deployment/helm: use dedicated serviceaccount for topology-updater
Change the configuration so that, by default, we use a dedicated
serviceaccount for topology-updater (similar to topology-gc, nfd-master
and nfd-worker).

Fix the templates so that the serviceaccount and clusterrolebinding are
only created when topology-updater is enabled (clusterrole was already
handled this way).

This patch also correctly documents the default value of rbac.create
parameter of topology-updater and topology-gc.
marquiz committed May 5, 2023
1 parent 11db6bd commit 526aab8
Showing 4 changed files with 5 additions and 5 deletions.
Expand Up @@ -16,7 +16,7 @@ subjects:
{{- end }}

---
{{- if .Values.topologyUpdater.rbac.create }}
{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
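Review bot: the `subjects:` of this ClusterRoleBinding sit outside the visible context, so the hunk does not show which account the binding targets once `topologyUpdater.serviceAccount.create` defaults to true. Please confirm the subject resolves to the dedicated topology-updater account (the generated name when `serviceAccount.name` is unset), so the ClusterRole is not left bound to whichever account was used before this change. The new guard `and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create` itself looks correct.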
Expand Up @@ -13,7 +13,7 @@ metadata:
{{- end }}

---
{{- if .Values.topologyUpdater.serviceAccount.create }}
{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
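Review bot: the guard `and .Values.topologyUpdater.enable .Values.topologyUpdater.serviceAccount.create` repeats the `enable` check that the clusterrolebinding template now carries and that, per the commit message, the clusterrole already had. Three hand-written copies of the same gate can drift apart; consider a small named template for the "topology-updater enabled" condition so the ServiceAccount, ClusterRole and ClusterRoleBinding are always created or skipped together.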
2 changes: 1 addition & 1 deletion deployment/helm/node-feature-discovery/values.yaml
Expand Up @@ -400,7 +400,7 @@ topologyUpdater:
createCRDs: false

serviceAccount:
create: false
create: true
annotations: {}
name:
rbac:
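Review bot: flipping `create: false` to `create: true` under `topologyUpdater.serviceAccount` changes behaviour for existing installs that never set this value: on upgrade with topology-updater enabled they get a new ServiceAccount and the pod identity changes. That is the least-privilege direction, but it deserves a short comment next to the default in values.yaml and a note for upgraders, since anything outside the chart that granted permissions to the old account will no longer apply.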
4 changes: 2 additions & 2 deletions docs/deployment/helm.md
Expand Up @@ -163,7 +163,7 @@ We have introduced the following Chart parameters.
| `topologyUpdater.serviceAccount.create` | bool | true | Specifies whether the service account for topology updater should be created |
| `topologyUpdater.serviceAccount.annotations` | dict | {} | Annotations to add to the service account for topology updater |
| `topologyUpdater.serviceAccount.name` | string | | The name of the service account for topology updater to use. If not set and create is true, a name is generated using the fullname template and `-topology-updater` suffix |
| `topologyUpdater.rbac.create` | bool | false | Specifies whether to create [RBAC][rbac] configuration for topology updater |
| `topologyUpdater.rbac.create` | bool | true | Specifies whether to create [RBAC][rbac] configuration for topology updater |
| `topologyUpdater.kubeletConfigPath` | string | "" | Specifies the kubelet config host path |
| `topologyUpdater.kubeletPodResourcesSockPath` | string | "" | Specifies the kubelet sock path to read pod resources |
| `topologyUpdater.updateInterval` | string | 60s | Time to sleep between CR updates. Non-positive value implies no CR update. |
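Review bot: the `topologyUpdater.serviceAccount.name` row only describes the case "If not set and create is true"; it does not say which account topology-updater runs as when `create` is false and no name is given. Now that the default for `create` is true and `rbac.create` is documented as true, that remaining combination is the one a user is most likely to get wrong, so please document it in the same row.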
Expand All @@ -188,7 +188,7 @@ We have introduced the following Chart parameters.
| `topologyGC.serviceAccount.create` | bool | true | Specifies whether the service account for topology garbage collector should be created |
| `topologyGC.serviceAccount.annotations` | dict | {} | Annotations to add to the service account for topology garbage collector |
| `topologyGC.serviceAccount.name` | string | | The name of the service account for topology garbage collector to use. If not set and create is true, a name is generated using the fullname template and `-topology-gc` suffix |
| `topologyGC.rbac.create` | bool | false | Specifies whether to create [RBAC][rbac] configuration for topology garbage collector |
| `topologyGC.rbac.create` | bool | true | Specifies whether to create [RBAC][rbac] configuration for topology garbage collector |
| `topologyGC.interval` | string | 1h | Time between periodic garbage collector runs |
| `topologyGC.podSecurityContext` | dict | {} | [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) holds pod-level security attributes and common container settings |
| `topologyGC.securityContext` | dict | {} | Container [security settings](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
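Review bot: the `topologyGC.rbac.create` default is changed to `true` in the docs only; no topologyGC line of values.yaml appears in this diff, so the documented value cannot be checked from the patch itself. Please confirm it matches the chart default, and consider stating in the description which objects `rbac.create` controls so readers can tell what is created by default.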