{- if .Values.serviceAccount.pullSecret }}
 imagePullSecrets:
 - name: "{{ .Values.serviceAccount.pullSecret }}"

tests/unit/labels_test.yaml

@@ -214,6 +214,24 @@ tests:
           path: metadata.labels.heritage
           value: Helm
 
+  - it: ServiceAccount accepts custom labels
+    template: service-account.yaml
+    set:
+      serviceAccount:
+        create: true
+        serviceAccountLabels:
+          foo: bar
+          answer: "42"
+    asserts:
+      - isNotNull:
+          path: metadata.labels
+      - equal:
+          path: metadata.labels.foo
+          value: bar
+      - equal:
+          path: metadata.labels.answer
+          value: "42"
+
   - it: st2web Ingress has required labels
     template: ingress.yaml
     set:

values.yaml

@@ -32,6 +32,9 @@ serviceAccount:
   serviceAccountAnnotations: {}
   # Used to override service account name
   serviceAccountName:
+  # Used to define any custom labels required
+  #serviceAccountLabels: {}
+
   # Fallback image pull secret.
   # If a pod does not have pull secrets, k8s will use the service account's pull secrets.
   # See: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
@@ -67,7 +70,7 @@ st2:
   config: |
     [api]
     allow_origin = '*'
-  
+
   #Override Definitions can be added here.
   #https://docs.stackstorm.com/latest/packs.html#overriding-pack-defaults
   overrides: {}
@@ -1058,10 +1061,15 @@ redis:
   # https://github.com/bitnami/charts/tree/master/bitnami/redis#master-slave-with-sentinel
   sentinel:
     enabled: true
+    # DO NOT SET sentinel.usePassword, the tooz driver cannot connect to a password protected sentinel
+    # however it can connect to a password protected redis that is being managed by sentinel
+    # usePassword: false
     # Enable or disable static sentinel IDs for each replicas
     # If disabled each sentinel will generate a random id at startup
     # If enabled, each replicas will have a constant ID on each start-up
     staticID: true
+  # if redis.usePassword is true, you can set the password here
+  # password: mysupersecretpassword
   networkPolicy:
     enabled: false
   usePassword: false