From c127a42128b0af1f458e63938dfa5d9ea723ef29 Mon Sep 17 00:00:00 2001 From: Zadkiel AHARONIAN Date: Fri, 15 Nov 2024 12:25:33 +0100 Subject: [PATCH] feat: allow usage of existing service account --- README.md | 1 + application/templates/_helpers.tpl | 15 ++++++++ application/templates/cronjob.yaml | 8 +---- application/templates/deployment.yaml | 8 +---- application/templates/job.yaml | 8 +---- application/templates/serviceaccount.yaml | 2 +- application/tests/cronjob_test.yaml | 44 +++++++++++++++++++++++ application/tests/deployment_test.yaml | 2 +- application/tests/job_test.yaml | 44 +++++++++++++++++++++++ application/values.yaml | 3 ++ 10 files changed, 112 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 73e1f9f3..2cfc0032 100644 --- a/README.md +++ b/README.md @@ -214,6 +214,7 @@ helm delete --namespace test my-application | Key | Type | Default | Description | |-----|------|---------|-------------| | rbac.enabled | bool | `true` | Enable RBAC. | +| rbac.existingServiceAccountName | string | `""` | Existing Service Account Name. | | rbac.serviceAccount.enabled | bool | `false` | Deploy Service Account. | | rbac.serviceAccount.name | string | `{{ include "application.name" $ }}` | Service Account Name. | | rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. | diff --git a/application/templates/_helpers.tpl b/application/templates/_helpers.tpl index d678c846..402bac0b 100644 --- a/application/templates/_helpers.tpl +++ b/application/templates/_helpers.tpl @@ -68,3 +68,18 @@ reference: kind: Route name: {{ include "application.name" . }} {{- end }} + +{{- define "application.service-account-name" }} +{{- if .Values.rbac.enabled }} + {{- if and .Values.rbac.serviceAccount.enabled .Values.rbac.existingServiceAccountName }} + {{- fail "Conflict: 'rbac.existingServiceAccountName' is set, but a new service account is being created. Please disable 'rbac.serviceAccount.enabled' or unset 'rbac.existingServiceAccountName'." }} + {{- end }} + {{- if .Values.rbac.serviceAccount.enabled }} + {{- default (include "application.name" .) .Values.rbac.serviceAccount.name }} + {{- else }} + {{- default "null" .Values.rbac.existingServiceAccountName }} + {{- end }} +{{- else }} + null +{{- end }} +{{- end }} diff --git a/application/templates/cronjob.yaml b/application/templates/cronjob.yaml index 3db0c94c..5ea469cd 100644 --- a/application/templates/cronjob.yaml +++ b/application/templates/cronjob.yaml @@ -54,13 +54,7 @@ spec: annotations: {{ toYaml . | nindent 12 }} {{- end }} spec: - {{- if $.Values.rbac.enabled }} - {{- if $.Values.rbac.serviceAccount.name }} - serviceAccountName: {{ $.Values.rbac.serviceAccount.name }} - {{- else }} - serviceAccountName: {{ template "application.name" $ }} - {{- end }} - {{- end }} + serviceAccountName: {{ template "application.service-account-name" $ }} containers: - name: {{ $name }} {{- $image := required (print "Undefined image repo for container '" $name "'") $job.image.repository }} diff --git a/application/templates/deployment.yaml b/application/templates/deployment.yaml index 4f5bfd23..b417df1b 100644 --- a/application/templates/deployment.yaml +++ b/application/templates/deployment.yaml @@ -74,6 +74,7 @@ spec: ] {{- end }} spec: + serviceAccountName: {{ template "application.service-account-name" $ }} {{- if .Values.deployment.hostAliases }} hostAliases: {{ toYaml .Values.deployment.hostAliases | indent 6 }} @@ -308,13 +309,6 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.rbac.serviceAccount.enabled }} - {{- if .Values.rbac.serviceAccount.name }} - serviceAccountName: {{ .Values.rbac.serviceAccount.name }} - {{- else }} - serviceAccountName: {{ template "application.name" $ }} - {{- end }} - {{- end }} {{- if .Values.deployment.hostNetwork }} hostNetwork: {{ .Values.deployment.hostNetwork }} {{- end }} diff --git a/application/templates/job.yaml b/application/templates/job.yaml index 8097a15d..27539f96 100644 --- a/application/templates/job.yaml +++ b/application/templates/job.yaml @@ -37,13 +37,7 @@ spec: annotations: {{ toYaml . | nindent 8 }} {{- end }} spec: - {{- if $.Values.rbac.enabled }} - {{- if $.Values.rbac.serviceAccount.name }} - serviceAccountName: {{ $.Values.rbac.serviceAccount.name }} - {{- else }} - serviceAccountName: {{ template "application.name" $ }} - {{- end }} - {{- end }} + serviceAccountName: {{ template "application.service-account-name" $ }} containers: - name: {{ $name }} diff --git a/application/templates/serviceaccount.yaml b/application/templates/serviceaccount.yaml index 3c361ddb..c548face 100644 --- a/application/templates/serviceaccount.yaml +++ b/application/templates/serviceaccount.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ default (include "application.name" .) .Values.rbac.serviceAccount.name }} + name: {{ template "application.service-account-name" . }} namespace: {{ template "application.namespace" . }} labels: {{- include "application.labels" $ | nindent 4 }} diff --git a/application/tests/cronjob_test.yaml b/application/tests/cronjob_test.yaml index 2cbb6cef..59cffe9c 100644 --- a/application/tests/cronjob_test.yaml +++ b/application/tests/cronjob_test.yaml @@ -77,3 +77,47 @@ tests: - equal: path: spec.jobTemplate.spec.template.spec.containers[0].image value: example-image:example-tag@sha256:example-digest + + - it: yields empty service account name when disabled + set: + cronJob: + enabled: true + jobs: + example: + image: + repository: example-image + rbac.serviceAccount.enabled: false + asserts: + - isNullOrEmpty: + path: spec.jobTemplate.spec.template.spec.serviceAccountName + + - it: uses service account name override when present + set: + cronJob: + enabled: true + jobs: + example: + image: + repository: example-image + rbac.serviceAccount.enabled: true + rbac.serviceAccount.name: example-sa + asserts: + - equal: + path: spec.jobTemplate.spec.template.spec.serviceAccountName + value: example-sa + + - it: uses a generated service account name when not given + set: + cronJob: + enabled: true + jobs: + example: + image: + repository: example-image + applicationName: example-app + rbac.serviceAccount.enabled: true + rbac.serviceAccount.name: "" + asserts: + - equal: + path: spec.jobTemplate.spec.template.spec.serviceAccountName + value: example-app diff --git a/application/tests/deployment_test.yaml b/application/tests/deployment_test.yaml index 28f895d9..6bcafc42 100644 --- a/application/tests/deployment_test.yaml +++ b/application/tests/deployment_test.yaml @@ -91,7 +91,7 @@ tests: set: rbac.serviceAccount.enabled: false asserts: - - notExists: + - isNullOrEmpty: path: spec.template.spec.serviceAccountName - it: uses service account name override when present diff --git a/application/tests/job_test.yaml b/application/tests/job_test.yaml index 0edc5cda..2441db3b 100644 --- a/application/tests/job_test.yaml +++ b/application/tests/job_test.yaml @@ -95,3 +95,47 @@ tests: path: spec.template.metadata.annotations value: helm.sh/hook: "pre-install,pre-upgrade" + + - it: yields empty service account name when disabled + set: + job: + enabled: true + jobs: + example: + image: + repository: example-image + rbac.serviceAccount.enabled: false + asserts: + - isNullOrEmpty: + path: spec.template.spec.serviceAccountName + + - it: uses service account name override when present + set: + job: + enabled: true + jobs: + example: + image: + repository: example-image + rbac.serviceAccount.enabled: true + rbac.serviceAccount.name: example-sa + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: example-sa + + - it: uses a generated service account name when not given + set: + job: + enabled: true + jobs: + example: + image: + repository: example-image + applicationName: example-app + rbac.serviceAccount.enabled: true + rbac.serviceAccount.name: "" + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: example-app diff --git a/application/values.yaml b/application/values.yaml index 3569adb6..42a573ed 100644 --- a/application/values.yaml +++ b/application/values.yaml @@ -654,6 +654,9 @@ rbac: # -- (bool) Enable RBAC. # @section -- RBAC Parameters enabled: true + # -- (string) Existing Service Account Name. + # @section -- RBAC Parameters + existingServiceAccountName: "" serviceAccount: # -- (bool) Deploy Service Account. # @section -- RBAC Parameters