use default serviceaccount if not set and create disabled

Signed-off-by: GitHub <[email protected]>
stakater · Jan 22, 2025 · a6b974e · a6b974e
1 parent c127a42
commit a6b974e
Show file tree

Hide file tree

Showing 13 changed files with 74 additions and 67 deletions.
diff --git a/README.md b/README.md
@@ -214,12 +214,13 @@ helm delete --namespace test my-application
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | rbac.enabled | bool | `true` | Enable RBAC. |
-| rbac.existingServiceAccountName | string | `""` | Existing Service Account Name. |
-| rbac.serviceAccount.enabled | bool | `false` | Deploy Service Account. |
-| rbac.serviceAccount.name | string | `{{ include "application.name" $ }}` | Service Account Name. |
-| rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. |
-| rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. |
+| rbac.serviceAccount.create | bool | `false` | Specifies whether to create a dedicated service account. If set to `true`, a new service account will be created. |
+| rbac.serviceAccount.name | string | `""` | The name of the service account. Behavior based on its value and `rbac.serviceAccount.create`: If `rbac.serviceAccount.create` is `false` and `name` is empty, the default service account ("default") is used. If `rbac.serviceAccount.create` is `false` and `name` is set, the provided name is used. If `rbac.serviceAccount.create` is `true` and `name` is empty, a name is auto-generated using the fullname template. If `rbac.serviceAccount.create` is `true` and `name` is set, the provided name is used for creation. |
+| rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. If `rbac.serviceAccount.create` is set to true, these labels are appended to the service account. |
+| rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. If `rbac.serviceAccount.create` is set to true, these annotations are appended to the service account. |
 | rbac.roles | list | `nil` | Namespaced Roles. |
+| rbac.additionalLabels | object | `nil` | Additional labels for the Role and RoleBinding resources. |
+| rbac.annotations | object | `nil` | Annotations for the Role and RoleBinding resources. |
 
 ### ConfigMap Parameters
 

diff --git a/application/templates/_helpers.tpl b/application/templates/_helpers.tpl
@@ -69,17 +69,16 @@ reference:
   name: {{ include "application.name" . }}
 {{- end }}
 
-{{- define "application.service-account-name" }}
-{{- if .Values.rbac.enabled }}
-  {{- if and .Values.rbac.serviceAccount.enabled .Values.rbac.existingServiceAccountName }}
-    {{- fail "Conflict: 'rbac.existingServiceAccountName' is set, but a new service account is being created. Please disable 'rbac.serviceAccount.enabled' or unset 'rbac.existingServiceAccountName'." }}
-  {{- end }}
-  {{- if .Values.rbac.serviceAccount.enabled }}
+{{/*
+Get the name of the service account to use.
+If the service account is set to be created, return the service account name or a default name.
+If the service account is not set to be created and a name is provided, return the provided name;
+otherwise, return the default namespace service account.
+*/}}
+{{- define "application.serviceAccountName" }}
+  {{- if .Values.rbac.serviceAccount.create }}
     {{- default (include "application.name" .) .Values.rbac.serviceAccount.name }}
   {{- else }}
-    {{- default "null" .Values.rbac.existingServiceAccountName }}
+    {{- default "default" .Values.rbac.serviceAccount.name }}
   {{- end }}
-{{- else }}
-  null
-{{- end }}
 {{- end }}
diff --git a/application/templates/cronjob.yaml b/application/templates/cronjob.yaml
@@ -54,7 +54,7 @@ spec:
           annotations: {{ toYaml . | nindent 12 }}
           {{- end }}
         spec:
-          serviceAccountName: {{ template "application.service-account-name" $ }}
+          serviceAccountName: {{ include "application.serviceAccountName" $ }}
           containers:
           - name: {{ $name }}
             {{- $image := required (print "Undefined image repo for container '" $name "'") $job.image.repository }}

diff --git a/application/templates/deployment.yaml b/application/templates/deployment.yaml
@@ -74,7 +74,7 @@ spec:
           ]
 {{- end }}
     spec:
-      serviceAccountName: {{ template "application.service-account-name" $ }}
+      serviceAccountName: {{ include "application.serviceAccountName" $ }}
       {{- if .Values.deployment.hostAliases }}
       hostAliases:
 {{ toYaml .Values.deployment.hostAliases | indent 6 }}

diff --git a/application/templates/job.yaml b/application/templates/job.yaml
@@ -37,7 +37,7 @@ spec:
       annotations: {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      serviceAccountName: {{ template "application.service-account-name" $ }}
+      serviceAccountName: {{ include "application.serviceAccountName" $ }}
       containers:
       - name: {{ $name }}
 
@@ -98,7 +98,7 @@ spec:
       restartPolicy: OnFailure
       {{ end }}
       {{- with $job.imagePullSecrets}}
-      imagePullSecrets: 
+      imagePullSecrets:
 {{ toYaml . | indent 8 }}
       {{ end }}
       {{- with $job.volumes }}

diff --git a/application/templates/rolebinding.yaml b/application/templates/rolebinding.yaml
@@ -21,11 +21,7 @@ roleRef:
   name: {{ template "application.name" $ }}-role-{{ .name }}
 subjects:
   - kind: ServiceAccount
-  {{- if $.Values.rbac.serviceAccount.name }}
-    name: {{ $.Values.rbac.serviceAccount.name }}
-  {{- else }}
-    name: {{ template "application.name" $ }}
-  {{- end }}
+    name: {{ include "application.serviceAccountName" $ }}
     namespace: {{ $.Release.Namespace }}
 {{- end }}
 {{- end }}
diff --git a/application/templates/serviceaccount.yaml b/application/templates/serviceaccount.yaml
@@ -1,9 +1,9 @@
-{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.enabled }}
+{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.create }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "application.service-account-name" . }}
+  name: {{ include "application.serviceAccountName" . }}
   namespace: {{ template "application.namespace" . }}
   labels:
     {{- include "application.labels" $ | nindent 4 }}

diff --git a/application/tests/cronjob_test.yaml b/application/tests/cronjob_test.yaml
@@ -78,18 +78,19 @@ tests:
           path: spec.jobTemplate.spec.template.spec.containers[0].image
           value: example-image:example-tag@sha256:example-digest
 
-  - it: yields empty service account name when disabled
+  - it: yields default service account name when create is disabled and no existing service account name is given
     set:
       cronJob:
         enabled: true
         jobs:
           example:
             image:
               repository: example-image
-      rbac.serviceAccount.enabled: false
+      rbac.serviceAccount.create: false
     asserts:
-      - isNullOrEmpty:
+      - equal:
           path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: default
 
   - it: uses service account name override when present
     set:
@@ -99,7 +100,7 @@ tests:
           example:
             image:
               repository: example-image
-      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.create: true
       rbac.serviceAccount.name: example-sa
     asserts:
       - equal:
@@ -115,7 +116,7 @@ tests:
             image:
               repository: example-image
       applicationName: example-app
-      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.create: true
       rbac.serviceAccount.name: ""
     asserts:
       - equal:

diff --git a/application/tests/deployment_test.yaml b/application/tests/deployment_test.yaml
@@ -87,16 +87,17 @@ tests:
           path: spec.template.spec.containers[0].image
           value: example-image:example-tag@sha256:example-digest
 
-  - it: yields empty service account name when disabled
+  - it: yields default service account name when create is disabled and no existing service account name is given
     set:
-      rbac.serviceAccount.enabled: false
+      rbac.serviceAccount.create: false
     asserts:
-      - isNullOrEmpty:
-          path: spec.template.spec.serviceAccountName
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: default
 
   - it: uses service account name override when present
     set:
-      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.create: true
       rbac.serviceAccount.name: example-sa
     asserts:
       - equal:
@@ -106,7 +107,7 @@ tests:
   - it: uses a generated service account name when not given
     set:
       applicationName: example-app
-      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.create: true
       rbac.serviceAccount.name: ""
     asserts:
       - equal:

diff --git a/application/tests/job_test.yaml b/application/tests/job_test.yaml
@@ -104,10 +104,11 @@ tests:
           example:
             image:
               repository: example-image
-      rbac.serviceAccount.enabled: false
+      rbac.serviceAccount.create: false
     asserts:
-      - isNullOrEmpty:
+      - equal:
           path: spec.template.spec.serviceAccountName
+          value: default
 
   - it: uses service account name override when present
     set:
@@ -117,7 +118,7 @@ tests:
           example:
             image:
               repository: example-image
-      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.create: true
       rbac.serviceAccount.name: example-sa
     asserts:
       - equal:
@@ -133,7 +134,7 @@ tests:
             image:
               repository: example-image
       applicationName: example-app
-      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.create: true
       rbac.serviceAccount.name: ""
     asserts:
       - equal:

diff --git a/application/tests/serviceaccount_test.yaml b/application/tests/serviceaccount_test.yaml
@@ -9,7 +9,7 @@ tests:
       rbac:
         enabled: false
         serviceAccount:
-          enabled: true
+          create: true
     asserts:
       - hasDocuments:
           count: 0
@@ -19,7 +19,7 @@ tests:
       rbac:
         enabled: true
         serviceAccount:
-          enabled: false
+          create: false
     asserts:
       - hasDocuments:
           count: 0
@@ -29,7 +29,7 @@ tests:
       rbac:
         enabled: true
         serviceAccount:
-          enabled: true
+          create: true
     asserts:
       - hasDocuments:
           count: 1
@@ -41,7 +41,7 @@ tests:
       rbac:
         enabled: true
         serviceAccount:
-          enabled: true
+          create: true
           additionalLabels:
             foo: bar
             test: ing
@@ -59,7 +59,7 @@ tests:
       rbac:
         enabled: true
         serviceAccount:
-          enabled: true
+          create: true
           annotations:
             foo: bar
             test: ing
@@ -76,7 +76,7 @@ tests:
       rbac:
         enabled: true
         serviceAccount:
-          enabled: true
+          create: true
     asserts:
       - matchRegex:
           path: metadata.annotations["serviceaccounts.openshift.io/oauth-redirectreference.primary"]
@@ -87,7 +87,7 @@ tests:
       rbac:
         enabled: true
         serviceAccount:
-          enabled: true
+          create: true
           name: example-name-that-should-be-used
     asserts:
       - equal:

diff --git a/application/values-test.yaml b/application/values-test.yaml
@@ -270,7 +270,7 @@ service:
       kubernetes.io/ingress.class: external-ingress
       ingress.kubernetes.io/rewrite-target: /
       ingress.kubernetes.io/force-ssl-redirect: "true"
-  
+
   ports:
     - port: 8080
       name: http
@@ -385,7 +385,7 @@ forecastle:
 
   # URL of the icon for the custom app
   icon: https://raw.githubusercontent.com/stakater/ForecastleIcons/master/stakater-big.png
-  
+
   # Name of the application to be displayed on the Forecastle Dashboard
   displayName: "application"
 
@@ -404,7 +404,7 @@ rbac:
 
   # Service Account to use by pods
   serviceAccount:
-    enabled: true
+    create: true
     name: "application"
 
     # Additional Labels on service account
@@ -702,13 +702,13 @@ externalSecret:
   #SecretStore defines which SecretStore to use when fetching the secret data
   secretStore:
     name: example-secret-store
-    #kind: SecretStore # or ClusterSecretStore  
+    #kind: SecretStore # or ClusterSecretStore
 
   # RefreshInterval is the amount of time before the values reading again from the SecretStore provider
   refreshInterval: "1m"
   files:
     secret-1-name:
-      #Data defines the connection between the Kubernetes Secret keys and the Provider data 
+      #Data defines the connection between the Kubernetes Secret keys and the Provider data
       data:
         example-secret-key:
           remoteRef:
@@ -1315,7 +1315,7 @@ backup:
   snapshotVolumes: true
   storageLocation: "dpa-1"
   ttl: "1h0m0s"
-  includedResources: 
+  includedResources:
     - deployments
     - services
     - persistentvolumeclaims
@@ -1330,7 +1330,7 @@ backup:
     - resourcequotas
     - controllerrevisions.apps
 
-job: 
+job:
   enabled: true
   jobs:
     db-migration:
@@ -1340,15 +1340,15 @@ job:
         helm.sh/hook-delete-policy: "before-hook-creation"
       imagePullSecrets:
        - name: nexus-secret
-      image: 
+      image:
         repository: docker.io/nginx
         tag: v1.0.0
-      env: 
+      env:
         KEY:
           value: VALUE
       command: ["/bin/bash"]
       args: ["-c","sleep 5000"]
-      resources:  
+      resources:
         requests:
             memory: 5Gi
             cpu: 1