feat: Update aws-sdk to enable IRSA (AWS IAM Roles for ServiceAccount…

…s) support, add securityContext to helm chart (#200) - Update AWS SDK version - securityContext in a helm chart
external-secrets · Nov 7, 2019 · 165662c · 165662c
1 parent 25e2f74
commit 165662c
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 48 deletions.
diff --git a/charts/kubernetes-external-secrets/README.md b/charts/kubernetes-external-secrets/README.md
@@ -22,6 +22,12 @@ $ helm install --name my-release external-secrets/kubernetes-external-secrets
 
 > **Tip:** A namespace can be specified by the `Helm` option '`--namespace kube-external-secrets`'
 
+To install the chart with [AWS IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html):
+
+```bash
+$ helm install --name my-release --set securityContext.fsGroup=65534 --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"='arn:aws:iam::111111111111:role/ROLENAME' external-secrets/kubernetes-external-secrets
+```
+
 ## Uninstalling the Chart
 
 To uninstall/delete the deployment:
@@ -49,8 +55,10 @@ The following table lists the configurable parameters of the `kubernetes-externa
 | `nameOverride` | Override the name of app | `nil` |
 | `fullnameOverride` | Override the full name of app | `nil` |
 | `rbac.create` | Create & use RBAC resources | `true` |
+| `securityContext.fsGroup` | Security context for the container | `{}` |
 | `serviceAccount.create` | Whether a new service account name should be created. | `true` |
-| `serviceAccount.name` | Service account to be used. | automatically generated
+| `serviceAccount.name` | Service account to be used. | automatically generated |
+| `serviceAccount.annotations` | Annotations to be added to service account | `nil` |
 | `podAnnotations` | Annotations to be added to pods | `{}` |
 | `replicaCount` | Number of replicas | `1` |
 | `nodeSelector` | node labels for pod assignment | `{}` |

diff --git a/charts/kubernetes-external-secrets/templates/deployment.yaml b/charts/kubernetes-external-secrets/templates/deployment.yaml
@@ -24,6 +24,9 @@ spec:
  {{- end }}
  spec:
  serviceAccountName: {{ template "kubernetes-external-secrets.serviceAccountName" . }}
+ {{- if .Values.securityContext }}
+ securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
+ {{- end }}
  containers:
  - name: {{ .Chart.Name }}
  image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

diff --git a/charts/kubernetes-external-secrets/values.yaml b/charts/kubernetes-external-secrets/values.yaml
@@ -43,6 +43,9 @@ fullnameOverride: ""
 
 podAnnotations: {}
 
+securityContext: {}
+ # fsGroup: 65534
+
 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -29,7 +29,7 @@
  "node": ">=12.0.0"
  },
  "dependencies": {
- "aws-sdk": "^2.433.0",
+ "aws-sdk": "^2.566.0",
  "express": "^4.17.1",
  "json-stream": "^1.0.0",
  "kubernetes-client": "^8.3.0",