[Application] Support existing ServiceAccount name

chart-tests/application/ci/test-additional-port-values.yaml

@@ -5,20 +5,18 @@ resources:
   limits:
     cpu: 100m
     memory: 100Mi
-spec:
-  values:
-    container:
-      port: 8000
-    service:
-      port: 8000
-      backendConfig:
-        enabled: true
-        securityPolicyName: uri-path-policy
-    additionalPorts:
-      - name: https
-        protocol: TCP
-        containerPort: 8081
-        servicePort: 81
-      - name: grpc
-        protocol: TCP
-        containerPort: 8082
+container:
+  port: 8000
+service:
+  port: 8000
+  backendConfig:
+    enabled: true
+    securityPolicyName: uri-path-policy
+additionalPorts:
+  - name: https
+    protocol: TCP
+    containerPort: 8081
+    servicePort: 81
+  - name: grpc
+    protocol: TCP
+    containerPort: 8082

chart-tests/application/ci/test-existing-service-account-values.yaml

@@ -0,0 +1,9 @@
+resources:
+  requests:
+    cpu: 10m
+    memory: 50Mi
+  limits:
+    cpu: 100m
+    memory: 100Mi
+serviceAccount:
+  existingServiceAccountName: name-me-butterfly

charts/application/Chart.yaml

@@ -7,4 +7,4 @@ maintainers:
   - name: MediaMarktSaturn
     url: https://github.com/MediaMarktSaturn
 appVersion: 1.0.0
-version: 1.23.0
+version: 1.24.0

charts/application/templates/_helpers.tpl

@@ -39,3 +39,14 @@ Selector labels
 {{ include "commonLabels" . }}
 {{ include "selectorLabels" . }}
 {{- end -}}
+
+{{/*
+ServiceAccount name
+*/}}
+{{- define "serviceAccountName" -}}
+{{- if .Values.serviceAccount.existingServiceAccountName -}}
+{{- .Values.serviceAccount.existingServiceAccountName | quote -}}
+{{- else -}}
+{{- .Release.Name -}}
+{{- end -}}
+{{- end -}}

charts/application/templates/_podTemplate.tpl

@@ -21,7 +21,7 @@ metadata:
     {{- end }}
     {{- end }}
 spec:
-  serviceAccountName: {{ .Release.Name }}
+  serviceAccountName: {{ include "serviceAccountName" . }}
   {{- if .Values.podSecurityContext }}
   securityContext:
     {{- toYaml .Values.podSecurityContext | nindent 4 }}

charts/application/templates/k8s-service-account.yaml

@@ -1,7 +1,8 @@
+{{- if not .Values.serviceAccount.existingServiceAccountName }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Release.Name }}
+  name: {{ include "serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "labels" . | nindent 4 }}
@@ -10,3 +11,4 @@ metadata:
     iam.gke.io/gcp-service-account: {{ .Values.serviceAccount.workloadIdentityServiceAccount }}
   {{- end }}
 automountServiceAccountToken: {{ or .Values.serviceAccount.automountServiceAccountToken (not (empty .Values.serviceAccount.rbac)) }}
+{{- end }}

charts/application/values.yaml

@@ -150,6 +150,14 @@ encryptedSecret:
   mountPath:
 
 serviceAccount:
+  # giving an `existingServiceAccountName` will map that one instead of creating an own; the refered SA has to already exist
+  ## you may want to manual set:
+  ## ```
+  ## nodeSelector:
+  ##   iam.gke.io/gke-metadata-server-enabled: "true"
+  ## ```
+  ## if using workload identity with your own SA (done automatically when using `workloadIdentityServiceAccount` for automatically created SA)
+  existingServiceAccountName:
   # service account email address for use with workload identity, see https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
   workloadIdentityServiceAccount:
   # secret containing a 'key.json' of the GCP service account key to be used by this app
@@ -268,7 +276,7 @@ prepJob:
   command: []
   # key/value pairs that will be bound as env
   configuration: {}
-  # pre-existing service account to be used
+  # pre-existing service account to be used (as automatically created one does not exist yet on-install of helm release)
   serviceAccountName:
   resources: {}
   #  requests: