From 4f685d8ddcf242f9e749b6fdc7186e4fe925eb7b Mon Sep 17 00:00:00 2001
From: Michael Fraenkel
Date: Tue, 30 May 2023 09:36:51 -0600
Subject: [PATCH] DOM-47188: Service account workload identity annos (#98)

When workload identity is enabled, add necessary SA annotations.
---
 .../templates/controller/serviceaccount.yaml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml b/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml
index ed6a8e3c..88b070d1 100644
--- a/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml
+++ b/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml
@@ -6,18 +6,19 @@ metadata:
 labels:
 {{- include "hephaestus.controller.labels.standard" . | nindent 4 }}
 {{- with .Values.controller }}
- {{- if or .serviceAccount.annotations .manager.cloudRegistryAuth.gcp.enabled }}
+ {{- $azureEnabled := and .manager.cloudRegistryAuth.azure.enabled .manager.cloudRegistryAuth.azure.workloadIdentity }}
+ {{- if or .serviceAccount.annotations .manager.cloudRegistryAuth.gcp.enabled $azureEnabled }}
 annotations:
 {{- with .serviceAccount.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- if .manager.cloudRegistryAuth.gcp.enabled }}
- "iam.gke.io/gcp-service-account": {{ required "GCP ServiceAccount is required when enabled!" .manager.cloudRegistryAuth.gcp.serviceAccount | quote }}
+ {{- with .manager.cloudRegistryAuth }}
+ {{- if .gcp.enabled }}
+ "iam.gke.io/gcp-service-account": {{ required "GCP ServiceAccount is required when enabled!" .gcp.serviceAccount | quote }}
 {{- end }}
- {{- with .manager.cloudRegistryAuth.azure }}
- {{- if and .enabled (not .clientSecret) }}
- "azure.workload.identity/client-id": {{ required "Azure clientID is required when enabled!" .clientID | quote }}
- "azure.workload.identity/tenant-id": {{ required "Azure tenantID is required when enabled!" .tenantID | quote }}
+ {{- if $azureEnabled }}
+ "azure.workload.identity/client-id": {{ required "Azure clientID is required when enabled!" .azure.clientID | quote }}
+ "azure.workload.identity/tenant-id": {{ required "Azure tenantID is required when enabled!" .azure.tenantID | quote }}
 {{- end }}
 {{- end }}
 {{- end }}
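Review bot: The new `$azureEnabled` condition drops the `(not .clientSecret)` exclusion the removed `if and .enabled (not .clientSecret)` line enforced, so a values file that sets `azure.workloadIdentity: true` and also populates `azure.clientSecret` now renders a ServiceAccount federated to the Azure identity while a static credential is configured as well, and nothing in this template tells the operator which one the controller will actually use. Since `required` already aborts rendering on a missing clientID/tenantID, the same hard-fail style fits here, e.g. directly after the `$azureEnabled` assignment: `{{- if and $azureEnabled .manager.cloudRegistryAuth.azure.clientSecret }}`, `{{- fail "azure.workloadIdentity and azure.clientSecret are mutually exclusive" }}`, `{{- end }}`. Separately, the SA annotations are presumably only half of the setup — the workload-identity webhook typically injects the projected token only into pods carrying the `azure.workload.identity/use: "true"` label — so it is worth confirming the controller's pod template sets that label under the same `$azureEnabled` condition, which this commit does not show. The `metadata:` mapping these annotations belong to opens before the hunk.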