feat: allow usage of existing service account

stakater · Nov 15, 2024 · 0ef820d · 0ef820d
1 parent 2c97270
commit 0ef820d
Show file tree

Hide file tree

Showing 8 changed files with 108 additions and 23 deletions.
diff --git a/application/templates/_helpers.tpl b/application/templates/_helpers.tpl
@@ -68,3 +68,18 @@ reference:
   kind: Route
   name: {{ include "application.name" . }}
 {{- end }}
+
+{{- define "application.service-account-name" }}
+{{- if .Values.rbac.enabled }}
+  {{- if and .Values.rbac.serviceAccount.enabled .Values.rbac.existingServiceAccountName }}
+    {{- fail "Conflict: 'rbac.existingServiceAccountName' is set, but a new service account is being created. Please disable 'rbac.serviceAccount.enabled' or unset 'rbac.existingServiceAccountName'." }}
+  {{- end }}
+  {{- if .Values.rbac.serviceAccount.enabled }}
+    {{- default (include "application.name" .) .Values.rbac.serviceAccount.name }}
+  {{- else }}
+    {{- default "null" .Values.rbac.existingServiceAccountName }}
+  {{- end }}
+{{- else }}
+  null
+{{- end }}
+{{- end }}
diff --git a/application/templates/cronjob.yaml b/application/templates/cronjob.yaml
@@ -54,13 +54,7 @@ spec:
           annotations: {{ toYaml . | nindent 12 }}
           {{- end }}
         spec:
-          {{- if $.Values.rbac.enabled }}
-          {{- if $.Values.rbac.serviceAccount.name }}
-          serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
-            {{- else }}
-          serviceAccountName: {{ template "application.name" $ }}
-          {{- end }}
-          {{- end }}
+          serviceAccountName: {{ template "application.service-account-name" $ }}
           containers:
           - name: {{ $name }}
             {{- $image := required (print "Undefined image repo for container '" $name "'") $job.image.repository }}

diff --git a/application/templates/deployment.yaml b/application/templates/deployment.yaml
@@ -74,6 +74,7 @@ spec:
           ]
 {{- end }}
     spec:
+      serviceAccountName: {{ template "application.service-account-name" $ }}
       {{- if .Values.deployment.hostAliases }}
       hostAliases:
 {{ toYaml .Values.deployment.hostAliases | indent 6 }}
@@ -308,13 +309,6 @@ spec:
         {{- end }}
         {{- end }}
       {{- end }}
-      {{- if .Values.rbac.serviceAccount.enabled }}
-      {{- if .Values.rbac.serviceAccount.name }}
-      serviceAccountName: {{ .Values.rbac.serviceAccount.name }}
-      {{- else }}
-      serviceAccountName: {{ template "application.name" $ }}
-      {{- end }}
-      {{- end }}
       {{- if .Values.deployment.hostNetwork }}
       hostNetwork: {{ .Values.deployment.hostNetwork }}
       {{- end }}

diff --git a/application/templates/job.yaml b/application/templates/job.yaml
@@ -37,13 +37,7 @@ spec:
       annotations: {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      {{- if $.Values.rbac.enabled }}
-      {{- if $.Values.rbac.serviceAccount.name }}
-      serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
-        {{- else }}
-      serviceAccountName: {{ template "application.name" $ }}
-      {{- end }}
-      {{- end }}
+      serviceAccountName: {{ template "application.service-account-name" $ }}
       containers:
       - name: {{ $name }}
 

diff --git a/application/templates/serviceaccount.yaml b/application/templates/serviceaccount.yaml
@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ default (include "application.name" .) .Values.rbac.serviceAccount.name }}
+  name: {{ template "application.service-account-name" . }}
   namespace: {{ template "application.namespace" . }}
   labels:
     {{- include "application.labels" $ | nindent 4 }}

diff --git a/application/tests/cronjob_test.yaml b/application/tests/cronjob_test.yaml
@@ -77,3 +77,47 @@ tests:
       - equal:
           path: spec.jobTemplate.spec.template.spec.containers[0].image
           value: example-image:example-tag@sha256:example-digest
+
+  - it: yields empty service account name when disabled
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.enabled: false
+    asserts:
+      - isNullOrEmpty:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+
+  - it: uses service account name override when present
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.name: example-sa
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: example-sa
+
+  - it: uses a generated service account name when not given
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.name: ""
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: example-app
diff --git a/application/tests/deployment_test.yaml b/application/tests/deployment_test.yaml
@@ -91,7 +91,7 @@ tests:
     set:
       rbac.serviceAccount.enabled: false
     asserts:
-      - notExists:
+      - isNullOrEmpty:
           path: spec.template.spec.serviceAccountName
 
   - it: uses service account name override when present

diff --git a/application/tests/job_test.yaml b/application/tests/job_test.yaml
@@ -95,3 +95,47 @@ tests:
           path: spec.template.metadata.annotations
           value:
             helm.sh/hook: "pre-install,pre-upgrade"
+
+  - it: yields empty service account name when disabled
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.enabled: false
+    asserts:
+      - isNullOrEmpty:
+          path: spec.template.spec.serviceAccountName
+
+  - it: uses service account name override when present
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.name: example-sa
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: example-sa
+
+  - it: uses a generated service account name when not given
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.name: ""
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: example-app