Merge pull request #465 from wunderio/release/2025-01-21

Release 2025-01-21

Author: Rade333

.github/workflows/pull-request.yml

@@ -22,7 +22,7 @@ jobs:
         # Available minikube kubernetes version list:
         # "minikube config defaults kubernetes-version"
         # and https://kubernetes.io/releases/patch-releases/
-        kubernetes-version: ["v1.22.17", "v1.23.17", "v1.24.17", "v1.25.16", "v1.26.15", "v1.27.13", "v1.28.9", "v1.29.4", "v1.30.0", "latest"]
+        kubernetes-version: ["v1.22.17", "v1.23.17", "v1.24.17", "v1.25.16", "v1.26.15", "v1.27.16", "v1.28.13", "v1.29.8", "v1.30.4", "v1.31.0", "latest"]
     env:
       CLUSTER_DOMAIN: minikube.local.wdr.io
       K8S_PROJECT_REPO_DIR: k8s-project-repositories
@@ -41,7 +41,7 @@ jobs:
       - name: Helm and repository setup
         run: |
           # Install Helm 3
-          HELM_VERSION=v3.14.0
+          HELM_VERSION=v3.16.3
           curl -o /tmp/helm.tar.gz https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz \
             && tar -zxvf /tmp/helm.tar.gz -C /tmp \
             && mv /tmp/linux-amd64/helm ~/.local/bin/helm \
@@ -150,8 +150,8 @@ jobs:
             cert-manager jetstack/cert-manager \
             --namespace cert-manager \
             --create-namespace \
-            --version v1.8.0 \
-            --set installCRDs=true \
+            --version v1.16.2 \
+            --set crds.enabled=true \
             --set global.logLevel=1 \
             --wait
 

drupal/Chart.lock

@@ -19,6 +19,6 @@ dependencies:
   version: 8.5.1
 - name: silta-release
   repository: file://../silta-release
-  version: 1.0.0
-digest: sha256:74ab4b2e06e75563a3838c0a20311d052e2d7aeb6e00b4602fae6e9a2fd77fa0
-generated: "2023-10-03T12:07:07.444943085+03:00"
+  version: 1.0.1
+digest: sha256:b7f96b2faca0716d5dd2b8d4a21f053cea6c0fdd8c7391f463e9c677c7c00196
+generated: "2025-01-21T14:03:49.041107+02:00"

drupal/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: drupal
-version: 1.16.0
+version: 1.17.0
 dependencies:
 - name: mariadb
   version: 7.5.x

drupal/templates/_helpers.tpl

@@ -331,7 +331,7 @@ imagePullSecrets:
 {{- define "drupal.wait-for-db-command" }}
 TIME_WAITING=0
 echo "Waiting for database.";
-until mysqladmin status --connect_timeout=2 -u $DB_USER -p$DB_PASS -h $DB_HOST -P ${DB_PORT:-3306} --silent; do
+until mysqladmin status --connect-timeout=2 -u $DB_USER -p$DB_PASS -h $DB_HOST -P ${DB_PORT:-3306} --silent; do
   echo -n "."
   sleep 5
   TIME_WAITING=$((TIME_WAITING+5))
@@ -655,7 +655,7 @@ fi
   TIME_WAITING=0
   echo "Waiting for database.";
 
-  until mysqladmin status --connect_timeout=2 -u $DB_USER -p$DB_PASS -h $DB_HOST --protocol=tcp --silent; do
+  until mysqladmin status --connect-timeout=2 -u $DB_USER -p$DB_PASS -h $DB_HOST --protocol=tcp --silent; do
     echo -n "."
     sleep 1s
     TIME_WAITING=$((TIME_WAITING+1))
@@ -732,3 +732,11 @@ autoscaling/v2beta1
 {{- else }}false
 {{- end }}
 {{- end }}
+
+{{- define "drupal.serviceAccountName" }}
+{{- if .Values.serviceAccount.name }}
+{{- .Values.serviceAccount.name }}
+{{- else }}
+{{- .Release.Name }}-sa
+{{- end }}
+{{- end }}

drupal/templates/backup-cron.yaml

@@ -76,7 +76,7 @@ spec:
                 {{- else }}
                 claimName: {{ .Release.Name }}-backup
                 {{- end }}
-          {{- include "drupal.imagePullSecrets" . | nindent 10 }}
+          serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}
 
 ---

drupal/templates/clamav-deployment.yaml

@@ -76,4 +76,5 @@ spec:
       - name: avdata
         source:
           emptyDir: {}
+      serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}

drupal/templates/drupal-cron.yaml

@@ -159,7 +159,7 @@ spec:
           volumes:
             {{- include "drupal.volumes" $ | nindent 12 }}
 
-          {{- include "drupal.imagePullSecrets" $ | nindent 10 }}
+          serviceAccountName: {{ include "drupal.serviceAccountName" $ }}
 ---
 {{- end }}
 {{- end }}

drupal/templates/drupal-deployment.yaml

@@ -166,7 +166,7 @@ spec:
         - name: sigsci-tmp
           emptyDir: {}
         {{- end }}
-      {{- include "drupal.imagePullSecrets" . | nindent 6 }}
+      serviceAccountName: {{ include "drupal.serviceAccountName" . }}
       nodeSelector:
         {{- .Values.php.nodeSelector | toYaml | nindent 8 }}
       tolerations:

drupal/templates/post-release.yaml

@@ -40,7 +40,7 @@ spec:
           {{- end }}
         resources:
           {{- .Values.php.postinstall.resources | toYaml | nindent 10 }}
-      {{- include "drupal.imagePullSecrets" . | nindent 6 }}
+      serviceAccountName: {{ include "drupal.serviceAccountName" . }}
       volumes:
         {{- include "drupal.volumes" . | nindent 8 }}
         {{- if .Values.referenceData.enabled -}}

drupal/templates/reference-data-cron.yaml

@@ -53,7 +53,7 @@ spec:
                 {{- else }}
                 claimName: {{ include "drupal.referenceEnvironment" . }}-reference-data
                 {{- end }}
-          {{- include "drupal.imagePullSecrets" . | nindent 10 }}
+          serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}
 {{- end }}
 ---

drupal/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-sa
+  labels:
+    {{- include "drupal.release_labels" . | nindent 4 }}
+automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+{{- include "drupal.imagePullSecrets" . }}
+  

drupal/templates/shell-deployment.yaml

@@ -100,6 +100,6 @@ spec:
           claimName: {{ .Release.Name }}-backup
           {{- end }}
       {{- end }}
-      {{- include "drupal.imagePullSecrets" . | nindent 6 }}
+      serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}
 ---

drupal/templates/silta-hub.yaml

@@ -35,7 +35,7 @@ data:
               {{- include "drupal.volumeMounts" . | nindent 14 }}
             resources:
               {{- .Values.php.postinstall.resources | toYaml | nindent 14 }}
-          {{- include "drupal.imagePullSecrets" . | nindent 10 }}
+          serviceAccountName: {{ include "drupal.serviceAccountName" . }}
           volumes:
             {{- include "drupal.volumes" . | nindent 12 }}
   syncPullJob: |
@@ -63,6 +63,6 @@ data:
               {{- include "drupal.volumeMounts" . | nindent 14 }}
             resources:
               {{- .Values.php.postinstall.resources | toYaml | nindent 14 }}
-          {{- include "drupal.imagePullSecrets" . | nindent 10 }}
+          serviceAccountName: {{ .Release.Name }}-sa
           volumes:
             {{- include "drupal.volumes" . | nindent 12 }}

drupal/templates/solr-statefulset.yaml

@@ -79,7 +79,7 @@ spec:
       volumes:
       - name: {{ .Release.Name }}-core-dir
         emptyDir: {}
-      
+      serviceAccountName: {{ include "drupal.serviceAccountName" . }}
   volumeClaimTemplates:
   - metadata:
       name: {{ .Release.Name }}-solr-data

drupal/templates/varnish-deployment.yaml

@@ -74,4 +74,5 @@ spec:
       - name: varnish-secret
         secret:
           secretName: {{ .Release.Name }}-secrets-varnish
+      serviceAccountName: {{ include "drupal.serviceAccountName" . }}
 {{- end }}

drupal/tests/private_docker_image_test.yaml

@@ -1,47 +1,21 @@
 suite: private docker image
 templates:
-  - drupal-configmap.yaml
-  - drupal-cron.yaml
-  - drupal-deployment.yaml
-  - drupal-secret.yaml
-  - post-release.yaml
-capabilities:
-  apiVersions:
-    - pxc.percona.com/v1
+  - serviceaccount.yaml
+
 tests:
   - it: has no image pull secret by default
-    template: drupal-deployment.yaml
+    template: serviceaccount.yaml
     asserts:
       - isNull:
           path: spec.template.spec.imagePullSecrets
-      - template: drupal-cron.yaml
-        isNull:
-          path: spec.jobTemplate.spec.template.spec.imagePullSecrets
-      - template: post-release.yaml
-        isNull:
-          path: spec.template.spec.imagePullSecrets
 
   - it: sets the image pull secret
-    template: drupal-deployment.yaml
+    template: serviceaccount.yaml
     set:
       imagePullSecrets:
         - name: gcr
     asserts:
      - contains:
-         path: spec.template.spec.imagePullSecrets
-         content:
-           name: gcr
-
-     - template: drupal-cron.yaml
-       contains:
-         path: spec.jobTemplate.spec.template.spec.imagePullSecrets
+         path: imagePullSecrets
          content:
            name: gcr
-
-     - template: post-release.yaml
-       contains:
-         path: spec.template.spec.imagePullSecrets
-         content:
-           name: gcr
-
-

drupal/tests/serviceaccount_test.yaml

@@ -0,0 +1,56 @@
+suite: service account test
+templates:
+  - drupal-configmap.yaml
+  - drupal-cron.yaml
+  - drupal-deployment.yaml
+  - drupal-secret.yaml
+  - post-release.yaml
+  - backup-cron.yaml
+tests:
+  - it: has default release serviceaccount by default
+    template: drupal-deployment.yaml
+    set:
+      backup:
+        enabled: true
+    asserts:
+      - template: drupal-deployment.yaml
+        equal:
+          path: spec.template.spec.serviceAccountName
+          value: RELEASE-NAME-sa
+      - template: drupal-cron.yaml
+        equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: RELEASE-NAME-sa
+      - template: post-release.yaml
+        equal:
+          path: spec.template.spec.serviceAccountName
+          value: RELEASE-NAME-sa
+      - template: backup-cron.yaml
+        equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: RELEASE-NAME-sa
+
+  - it: can set a custom serviceaccount
+    template: drupal-deployment.yaml
+    set:
+      serviceAccount:
+        name: foo
+      backup:
+        enabled: true
+    asserts:
+      - template: drupal-deployment.yaml
+        equal:
+          path: spec.template.spec.serviceAccountName
+          value: foo
+      - template: drupal-cron.yaml
+        equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: foo
+      - template: post-release.yaml
+        equal:
+          path: spec.template.spec.serviceAccountName
+          value: foo
+      - template: backup-cron.yaml
+        equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: foo

drupal/values.schema.json

@@ -8,6 +8,14 @@
     "branchName": { "type": "string" },
     "imagePullSecrets": { "type": "array" },
     "imagePullSecret": { "type": "string" },
+    "serviceAccount": { 
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "name": { "type": "string" },
+        "automountServiceAccountToken": { "type": "boolean" }
+      }
+    },
     "app": { "type": "string" },
     "webRoot": { "type": "string" },
 

drupal/values.yaml

@@ -27,6 +27,12 @@ imagePullSecrets: []
 # Custom imagePullSecret for the containers. Base64 encoded. This will create a secret and append it to the imagePullSecrets.
 imagePullSecret: ""
 
+serviceAccount:
+  # Default value: [Release.Name]-sa
+  name: ""
+  # Mount service account token to the containers.
+  automountServiceAccountToken: false
+
 # The app label added to our Kubernetes resources.
 app: drupal
 
@@ -593,6 +599,8 @@ mariadb:
               operator: NotIn
               values:
               - static-ip
+  serviceAccount:
+    create: true
   enableServiceLinks: false
 
 varnish:
@@ -657,6 +665,10 @@ elasticsearch:
   # Disable service links that cause a slow startup.
   enableServiceLinks: false
 
+  rbac:
+    create: true
+    automountToken: false
+
   # This value should be slightly less than 50% of the requested memory.
   esJavaOpts: -Xmx220m -Xms220m
   xpack:
@@ -687,6 +699,9 @@ elasticsearch:
 memcached:
   enabled: false
   replicaCount: 1
+  serviceAccount:
+    create: true
+  automountServiceAccountToken: false
   resources:
     requests:
       cpu: 10m
@@ -700,7 +715,7 @@ memcached:
     # MaxItemSize
     - -I 4M
 
-# https://github.com/bitnami/charts/blob/master/bitnami/redis/values.yaml
+# https://github.com/bitnami/charts/blob/d4dba2b393167d79b8c8f65b46c48b70ee3a9662/bitnami/redis/values.yaml
 redis:
   enabled: false
   architecture: standalone
@@ -719,6 +734,8 @@ redis:
       requests:
         cpu: 50m
         memory: 256Mi
+  serviceAccount:
+    automountServiceAccountToken: false
 
 # Mailhog service overrides
 # see: https://github.com/codecentric/helm-charts/blob/master/charts/mailhog/values.yaml

frontend/Chart.lock

@@ -19,9 +19,9 @@ dependencies:
   version: 13.2.24
 - name: silta-release
   repository: file://../silta-release
-  version: 1.0.0
+  version: 1.0.1
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 19.1.5
-digest: sha256:b494e7a5c8be4e2c9478ba2af95fa91830a6f537bdafc30c1c1399b4024168c3
-generated: "2024-05-02T08:45:24.766124978+03:00"
+digest: sha256:17f6538177ebf6ba9e5688e9f5cc9b36598746144336ffc44bbd4a3ecc062c25
+generated: "2025-01-21T14:04:37.839887+02:00"

frontend/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: frontend
-version: 1.12.0
+version: 1.13.0
 dependencies:
 - name: mariadb
   version: 7.10.x