diff --git a/chart/compass/charts/director/templates/deployment.yaml b/chart/compass/charts/director/templates/deployment.yaml index 90072dd972..7c52d58a1c 100644 --- a/chart/compass/charts/director/templates/deployment.yaml +++ b/chart/compass/charts/director/templates/deployment.yaml @@ -252,34 +252,20 @@ spec: mountPath: /pairing-adapters {{ end }} - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true - name: cloudsql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine command: ["/cloud_sql_proxy", "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432", - "-credential_file=/secrets/cloudsql-instance-credentials/credentials.json", "-term_timeout=2s"] resources: {{- toYaml .Values.deployment.resourcesCloudsqlProxy | nindent 12 }} - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true {{- with .Values.deployment.securityContext }} securityContext: {{ toYaml . | indent 12 }} {{- end }} {{end}} volumes: - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} - name: director-config configMap: name: {{ template "fullname" . }}-config diff --git a/chart/compass/charts/director/templates/oauth-clients-scopes-sync-job.yaml b/chart/compass/charts/director/templates/oauth-clients-scopes-sync-job.yaml index 5de9968b7e..2a318168f0 100644 --- a/chart/compass/charts/director/templates/oauth-clients-scopes-sync-job.yaml +++ b/chart/compass/charts/director/templates/oauth-clients-scopes-sync-job.yaml @@ -26,6 +26,7 @@ spec: app: {{ $jobName }} release: {{ .Release.Name }} spec: + serviceAccountName: {{ template "fullname" . }} restartPolicy: Never shareProcessNamespace: true containers: 
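Review bot: The `{{if eq .Values.global.database.embedded.enabled false}}` line above the removed credential mount is deleted, but the `{{end}}` after the securityContext block is kept, so as the hunk stands the template has an unmatched `{{end}}` and will not parse; the ord-service and tenant-fetcher deployment hunks keep that opener and remove only the mount lines beneath it. Keep `{{if eq .Values.global.database.embedded.enabled false}}` in place and drop just the three `cloudsql-instance-credentials` mount lines. This Deployment is also the only one in the commit that gets no `serviceAccountName` line; it is worth confirming that the pod spec outside the hunk already references the account from rbac.yaml, because otherwise the proxy sidecar runs under the unannotated default account.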
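Review bot: `serviceAccountName: {{ template "fullname" . }}` makes this job run under the director's Kubernetes ServiceAccount, which rbac.yaml binds to a Role, so the job now inherits whatever API permissions that Role grants purely to give the proxy sidecar a GCP identity. The tenant-loader cronjob and tenant-loader job hunks make the same choice. If the Role grants more than these jobs need, a dedicated ServiceAccount carrying only the `iam.gke.io/gcp-service-account` annotation, as the migrator jobs get in this commit, keeps a compromised job pod from also holding the director's API permissions.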
@@ -88,19 +89,10 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true + - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" {{- end}} volumes: - name: director-config configMap: name: {{ template "fullname" . }}-config - {{- if eq .Values.global.database.embedded.enabled false }} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{- end }} {{- end }} diff --git a/chart/compass/charts/director/templates/rbac.yaml b/chart/compass/charts/director/templates/rbac.yaml index 70a2c3905e..0acfdccffd 100644 --- a/chart/compass/charts/director/templates/rbac.yaml +++ b/chart/compass/charts/director/templates/rbac.yaml @@ -3,6 +3,10 @@ kind: ServiceAccount metadata: name: {{ template "fullname" . }} namespace: {{ .Release.Namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/chart/compass/charts/director/templates/tenant-loader-cronjob-external.yaml b/chart/compass/charts/director/templates/tenant-loader-cronjob-external.yaml index 9bf8381ff2..7de9c32451 100644 --- a/chart/compass/charts/director/templates/tenant-loader-cronjob-external.yaml +++ b/chart/compass/charts/director/templates/tenant-loader-cronjob-external.yaml 
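Review bot: `{{ $.Values.global.database.sqlProxyServiceAccount | quote }}` renders an empty annotation when the value is unset, and the proxy then fails only at runtime with an opaque authentication error; `{{ required "global.database.sqlProxyServiceAccount must be set when the embedded database is disabled" $.Values.global.database.sqlProxyServiceAccount | quote }}` fails the render instead. Every other ServiceAccount hunk in this commit has the same shape and would take the same change. The annotation is also only half of Workload Identity: each Kubernetes account this commit creates or annotates, including the e2e accounts in `.Values.global.tests.namespace`, needs its own `roles/iam.workloadIdentityUser` binding on the GCP service account for its namespace/name pair, so the chart documentation should list those account names as an installation prerequisite.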
@@ -16,6 +16,7 @@ spec: app: {{ .Chart.Name }}-tenant-loader release: {{ .Release.Name }} spec: + serviceAccountName: {{ template "fullname" . }} restartPolicy: Never shareProcessNamespace: true containers: @@ -75,18 +76,9 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true + - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" {{end}} volumes: - name: external-tenant-config configMap: name: compass-director-external-tenant-config - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} \ No newline at end of file diff --git a/chart/compass/charts/director/templates/tenant-loader-job-default.yaml b/chart/compass/charts/director/templates/tenant-loader-job-default.yaml index 8d5eef6012..f9091e2b45 100644 --- a/chart/compass/charts/director/templates/tenant-loader-job-default.yaml +++ b/chart/compass/charts/director/templates/tenant-loader-job-default.yaml @@ -17,6 +17,7 @@ spec: app: {{ .Chart.Name }} release: {{ .Release.Name }} spec: + serviceAccountName: {{ template "fullname" . }} restartPolicy: Never shareProcessNamespace: true containers: 
@@ -76,19 +77,10 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true + - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" {{end}} volumes: - name: default-tenant-config configMap: name: {{ template "fullname" . }}-default-tenant-config - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} {{ end }} diff --git a/chart/compass/charts/ord-service/templates/deployment.yaml b/chart/compass/charts/ord-service/templates/deployment.yaml index 187d7a5990..3f5bb3019c 100644 --- a/chart/compass/charts/ord-service/templates/deployment.yaml +++ b/chart/compass/charts/ord-service/templates/deployment.yaml @@ -33,6 +33,7 @@ spec: app: {{ .Chart.Name }} release: {{ .Release.Name }} spec: + serviceAccountName: {{ template "fullname" . }} nodeSelector: {{- toYaml .Values.deployment.nodeSelector | nindent 8 }} containers: 
@@ -104,29 +105,15 @@ spec: periodSeconds: {{.Values.deployment.readinessProbe.periodSeconds }} volumeMounts: {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true - name: cloudsql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine command: ["/cloud_sql_proxy", "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432", - "-credential_file=/secrets/cloudsql-instance-credentials/credentials.json", "-term_timeout=2s"] resources: {{- toYaml .Values.deployment.resourcesCloudsqlProxy | nindent 12 }} - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true {{- with .Values.deployment.securityContext }} securityContext: {{ toYaml . | indent 12 }} {{- end }} {{end}} - volumes: - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} diff --git a/chart/compass/charts/ord-service/templates/rbac.yaml b/chart/compass/charts/ord-service/templates/rbac.yaml new file mode 100644 index 0000000000..53413c3fea --- /dev/null +++ b/chart/compass/charts/ord-service/templates/rbac.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} diff --git a/chart/compass/charts/prometheus-postgres-exporter/templates/deployment.yaml b/chart/compass/charts/prometheus-postgres-exporter/templates/deployment.yaml index d3eecdf6b9..acfaac1d1c 100644 --- a/chart/compass/charts/prometheus-postgres-exporter/templates/deployment.yaml +++ b/chart/compass/charts/prometheus-postgres-exporter/templates/deployment.yaml 
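Review bot: After the removal, the `volumeMounts:` key on the application container (the line right before the kept `{{if`) has no entries left and renders as a null value, which yamllint flags and which reads as a leftover. The tenant-fetcher deployment hunk removes the key together with the mounts; this hunk should do the same. The `volumes:` block removed at the bottom appears to have held only the credentials volume, so dropping the key there is consistent.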
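Review bot: This ServiceAccount exists only to carry the GKE identity annotation for the proxy sidecar, yet a Kubernetes API token is still projected into every pod that uses it; if the ord-service pod does not call the Kubernetes API, `automountServiceAccountToken: false` on the account removes a credential that an attacker inside the pod could otherwise use. As far as I know the GKE metadata server resolves the pod's identity from its service account rather than through the mounted token, so this should not affect the proxy, but it deserves a quick check. The tenant-fetcher and tests/istio rbac.yaml files added in this commit are identical and would take the same line, and a one-line header comment saying the account is annotated for Workload Identity when the embedded database is disabled would explain the otherwise bare file.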
@@ -100,12 +100,7 @@ spec: - name: cloudsql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine command: ["/cloud_sql_proxy", - "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432", - "-credential_file=/secrets/cloudsql-instance-credentials/credentials.json"] - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true + "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432"] {{end}} {{- with .Values.extraContainers }} {{ tpl . $ | indent 8 }} @@ -129,11 +124,6 @@ spec: defaultMode: 420 name: {{ template "prometheus-postgres-exporter.fullname" . }} name: queries - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} {{- with .Values.extraVolumes }} {{ tpl . $ | indent 6 }} {{- end }} diff --git a/chart/compass/charts/prometheus-postgres-exporter/templates/serviceaccount.yaml b/chart/compass/charts/prometheus-postgres-exporter/templates/serviceaccount.yaml index 23c98ba415..a3888f60cd 100644 --- a/chart/compass/charts/prometheus-postgres-exporter/templates/serviceaccount.yaml +++ b/chart/compass/charts/prometheus-postgres-exporter/templates/serviceaccount.yaml @@ -3,6 +3,10 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "prometheus-postgres-exporter.serviceAccountName" . }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} labels: app: {{ template "prometheus-postgres-exporter.name" . }} chart: {{ template "prometheus-postgres-exporter.chart" . }} diff --git a/chart/compass/charts/tenant-fetcher/templates/deployment.yaml b/chart/compass/charts/tenant-fetcher/templates/deployment.yaml index 3dac4ece0f..a77f2b59e7 100644 
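Review bot: The annotation is added inside a template whose first two lines sit outside the hunk and, given the `prometheus-postgres-exporter.serviceAccountName` helper, presumably gate creation of the account; when the chart is told to reuse an existing account nothing applies `iam.gke.io/gcp-service-account` to it. That matters because without `-credential_file` the proxy falls back to application default credentials, so on a node pool without Workload Identity enabled it silently authenticates as the node's own GCP service account instead of failing. The chart documentation should state that a pre-existing account must carry the annotation, or the deployment template should refuse to render the proxy sidecar when the chart cannot apply it.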
--- a/chart/compass/charts/tenant-fetcher/templates/deployment.yaml +++ b/chart/compass/charts/tenant-fetcher/templates/deployment.yaml @@ -33,6 +33,7 @@ spec: app: {{ .Chart.Name }} release: {{ .Release.Name }} spec: + serviceAccountName: {{ template "fullname" . }} nodeSelector: {{- toYaml .Values.deployment.nodeSelector | nindent 8 }} containers: @@ -142,30 +143,15 @@ spec: timeoutSeconds: {{ .Values.global.readinessProbe.timeoutSeconds }} periodSeconds: {{.Values.global.readinessProbe.periodSeconds }} {{if eq .Values.global.database.embedded.enabled false}} - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true - name: cloudsql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine command: ["/cloud_sql_proxy", "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432", - "-credential_file=/secrets/cloudsql-instance-credentials/credentials.json", "-term_timeout=2s"] resources: {{- toYaml .Values.deployment.resourcesCloudsqlProxy | nindent 12 }} - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true {{- with .Values.deployment.securityContext }} securityContext: {{ toYaml . | indent 12 }} {{- end }} {{end}} - volumes: - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} \ No newline at end of file diff --git a/chart/compass/charts/tenant-fetcher/templates/rbac.yaml b/chart/compass/charts/tenant-fetcher/templates/rbac.yaml new file mode 100644 index 0000000000..53413c3fea --- /dev/null +++ b/chart/compass/charts/tenant-fetcher/templates/rbac.yaml 
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} diff --git a/chart/compass/configure-managed-gcp-postgresql.md b/chart/compass/configure-managed-gcp-postgresql.md index a0a2ebbe00..c384cc400d 100644 --- a/chart/compass/configure-managed-gcp-postgresql.md +++ b/chart/compass/configure-managed-gcp-postgresql.md @@ -16,7 +16,6 @@ To install Compass with GCP managed Postgres database, set the **database.embedd | Parameter | Description | Values | Default | | --- | --- | --- | --- | -| `global.database.managedGCP.serviceAccountKey` | Specifies base64 encoded the key for GCP Service Account mentioned in prerequisites. | base64 encoded string | "" | | `global.database.managedGCP.instanceConnectionName` | Specifies instance connection name to GCP PostgreSQL database | string | "" | | `global.database.managedGCP.director.user` | Specifies the database username in the Director. | string | "" | | `global.database.managedGCP.director.password` | Specifies the password to the user's database in the Director. | string | "" | diff --git a/chart/compass/templates/managed-postgresql-secret.yaml b/chart/compass/templates/managed-postgresql-secret.yaml index 99bb0ee9cf..b2f7d0c23e 100644 --- a/chart/compass/templates/managed-postgresql-secret.yaml +++ b/chart/compass/templates/managed-postgresql-secret.yaml 
@@ -1,15 +1,6 @@ {{if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.manageSecrets true) }} apiVersion: v1 kind: Secret -type: Opaque -metadata: - name: cloudsql-instance-credentials - namespace: {{ .Release.Namespace }} -data: - credentials.json: {{ .Values.global.database.managedGCP.serviceAccountKey }} ---- -apiVersion: v1 -kind: Secret metadata: name: compass-postgresql namespace: {{ .Release.Namespace }} @@ -27,15 +18,6 @@ data: --- apiVersion: v1 kind: Secret -type: Opaque -metadata: - name: cloudsql-instance-credentials - namespace: {{ .Values.global.tests.namespace }} -data: - credentials.json: {{ .Values.global.database.managedGCP.serviceAccountKey }} ---- -apiVersion: v1 -kind: Secret metadata: name: compass-postgresql namespace: {{ .Values.global.tests.namespace }} diff --git a/chart/compass/templates/migrator-down-job.yaml b/chart/compass/templates/migrator-down-job.yaml index 402516a5a8..03b8dc77b1 100644 --- a/chart/compass/templates/migrator-down-job.yaml +++ b/chart/compass/templates/migrator-down-job.yaml @@ -16,6 +16,7 @@ spec: app: {{ .Chart.Name }} release: {{ .Release.Name }} spec: + serviceAccountName: {{ $.Chart.Name }}-migrator-down-job {{- if eq .Values.global.migratorJob.nodeSelectorEnabled true }} nodeSelector: migrationJobs: "true" 
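Review bot: Dropping the `cloudsql-instance-credentials` Secret from the release removes the key from the cluster on upgrade but not from GCP, and installs with `manageSecrets: false` keep whatever copy the operator created by hand. The upgrade notes should tell operators to delete the now-unused key on the proxy service account in IAM and to remove their out-of-band Secret, since a leaked copy of that key stays valid until it is revoked. The `type: Opaque` line removed here belonged only to the deleted Secret; the remaining `compass-postgresql` Secret never declared one, so its type is unchanged.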
@@ -30,11 +31,7 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true + - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" {{- end }} - name: migrator image: {{ .Values.global.images.containerRegistry.path }}/{{ .Values.global.images.schema_migrator.dir }}compass-schema-migrator:{{ .Values.global.images.schema_migrator.version }} @@ -82,8 +79,19 @@ spec: - name: migrations-storage persistentVolumeClaim: claimName: {{ .Values.global.migratorJob.pvc.name }} - {{- if eq .Values.global.database.embedded.enabled false }} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $.Chart.Name }}-migrator-down-job + namespace: {{ $.Release.Namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} + labels: + app: {{ $.Chart.Name }} + release: {{ $.Release.Name }} + helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + app.kubernetes.io/managed-by: {{ $.Release.Service }} + app.kubernetes.io/instance: {{ $.Release.Name }} \ No newline at end of file diff --git a/chart/compass/templates/migrator-job.yaml b/chart/compass/templates/migrator-job.yaml index 0726d411a4..9e588f8775 100644 --- a/chart/compass/templates/migrator-job.yaml +++ b/chart/compass/templates/migrator-job.yaml 
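Review bot: The ServiceAccount appended after the `---` has no `helm.sh/hook` annotations, so if the migrator Job is installed as a Helm hook (its metadata is outside the hunk) the hook pod is created before this regular release resource exists and fails with a missing service account. In that case the account needs the same `helm.sh/hook` annotation as the Job with a lower `helm.sh/hook-weight`, plus a matching hook-delete policy; the migrator-job.yaml hunk has the same structure. If the Job is not a hook, a short comment above the `---` saying so would save the next reader the same check.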
@@ -12,6 +12,7 @@ spec: app: {{ .Chart.Name }} release: {{ .Release.Name }} spec: + serviceAccountName: {{ $.Chart.Name }}-migrator-job {{- if eq .Values.global.migratorJob.nodeSelectorEnabled true }} nodeSelector: migrationJobs: "true" @@ -26,11 +27,7 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true + - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" {{ end }} - name: migrator image: {{ .Values.global.images.containerRegistry.path }}/{{ .Values.global.images.schema_migrator.dir }}compass-schema-migrator:{{ .Values.global.images.schema_migrator.version }} @@ -78,8 +75,19 @@ spec: - name: migrations-storage persistentVolumeClaim: claimName: {{ .Values.global.migratorJob.pvc.name }} - {{- if eq .Values.global.database.embedded.enabled false }} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $.Chart.Name }}-migrator-job + namespace: {{ $.Release.Namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} + labels: + app: {{ $.Chart.Name }} + release: {{ $.Release.Name }} + helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + app.kubernetes.io/managed-by: {{ $.Release.Service }} + app.kubernetes.io/instance: {{ $.Release.Name }} 
diff --git a/chart/compass/templates/ord-aggregator-job.yaml b/chart/compass/templates/ord-aggregator-job.yaml index 49e26bf460..375ec7bf5b 100644 --- a/chart/compass/templates/ord-aggregator-job.yaml +++ b/chart/compass/templates/ord-aggregator-job.yaml @@ -98,20 +98,11 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT; /cloud_sql_proxy -instances={{ $.Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json" - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true + - "trap 'exit 0' SIGINT; /cloud_sql_proxy -instances={{ $.Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432" {{end}} restartPolicy: Never shareProcessNamespace: true volumes: - {{if eq $.Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} - name: director-config configMap: name: compass-director-config @@ -122,6 +113,10 @@ kind: ServiceAccount metadata: name: {{ $.Chart.Name }}-ord-aggregator namespace: {{ $.Release.Namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} labels: app: {{ $.Chart.Name }} release: {{ $.Release.Name }} diff --git a/chart/compass/templates/system-fetcher-job.yaml b/chart/compass/templates/system-fetcher-job.yaml index de8529f66b..4c5051db42 100644 --- a/chart/compass/templates/system-fetcher-job.yaml +++ b/chart/compass/templates/system-fetcher-job.yaml 
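Review bot: The new guard reads `.Values.global.database.embedded.enabled` while every other reference in this file, including the removed `{{if eq $.Values.global.database.embedded.enabled false}}` in the first hunk and the annotation value on the next line, goes through `$.Values`; if this ServiceAccount is rendered inside the `range` or `with` scope those `$` references suggest, `.Values` is nil there and the render fails. Use `{{- if eq $.Values.global.database.embedded.enabled false }}` as the tenant-fetcher-job.yaml hunk does; the system-fetcher-job.yaml hunk has the same mix.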
@@ -152,20 +152,11 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT; /cloud_sql_proxy -instances={{ $.Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json" - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true + - "trap 'exit 0' SIGINT; /cloud_sql_proxy -instances={{ $.Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432" {{end}} restartPolicy: Never shareProcessNamespace: true volumes: - {{if eq $.Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} - name: director-config configMap: name: compass-director-config @@ -188,6 +179,10 @@ kind: ServiceAccount metadata: name: {{ $.Chart.Name }}-system-fetcher namespace: {{ $.Release.Namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} labels: app: {{ $.Chart.Name }} release: {{ $.Release.Name }} diff --git a/chart/compass/templates/tenant-fetcher-job.yaml b/chart/compass/templates/tenant-fetcher-job.yaml index f2964d6e69..2bd9c551ce 100644 --- a/chart/compass/templates/tenant-fetcher-job.yaml +++ b/chart/compass/templates/tenant-fetcher-job.yaml 
@@ -200,20 +200,10 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ $.Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true + - "trap 'exit 0' SIGINT; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ $.Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" {{end}} restartPolicy: Never shareProcessNamespace: true - {{if eq $.Values.global.database.embedded.enabled false}} - volumes: - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} --- apiVersion: v1 kind: ConfigMap @@ -242,6 +232,10 @@ kind: ServiceAccount metadata: name: {{ $.Chart.Name }}-tenant-fetcher-job-{{ $tenantFetcherName }} namespace: {{ $.Release.Namespace }} + {{- if eq $.Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} labels: app: {{ $.Chart.Name }} release: {{ $.Release.Name }} diff --git a/chart/compass/templates/tests/director/director-test.yaml b/chart/compass/templates/tests/director/director-test.yaml index 66b1a7d636..224c91d6b6 100644 --- a/chart/compass/templates/tests/director/director-test.yaml +++ b/chart/compass/templates/tests/director/director-test.yaml 
@@ -142,7 +142,7 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" + - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" lifecycle: preStop: exec: @@ -157,21 +157,12 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true {{- with .Values.global.tests.securityContext }} securityContext: {{ toYaml . | indent 12 }} {{- end }} {{end}} volumes: - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} {{ if .Values.global.isLocalEnv }} - name: examples hostPath: diff --git a/chart/compass/templates/tests/director/service-account.yaml b/chart/compass/templates/tests/director/service-account.yaml index 5d0afc9065..d92d9a7844 100644 --- a/chart/compass/templates/tests/director/service-account.yaml +++ b/chart/compass/templates/tests/director/service-account.yaml @@ -3,6 +3,10 @@ kind: ServiceAccount metadata: name: {{ .Chart.Name }}-e2e-director namespace: {{ .Values.global.tests.namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} labels: release: {{ .Release.Name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 
diff --git a/chart/compass/templates/tests/istio/istio-test.yaml b/chart/compass/templates/tests/istio/istio-test.yaml index d62681deb9..50610764c4 100644 --- a/chart/compass/templates/tests/istio/istio-test.yaml +++ b/chart/compass/templates/tests/istio/istio-test.yaml @@ -18,6 +18,7 @@ spec: labels: app: {{ .Chart.Name }}-istio-tests-app spec: + serviceAccountName: {{ .Chart.Name }}-e2e-istio {{ if .Values.global.isLocalEnv }} hostAliases: - ip: {{ .Values.global.minikubeIP }} @@ -111,7 +112,7 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" + - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" lifecycle: preStop: exec: @@ -126,19 +127,9 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true {{- with .Values.global.tests.securityContext }} securityContext: {{ toYaml . | indent 12 }} {{- end }} {{end}} restartPolicy: Never - volumes: - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} diff --git a/chart/compass/templates/tests/istio/rbac.yaml b/chart/compass/templates/tests/istio/rbac.yaml new file mode 100644 index 0000000000..d7f308ace9 --- /dev/null +++ b/chart/compass/templates/tests/istio/rbac.yaml 
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-e2e-istio + namespace: {{ .Values.global.tests.namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} diff --git a/chart/compass/templates/tests/ord-service/ord-service-test.yaml b/chart/compass/templates/tests/ord-service/ord-service-test.yaml index 197739cf1a..5f8f945354 100644 --- a/chart/compass/templates/tests/ord-service/ord-service-test.yaml +++ b/chart/compass/templates/tests/ord-service/ord-service-test.yaml @@ -164,7 +164,7 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" + - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" lifecycle: preStop: exec: @@ -179,19 +179,9 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true {{- with .Values.global.tests.securityContext }} securityContext: {{ toYaml . | indent 12 }} {{- end }} {{end}} restartPolicy: Never - volumes: - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} diff --git a/chart/compass/templates/tests/ord-service/service-account.yaml b/chart/compass/templates/tests/ord-service/service-account.yaml index bd48e45335..e54b634812 100644 --- a/chart/compass/templates/tests/ord-service/service-account.yaml 
+++ b/chart/compass/templates/tests/ord-service/service-account.yaml @@ -3,6 +3,10 @@ kind: ServiceAccount metadata: name: {{ .Chart.Name }}-e2e-ord-service namespace: {{ .Values.global.tests.namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} labels: release: {{ .Release.Name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} diff --git a/chart/compass/templates/tests/system-fetcher/service-account.yaml b/chart/compass/templates/tests/system-fetcher/service-account.yaml index 3d7874a13b..1abd9cc842 100644 --- a/chart/compass/templates/tests/system-fetcher/service-account.yaml +++ b/chart/compass/templates/tests/system-fetcher/service-account.yaml @@ -3,6 +3,10 @@ kind: ServiceAccount metadata: name: {{ .Chart.Name }}-e2e-system-fetcher namespace: {{ .Values.global.tests.namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} labels: release: {{ .Release.Name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} diff --git a/chart/compass/templates/tests/system-fetcher/system-fetcher-test.yaml b/chart/compass/templates/tests/system-fetcher/system-fetcher-test.yaml index ea92053ec7..c01e94175c 100644 --- a/chart/compass/templates/tests/system-fetcher/system-fetcher-test.yaml +++ b/chart/compass/templates/tests/system-fetcher/system-fetcher-test.yaml 
@@ -91,7 +91,7 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" + - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" lifecycle: preStop: exec: @@ -106,19 +106,9 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true {{- with .Values.global.tests.securityContext }} securityContext: {{ toYaml . | indent 12 }} {{- end }} {{end}} - volumes: - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} restartPolicy: Never diff --git a/chart/compass/templates/tests/tenant-fetcher-job/service-account.yaml b/chart/compass/templates/tests/tenant-fetcher-job/service-account.yaml index 8fb3d14217..901bd232d3 100644 --- a/chart/compass/templates/tests/tenant-fetcher-job/service-account.yaml +++ b/chart/compass/templates/tests/tenant-fetcher-job/service-account.yaml @@ -3,6 +3,10 @@ kind: ServiceAccount metadata: name: {{ .Chart.Name }}-e2e-tenant-fetcher namespace: {{ .Values.global.tests.namespace }} + {{- if eq .Values.global.database.embedded.enabled false }} + annotations: + iam.gke.io/gcp-service-account: {{ $.Values.global.database.sqlProxyServiceAccount | quote }} + {{- end }} labels: release: {{ .Release.Name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 
diff --git a/chart/compass/templates/tests/tenant-fetcher-job/tenant-fetcher-job-test.yaml b/chart/compass/templates/tests/tenant-fetcher-job/tenant-fetcher-job-test.yaml index 9f546ce34a..2ea2675f87 100644 --- a/chart/compass/templates/tests/tenant-fetcher-job/tenant-fetcher-job-test.yaml +++ b/chart/compass/templates/tests/tenant-fetcher-job/tenant-fetcher-job-test.yaml @@ -90,7 +90,7 @@ spec: - /bin/sh args: - -c - - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -credential_file=/secrets/cloudsql-instance-credentials/credentials.json -term_timeout=2s" + - "trap 'exit 0' SIGINT SIGTERM; echo 'Waiting for istio-proxy to start...' && sleep 15; /cloud_sql_proxy -instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432 -term_timeout=2s" lifecycle: preStop: exec: @@ -105,19 +105,9 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 - volumeMounts: - - name: cloudsql-instance-credentials - mountPath: /secrets/cloudsql-instance-credentials - readOnly: true {{- with .Values.global.tests.securityContext }} securityContext: {{ toYaml . | indent 12 }} {{- end }} {{end}} - volumes: - {{if eq .Values.global.database.embedded.enabled false}} - - name: cloudsql-instance-credentials - secret: - secretName: cloudsql-instance-credentials - {{end}} restartPolicy: Never \ No newline at end of file diff --git a/chart/compass/values.yaml b/chart/compass/values.yaml index f501955942..4924f65f16 100644 --- a/chart/compass/values.yaml +++ b/chart/compass/values.yaml @@ -312,6 +312,7 @@ global: domainName: "kyma.local" database: + sqlProxyServiceAccount: "proxy-user@gcp-cmp.iam.gserviceaccount.com" manageSecrets: true embedded: enabled: true
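Review bot: `sqlProxyServiceAccount: "proxy-user@gcp-cmp.iam.gserviceaccount.com"` ships a concrete account from one GCP project as the chart default, so an installer who disables the embedded database and forgets to override it gets pods annotated with an identity from a foreign project and a proxy that fails with an opaque authentication error; an empty default, validated with `required` in the templates, fails the render instead. The key also sits under `global.database` while every other managed-GCP setting lives under `global.database.managedGCP`, and the parameter table in configure-managed-gcp-postgresql.md drops `serviceAccountKey` without adding the new parameter. If `global.database.managedGCP.serviceAccountKey` is still declared elsewhere in this file, it should go as well, since nothing consumes it anymore.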