Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat!: harmonize service account binding #major #363

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat!: harmonize service account binding #major #363

wants to merge 2 commits into from

Conversation

aslafy-z
Copy link
Collaborator

@aslafy-z aslafy-z commented Nov 15, 2024
edited
Loading

Closes #320
Closes #361

  • BREAKING: Rename rbac.serviceAccount.enabled field to rbac.serviceAccount.create.

  • Fix inconsistencies in serviceAccount binding across CronJob, Job, and Deployment templates by introducing a new application.serviceAccountName template:

    rbac.serviceAccount.create rbac.serviceAccount.name result
    true "" (include "application.name" .)
    true "foo" "foo"
    false "" "default"
    false "bar" "bar"

@aslafy-z aslafy-z force-pushed the aslafy-z-patch-3 branch 2 times, most recently from 0ef820d to 7d495fb Compare November 15, 2024 12:05
@aslafy-z aslafy-z requested a review from d3adb5 November 15, 2024 12:07
@aslafy-z aslafy-z mentioned this pull request Dec 18, 2024
Closed
d3adb5
d3adb5 requested changes Jan 7, 2025
View reviewed changes
Copy link
Collaborator

@d3adb5 d3adb5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few comments. I like the idea of adding a semantic value like this, but I feel the way it currently is introduces more confusion than clarity. I expanded upon this in one of the threads I opened below.

application/templates/_helpers.tpl Outdated Show resolved Hide resolved
application/templates/_helpers.tpl Outdated
{{- if .Values.rbac.serviceAccount.enabled }}
{{- default (include "application.name" .) .Values.rbac.serviceAccount.name }}
{{- else }}
{{- default "null" .Values.rbac.existingServiceAccountName }}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Edge case, may or may not be something to take into consideration: service accounts named null. Also, we're assuming the result of this partial template to be interpreted as YAML rather than a raw string, that may create confusion.

Suggested change
{{- default "null" .Values.rbac.existingServiceAccountName }}
{{- $saName := .Values.rbac.existingServiceAccountName }}
{{- empty $saName | ternary (quote $saName) "null" }}

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the partial now only returns strings, do you think i should still quote the output?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's a good idea, yes, since the output is supposed to be a string.

application/templates/_helpers.tpl Outdated Show resolved Hide resolved
@aslafy-z aslafy-z force-pushed the aslafy-z-patch-3 branch 4 times, most recently from 4662e88 to a6b974e Compare January 22, 2025 19:21
@aslafy-z aslafy-z changed the title feat: allow usage of existing service account feat!: allow usage of existing service account Jan 22, 2025
@aslafy-z aslafy-z changed the title feat!: allow usage of existing service account feat!: allow usage of existing service account #major Jan 22, 2025
@aslafy-z aslafy-z changed the title feat!: allow usage of existing service account #major feat!: harmonize service account binding #major Jan 22, 2025
@aslafy-z aslafy-z requested a review from d3adb5 January 22, 2025 19:33
@aslafy-z aslafy-z marked this pull request as ready for review January 22, 2025 19:35
d3adb5
d3adb5 requested changes Feb 7, 2025
View reviewed changes
Copy link
Collaborator

@d3adb5 d3adb5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Final set of comments, I promise. Reminder to add a unit test for it if you do take the suggestion. Otherwise, LGTM.

application/templates/cronjob.yaml
serviceAccountName: {{ template "application.name" $ }}
{{- end }}
{{- end }}
serviceAccountName: {{ include "application.serviceAccountName" $ }}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be another feature, but personally, I think we should add this:

Suggested change
serviceAccountName: {{ include "application.serviceAccountName" $ }}
automountServiceAccountToken: {{ $.Values.rbac.enabled }}
serviceAccountName: {{ include "application.serviceAccountName" $ }}

If RBAC is disabled, we shouldn't even allow mounting tokens for the default service account, I'd say. What do you think?

application/templates/deployment.yaml
@@ -74,6 +74,7 @@ spec:
]
{{- end }}
spec:
serviceAccountName: {{ include "application.serviceAccountName" $ }}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as in the other thread.

Suggested change
serviceAccountName: {{ include "application.serviceAccountName" $ }}
automountServiceAccount: {{ $.Values.rbac.enabled }}
serviceAccountName: {{ include "application.serviceAccountName" $ }}

application/templates/job.yaml
serviceAccountName: {{ template "application.name" $ }}
{{- end }}
{{- end }}
serviceAccountName: {{ include "application.serviceAccountName" $ }}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as in the other threads.

Suggested change
serviceAccountName: {{ include "application.serviceAccountName" $ }}
automountServiceAccount: {{ $.Values.rbac.enabled }}
serviceAccountName: {{ include "application.serviceAccountName" $ }}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@d3adb5 d3adb5 d3adb5 requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aslafy-z @d3adb5