From a5d203bcca24c78b16910e17711bef8c6b2b4827 Mon Sep 17 00:00:00 2001
From: sunboy
Date: Thu, 2 Feb 2023 01:55:53 +0800
Subject: [PATCH] Add allowedServiceAccounts option to helm chart (#5397)
Signed-off-by: sunzhaochang
Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: Yaron Schneider
(cherry picked from commit 3713a058c7c64455ffa8d96d1bc173b7e64f96d2)
---
 charts/dapr/README.md | 1 +
 .../templates/dapr_sidecar_injector_deployment.yaml | 4 ++++
 charts/dapr/charts/dapr_sidecar_injector/values.yaml | 1 +
 3 files changed, 6 insertions(+)
diff --git a/charts/dapr/README.md b/charts/dapr/README.md
index 590a9176..d2a731b1 100644
--- a/charts/dapr/README.md
+++ b/charts/dapr/README.md
@@ -176,6 +176,7 @@ The Helm chart has the follow configuration options that can be supplied:
 | `dapr_sidecar_injector.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot` for the Sidecar Injector container itself. You may have to set this to `false` when running in Minikube | `true` |
 | `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` |
 | `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` |
+| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `serviceAccount1:namespace1,serviceAccount2:namespace2` | `""` |
 | `dapr_sidecar_injector.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` |
 | `dapr_sidecar_injector.debug.enabled` | Boolean value for enabling debug mode | `{}` |
 | `dapr_sidecar_injector.kubeClusterDomain` | Domain for this kubernetes cluster. If not set, will auto-detect the cluster domain through the `/etc/resolv.conf` file `search domains` content. | `cluster.local` |
diff --git a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
index 1e789e4d..7ed8518b 100644
--- a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
+++ b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
@@ -151,6 +151,10 @@ spec:
 {{- if .Values.sidecarReadOnlyRootFilesystem }}
 - name: SIDECAR_READ_ONLY_ROOT_FILESYSTEM
 value: "{{ .Values.sidecarReadOnlyRootFilesystem }}"
+{{- end }}
+{{- if .Values.allowedServiceAccounts }}
+ - name: ALLOWED_SERVICE_ACCOUNTS
+ value: "{{ .Values.allowedServiceAccounts }}"
 {{- end }}
 ports:
 - name: https
diff --git a/charts/dapr/charts/dapr_sidecar_injector/values.yaml b/charts/dapr/charts/dapr_sidecar_injector/values.yaml
index de5fb690..75186503 100644
--- a/charts/dapr/charts/dapr_sidecar_injector/values.yaml
+++ b/charts/dapr/charts/dapr_sidecar_injector/values.yaml
@@ -21,6 +21,7 @@ sidecarImagePullPolicy: IfNotPresent
 runAsNonRoot: true
 sidecarRunAsNonRoot: true
 sidecarReadOnlyRootFilesystem: true
+allowedServiceAccounts: ""
 resources: {}
 kubeClusterDomain: cluster.local
 ignoreEntrypointTolerations: "[{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"alibabacloud.com/eci\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"azure.com/aci\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"aws\\\"},{\\\"effect\\\":\\\"NoSchedule\\\",\\\"key\\\":\\\"huawei.com/cci\\\"}]"
-- 
GitLab
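Review bot: `value: "{{ .Values.allowedServiceAccounts }}"` wraps an operator-supplied free-form string in hand-written double quotes, so a value containing `"` would produce an invalid rendered manifest; the Helm idiom is `value: {{ .Values.allowedServiceAccounts | quote }}`, which escapes embedded quotes. The neighbouring `SIDECAR_READ_ONLY_ROOT_FILESYSTEM` entry uses the same hand-quoted form, so keeping it is consistent, but that value is a boolean whereas this one is a comma-separated list typed by a human. The `{{- if .Values.allowedServiceAccounts }}` guard correctly omits the env var when the default `""` is left in place. Since the README describes these as extra "allowed service accounts", this setting presumably widens which identities the injector accepts, and the chart performs no format checking — an entry missing its `:namespace` part is passed through verbatim, so whether the injector rejects or silently ignores it cannot be seen from here. The enclosing container spec starts and ends outside the hunk.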
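Review bot: `allowedServiceAccounts: ""` lands in values.yaml with no comment, and nothing in this file tells a reader what shape the string must take or that it extends an allowlist; a one-line comment mirroring the README entry would help, e.g. `# Extra allowed service accounts, comma-separated "serviceAccount:namespace" pairs (see README)`. The explicit `""` default is the right choice over a bare `allowedServiceAccounts:` key, which would be read as null and is easier to misread as "unset" than as "empty list".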