[keycloak] Add service account creation (#26)

Signed-off-by: Dennis Effing <[email protected]>
codecentric · May 15, 2019 · efc33c3 · efc33c3
1 parent 9e530e4
commit efc33c3
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 1 deletion.
diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml
@@ -1,5 +1,5 @@
 name: keycloak
-version: 4.13.2
+version: 4.14.0
 appVersion: 5.0.0
 description: Open Source Identity and Access Management For Modern Applications and Services
 keywords:

diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md
@@ -70,6 +70,7 @@ Parameter | Description | Default
 `keycloak.podAnnotations` | Extra annotations to add to pod | `{}`
 `keycloak.hostAliases` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | `[]`
 `keycloak.enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links | `false`
+`keycloak.serviceAccount.create` | If `true`, a new service account is created | `false`
 `keycloak.securityContext` | Security context for the entire pod. Every container running in the pod will inherit this security context. This might be relevant when other components of the environment inject additional containers into running pods (service meshs are the most prominent example for this) | `{fsGroup: 1000}`
 `keycloak.containerSecurityContext` | Security context for containers running in the pod. Will not be inherited by additionally injected containers | `{runAsUser: 1000, runAsNonRoot: true}`
 `keycloak.preStartScript` | Custom script to run before Keycloak starts up | ``

diff --git a/charts/keycloak/templates/_helpers.tpl b/charts/keycloak/templates/_helpers.tpl
@@ -31,6 +31,17 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create name of the service account to use
+*/}}
+{{- define "keycloak.serviceAccountName" -}}
+{{- if .Values.keycloak.serviceAccount.create -}}
+    {{ default (include "keycloak.fullname" .) .Values.keycloak.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.keycloak.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified app name for the postgres requirement.
 */}}

diff --git a/charts/keycloak/templates/serviceaccount.yaml b/charts/keycloak/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.keycloak.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: {{ template "keycloak.name" . }}
+    chart: {{ template "keycloak.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "keycloak.fullname" . }}
+{{- end -}}
diff --git a/charts/keycloak/templates/statefulset.yaml b/charts/keycloak/templates/statefulset.yaml
@@ -37,6 +37,7 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
       enableServiceLinks: {{ .Values.keycloak.enableServiceLinks }}
+      serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
       securityContext:
 {{ toYaml .Values.keycloak.securityContext | indent 8 }}
     {{- with .Values.keycloak.image.pullSecrets }}

diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml
@@ -28,6 +28,13 @@ keycloak:
 
   enableServiceLinks: false
 
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: false
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name:
+
   securityContext:
     fsGroup: 1000