diff --git a/charts/library/common-test/tests/pod/field_serviceAccount_test.yaml b/charts/library/common-test/tests/pod/field_serviceAccount_test.yaml index aad5c8a0..2ecb1820 100644 --- a/charts/library/common-test/tests/pod/field_serviceAccount_test.yaml +++ b/charts/library/common-test/tests/pod/field_serviceAccount_test.yaml @@ -18,6 +18,20 @@ tests: path: spec.template.spec.serviceAccountName value: default + - it: default with flag should pass + set: + enforceServiceAccountCreation: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: &deploymentDocument 0 + isKind: + of: Deployment + - documentIndex: *deploymentDocument + equal: + path: spec.template.spec.serviceAccountName + value: default + - it: with create, without name should pass set: serviceAccount: @@ -59,7 +73,24 @@ tests: set: serviceAccount: create: false - name: mySA + name: &serviceAccountName mySA + asserts: + - hasDocuments: + count: 1 + - documentIndex: &deploymentDocument 0 + isKind: + of: Deployment + - documentIndex: *deploymentDocument + equal: + path: spec.template.spec.serviceAccountName + value: *serviceAccountName + + - it: without create, with name, with flag should pass + set: + enforceServiceAccountCreation: true + serviceAccount: + create: false + name: &serviceAccountName mySA asserts: - hasDocuments: count: 1 @@ -75,7 +106,7 @@ tests: set: serviceAccount: create: false - name: mySA + name: &serviceAccountName mySA extraServiceAccounts: mySA2: create: false @@ -90,7 +121,7 @@ tests: - documentIndex: *deploymentDocument equal: path: spec.template.spec.serviceAccountName - value: default + value: *serviceAccountName - it: with extraServiceAccounts identifier should pass set: diff --git a/charts/library/common-test/tests/serviceAccount/serviceaccount_test.yaml b/charts/library/common-test/tests/serviceAccount/serviceaccount_test.yaml index 1c86a26a..1c44598b 100644 --- a/charts/library/common-test/tests/serviceAccount/serviceaccount_test.yaml 
+++ b/charts/library/common-test/tests/serviceAccount/serviceaccount_test.yaml @@ -27,6 +27,41 @@ tests: isKind: of: ServiceAccount + - it: controller uses named ServiceAccount by default + set: + serviceAccount: + create: false + name: &ServiceAccountName test + + asserts: + - hasDocuments: + count: 1 + - documentIndex: &DeploymentDocument 0 + isKind: + of: Deployment + - documentIndex: *DeploymentDocument + equal: + path: spec.template.spec.serviceAccountName + value: *ServiceAccountName + + - it: controller uses `default` ServiceAccount if flag is enabled + set: + enforceServiceAccountCreation: true + serviceAccount: + create: false + name: test + + asserts: + - hasDocuments: + count: 1 + - documentIndex: &DeploymentDocument 0 + isKind: + of: Deployment + - documentIndex: *DeploymentDocument + equal: + path: spec.template.spec.serviceAccountName + value: default + - it: a serviceAccount and Secret are created when enabled set: serviceAccount: diff --git a/charts/library/common/Chart.yaml b/charts/library/common/Chart.yaml index 5b81f7d8..6c03c256 100644 --- a/charts/library/common/Chart.yaml +++ b/charts/library/common/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v2 name: common description: Function library for Helm charts type: library -version: 3.5.0 +version: 3.5.1 kubeVersion: ">=1.22.0-0" keywords: - common @@ -16,13 +16,4 @@ annotations: artifacthub.io/changes: |- - kind: added description: |- - Add support for binary files in configMapsFromFolderBasePath - - kind: added - description: |- - Add support for internalTrafficPolicy field in Services - - kind: added - description: |- - Add support for multiple ServiceAccounts - - kind: added - description: |- - Add support for multiple RBAC resources + Add feature flag to override enforcing the creation of a default ServiceAccount diff --git a/charts/library/common/templates/lib/pod/fields/_serviceAccountName.tpl b/charts/library/common/templates/lib/pod/fields/_serviceAccountName.tpl index ae17088b..bb2303bd 100644 
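Review bot: The new flag is only exercised on the `create: false` path (the case `controller uses \`default\` ServiceAccount if flag is enabled`), so nothing in this hunk pins that `enforceServiceAccountCreation: true` combined with `serviceAccount.create: true` still puts the chart-created account's name on the Deployment, which is the one behaviour the flag's name implies. Unless that case is covered elsewhere in the file, add a third case with `enforceServiceAccountCreation: true`, `serviceAccount.create: true`, `name: test` and assert `value: test` on `spec.template.spec.serviceAccountName`. The two test names would also be clearer if they stated which identity the pod ends up with when the referenced account is not created, since that is the security-relevant difference between them.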
--- a/charts/library/common/templates/lib/pod/fields/_serviceAccountName.tpl +++ b/charts/library/common/templates/lib/pod/fields/_serviceAccountName.tpl @@ -7,8 +7,12 @@ Returns the value for serviceAccountName {{- $serviceAccountName := "default" -}} - {{- if (get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "create") -}} - {{- $serviceAccountName = get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "name" -}} + {{- if $rootContext.Values.enforceServiceAccountCreation -}} + {{- if (get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "create") -}} + {{- $serviceAccountName = get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "name" -}} + {{- end -}} + {{- else -}} + {{- $serviceAccountName = get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "name" -}} {{- end -}} {{- with $controllerObject.serviceAccount -}} diff --git a/charts/library/common/templates/lib/serviceAccount/_getByIdentifier.tpl b/charts/library/common/templates/lib/serviceAccount/_getByIdentifier.tpl index c187188f..3555390c 100644 --- a/charts/library/common/templates/lib/serviceAccount/_getByIdentifier.tpl +++ b/charts/library/common/templates/lib/serviceAccount/_getByIdentifier.tpl 
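Review bot: The `getByIdentifier` include is rendered and re-parsed with `fromYaml` up to three times in the new if/else (once in the inner condition and once in each assignment), and the two branches differ only in whether `create` gates the assignment. Hoisting it once and folding the branches is behaviour-identical and makes the fallback rule readable: `{{- $defaultSA := include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml -}}`, `{{- if or (not $rootContext.Values.enforceServiceAccountCreation) $defaultSA.create -}}`, `{{- $serviceAccountName = $defaultSA.name -}}`. A comment above the block should spell out the rule, because it decides which identity the pod runs under: with the flag off the pod now references `serviceAccount.name` even when the chart does not create it, so a missing account presumably blocks pod creation instead of silently running as the namespace `default` account as before. The helper continues past the hunk with the per-controller `$controllerObject.serviceAccount` override, which this change does not touch.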
@@ -5,7 +5,11 @@ Return a ServiceAccount Object by its Identifier. {{- $rootContext := .rootContext -}} {{- $identifier := .id -}} {{- if eq $identifier "default" -}} - {{- include "bjw-s.common.lib.serviceAccount.valuesToObject" (dict "rootContext" $rootContext "id" "default" "values" $rootContext.Values.serviceAccount) -}} + {{- $serviceAccount := deepCopy $rootContext.Values.serviceAccount -}} + {{- if and (eq ($serviceAccount.name) "") (not $serviceAccount.create ) -}} + {{- $_ := set $serviceAccount "name" "default" -}} + {{- end -}} + {{- include "bjw-s.common.lib.serviceAccount.valuesToObject" (dict "rootContext" $rootContext "id" "default" "values" $serviceAccount) -}} {{- else -}} {{- $serviceAccountValues := dig "extraServiceAccounts" $identifier nil $rootContext.Values.serviceAccount -}} {{- if not (empty $serviceAccountValues) -}} diff --git a/charts/library/common/values.schema.json b/charts/library/common/values.schema.json index 4f0ddd90..9be6c2a7 100644 --- a/charts/library/common/values.schema.json +++ b/charts/library/common/values.schema.json @@ -34,6 +34,9 @@ "$ref": "schemas/controllers.json#/instance" } }, + "enforceServiceAccountCreation": { + "type": "boolean" + }, "serviceAccount": { "$ref": "schemas/serviceAccount.json#/settings" }, diff --git a/charts/library/common/values.yaml b/charts/library/common/values.yaml index 0679e141..cc27b320 100644 --- a/charts/library/common/values.yaml +++ b/charts/library/common/values.yaml @@ -399,6 +399,10 @@ controllers: {} # # Each initContainer should have its own key # initContainers: {} +# -- If true forces the controllers to use the `default` ServiceAccount for the namespace if one is not explicitly defined. +# This feature flag will be removed on future versions where this will be the default behavior. +enforceServiceAccountCreation: false + serviceAccount: # -- Specifies whether a service account should be created # The identifier for this ServiceAccount will be `default`
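Review bot: The new fallback `if and (eq ($serviceAccount.name) "") (not $serviceAccount.create)` only fires when `name` is exactly the empty string; a consumer chart that sets `name: null` or omits the key leaves `name` nil, the `eq` is false, and the object is emitted without a name (recent Go `eq` returns false rather than erroring on a nil operand, but that is worth confirming against the Helm build in use). Sprig's `empty` covers both cases: `{{- if and (empty $serviceAccount.name) (not $serviceAccount.create) -}}`. The `deepCopy` before `set` is correct and should stay, since calling `set` on `$rootContext.Values.serviceAccount` directly would mutate `.Values` for every later lookup in the same render.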
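Review bot: The comment on `enforceServiceAccountCreation` says the `default` ServiceAccount is used "if one is not explicitly defined", but the accompanying test (`controller uses \`default\` ServiceAccount if flag is enabled`, with `create: false` and `name: test`) shows that an explicitly named, pre-existing account is also ignored whenever the chart does not create it. That matters for least privilege: an operator who points `serviceAccount.name` at a restricted account and enables the flag silently runs the workload under the namespace `default` account instead. Suggested wording: `# -- If true, controllers use the namespace's \`default\` ServiceAccount unless the chart itself creates one (\`serviceAccount.create: true\`); a pre-existing account referenced only via \`serviceAccount.name\` is ignored. Leave false (the default) to honour \`serviceAccount.name\` as given.` The flag name reads as the opposite of its effect, so the comment has to carry that meaning until the flag is removed as announced.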