feat: support annotations for service account in helm chart (#31)

Co-authored-by: Robin Breathe <[email protected]>

Author: danielcstancu

deploy/charts/github-token-manager/Chart.yaml

@@ -4,4 +4,4 @@ name: github-token-manager
 description: A Helm chart for github-token-manager
 
 type: application
-version: 0.1.3
+version: 0.1.4

deploy/charts/github-token-manager/README.md

@@ -0,0 +1,56 @@
+# GitHub Token Manager Helm Chart
+
+This Helm chart is used to deploy the GitHub Token Manager application.
+
+## Installing the Chart
+
+To install the chart with the release name `my-github-token-manager`:
+
+```sh
+helm install my-github-token-manager -f values.yaml oci://ghcr.io/isometry/charts/github-token-manager
+```
+
+## Uninstalling the Chart
+
+To uninstall the chart with the release name `my-github-token-manager`:
+
+```sh
+helm uninstall my-github-token-manager
+```
+
+## Configuration
+
+The following table lists the most relevant configurable parameters of the GitHub Token Manager chart and their default values.
+
+| Parameter | Description | Default               |
+| --- | --- |-----------------------|
+config.app_id | GitHub App ID | `0`                   |
+config.installation_id | GitHub App Installation ID | `0`                   |
+config.provider | GitHub App Private Key Provider | `aws`                 |
+config.key | GitHub App Private Key Path | `alias/github-token-manager` |
+rbac.serviceAccount.annotations | Annotations for the service account | `{}`                  |
+commonAnnotations | Common annotations for all resources | `{}`                  |
+
+The `config.provider` field supported options are:
+- `aws`: The GitHub App private key is stored in AWS KMS (asymmetric, RSA_2048, sign and verify key) and the `config.key` field should be set to the alias of this KMS key.
+- `file`: The GitHub App private key is embedded by YAML multiline string in the `config.key` field.
+- `gcp`: The GitHub App private key is stored in GCP KMS.
+- `vault`: The GitHub App private key is stored in HashiCorp Vault.
+
+When using external providers like `aws`, `gcp`, or `vault`, the controller's `ServiceAccount` must be configured with the necessary permissions to access the external store.
+
+### Example values.yaml configuration for aws provider
+
+```yaml
+config:
+  app_id: 12345
+  installation_id: 67890
+  provider: aws
+  key: alias/github-token-manager
+# The following annotation is required to allow the GitHub Token Manager to assume the role that has access to the GitHub App private key (IRSA)
+serviceAccount:
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/github-token-manager-role
+```
+
+The role used requires `kms:DescribeKey` and `kms:Sign` permission on the KMS key.

deploy/charts/github-token-manager/templates/config.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.config.app_id != 0 }}
+{{- if ne (int .Values.config.app_id) 0 }}
 ---
 apiVersion: v1
 kind: Secret

deploy/charts/github-token-manager/templates/deployment.yaml

@@ -109,7 +109,7 @@ spec:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
-      serviceAccountName: {{ include "chart.fullname" . }}
+      serviceAccountName: {{ .Values.rbac.serviceAccount.name | default (include "chart.fullname" . ) }}
       terminationGracePeriodSeconds: 10
       volumes:
         - name: config

deploy/charts/github-token-manager/templates/rbac.yaml

@@ -3,13 +3,18 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "chart.fullname" . }}
-  {{- with .Values.commonAnnotations | default dict }}
+  name: {{ .Values.rbac.serviceAccount.name | default (include "chart.fullname" . ) }}
+  {{- if or .Values.rbac.serviceAccount.annotations .Values.commonAnnotations }}
   annotations:
+  {{- with .Values.rbac.serviceAccount.annotations | default dict }}
+    {{- tpl ( toYaml . ) $ | nindent 4 }}
+  {{- end }}
+  {{- with .Values.commonAnnotations | default dict }}
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
+  {{- end }}
   labels:
     component: rbac
     {{- include "labels" . | nindent 4 }}

deploy/charts/github-token-manager/values.yaml

@@ -27,6 +27,8 @@ crds:
 ##     false: do not create the RBAC resources
 rbac:
   install: true
+  serviceAccount:
+    annotations: {}
 
 ## metrics:
 ##   enabled: true | false