From bfb8643fc3622e316303ff6b7fedccfdfc683d0d Mon Sep 17 00:00:00 2001
From: Florian Heubeck
Date: Fri, 30 Aug 2024 09:42:32 +0200
Subject: [PATCH] [Application] Support existing ServiceAccount name

---
 .../ci/test-additional-port-values.yaml | 32 +++++++++----------
 .../test-existing-service-account-values.yaml | 9 ++++++
 charts/application/Chart.yaml | 2 +-
 charts/application/templates/_helpers.tpl | 11 +++++++
 charts/application/templates/_podTemplate.tpl | 2 +-
 .../templates/k8s-service-account.yaml | 4 ++-
 charts/application/values.yaml | 10 +++++-
 7 files changed, 49 insertions(+), 21 deletions(-)
 create mode 100644 chart-tests/application/ci/test-existing-service-account-values.yaml

diff --git a/chart-tests/application/ci/test-additional-port-values.yaml b/chart-tests/application/ci/test-additional-port-values.yaml
index 8f24e3d..6eac208 100644
--- a/chart-tests/application/ci/test-additional-port-values.yaml
+++ b/chart-tests/application/ci/test-additional-port-values.yaml
@@ -5,20 +5,18 @@ resources:
 limits:
 cpu: 100m
 memory: 100Mi
-spec:
- values:
- container:
- port: 8000
- service:
- port: 8000
- backendConfig:
- enabled: true
- securityPolicyName: uri-path-policy
- additionalPorts:
- - name: https
- protocol: TCP
- containerPort: 8081
- servicePort: 81
- - name: grpc
- protocol: TCP
- containerPort: 8082
+container:
+ port: 8000
+service:
+ port: 8000
+ backendConfig:
+ enabled: true
+ securityPolicyName: uri-path-policy
+additionalPorts:
+ - name: https
+ protocol: TCP
+ containerPort: 8081
+ servicePort: 81
+ - name: grpc
+ protocol: TCP
+ containerPort: 8082
diff --git a/chart-tests/application/ci/test-existing-service-account-values.yaml b/chart-tests/application/ci/test-existing-service-account-values.yaml
new file mode 100644
index 0000000..4332331
--- /dev/null
+++ b/chart-tests/application/ci/test-existing-service-account-values.yaml
@@ -0,0 +1,9 @@
+resources:
+ requests:
+ cpu: 10m
+ memory: 50Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+serviceAccount:
+ existingServiceAccountName: name-me-butterfly
diff --git a/charts/application/Chart.yaml b/charts/application/Chart.yaml
index aaefc7f..1dd2fe8 100644
--- a/charts/application/Chart.yaml
+++ b/charts/application/Chart.yaml
@@ -7,4 +7,4 @@ maintainers:
 - name: MediaMarktSaturn
 url: https://github.com/MediaMarktSaturn
 appVersion: 1.0.0
-version: 1.23.0
+version: 1.24.0
diff --git a/charts/application/templates/_helpers.tpl b/charts/application/templates/_helpers.tpl
index 177c244..9367055 100644
--- a/charts/application/templates/_helpers.tpl
+++ b/charts/application/templates/_helpers.tpl
@@ -39,3 +39,14 @@ Selector labels
 {{ include "commonLabels" . }}
 {{ include "selectorLabels" . }}
 {{- end -}}
+
+{{/*
+ServiceAccount name
+*/}}
+{{- define "serviceAccountName" -}}
+{{- if .Values.serviceAccount.existingServiceAccountName -}}
+{{- .Values.serviceAccount.existingServiceAccountName | quote -}}
+{{- else -}}
+{{- .Release.Name -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/application/templates/_podTemplate.tpl b/charts/application/templates/_podTemplate.tpl
index 2436275..65cecdd 100644
--- a/charts/application/templates/_podTemplate.tpl
+++ b/charts/application/templates/_podTemplate.tpl
@@ -21,7 +21,7 @@ metadata:
 {{- end }}
 {{- end }}
 spec:
- serviceAccountName: {{ .Release.Name }}
+ serviceAccountName: {{ include "serviceAccountName" . }}
 {{- if .Values.podSecurityContext }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 4 }}
diff --git a/charts/application/templates/k8s-service-account.yaml b/charts/application/templates/k8s-service-account.yaml
index 5d2543c..caf98f4 100644
--- a/charts/application/templates/k8s-service-account.yaml
+++ b/charts/application/templates/k8s-service-account.yaml
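Review bot: `existingServiceAccountName: name-me-butterfly` names a ServiceAccount that nothing in the test setup creates, and the values.yaml comment added in this same patch states that the referenced SA has to already exist. If these ci values are installed rather than only linted, Kubernetes will refuse to create a pod whose serviceAccountName does not exist in the namespace, so the test would fail instead of demonstrating the feature; I am inferring the install step from the `ci/` location. Pointing the fixture at the ServiceAccount every namespace already carries, `existingServiceAccountName: default`, keeps the test self-contained; otherwise the harness needs a pre-step that creates the named SA.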
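Review bot: The two branches of the new `serviceAccountName` helper return differently formatted values: the existing-name branch goes through `| quote` while the `.Release.Name` branch is emitted bare, so a caller receives `"my-sa"` in one mode and `my-release` in the other. Both render as valid YAML at the two call sites in this patch, but a helper that sometimes quotes is a trap for the next caller that quotes the result itself or uses it in a label or selector. Dropping the pipe here, `{{- .Values.serviceAccount.existingServiceAccountName -}}`, and quoting at the call site, `serviceAccountName: {{ include "serviceAccountName" . | quote }}`, keeps the helper's contract uniform. Any other template that still identifies the ServiceAccount via `.Release.Name` (RBAC subjects, for instance) is not visible in this patch and would also need the helper so that bindings follow the external SA.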
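Review bot: Once an existing ServiceAccount is selected, the pod references it but, as far as this patch shows, `automountServiceAccountToken` is only ever set on the chart-created ServiceAccount in `k8s-service-account.yaml`, which is now skipped entirely in that mode; `.Values.serviceAccount.automountServiceAccountToken` and the `rbac`-derived default therefore stop having any effect and token mounting is decided solely by whatever the external SA specifies. The pod-level field takes precedence over the SA-level one, so setting it here keeps the chart's token-mounting policy in force for both modes: `automountServiceAccountToken: {{ or .Values.serviceAccount.automountServiceAccountToken (not (empty .Values.serviceAccount.rbac)) }}` directly under the `serviceAccountName:` line. The enclosing pod template starts and ends outside the hunk.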
@@ -1,7 +1,8 @@
+{{- if not .Values.serviceAccount.existingServiceAccountName }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: {{ .Release.Name }}
+ name: {{ include "serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "labels" . | nindent 4 }}
@@ -10,3 +11,4 @@ metadata:
 iam.gke.io/gcp-service-account: {{ .Values.serviceAccount.workloadIdentityServiceAccount }}
 {{- end }}
 automountServiceAccountToken: {{ or .Values.serviceAccount.automountServiceAccountToken (not (empty .Values.serviceAccount.rbac)) }}
+{{- end }}
diff --git a/charts/application/values.yaml b/charts/application/values.yaml
index 92b9f03..37b71f2 100644
--- a/charts/application/values.yaml
+++ b/charts/application/values.yaml
@@ -150,6 +150,14 @@ encryptedSecret:
 mountPath:
 serviceAccount:
+ # giving an `existingServiceAccountName` will map that one instead of creating an own; the refered SA has to already exist
+ ## you may want to manual set:
+ ## ```
+ ## nodeSelector:
+ ## iam.gke.io/gke-metadata-server-enabled: "true"
+ ## ```
+ ## if using workload identity with your own SA (done automatically when using `workloadIdentityServiceAccount` for automatically created SA)
+ existingServiceAccountName:
 # service account email address for use with workload identity, see https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
 workloadIdentityServiceAccount:
 # secret containing a 'key.json' of the GCP service account key to be used by this app
@@ -268,7 +276,7 @@ prepJob:
 command: []
 # key/value pairs that will be bound as env
 configuration: {}
- # pre-existing service account to be used
+ # pre-existing service account to be used (as automatically created one does not exist yet on-install of helm release)
 serviceAccountName:
 resources: {}
 # requests:
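Review bot: Wrapping the whole manifest in `{{- if not .Values.serviceAccount.existingServiceAccountName }}` means that when an existing SA is named, `workloadIdentityServiceAccount` (the `iam.gke.io/gcp-service-account` annotation in the second hunk) and `automountServiceAccountToken` are silently dropped rather than applied or rejected, so a user who sets both an existing SA and a workload-identity binding gets a pod with no GCP identity and no error. A render-time guard makes that conflict explicit, placed before the `if`: `{{- if and .Values.serviceAccount.existingServiceAccountName .Values.serviceAccount.workloadIdentityServiceAccount }}{{- fail "serviceAccount.workloadIdentityServiceAccount is not applied when existingServiceAccountName is set" }}{{- end }}`. Inside the guard the `include "serviceAccountName"` on the `name:` line can only ever resolve to `.Release.Name`, which is correct but worth a one-line comment so nobody expects the quoted branch to be reachable here.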
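Review bot: The new comment block above `existingServiceAccountName` omits the consequence a reader needs most: when it is set the chart creates no ServiceAccount, and `workloadIdentityServiceAccount` and `automountServiceAccountToken` below are not applied to the external one. It also has wording slips, `refered` → `referred`, `an own` → `its own`, `manual set` → `manually set`, and the single `#` line followed by `##` lines mixes two comment styles where the neighbouring keys use plain `#`. Suggested opening line: `# set existingServiceAccountName to use an already existing ServiceAccount (same namespace as the release) instead of creating one; workloadIdentityServiceAccount and automountServiceAccountToken are then not applied`, with the nodeSelector hint following as plain `#` lines.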