feat: add extra containers to cleanup cronjob

mehdimas · mehdimas · commit 9115e97e04bd · 2025-07-28T22:49:14.000-04:00
diff --git a/helm/charts/kratos/templates/_helpers.tpl b/helm/charts/kratos/templates/_helpers.tpl
@@ -238,3 +238,14 @@ Check if list contains object
     {{- end -}}
   {{- end -}}
 {{- end -}}
+
+{{/*
+Create the name of the service account for the Cleanup CronJob to use
+*/}}
+{{- define "kratos.cleanup.serviceAccountName" -}}
+{{- if .Values.cronjob.cleanup.serviceAccount.create -}}
+{{- printf "%s-cleanup" (default (include "kratos.fullname" .) .Values.cronjob.cleanup.serviceAccount.name) -}}
+{{- else -}}
+{{- include "kratos.serviceAccountName" . -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm/charts/kratos/templates/cronjob-cleanup.yaml b/helm/charts/kratos/templates/cronjob-cleanup.yaml
@@ -87,6 +87,9 @@ spec:
                 - name: {{ include "kratos.name" . }}-config-volume
                   mountPath: /etc/config
                   readOnly: true
+            {{- if .Values.cronjob.cleanup.extraContainers }}
+            {{- toYaml .Values.cronjob.cleanup.extraContainers | nindent 12 }}
+            {{- end }}
           {{- with .Values.cronjob.cleanup.nodeSelector }}
           nodeSelector:
             {{- toYaml . | nindent 12 }}
@@ -103,4 +106,7 @@ spec:
           affinity:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          serviceAccountName: {{ include "kratos.cleanup.serviceAccountName" . }}
+          automountServiceAccountToken: {{ .Values.cronjob.cleanup.automountServiceAccountToken }}
+          shareProcessNamespace: {{ .Values.cronjob.cleanup.shareProcessNamespace }}
 {{- end }}
diff --git a/helm/charts/kratos/templates/rbac-cleanup.yaml b/helm/charts/kratos/templates/rbac-cleanup.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.cronjob.cleanup.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kratos.cleanup.serviceAccountName" . }}
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "kratos.labels" . | nindent 4 }}
+  {{- with .Values.cronjob.cleanup.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.cronjob.cleanup.automountServiceAccountToken }}
+{{- end -}}
diff --git a/helm/charts/kratos/values.yaml b/helm/charts/kratos/values.yaml
@@ -695,6 +695,32 @@ cronjob:
     # -- Set custom cron job level annotations
     annotations: {}
 
+    # -- If you want to add extra sidecar containers.
+    extraContainers: []
+    # extraContainers: |
+    #  - name: cloud-sql-proxy
+    #    image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.18.0
+    #    command: ["/cloud_sql_proxy"]
+    #    args: ["--port=5432", "--exit-zero-on-sigterm", "myproject:myregion:myinstance"]
+
+    # -- Set automounting of the SA token
+    automountServiceAccountToken: false
+
+    # -- Set sharing process namespace
+    shareProcessNamespace: false
+
+    # -- Specify the serviceAccountName value.
+    # Sometime you need to provide specific permissions for the cleanup cronjob.
+    # For example installing Kratos on a cluster with a PosSecurityPolicy and Istio.
+    # Uncomment if you need to provide a ServiceAccount for the cleanup cronjob.
+    serviceAccount:
+      # -- Specifies whether a service account should be created
+      create: true
+      # -- Annotations to add to the service account
+      annotations: {}
+      # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
+      name: ""
+
     # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
     podMetadata:
       # -- Extra pod level labels
