feat: allow usage of existing service account

Author: aslafy-z

README.md

@@ -214,6 +214,7 @@ helm delete --namespace test my-application
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | rbac.enabled | bool | `true` | Enable RBAC. |
+| rbac.existingServiceAccountName | string | `""` | Existing Service Account Name. |
 | rbac.serviceAccount.enabled | bool | `false` | Deploy Service Account. |
 | rbac.serviceAccount.name | string | `{{ include "application.name" $ }}` | Service Account Name. |
 | rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. |

application/templates/_helpers.tpl

@@ -68,3 +68,18 @@ reference:
   kind: Route
   name: {{ include "application.name" . }}
 {{- end }}
+
+{{- define "application.service-account-name" }}
+{{- if .Values.rbac.enabled }}
+  {{- if and .Values.rbac.serviceAccount.enabled .Values.rbac.existingServiceAccountName }}
+    {{- fail "Conflict: 'rbac.existingServiceAccountName' is set, but a new service account is being created. Please disable 'rbac.serviceAccount.enabled' or unset 'rbac.existingServiceAccountName'." }}
+  {{- end }}
+  {{- if .Values.rbac.serviceAccount.enabled }}
+    {{- default (include "application.name" .) .Values.rbac.serviceAccount.name }}
+  {{- else }}
+    {{- default "null" .Values.rbac.existingServiceAccountName }}
+  {{- end }}
+{{- else }}
+  null
+{{- end }}
+{{- end }}

application/templates/cronjob.yaml

@@ -54,13 +54,7 @@ spec:
           annotations: {{ toYaml . | nindent 12 }}
           {{- end }}
         spec:
-          {{- if $.Values.rbac.enabled }}
-          {{- if $.Values.rbac.serviceAccount.name }}
-          serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
-            {{- else }}
-          serviceAccountName: {{ template "application.name" $ }}
-          {{- end }}
-          {{- end }}
+          serviceAccountName: {{ template "application.service-account-name" $ }}
           containers:
           - name: {{ $name }}
             {{- $image := required (print "Undefined image repo for container '" $name "'") $job.image.repository }}

application/templates/deployment.yaml

@@ -74,6 +74,7 @@ spec:
           ]
 {{- end }}
     spec:
+      serviceAccountName: {{ template "application.service-account-name" $ }}
       {{- if .Values.deployment.hostAliases }}
       hostAliases:
 {{ toYaml .Values.deployment.hostAliases | indent 6 }}
@@ -308,13 +309,6 @@ spec:
         {{- end }}
         {{- end }}
       {{- end }}
-      {{- if .Values.rbac.serviceAccount.enabled }}
-      {{- if .Values.rbac.serviceAccount.name }}
-      serviceAccountName: {{ .Values.rbac.serviceAccount.name }}
-      {{- else }}
-      serviceAccountName: {{ template "application.name" $ }}
-      {{- end }}
-      {{- end }}
       {{- if .Values.deployment.hostNetwork }}
       hostNetwork: {{ .Values.deployment.hostNetwork }}
       {{- end }}

application/templates/job.yaml

@@ -37,13 +37,7 @@ spec:
       annotations: {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      {{- if $.Values.rbac.enabled }}
-      {{- if $.Values.rbac.serviceAccount.name }}
-      serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
-        {{- else }}
-      serviceAccountName: {{ template "application.name" $ }}
-      {{- end }}
-      {{- end }}
+      serviceAccountName: {{ template "application.service-account-name" $ }}
       containers:
       - name: {{ $name }}
 

application/templates/serviceaccount.yaml

@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ default (include "application.name" .) .Values.rbac.serviceAccount.name }}
+  name: {{ template "application.service-account-name" . }}
   namespace: {{ template "application.namespace" . }}
   labels:
     {{- include "application.labels" $ | nindent 4 }}

application/tests/cronjob_test.yaml

@@ -77,3 +77,47 @@ tests:
       - equal:
           path: spec.jobTemplate.spec.template.spec.containers[0].image
           value: example-image:example-tag@sha256:example-digest
+
+  - it: yields empty service account name when disabled
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.enabled: false
+    asserts:
+      - isNullOrEmpty:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+
+  - it: uses service account name override when present
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.name: example-sa
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: example-sa
+
+  - it: uses a generated service account name when not given
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.name: ""
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: example-app

application/tests/deployment_test.yaml

@@ -91,7 +91,7 @@ tests:
     set:
       rbac.serviceAccount.enabled: false
     asserts:
-      - notExists:
+      - isNullOrEmpty:
           path: spec.template.spec.serviceAccountName
 
   - it: uses service account name override when present

application/tests/job_test.yaml

@@ -95,3 +95,47 @@ tests:
           path: spec.template.metadata.annotations
           value:
             helm.sh/hook: "pre-install,pre-upgrade"
+
+  - it: yields empty service account name when disabled
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.enabled: false
+    asserts:
+      - isNullOrEmpty:
+          path: spec.template.spec.serviceAccountName
+
+  - it: uses service account name override when present
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.name: example-sa
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: example-sa
+
+  - it: uses a generated service account name when not given
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.name: ""
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: example-app

application/values.yaml

@@ -654,6 +654,9 @@ rbac:
   # -- (bool) Enable RBAC.
   # @section -- RBAC Parameters
   enabled: true
+  # -- (string) Existing Service Account Name.
+  # @section -- RBAC Parameters
+  existingServiceAccountName: ""
   serviceAccount:
     # -- (bool) Deploy Service Account.
     # @section -- RBAC Parameters