fix(falco): reintroduce service account

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
falcosecurity · Feb 6, 2024 · 53e41ca · 53e41ca
1 parent 8880802
commit 53e41ca
Show file tree

Hide file tree

Showing 6 changed files with 88 additions and 1 deletion.
diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md
@@ -3,6 +3,10 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v4.0.1
+
+* Reintroduce the service account.
+
 ## v4.0.0
 The new chart introduces some breaking changes. For folks upgrading Falco please see the BREAKING-CHANGES.md file.
 

diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: falco
-version: 4.0.0
+version: 4.1.0
 appVersion: "0.37.0"
 description: Falco
 keywords:

diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl
@@ -16,6 +16,7 @@ metadata:
       {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
+  serviceAccountName: {{ include "falco.serviceAccountName" . }}
   {{- with .Values.podSecurityContext }}
   securityContext:
     {{- toYaml . | nindent 4}}

diff --git a/charts/falco/templates/serviceaccount.yaml b/charts/falco/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "falco.serviceAccountName" . }}
+  namespace: {{ include "falco.namespace" . }}
+  labels:
+    {{- include "falco.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/falco/tests/unit/serviceAccount_test.go b/charts/falco/tests/unit/serviceAccount_test.go
@@ -0,0 +1,59 @@
+package unit
+
+import (
+	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestServiceAccount(t *testing.T) {
+	t.Parallel()
+
+	helmChartPath, err := filepath.Abs(chartPath)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name     string
+		values   map[string]string
+		expected func(t *testing.T, sa *corev1.ServiceAccount)
+	}{
+		{
+			"defaultValues",
+			nil,
+			func(t *testing.T, sa *corev1.ServiceAccount) {
+				require.Equal(t, sa.Name, "")
+			},
+		},
+		{
+			"kind=kmod",
+			map[string]string{
+				"serviceAccount.create": "true",
+			},
+			func(t *testing.T, sa *corev1.ServiceAccount) {
+				require.Equal(t, sa.Name, "rendered-resources-falco")
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		testCase := testCase
+
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+
+			options := &helm.Options{SetValues: testCase.values}
+			output, err := helm.RenderTemplateE(t, options, helmChartPath, releaseName, []string{"templates/serviceaccount.yaml"})
+			if err != nil {
+				require.True(t, strings.Contains(err.Error(), "Error: could not find template templates/serviceaccount.yaml in chart"))
+			}
+
+			var sa corev1.ServiceAccount
+			helm.UnmarshalK8SYaml(t, output, &sa)
+
+			testCase.expected(t, &sa)
+		})
+	}
+}
diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml
@@ -26,6 +26,15 @@ namespaceOverride: ""
 # -- Add additional pod annotations
 podAnnotations: {}
 
+serviceAccount:
+  # -- Specifies whether a service account should be created.
+  create: false
+  # -- Annotations to add to the service account.
+  annotations: {}
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
 # -- Add additional pod labels
 podLabels: {}