diff --git a/charts/substra-backend/CHANGELOG.md b/charts/substra-backend/CHANGELOG.md index 8a20cdc62..3672bec84 100644 --- a/charts/substra-backend/CHANGELOG.md +++ b/charts/substra-backend/CHANGELOG.md @@ -5,6 +5,7 @@ ## [25.0.0] - 2024-01-03 - BREAKING: Remove ServiceAccount creation from `worker.rbac.create`, putting it in a new `worker.serviceAccount.create` option +- BREAKING: Some options that would result in service account names defaulting to "default" now raise an error at rendering time. Set the name to "default" by hand to reproduce the old behavior. - Add a new `worker.serviceAccount.name` option ## [24.0.1] - 2023-12-15 diff --git a/charts/substra-backend/README.md b/charts/substra-backend/README.md index 25e96a65e..0149ca496 100644 --- a/charts/substra-backend/README.md +++ b/charts/substra-backend/README.md 
@@ -123,9 +123,9 @@ See [UPGRADE.md](https://github.com/Substra/substra-backend/blob/main/charts/sub | `worker.nodeSelector` | Node labels for pod assignment | `{}` | | `worker.tolerations` | Toleration labels for pod assignment | `[]` | | `worker.affinity` | Affinity settings for pod assignment, ignored if `DataSampleStorageInServerMedia` is `true` | `{}` | -| `worker.rbac.create` | Create a role and service account for the worker | `true` | +| `worker.rbac.create` | Create a role for the worker | `true` | | `worker.serviceAccount.create` | Create a service account for the worker | `true` | -| `worker.serviceAccount.name` | The name of the ServiceAccount to use | `""` | +| `worker.serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the substra.fullname template | `""` | | `worker.persistence.storageClass` | Specify the _StorageClass_ used to provision the volume. Or the default _StorageClass_ will be used. Set it to `-` to disable dynamic provisioning | `""` | | `worker.persistence.size` | The size of the volume. The size of this volume should be sufficient to store many assets. | `10Gi` | | `worker.computePod.maxStartupWaitSeconds` | Set the maximum amount of time we will wait for the compute pod to be ready | `300` | diff --git a/charts/substra-backend/UPGRADE.md b/charts/substra-backend/UPGRADE.md index 2d33d5b7a..fce129157 100644 --- a/charts/substra-backend/UPGRADE.md +++ b/charts/substra-backend/UPGRADE.md 
@@ -4,6 +4,8 @@ If you have set `worker.rbac.create=false`, you now need to also set `worker.serviceAccount.create=false` to preserve the same behavior. +If you have set any of `worker.serviceAccount.create`, `worker.events.serviceAccount.create`, or `api.events.serviceAccount.create` to `false` without explicitely telling Substra how the corresponding externally-created ServiceAccount is named (this is very unlikely), it defaulted to `default`, which you now need to set by hand through `{...}.serviceAccount.name`. + ## 23.0.0 Database should be dumped and restored as the `postgresql` sub-chart version incremented. You can follow [Upgrading a PostgreSQL Cluster](https://www.postgresql.org/docs/16/upgrading.html) documentation for further detail diff --git a/charts/substra-backend/templates/_helpers.tpl b/charts/substra-backend/templates/_helpers.tpl index 5db1929c7..8a0926e5c 100644 --- a/charts/substra-backend/templates/_helpers.tpl +++ b/charts/substra-backend/templates/_helpers.tpl @@ -148,7 +148,11 @@ Return the user list {{- if .Values.worker.serviceAccount.create -}} {{ default (printf "%s-event" ( include "substra.fullname" .)) .Values.worker.serviceAccount.name }} {{- else -}} - {{ default "default" .Values.worker.serviceAccount.name }} + {{- if .Values.worker.serviceAccount.name -}} + {{ .Values.worker.serviceAccount.name }} + {{- else -}} + {{ fail "if worker.serviceAccount.create is false, worker.serviceAccount.name must be given" }} + {{- end -}} {{- end -}} {{- end -}} 
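Review bot: The create branch of this worker helper still defaults the name to `printf "%s-event"`, the same default the worker.events and api.events helpers use in the next two hunks. With all three `create` flags on and no names set, the three components therefore appear to resolve to one ServiceAccount name. That would give the worker and both event apps a single shared identity, so any role bound to it applies to all of them. Since this release is already breaking, consider a distinct default here, for example `{{ default (printf "%s-worker" (include "substra.fullname" .)) .Values.worker.serviceAccount.name }}`, and call the rename out in UPGRADE.md. The enclosing `define` starts above the hunk and the templates that create the accounts are not shown, so confirm against them first.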
@@ -159,7 +163,11 @@ Return the user list {{- if .Values.worker.events.serviceAccount.create -}} {{ default (printf "%s-event" ( include "substra.fullname" .)) .Values.worker.events.serviceAccount.name }} {{- else -}} - {{ default "default" .Values.worker.events.serviceAccount.name }} + {{- if .Values.worker.events.serviceAccount.name -}} + {{ .Values.worker.events.serviceAccount.name }} + {{- else -}} + {{ fail "if worker.events.serviceAccount.create is false, worker.events.serviceAccount.name must be given" }} + {{- end -}} {{- end -}} {{- end -}} @@ -170,7 +178,11 @@ Return the user list {{- if .Values.api.events.serviceAccount.create -}} {{ default (printf "%s-event" ( include "substra.fullname" .)) .Values.api.events.serviceAccount.name }} {{- else -}} - {{ default "default" .Values.api.events.serviceAccount.name }} + {{- if .Values.api.events.serviceAccount.name -}} + {{ .Values.api.events.serviceAccount.name }} + {{- else -}} + {{ fail "if api.events.serviceAccount.create is false, api.events.serviceAccount.name must be given" }} + {{- end -}} {{- end -}} {{- end -}} diff --git a/charts/substra-backend/values.yaml b/charts/substra-backend/values.yaml index 1b199e4c0..7dcf76b3d 100644 --- a/charts/substra-backend/values.yaml +++ b/charts/substra-backend/values.yaml @@ -315,7 +315,7 @@ worker: ## @param worker.affinity Affinity settings for pod assignment, ignored if `DataSampleStorageInServerMedia` is `true` ## affinity: {} - ## @param worker.rbac.create Create a role and service account for the worker + ## @param worker.rbac.create Create a role for the worker ## rbac: create: true 
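Review bot: The inner `if`/`else`/`fail` in the else branch of the worker.events helper can be written with Helm's built-in `required`, which fails rendering on an empty value and otherwise returns it. That would be `{{ required "if worker.events.serviceAccount.create is false, worker.events.serviceAccount.name must be given" .Values.worker.events.serviceAccount.name }}` in place of the five added lines. The same applies to the worker.serviceAccount and api.events.serviceAccount hunks. It keeps the three helpers to one line each, so the message and the value it guards cannot drift apart. The enclosing `define` starts above the hunk.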
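Review bot: The new check in the api.events helper only rejects an empty name, so an explicit `default` still passes, and CHANGELOG.md and UPGRADE.md recommend exactly that to restore the old behaviour. Pods that set no `serviceAccountName` run as the namespace's `default` account, so any role the chart binds to that name would presumably also be granted to every such pod in the namespace; the binding templates are outside this diff. I would document that next to the `fail` with a template comment such as `{{/* "default" is accepted but shares this component's role with every pod in the namespace that has no explicit ServiceAccount */}}`. The same comment fits the worker.serviceAccount and worker.events helpers.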
@@ -323,8 +323,7 @@ worker: ## @param worker.serviceAccount.create Create a service account for the worker ## create: true - ## @param worker.serviceAccount.name The name of the ServiceAccount to use - ## If not set and create is true, a name is generated using the substra.fullname template + ## @param worker.serviceAccount.name The name of the ServiceAccount to use. If not set and create is true, a name is generated using the substra.fullname template ## name: "" ## @param worker.persistence.storageClass Specify the _StorageClass_ used to provision the volume. Or the default _StorageClass_ will be used. Set it to `-` to disable dynamic provisioning