feat(helm): add kubernetes access account token projection support
wbabyte committed Jan 31, 2025
1 parent e435fd0 commit 37f86d6
Showing 8 changed files with 138 additions and 2 deletions.
4 changes: 4 additions & 0 deletions helm/CHANGELOG.md
Expand Up @@ -3,6 +3,10 @@

This file documents all notable changes to [Gravitee.io API Management 3.x](https://github.com/gravitee-io/helm-charts/tree/master/apim/3.x) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).

### 4.4.19

- add kubernetes access account token projection support

### 4.4.16

- Improve HPA by allowing custom annotation, custom metrics and define the behavior spec (APIM-8186)
7 changes: 6 additions & 1 deletion helm/Chart.yaml
Expand Up @@ -23,4 +23,9 @@ annotations:
###########
# "changes" must be the last section in this file, because a CI job clean it after each release
###########
artifacthub.io/changes:
artifacthub.io/changes: |
- kind: added
description: 'Add support of the kubernetes service account token projection'
links:
- name: Github Issue
url: https://github.com/gravitee-io/issues/issues/10225
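--- a/helm/templates/api/api-deployment.yaml
+++ b/helm/templates/api/api-deployment.yaml
@@ -149,6 +149,16 @@ spec:
 containerPort: {{ .Values.api.services.bridge.service.internalPort }}
 {{- end }}
 env:
+{{- if .Values.apim.kubernetes }}
+{{- with .Values.apim.kubernetes.projection }}
+{{- if .enabled }}
+- name: KUBERNETES_SERVICE_ACCOUNT_TOKEN_PROJECTION_ENABLED
+value: 'true'
+- name: KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH
+value: '/var/run/secrets/tokens/vault-token'
+{{- end }}
+{{- end }}
+{{- end }}
 {{- if $plugins }}
 - name: GRAVITEE_PLUGINS_PATH_0
 value: '${gravitee.home}/plugins'
@@ -222,6 +232,14 @@ spec:
 
 resources: {{ toYaml .Values.api.resources | nindent 12 }}
 volumeMounts:
+{{- if .Values.apim.kubernetes }}
+{{- with .Values.apim.kubernetes.projection }}
+{{- if .enabled }}
+- name: vault-token
+mountPath: /var/run/secrets/tokens
+{{- end }}
+{{- end }}
+{{- end }}
 - name: config
 mountPath: /opt/graviteeio-management-api/config/gravitee.yml
 subPath: gravitee.yml
@@ -275,6 +293,19 @@ spec:
 - name: {{ .Values.api.image.pullSecrets }}
 {{- end }}
 volumes:
+{{- if .Values.apim.kubernetes }}
+{{- with .Values.apim.kubernetes.projection }}
+{{- if .enabled }}
+- name: vault-token
+projected:
+sources:
+- serviceAccountToken:
+path: vault-token
+expirationSeconds: {{ .expirationSeconds }}
+audience: {{ .audience }}
+{{- end }}
+{{- end }}
+{{- end }}
 {{- if not (include "api.externalConfig" .) }}
 - name: config
 configMap: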
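Review bot: In the volumes hunk, `audience: {{ .audience }}` renders an unquoted templated scalar, so a user-supplied audience that looks like a boolean or a number (`on`, `1.0`) would be retyped by the YAML parser before the API server sees it; `audience: {{ .audience | quote }}` keeps it a string, while `expirationSeconds` must stay unquoted because the field is an integer. Kubernetes rejects `expirationSeconds` below 600, so a guard such as `{{- if lt (int .expirationSeconds) 600 }}{{ fail "apim.kubernetes.projection.expirationSeconds must be >= 600" }}{{- end }}` would turn an opaque admission error at install time into a clear one. The token path `/var/run/secrets/tokens/vault-token` is spelled out separately in the env var, the mountPath and the projected `path`, in this template and again in gateway-deployment.yaml, so a single named template or variable would keep the four copies from drifting apart. The enclosing Deployment spec starts and ends outside these hunks.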
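--- a/helm/templates/gateway/gateway-deployment.yaml
+++ b/helm/templates/gateway/gateway-deployment.yaml
@@ -152,6 +152,16 @@ spec:
 - name: GRAVITEE_PLUGINS_PATH_1
 value: '${gravitee.home}/plugins-ext'
 {{- end }}
+{{- if .Values.apim.kubernetes }}
+{{- with .Values.apim.kubernetes.projection }}
+{{- if .enabled }}
+- name: KUBERNETES_SERVICE_ACCOUNT_TOKEN_PROJECTION_ENABLED
+value: 'true'
+- name: KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH
+value: '/var/run/secrets/tokens/vault-token'
+{{- end }}
+{{- end }}
+{{- end }}
 {{- if .Values.gateway.env | default .Values.gateway.deployment.extraEnvs }}
 {{ toYaml ( .Values.gateway.env | default .Values.gateway.deployment.extraEnvs ) | indent 12 }}
 {{- end }}
@@ -226,6 +236,14 @@ spec:
 {{- end }}
 resources: {{ toYaml .Values.gateway.resources | nindent 12 }}
 volumeMounts:
+{{- if .Values.apim.kubernetes }}
+{{- with .Values.apim.kubernetes.projection }}
+{{- if .enabled }}
+- name: vault-token
+mountPath: /var/run/secrets/tokens
+{{- end }}
+{{- end }}
+{{- end }}
 - name: config
 mountPath: /opt/graviteeio-gateway/config/gravitee.yml
 subPath: gravitee.yml
@@ -259,6 +277,19 @@ spec:
 - name: {{ .Values.gateway.image.pullSecrets }}
 {{- end }}
 volumes:
+{{- if .Values.apim.kubernetes }}
+{{- with .Values.apim.kubernetes.projection }}
+{{- if .enabled }}
+- name: vault-token
+projected:
+sources:
+- serviceAccountToken:
+path: vault-token
+expirationSeconds: {{ .expirationSeconds }}
+audience: {{ .audience }}
+{{- end }}
+{{- end }}
+{{- end }}
 {{- if not (include "gateway.externalConfig" .) }}
 - name: config
 configMap: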
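Review bot: The projection env block in the first hunk is inserted after the plugin path variables (`GRAVITEE_PLUGINS_PATH_1` … `{{- end }}`), whereas in api-deployment.yaml the same block is inserted before its `{{- if $plugins }}` section; putting it at the same position in both templates would make them easier to keep in sync and would make the tests' `env[0]` assertions less fragile. If plugin paths render with default values, `env[0]` here would be a plugin variable rather than `KUBERNETES_SERVICE_ACCOUNT_TOKEN_PROJECTION_ENABLED`, so the gateway test passing presumably relies on that block being empty by default. A one-line comment above the three nested guards, `{{/* Projected service account token, see .Values.apim.kubernetes.projection */}}`, would tell a reader why `if`/`with`/`if` are stacked. The enclosing container spec starts and ends outside these hunks.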
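--- a/helm/tests/api/deployment_test.yaml
+++ b/helm/tests/api/deployment_test.yaml
@@ -272,3 +272,32 @@ tests:
 - equal:
 path: spec.template.spec.containers[0].securityContext.runAsNonRoot
 value: true
+
+- it: kubernetes service account projection enabled tests
+template: api/api-deployment.yaml
+set:
+apim:
+kubernetes:
+projection:
+enabled: true
+expirationSeconds: 600
+audience: all
+asserts:
+- equal:
+path: spec.template.spec.containers[0].env[0].name
+value: KUBERNETES_SERVICE_ACCOUNT_TOKEN_PROJECTION_ENABLED
+- equal:
+path: spec.template.spec.containers[0].env[0].value
+value: 'true'
+- equal:
+path: spec.template.spec.containers[0].env[1].name
+value: KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH
+- equal:
+path: spec.template.spec.containers[0].env[1].value
+value: '/var/run/secrets/tokens/vault-token'
+- equal:
+path: spec.template.spec.volumes[0].name
+value: vault-token
+- equal:
+path: spec.template.spec.containers[0].volumeMounts[0].name
+value: vault-token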
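Review bot: The new test checks the volume and mount names but never asserts that `expirationSeconds` and `audience` actually reach the projected source, which is the part most likely to regress; add `- equal: {path: spec.template.spec.volumes[0].projected.sources[0].serviceAccountToken.audience, value: all}` and the matching `expirationSeconds` assert with `value: 600`. There is also no case with `enabled: false` (the default in values.yaml) confirming that no `vault-token` volume, mount or env var is rendered. The assertions depend on the projection entries being `env[0]`, `volumes[0]` and `volumeMounts[0]`, which only holds while nothing else renders ahead of them; a `contains` assert on each list would survive reordering. The same three points apply to helm/tests/gateway/deployment_test.yaml.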
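--- a/helm/tests/gateway/deployment_test.yaml
+++ b/helm/tests/gateway/deployment_test.yaml
@@ -314,3 +314,33 @@ tests:
 - equal:
 path: spec.template.spec.containers[0].ports[1].containerPort
 value: 9090
+
+- it: kubernetes service account projection enabled tests
+template: gateway/gateway-deployment.yaml
+set:
+apim:
+kubernetes:
+projection:
+enabled: true
+expirationSeconds: 600
+audience: all
+asserts:
+- equal:
+path: spec.template.spec.containers[0].env[0].name
+value: KUBERNETES_SERVICE_ACCOUNT_TOKEN_PROJECTION_ENABLED
+- equal:
+path: spec.template.spec.containers[0].env[0].value
+value: 'true'
+- equal:
+path: spec.template.spec.containers[0].env[1].name
+value: KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH
+- equal:
+path: spec.template.spec.containers[0].env[1].value
+value: '/var/run/secrets/tokens/vault-token'
+- equal:
+path: spec.template.spec.volumes[0].name
+value: vault-token
+- equal:
+path: spec.template.spec.containers[0].volumeMounts[0].name
+value: vault-token
+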
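--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -75,6 +75,12 @@ apim:
 # Only Gateway will be deployed to the cluster in DB less mode
 dbLess: false
 
+kubernetes:
+projection:
+enabled: false
+expirationSeconds: 2592000
+audience: vault
+
 chaos:
 enabled: false
 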
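Review bot: The new `kubernetes.projection` keys carry no comments, unlike `dbLess` just above them, so a reader of values.yaml cannot tell what the token is for or which values are valid. Suggested comments: above `projection:` `# Mount a projected service account token into the API and Gateway pods (exposed via KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH)`; above `expirationSeconds:` `# Token lifetime in seconds; Kubernetes enforces a minimum of 600. A leaked token stays valid until it expires, so prefer the shortest lifetime the consumer tolerates`; above `audience:` `# Must match the audience the token consumer validates (e.g. a Vault Kubernetes auth role)`. The 30-day default (2592000) is long for a bearer credential, given that the kubelet refreshes projected tokens well before expiry in any case; a default closer to an hour would shrink the exposure window without affecting a working setup.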
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -68,7 +68,7 @@
<gravitee-gateway-api.version>3.5.3</gravitee-gateway-api.version>
<gravitee-integration-api.version>1.1.0</gravitee-integration-api.version>
<gravitee-node.version>6.0.10</gravitee-node.version>
<gravitee-kubernetes.version>3.4.2</gravitee-kubernetes.version>
<gravitee-kubernetes.version>3.4.3</gravitee-kubernetes.version>
<gravitee-notifier-api.version>1.4.3</gravitee-notifier-api.version>
<gravitee-plugin.version>3.1.1</gravitee-plugin.version>
<gravitee-platform-repository-api.version>1.3.0</gravitee-platform-repository-api.version>
