Added rbac.existingServiceAccount

nano-byte · Aug 29, 2023 · b8844b1 · b8844b1
1 parent 94b09ee
commit b8844b1
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 7 deletions.
diff --git a/charts/generic-service/README.md b/charts/generic-service/README.md
@@ -171,6 +171,7 @@ app:
 | `sidecarTemplates`                  | `[]`                        | Strings to be templated providing additional sidecar containers to be added to the Pod                   |
 | `rbac.roles`                        | `[]`                        | Namespace-specific Kubernetes RBAC Roles to assign to the service (supports templating)                  |
 | `rbac.clusterRoles`                 | `[]`                        | Cluster-wide Kubernetes RBAC Roles to assign to the service (supports templating)                        |
+| `rbac.existingServiceAccount`       |                             | The name of an existing service account to use (instead of automatically creating one for the service)   |
 | `global.alertLabels`                | `{}`                        | Additional labels to apply to alert rules                                                                |
 | `global.grafana.url`                |                             | The URL of a Grafana instance with access to the service's metrics                                       |
 | `global.grafana.dashboard`          | `qqsCbY5Zz`                 | The UID of the Grafana dashboard visualizing the service's metrics                                       |

diff --git a/charts/generic-service/ci/rbac-existing-values.yaml b/charts/generic-service/ci/rbac-existing-values.yaml
@@ -0,0 +1,8 @@
+# RBAC with existing ServiceAccount test
+
+image:
+  repository: jwilder/whoami
+  tag: latest
+rbac:
+  clusterRoles: [view]
+  existingServiceAccount: default
diff --git a/charts/generic-service/ci/rbac-values.yaml b/charts/generic-service/ci/rbac-values.yaml
@@ -0,0 +1,7 @@
+# RBAC test
+
+image:
+  repository: jwilder/whoami
+  tag: latest
+rbac:
+  clusterRoles: [view]
diff --git a/charts/generic-service/templates/controller.yaml b/charts/generic-service/templates/controller.yaml
@@ -177,8 +177,8 @@ spec:
         - name: {{ .Values.image.pullSecret }}
       {{- end }}
 
-      {{- if or .Values.rbac.roles .Values.rbac.clusterRoles }}
-      serviceAccountName: {{ include "generic-service.fullname" . }}
+      {{- if or .Values.rbac.existingServiceAccount (or .Values.rbac.roles .Values.rbac.clusterRoles) }}
+      serviceAccountName: '{{ .Values.rbac.existingServiceAccount | default (include "generic-service.fullname" .) }}'
       {{- end }}
 
       terminationGracePeriodSeconds: {{ .Values.maxShutdownSeconds | int }}

diff --git a/charts/generic-service/templates/rbac.yaml b/charts/generic-service/templates/rbac.yaml
@@ -10,7 +10,7 @@ roleRef:
   name: {{ tpl . $ }}
 subjects:
   - kind: ServiceAccount
-    name: '{{ include "generic-service.fullname" $ }}'
+    name: '{{ $.Values.rbac.existingServiceAccount | default (include "generic-service.fullname" $) }}'
 ---
 {{- end }}
 
@@ -27,12 +27,12 @@ roleRef:
   name: {{ tpl . $ }}
 subjects:
   - kind: ServiceAccount
-    name: '{{ include "generic-service.fullname" $ }}'
+    name: '{{ $.Values.rbac.existingServiceAccount | default (include "generic-service.fullname" $) }}'
     namespace: '{{ $.Release.Namespace }}'
 ---
 {{- end }}
 
-{{- if or .Values.rbac.roles .Values.rbac.clusterRoles }}
+{{- if and (not .Values.rbac.existingServiceAccount) (or .Values.rbac.roles .Values.rbac.clusterRoles) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

diff --git a/charts/generic-service/values.schema.json b/charts/generic-service/values.schema.json
@@ -966,12 +966,16 @@
         "roles": {
           "type": "array",
           "items": {"type": "string"},
-          "description": "Namespace-specific Kubernetes RBAC Roles to assign to the service"
+          "description": "Namespace-specific Kubernetes RBAC Roles to assign to the service (supports templating)"
         },
         "clusterRoles": {
           "type": "array",
           "items": {"type": "string"},
-          "description": "Cluster-wide Kubernetes RBAC Roles to assign to the service"
+          "description": "Cluster-wide Kubernetes RBAC Roles to assign to the service (supports templating)"
+        },
+        "existingServiceAccount": {
+          "type": "string",
+          "description": "The name of an existing service account to use (instead of automatically creating one for the service)"
         }
       },
       "additionalProperties": false

diff --git a/charts/generic-service/values.yaml b/charts/generic-service/values.yaml
@@ -181,6 +181,7 @@ sidecarTemplates: []
 rbac:
   roles: []
   clusterRoles: []
+  existingServiceAccount: ''
 
 global:
   alertLabels: {}