fix(common): adding feature flag for default serviceaccount name (#360)

2025-07-03 08:37:03 +02:00 · 2024-10-08 16:31:24 +02:00 · 2024-10-08 16:31:24 +02:00 · f111be38e9
commit f111be38e9
parent 3e2f1204e0
7 changed files with 89 additions and 17 deletions
--- a/charts/library/common-test/tests/pod/field_serviceAccount_test.yaml
+++ b/charts/library/common-test/tests/pod/field_serviceAccount_test.yaml
@ -18,6 +18,20 @@ tests:
          path: spec.template.spec.serviceAccountName
          value: default

+  - it: default with flag should pass
+    set:
+      enforceServiceAccountCreation: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: &deploymentDocument 0
+        isKind:
+          of: Deployment
+      - documentIndex: *deploymentDocument
+        equal:
+          path: spec.template.spec.serviceAccountName
+          value: default
+
  - it: with create, without name should pass
    set:
      serviceAccount:
@ -59,7 +73,24 @@ tests:
    set:
      serviceAccount:
        create: false
-        name: mySA
+        name: &serviceAccountName mySA
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: &deploymentDocument 0
+        isKind:
+          of: Deployment
+      - documentIndex: *deploymentDocument
+        equal:
+          path: spec.template.spec.serviceAccountName
+          value: *serviceAccountName
+
+  - it: without create, with name, with flag should pass
+    set:
+      enforceServiceAccountCreation: true
+      serviceAccount:
+        create: false
+        name: &serviceAccountName mySA
    asserts:
      - hasDocuments:
          count: 1
@ -75,7 +106,7 @@ tests:
    set:
      serviceAccount:
        create: false
-        name: mySA
+        name: &serviceAccountName mySA
        extraServiceAccounts:
          mySA2:
            create: false
@ -90,7 +121,7 @@ tests:
      - documentIndex: *deploymentDocument
        equal:
          path: spec.template.spec.serviceAccountName
-          value: default
+          value: *serviceAccountName

  - it: with extraServiceAccounts identifier should pass
    set:
--- a/charts/library/common-test/tests/serviceAccount/serviceaccount_test.yaml
+++ b/charts/library/common-test/tests/serviceAccount/serviceaccount_test.yaml
@ -27,6 +27,41 @@ tests:
        isKind:
          of: ServiceAccount

+  - it: controller uses named ServiceAccount by default
+    set:
+      serviceAccount:
+        create: false
+        name: &ServiceAccountName test
+
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: &DeploymentDocument 0
+        isKind:
+          of: Deployment
+      - documentIndex: *DeploymentDocument
+        equal:
+          path: spec.template.spec.serviceAccountName
+          value: *ServiceAccountName
+
+  - it: controller uses `default` ServiceAccount if flag is enabled
+    set:
+      enforceServiceAccountCreation: true
+      serviceAccount:
+        create: false
+        name: test
+
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: &DeploymentDocument 0
+        isKind:
+          of: Deployment
+      - documentIndex: *DeploymentDocument
+        equal:
+          path: spec.template.spec.serviceAccountName
+          value: default
+
  - it: a serviceAccount and Secret are created when enabled
    set:
      serviceAccount:
--- a/charts/library/common/Chart.yaml
+++ b/charts/library/common/Chart.yaml
@ -3,7 +3,7 @@ apiVersion: v2
 name: common
 description: Function library for Helm charts
 type: library
-version: 3.5.0
+version: 3.5.1
 kubeVersion: ">=1.22.0-0"
 keywords:
  - common
@ -16,13 +16,4 @@ annotations:
  artifacthub.io/changes: |-
    - kind: added
      description: |-
-        Add support for binary files in configMapsFromFolderBasePath
-    - kind: added
-      description: |-
-        Add support for internalTrafficPolicy field in Services
-    - kind: added
-      description: |-
-        Add support for multiple ServiceAccounts
-    - kind: added
-      description: |-
-        Add support for multiple RBAC resources
+        Add feature flag to override enforcing the creation of a default ServiceAccount
--- a/charts/library/common/templates/lib/pod/fields/_serviceAccountName.tpl
+++ b/charts/library/common/templates/lib/pod/fields/_serviceAccountName.tpl
@ -7,8 +7,12 @@ Returns the value for serviceAccountName

  {{- $serviceAccountName := "default" -}}

-  {{- if (get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "create") -}}
-    {{- $serviceAccountName = get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "name" -}}
+  {{- if $rootContext.Values.enforceServiceAccountCreation -}}
+    {{- if (get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "create") -}}
+      {{- $serviceAccountName = get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "name" -}}
+    {{- end -}}
+  {{- else -}}
+      {{- $serviceAccountName = get (include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" "default") | fromYaml) "name" -}}
  {{- end -}}

  {{- with $controllerObject.serviceAccount -}}
--- a/charts/library/common/templates/lib/serviceAccount/_getByIdentifier.tpl
+++ b/charts/library/common/templates/lib/serviceAccount/_getByIdentifier.tpl
@ -5,7 +5,11 @@ Return a ServiceAccount Object by its Identifier.
  {{- $rootContext := .rootContext -}}
  {{- $identifier := .id -}}
  {{- if eq $identifier "default" -}}
-      {{- include "bjw-s.common.lib.serviceAccount.valuesToObject" (dict "rootContext" $rootContext "id" "default" "values" $rootContext.Values.serviceAccount) -}}
+      {{- $serviceAccount := deepCopy $rootContext.Values.serviceAccount -}}
+    {{- if and (eq ($serviceAccount.name) "") (not $serviceAccount.create ) -}}
+      {{- $_ := set $serviceAccount "name" "default" -}}
+    {{- end -}}
+    {{- include "bjw-s.common.lib.serviceAccount.valuesToObject" (dict "rootContext" $rootContext "id" "default" "values" $serviceAccount) -}}
  {{- else -}}
    {{- $serviceAccountValues := dig "extraServiceAccounts" $identifier nil $rootContext.Values.serviceAccount -}}
    {{- if not (empty $serviceAccountValues) -}}
--- a/charts/library/common/values.schema.json
+++ b/charts/library/common/values.schema.json
@ -34,6 +34,9 @@
        "$ref": "schemas/controllers.json#/instance"
      }
    },
+    "enforceServiceAccountCreation": {
+      "type": "boolean"
+    },
    "serviceAccount": {
      "$ref": "schemas/serviceAccount.json#/settings"
    },
--- a/charts/library/common/values.yaml
+++ b/charts/library/common/values.yaml
@ -399,6 +399,10 @@ controllers: {}
 #     # Each initContainer should have its own key
 #     initContainers: {}

+# -- If true forces the controllers to use the `default` ServiceAccount for the namespace if one is not explicitly defined.
+# This feature flag will be removed on future versions where this will be the default behavior.
+enforceServiceAccountCreation: false
+
 serviceAccount:
  # -- Specifies whether a service account should be created
  # The identifier for this ServiceAccount will be `default`