feat: allow creating or reusing an existing sa

golgoth31 · golgoth31 · commit f21e7c44deee · 2024-03-06T11:25:19.000+01:00
diff --git a/deploy/charts/google-cas-issuer/README.md b/deploy/charts/google-cas-issuer/README.md
@@ -43,5 +43,7 @@ A Helm chart for jetstack/google-cas-issuer
 | replicaCount | int | `1` | Number of replicas of google-cas-issuer to run. |
 | resources | object | `{}` | Kubernetes pod resource requests/limits for google-cas-issuer. |
 | serviceAccount.annotations | object | `{}` | Optional annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name used to create the service account or the name of an existing service account to use if not creating one. if create is false, this name is required or the default service account will be used. |
 | tolerations | list | `[]` | Kubernetes pod tolerations for google-cas-issuer |
 
diff --git a/deploy/charts/google-cas-issuer/templates/_helpers.tpl b/deploy/charts/google-cas-issuer/templates/_helpers.tpl
@@ -42,3 +42,14 @@ See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linke
 {{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cert-manager-google-cas-issuer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cert-manager-google-cas-issuer.name" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/deploy/charts/google-cas-issuer/templates/clusterrolebinding.yaml b/deploy/charts/google-cas-issuer/templates/clusterrolebinding.yaml
@@ -10,7 +10,7 @@ roleRef:
   name: {{ include "cert-manager-google-cas-issuer.name" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ include "cert-manager-google-cas-issuer.name" . }}
+  name: {{ include "cert-manager-google-cas-issuer.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 ---
 {{- if .Values.app.approval.enabled }}
diff --git a/deploy/charts/google-cas-issuer/templates/deployment.yaml b/deploy/charts/google-cas-issuer/templates/deployment.yaml
@@ -31,7 +31,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-      serviceAccountName: {{ include "cert-manager-google-cas-issuer.name" . }}
+      serviceAccountName: {{ include "cert-manager-google-cas-issuer.serviceAccountName" . }}
       {{- with .Values.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
diff --git a/deploy/charts/google-cas-issuer/templates/rolebinding.yaml b/deploy/charts/google-cas-issuer/templates/rolebinding.yaml
@@ -11,5 +11,5 @@ roleRef:
   name: {{ include "cert-manager-google-cas-issuer.name" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ include "cert-manager-google-cas-issuer.name" . }}
+  name: {{ include "cert-manager-google-cas-issuer.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
diff --git a/deploy/charts/google-cas-issuer/templates/serviceaccount.yaml b/deploy/charts/google-cas-issuer/templates/serviceaccount.yaml
@@ -1,9 +1,10 @@
+{{ if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "cert-manager-google-cas-issuer.name" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "cert-manager-google-cas-issuer.serviceAccountName" . }}
   labels:
 {{ include "cert-manager-google-cas-issuer.labels" . | indent 4 }}
   annotations:
 {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+{{- end }}
diff --git a/deploy/charts/google-cas-issuer/values.yaml b/deploy/charts/google-cas-issuer/values.yaml
@@ -37,11 +37,16 @@ imagePullSecrets: []
 commonLabels: {}
 
 serviceAccount:
+  # -- Specifies whether a service account should be created
+  create: true
+  # -- The name used to create the service account or the name of an existing service account to use if not creating one.
+  # if create is false, this name is required or the default service account will be used.
+  name: ""
   # -- Optional annotations to add to the service account
   annotations: {}
 
 app:
-    # -- Verbosity of google-cas-issuer logging.
+  # -- Verbosity of google-cas-issuer logging.
   logLevel: 1 # 1-5
 
   # -- Handle RBAC permissions for approving Google CAS issuer
@@ -61,9 +66,9 @@ app:
     #   name: cert-manager-approver-policy
     #   namespace: cert-manager
     subjects:
-    - kind: ServiceAccount
-      name: cert-manager
-      namespace: cert-manager
+      - kind: ServiceAccount
+        name: cert-manager
+        namespace: cert-manager
 
   # metrics controls exposing google-cas-issuer metrics.
   metrics:
@@ -80,7 +85,8 @@ podAnnotations: {}
 podLabels: {}
 
 # -- Kubernetes pod resource requests/limits for google-cas-issuer.
-resources: {}
+resources:
+  {}
   # limits:
   #   cpu: 100m
   #   memory: 128Mi
@@ -89,12 +95,14 @@ resources: {}
   #   memory: 128Mi
 
 # -- Kubernetes node selector: node labels for pod assignment
-nodeSelector: {}
+nodeSelector:
+  {}
   # -- Allow scheduling of DaemonSet on linux nodes only
   # kubernetes.io/os: linux
 
 # -- Kubernetes affinity: constraints for pod assignment
-affinity: {}
+affinity:
+  {}
   # nodeAffinity:
   #  requiredDuringSchedulingIgnoredDuringExecution:
   #    nodeSelectorTerms:
@@ -105,7 +113,8 @@ affinity: {}
   #        - master
 
 # -- Kubernetes pod tolerations for google-cas-issuer
-tolerations: []
+tolerations:
+  []
   # -- Allow scheduling of DaemonSet on all nodes
   # - operator: "Exists"
 
