serviceAccount.annotations config for all our k8s SA

jupyterhub · Jun 7, 2021 · 7109528 · 7109528
1 parent 0deaa98
commit 7109528
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 0 deletions.
diff --git a/jupyterhub/schema.yaml b/jupyterhub/schema.yaml
@@ -1132,6 +1132,18 @@ properties:
         deprecated: true
         description: |
           DEPRECATED: Use [`imagePullSecret`](schema_imagePullSecret) instead.
+      serviceAccount: &serviceAccount
+        type: object
+        additionalProperties: false
+        description: |
+          Configuration for a k8s ServiceAccount dedicated for use by the
+          specific pod which this configuration is nested under.
+        properties:
+          annotations:
+            type: object
+            additionalProperties: true
+            description: |
+              Kubernetes annotations to apply to the k8s ServiceAccount.
 
   proxy:
     type: object
@@ -1544,6 +1556,7 @@ properties:
                 type: boolean
           image: *image-spec
           resources: *resources-spec
+          serviceAccount: *serviceAccount
       labels:
         type: object
         additionalProperties: true
@@ -2062,6 +2075,7 @@ properties:
                         weight:
                           type: integer
           resources: *resources-spec
+          serviceAccount: *serviceAccount
       podPriority:
         type: object
         additionalProperties: false
@@ -2333,6 +2347,7 @@ properties:
           containerSecurityContext: *containerSecurityContext-spec
           image: *image-spec
           resources: *resources-spec
+          serviceAccount: *serviceAccount
       continuous:
         type: object
         additionalProperties: false

diff --git a/jupyterhub/templates/image-puller/rbac.yaml b/jupyterhub/templates/image-puller/rbac.yaml
@@ -17,6 +17,9 @@ metadata:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "0"
+    {{- with .Values.prePuller.hook.serviceAccount.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
 ---
 {{- /*
 ... will be used by this role...

diff --git a/jupyterhub/templates/proxy/autohttps/rbac.yaml b/jupyterhub/templates/proxy/autohttps/rbac.yaml
@@ -7,6 +7,10 @@ metadata:
   name: {{ include "jupyterhub.autohttps.fullname" . }}
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
+  {{- with .Values.proxy.traefik.serviceAccount.annotations }}
+  annotations:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
 rules:
 - apiGroups: [""]
   resources: ["secrets"]

diff --git a/jupyterhub/templates/scheduling/user-scheduler/rbac.yaml b/jupyterhub/templates/scheduling/user-scheduler/rbac.yaml
@@ -6,6 +6,10 @@ metadata:
   name: {{ include "jupyterhub.user-scheduler-deploy.fullname" . }}
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
+  {{- with .Values.scheduling.userScheduler.serviceAccount.annotations }}
+  annotations:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
@@ -263,6 +263,8 @@ proxy:
       enabled: false
       maxUnavailable:
       minAvailable: 1
+    serviceAccount:
+      annotations: {}
   secretSync:
     containerSecurityContext:
       runAsUser: 65534 # nobody user
@@ -433,6 +435,8 @@ scheduling:
       maxUnavailable: 1
       minAvailable:
     resources: {}
+    serviceAccount:
+      annotations: {}
   podPriority:
     enabled: false
     globalDefault: false
@@ -498,6 +502,8 @@ prePuller:
     nodeSelector: {}
     tolerations: []
     resources: {}
+    serviceAccount:
+      annotations: {}
   continuous:
     enabled: true
   pullProfileListImages: true

diff --git a/tools/templates/lint-and-validate-values.yaml b/tools/templates/lint-and-validate-values.yaml
@@ -159,6 +159,8 @@ hub:
       operator: Equal
       value: mock-taint-value-hub
       effect: NoSchedule
+  serviceAccount: &serviceAccount
+    annotations: *annotations
 
 rbac:
   enabled: true
@@ -228,6 +230,7 @@ proxy:
       enabled: true
       maxUnavailable: null
       minAvailable: 1
+    serviceAccount: *serviceAccount
   secretSync:
     resources: *resources
   labels: *labels
@@ -392,6 +395,7 @@ scheduling:
           - name: NodePreferAvoidPods
             weight: 161051
           - name: NodeAffinity
+    serviceAccount: *serviceAccount
   podPriority:
     enabled: true
   userPlaceholder:
@@ -430,6 +434,7 @@ prePuller:
         operator: Equal
         value: mock-taint-value-hook
         effect: NoSchedule
+    serviceAccount: *serviceAccount
   continuous:
     enabled: true
   extraImages: