Make serviceAccount name a configuration option (#367)

* Make serviceAccount name a configuration option Follow Helm Best Practices when defining serviceAccount names https://helm.sh/docs/chart_best_practices/#using-rbac-resources * Use enabled instead of create for consistency * Add unit tests for user-defined service account name * ServiceAccount under server Co-authored-by: David Holsgrove <david@apnic.net> * Update ServiceAccount in RoleBindings to address https://github.com/hashicorp/vault-helm/pull/56#pullrequestreview-297856433 Co-authored-by: David Holsgrove <david@apnic.net> * Update tests for helm template arg --show-only Co-authored-by: David Holsgrove <david@apnic.net> * Fix server-serviceaccount tests * serviceAccount: rename enabled to create * statefulSet: add tests for serviceAccount Co-authored-by: Nick Satterly <nick@diabol.se> Co-authored-by: David Holsgrove <david@apnic.net>
2020-08-19 04:13:02 +02:00 · 2020-08-19 04:13:02 +02:00 · 9fbe720f6b
commit 9fbe720f6b
parent 25749a7518
8 changed files with 93 additions and 4 deletions
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -295,6 +295,17 @@ Sets extra ui service annotations
  {{- end }}
 {{- end -}}

+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vault.serviceAccount.name" -}}
+{{- if .Values.server.serviceAccount.create -}}
+    {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.server.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Sets extra service account annotations
 */}}
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
@ -16,7 +16,7 @@ roleRef:
  name: system:auth-delegator
 subjects:
 - kind: ServiceAccount
-  name: {{ template "vault.fullname" . }}
+  name: {{ template "vault.serviceAccount.name" . }}
  namespace: {{ .Release.Namespace }}
 {{ end }}
 {{ end }}
--- a/templates/server-discovery-rolebinding.yaml
+++ b/templates/server-discovery-rolebinding.yaml
@ -17,7 +17,7 @@ roleRef:
  name: {{ template "vault.fullname" . }}-discovery-role
 subjects:
 - kind: ServiceAccount
-  name: {{ template "vault.fullname" . }}
+  name: {{ template "vault.serviceAccount.name" . }}
  namespace: {{ .Release.Namespace }}
 {{ end }}
 {{ end }}
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
@ -1,10 +1,11 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "vault.fullname" . }}
+  name: {{ template "vault.serviceAccount.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
@ -14,3 +15,4 @@ metadata:
  {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
 {{ end }}
+{{ end }}
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@ -42,7 +42,7 @@ spec:
      priorityClassName: {{ .Values.server.priorityClassName }}
      {{- end }}
      terminationGracePeriodSeconds: 10
-      serviceAccountName: {{ template "vault.fullname" . }}
+      serviceAccountName: {{ template "vault.serviceAccount.name" . }}
      {{ if  .Values.server.shareProcessNamespace }}
      shareProcessNamespace: true
      {{ end }}
--- a/test/unit/server-serviceaccount.bats
+++ b/test/unit/server-serviceaccount.bats
@ -2,6 +2,34 @@

 load _helpers

+@test "server/ServiceAccount: specify service account name" {
+  cd `chart_dir`
+
+  local actual=$( (helm template \
+      --show-only templates/server-serviceaccount.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'server.serviceAccount.create=false' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-serviceaccount.yaml  \
+      --set 'server.dev.enabled=true' \
+      --set 'server.serviceAccount.name=user-defined-ksa' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.name' | tee /dev/stderr)
+  [ "${actual}" = "user-defined-ksa" ]
+
+  local actual=$(helm template \
+      --show-only templates/server-serviceaccount.yaml  \
+      --set 'server.dev.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.name' | tee /dev/stderr)
+  [ "${actual}" = "RELEASE-NAME-vault" ]
+
+}
+
@test "server/ServiceAccount: specify annotations" {
  cd `chart_dir`
  local actual=$(helm template \
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@ -1164,3 +1164,46 @@ load _helpers
      yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
 }
+
+#--------------------------------------------------------------------
+# serviceAccount
+
+@test "server/standalone-StatefulSet: serviceAccount.name is set" {
+  cd `chart_dir`
+
+ local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.serviceAccount.create=false' \
+      --set 'server.serviceAccount.name=user-defined-ksa' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
+  [ "${actual}" = "user-defined-ksa" ]
+
+ local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.serviceAccount.create=true' \
+      --set 'server.serviceAccount.name=user-defined-ksa' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
+  [ "${actual}" = "user-defined-ksa" ]
+}
+
+@test "server/standalone-StatefulSet: serviceAccount.name is not set" {
+ cd `chart_dir`
+
+ local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.serviceAccount.create=false' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
+  [ "${actual}" = "default" ]
+
+ local actual=$(helm template \
+      --show-only templates/server-statefulset.yaml  \
+      --set 'server.serviceAccount.create=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
+  [ "${actual}" = "RELEASE-NAME-vault" ]
+
+
+}
--- a/values.yaml
+++ b/values.yaml
@ -496,6 +496,11 @@ server:

  # Definition of the serviceAccount used to run Vault.
  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: ""
    # Extra annotations for the serviceAccount definition. This can either be
    # YAML or a YAML-formatted multi-line templated string map of the
    # annotations to apply to the serviceAccount.