Helm: add ruler specific service account

operations/helm/charts/mimir-distributed/CHANGELOG.md

@@ -43,6 +43,7 @@ Entries should include a reference to the Pull Request that introduced the chang
 * [ENHANCEMENT] Rollout-operator: upgraded to v0.10.1. #7125
 * [ENHANCEMENT] Query-frontend: configured `-shutdown-delay`, `-server.grpc.keepalive.max-connection-age` and termination grace period to reduce the likelihood of queries hitting terminated query-frontends. #7129
 * [BUGFIX] Metamonitoring: update dashboards to drop unsupported `step` parameter in targets. #7157
+* [ENHANCEMENT] Add the possibility to create a dedicated serviceAccount for the `ruler` component.
 
 ## 5.2.0
 

operations/helm/charts/mimir-distributed/templates/_helpers.tpl

@@ -64,7 +64,7 @@ For compatibility and to support upgrade from enterprise-metrics chart calculate
 {{- end -}}
 
 {{/*
-Create the name of the service account
+Create the name of the general service account
 */}}
 {{- define "mimir.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create -}}
@@ -74,6 +74,18 @@ Create the name of the service account
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create the name of the ruler service account
+*/}}
+{{- define "mimir.ruler.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- $sa := default (include "mimir.fullname" .) .Values.serviceAccount.name }}
+{{- printf "%s-%s" $sa "ruler" }}
+{{- else -}}
+    {{ default (include "mimir.serviceAccountName" .) .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create the app name for clients. Defaults to the same logic as "mimir.fullname", and default client expects "prometheus".
 */}}

operations/helm/charts/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -23,7 +23,7 @@ spec:
         {{- include "mimir.podAnnotations" (dict "ctx" . "component" "ruler") | nindent 8 }}
       namespace: {{ .Release.Namespace | quote }}
     spec:
-      serviceAccountName: {{ template "mimir.serviceAccountName" . }}
+      serviceAccountName: {{ template "mimir.ruler.serviceAccountName" . }}
       {{- if .Values.ruler.priorityClassName }}
       priorityClassName: {{ .Values.ruler.priorityClassName }}
       {{- end }}

operations/helm/charts/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.ruler.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "mimir.serviceAccountName" . }}
+  labels:
+    {{- include "mimir.labels" (dict "ctx" .) | nindent 4 }}
+    {{- with .Values.ruler.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- toYaml .Values.ruler.serviceAccount.annotations | nindent 4 }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}

operations/helm/charts/mimir-distributed/values.yaml

@@ -1118,6 +1118,12 @@
   service:
     annotations: {}
     labels: {}
+
+  serviceAccount:
+    create: true
+    name:
+    annotations: {}
+    labels: {}
 
   resources:
     requests:

operations/helm/tests/enterprise-https-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: enterprise-https-values-mimir
+      serviceAccountName: enterprise-https-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/enterprise-https-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: enterprise-https-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: enterprise-https-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/gateway-enterprise-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: gateway-enterprise-values-mimir
+      serviceAccountName: gateway-enterprise-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/gateway-enterprise-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gateway-enterprise-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: gateway-enterprise-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/gateway-nginx-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: gateway-nginx-values-mimir
+      serviceAccountName: gateway-nginx-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/gateway-nginx-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gateway-nginx-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: gateway-nginx-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/graphite-enabled-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: graphite-enabled-values-mimir
+      serviceAccountName: graphite-enabled-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/graphite-enabled-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: graphite-enabled-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: graphite-enabled-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/large-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: large-values-mimir
+      serviceAccountName: large-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/large-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: large-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: large-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/metamonitoring-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: metamonitoring-values-mimir
+      serviceAccountName: metamonitoring-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/metamonitoring-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metamonitoring-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: metamonitoring-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/openshift-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: openshift-values-mimir
+      serviceAccountName: openshift-values-mimir-ruler
       securityContext:
         runAsNonRoot: true
         seccompProfile:

operations/helm/tests/openshift-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: openshift-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: openshift-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/scheduler-name-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: scheduler-name-values-mimir
+      serviceAccountName: scheduler-name-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/scheduler-name-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: scheduler-name-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: scheduler-name-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/small-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: small-values-mimir
+      serviceAccountName: small-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/small-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: small-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: small-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/test-enterprise-configmap-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -37,7 +37,7 @@ spec:
         minio-secret-version: "42"
       namespace: "citestns"
     spec:
-      serviceAccountName: test-enterprise-configmap-values-mimir
+      serviceAccountName: test-enterprise-configmap-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/test-enterprise-configmap-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-enterprise-configmap-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: test-enterprise-configmap-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/test-enterprise-k8s-1.25-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: test-enterprise-k8s-1.25-values-mimir
+      serviceAccountName: test-enterprise-k8s-1.25-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/test-enterprise-k8s-1.25-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-enterprise-k8s-1.25-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: test-enterprise-k8s-1.25-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/test-enterprise-legacy-label-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -33,7 +33,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: test-enterprise-legacy-label-values-enterprise-metrics
+      serviceAccountName: test-enterprise-legacy-label-values-enterprise-metrics-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/test-enterprise-legacy-label-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-enterprise-legacy-label-values-enterprise-metrics
+  labels:
+    app: enterprise-metrics
+    heritage: Helm
+    release: test-enterprise-legacy-label-values
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/test-enterprise-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: test-enterprise-values-mimir
+      serviceAccountName: test-enterprise-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/test-enterprise-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-enterprise-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: test-enterprise-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"

operations/helm/tests/test-ingress-values-generated/mimir-distributed/templates/ruler/ruler-dep.yaml

@@ -36,7 +36,7 @@ spec:
       annotations:
       namespace: "citestns"
     spec:
-      serviceAccountName: test-ingress-values-mimir
+      serviceAccountName: test-ingress-values-mimir-ruler
       securityContext:
         fsGroup: 10001
         runAsGroup: 10001

operations/helm/tests/test-ingress-values-generated/mimir-distributed/templates/ruler/ruler-sa.yaml

@@ -0,0 +1,13 @@
+---
+# Source: mimir-distributed/templates/ruler/ruler-sa.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-ingress-values-mimir
+  labels:
+    app.kubernetes.io/name: mimir
+    app.kubernetes.io/instance: test-ingress-values
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    {}
+  namespace: "citestns"