Add service account to todoblazor (optional)

charts/todoblazor/CONTRIBUTING.md

@@ -23,6 +23,12 @@ Update `Chart.lock`:
 helm dependency update
 ```
 
+## Review the generated manifest
+
+```bash
+helm template todoblazor . -f values.yaml -f values.mine.yaml --namespace demo > temp.yaml
+```
+
 ## Validate on a test cluster
 
 Create the secret with the connection string:
@@ -37,16 +43,20 @@ kubectl create secret generic todoblazor-database \
 Create a `values.mine.yaml` file:
 
 ```yaml
-dotnet:
-  environment: Development
 webapp:
-  tag: 1.0.21375563304
+  tag: 1.0.21398515939
   db:
-    # connectionString: mongodb://root:admin@todoblazor-mongodb:27017/todolist?authSource=admin
     connectionStringSecretKeyRef:
       name: todoblazor-database
       key: connectionstring
     databaseName: todolist
+dotnet:
+  environment: Development
+security:
+  serviceAccount:
+    create: true
+  rbac:
+    giveClusterAdmin: true
 ingress:
   enabled: true
   className: traefik
@@ -83,9 +93,9 @@ If needed, debug with:
 
 - Forward MongoDB port to view the database from Compass (with connection string "mongodb://root:admin@localhost:27017/todolist?authSource=admin")
 
-    ```bash
-    kubectl port-forward svc/todoblazor-mongodb -n demo 27017:27017
-    ```
+  ```bash
+  kubectl port-forward svc/todoblazor-mongodb -n demo 27017:27017
+  ```
 
 - Have a shell in a MongoDB container
 

charts/todoblazor/Chart.yaml

@@ -2,7 +2,7 @@
 name: todoblazor
 description: Helm chart for Todo Blazor web application
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "1.0.0"
 dependencies:
   - name: mongodb

charts/todoblazor/templates/clusterrolebinding.yaml

@@ -0,0 +1,20 @@
+{{- if and .Values.security.rbac.giveClusterAdmin .Values.security.serviceAccount.create }}
+{{- $namespace := .Release.Namespace }}
+{{- $applications := list .Values.webapp -}}
+{{ range $applications }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .name }}-cluster-admin
+  labels:
+    app: {{ .name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .name }}
+    namespace: {{ $namespace }}
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}
+{{- end }}

charts/todoblazor/templates/deployment.yaml

@@ -1,6 +1,5 @@
 {{- $applications := list .Values.webapp -}}
 {{ range $applications }}
-{{- $name := .name -}}
 {{- if .enabled -}}
 ---
 apiVersion: apps/v1
@@ -21,8 +20,8 @@ spec:
   template:
     metadata:
       labels:
-        app: {{ $name }}
-        app.kubernetes.io/name: {{ $name }}
+        app: {{ .name }}
+        app.kubernetes.io/name: {{ .name }}
         {{- if .additionalPodLabels }}
         {{- toYaml .additionalPodLabels | nindent 8 }}
         {{- end }}
@@ -35,6 +34,11 @@ spec:
                 - key: "kubernetes.io/arch"
                   operator: In
                   values: ["amd64"]
+      {{- if $.Values.security.serviceAccount.create }}
+      serviceAccountName: {{ .name }}
+      {{- else }}
+      serviceAccountName: default
+      {{- end }}
       containers:
         - name: {{ .name }}
           image: {{ .image }}:{{ .tag }}

charts/todoblazor/templates/ingress.yaml

@@ -1,12 +1,11 @@
 {{- $applications := list .Values.webapp -}}
 {{ range $applications }}
-{{- $name := .name -}}
 {{- if and $.Values.ingress.enabled .enabled -}}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ $name }}
+  name: {{ .name }}
   {{- with $.Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -23,7 +22,7 @@ spec:
             pathType: Prefix
             backend:
               service:
-                name: {{ $name }}
+                name: {{ .name }}
                 port:
                   number: {{ .port }}
     {{- range .ingressExtraHosts }}
@@ -35,7 +34,7 @@ spec:
             pathType: {{ .pathType }}
             backend:
               service:
-                name: {{ $name }}
+                name: {{ .name }}
                 port:
                   number: {{ .port }}
           {{- end }}

charts/todoblazor/templates/serviceaccount.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.security.serviceAccount.create }}
+{{- $applications := list .Values.webapp -}}
+{{ range $applications }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .name }}
+  labels:
+    app: {{ .name }}
+{{ end }}
+{{- end }}

charts/todoblazor/values.yaml

@@ -10,6 +10,7 @@
   containerPort: 8080
   healthEndpoint: /health
   db:
+    # important: connectionString or connectionStringSecretKeyRef must be provided
     # connectionString: "someconnstring"
     # connectionStringSecretKeyRef:
     #   name: todoblazor-secret
@@ -38,6 +39,12 @@ dotnet:
   enableOpenTelemetry: false
   enableHttpRedirect: true
 
+security:
+  serviceAccount:
+    create: false
+  rbac:
+    giveClusterAdmin: false
+
 ingress:
   enabled: false
   className: ""