FlowForge helm: 1. Editors: service account. 2. Broker: propagate ingress. 3. README

helm/flowforge/README.md

@@ -32,6 +32,7 @@ If using an external PostgreSQL Database you will need to create the database an
  - `forge.localPostrgresql` Deploy a PostgreSQL v14 Database into Kubernetes cluster (default `true`)
  - `forge.postgres.host` the hostname of an external PostgreSQL database (default not set)
  - `forge.postgres.port` the port of an external PostgreSQL database (default `5432`)
+ - `forge.postgres.ssl` sets the connection to the database to use SSL/TLS (default `false`)
  - `forge.cloudProvider` currently only accepts `aws` but will include more as needed (default not set)
  - `forge.projectSelector` a collection of labels and values to filter nodes that Project Pods will run on (default `role: projects`)
  - `forge.managementSelector` a collection of labels and values to filter nodes the Forge App will run on (default `role: management`)
@@ -121,3 +122,20 @@ Enables FlowForge Telemetry
  ### Ingress
  - `ingress.annotations` ingress annotations (default is `{}`). This value is also applied to Editor instances created by FlowForge.
  - `ingress.className` ingress class name (default is `"""`). This value is also applied to Editor instances created by FlowForge. 
+
+### Editors IAM
+   Provision default service account for Editors if `editors.serviceAccount.create` is `true`.
+
+- `editors.serviceAccount.create` flag, indicates whether default Editors service account is going to be provisioned.
+- `editors.serviceAccount.annotations` k8s service account annotations.
+- `editors.serviceAccount.name` name of the service account for Editors.
+
+Example for <i>AWS</i>:
+```yaml
+editors:
+  serviceAccount:
+    annotations:
+      eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}
+    create: true
+    name: editors
+```

helm/flowforge/templates/broker.yaml

@@ -131,7 +131,13 @@ metadata:
   labels:
     app: flowforge-broker
   annotations:
+  {{- if .Values.ingress.annotations }}
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+  {{- end }}
 spec:
+  {{- if $.Values.ingress.className }}
+  ingressClassName: {{ $.Values.ingress.className }}
+  {{- end }}
   rules:
     - host: mqtt.{{ .Values.forge.domain }}
       http:

helm/flowforge/templates/configmap.yaml

@@ -25,6 +25,9 @@ data:
       user: {{ .Values.forge.dbUsername }}
       password: {{ .Values.forge.dbPassword }}
       db: {{ .Values.forge.dbName }}
+      {{- if and (hasKey .Values.forge "postgres") (hasKey .Values.forge.postgres "ssl") }}
+      ssl: {{ .Values.forge.postgres.ssl }}
+      {{- end }}
     driver:
       type: kubernetes
       options:

helm/flowforge/templates/deployment.yaml

@@ -36,6 +36,10 @@ spec:
         - name: INGRESS_CLASS_NAME
           value: {{ .Values.ingress.className }}
         {{- end }}
+        {{- if .Values.editors.serviceAccount }}
+        - name: EDITOR_SERVICE_ACCOUNT
+          value: {{ .Values.editors.serviceAccount.name }}
+        {{- end }}
         {{- if .Values.forge.projectDeploymentTolerations }}
         - name: DEPLOYMENT_TOLERATIONS
           value: {{ .Values.forge.projectDeploymentTolerations | toJson | quote }}

helm/flowforge/templates/service-account.yaml

@@ -9,11 +9,27 @@ metadata:
     eks.amazonaws.com/sts-regional-endpoints: "true"
   {{- end }}
   {{- end }}
+
+
+{{- if .Values.editors.serviceAccount.create }}
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.editors.serviceAccount.name }}
+  namespace: {{ .Values.forge.projectNamespace }}
+  {{- with .Values.editors.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: create-pod
+  name: {{ .Release.Name }}-create-pod
 rules:
 - apiGroups: [""]
   resources: ["pods", "pods/log", "pods/exec", "pods/status"]
@@ -45,5 +61,5 @@ subjects:
   namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: create-pod
+  name: {{ .Release.Name }}-create-pod
   apiGroup: rbac.authorization.k8s.io

helm/flowforge/values.schema.json

@@ -101,6 +101,9 @@
                         },
                         "port": {
                             "type": "integer"
+                        },
+                        "ssl": {
+                            "type": "boolean"
                         }
                     },
                     "required": [
@@ -113,6 +116,28 @@
                 "projectSelector": {
                     "type": "object"
                 },
+                "projectDeploymentTolerations": {
+                    "type": "array",
+                    "items": {
+                        "type": "object",
+                        "properties": {
+                            "effect": {
+                                "type": "string"
+                            },
+                            "key": {
+                                "type": "string"
+                            },
+                            "operator": {
+                                "type": "string"
+                            },
+                            "value": {
+                                "type": "string"
+                            }
+                        },
+                        "required": ["effect", "key", "operator", "value"]
+                    },
+                    "default": []
+                },
                 "managementSelector": {
                     "type": "object"
                 },
@@ -306,6 +331,29 @@
                     "type": "string"
                 }
             }
+        },
+        "editors": {
+            "type": "object",
+            "properties": {
+                "serviceAccount": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "type": "object",
+                            "minProperties": 0
+                        },
+                        "create": {
+                            "type": "boolean"
+                        },
+                        "name": {
+                            "type": "string",
+                            "description": "Name of service account (scope of uniqueness is a 'Projects' namespace)"
+                        }
+                    },
+                    "required": ["annotations", "name"]
+                }
+            },
+            "required": ["serviceAccount"]
         }
     },
     "required": [

helm/flowforge/values.yaml

@@ -7,12 +7,11 @@ forge:
   projectNamespace: flowforge
   projectSelector:
     role: projects
-
   projectDeploymentTolerations: []
-#    - key: purpose
-#      operator: Equal
-#      value: flowforge-projects
-#      effect: NoSchedule
+  #    - key: purpose
+  #      operator: Equal
+  #      value: flowforge-projects
+  #      effect: NoSchedule
   managementSelector:
     role: management
   telemetry:
@@ -32,17 +31,31 @@ forge:
         type: postgres
         host: flowforge-postgresql
         username: forge
-        password: Zai1Wied
+        password: ""
         database: ff-context
   support:
     enabled: false
 
+  domain: ""
+  entryPoint: ""
+  environment: {}
+  image: ""
+  registry: ""
+
 postgresql:
   postgresqlPostgresPassword: Moomiet0
   postgresqlUsername: forge
   postgresqlPassword: Zai1Wied
   postgresqlDatabase: flowforge
+  global:
+    storageClass: default
 
 ingress:
   annotations: {}
   className: ""
+
+editors:
+  serviceAccount:
+    create: true
+    annotations: {}
+    name: editors