diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 4123e36..15b144b 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -295,6 +295,17 @@ Sets extra ui service annotations
 {{- end }}
 {{- end -}}
 
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vault.serviceAccount.name" -}}
+{{- if .Values.server.serviceAccount.create -}}
+ {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.server.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Sets extra service account annotations
 */}}
diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml
index 37e06e9..1fcdc0a 100644
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
@@ -16,7 +16,7 @@ roleRef:
 name: system:auth-delegator
 subjects:
 - kind: ServiceAccount
- name: {{ template "vault.fullname" . }}
+ name: {{ template "vault.serviceAccount.name" . }}
 namespace: {{ .Release.Namespace }}
 {{ end }}
 {{ end }}
diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml
index f9494b4..99649a6 100644
--- a/templates/server-discovery-rolebinding.yaml
+++ b/templates/server-discovery-rolebinding.yaml
@@ -17,7 +17,7 @@ roleRef:
 name: {{ template "vault.fullname" . }}-discovery-role
 subjects:
 - kind: ServiceAccount
- name: {{ template "vault.fullname" . }}
+ name: {{ template "vault.serviceAccount.name" . }}
 namespace: {{ .Release.Namespace }}
 {{ end }}
 {{ end }}
diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml
index b375182..f92dbb2 100644
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
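Review bot: The `{{- if .Values.server.serviceAccount.create -}}` line in the new `vault.serviceAccount.name` helper relies on Go-template truthiness, whereas server-serviceaccount.yaml in this same commit gates the ServiceAccount object on `eq (.Values.server.serviceAccount.create | toString) "true"`. A non-boolean value such as the string `"false"` (for example from `--set-string`) is non-empty and therefore truthy here, so the helper would resolve to the release fullname while the ServiceAccount is not rendered, and the StatefulSet, ClusterRoleBinding and RoleBinding would all reference an account that does not exist. Use the same comparison in both places: `{{- if (eq (.Values.server.serviceAccount.create | toString) "true") -}}`.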
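Review bot: The changed `name:` line can now resolve to the namespace's `default` ServiceAccount, because the helper's else branch falls back to `"default"` when `server.serviceAccount.create` is false and `server.serviceAccount.name` is empty, so `system:auth-delegator` would be bound to an account that every pod in the namespace uses unless it sets its own; server-discovery-rolebinding.yaml has the same fallback, and the new StatefulSet test pins `default` as expected output. Consider making that combination a render error rather than a silent broadening, for example `{{- required "server.serviceAccount.name is required when server.serviceAccount.create is false" .Values.server.serviceAccount.name -}}` in the helper's else branch, or at minimum document it in values.yaml. The surrounding `{{ if }}` blocks of this template begin outside the hunk.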
@@ -1,10 +1,11 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
+{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: {{ template "vault.fullname" . }}
+ name: {{ template "vault.serviceAccount.name" . }}
 namespace: {{ .Release.Namespace }}
 labels:
 helm.sh/chart: {{ include "vault.chart" . }}
@@ -14,3 +15,4 @@ metadata:
 {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
 {{ end }}
+{{ end }}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index aeb1667..8b9cea9 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -42,7 +42,7 @@ spec:
 priorityClassName: {{ .Values.server.priorityClassName }}
 {{- end }}
 terminationGracePeriodSeconds: 10
- serviceAccountName: {{ template "vault.fullname" . }}
+ serviceAccountName: {{ template "vault.serviceAccount.name" . }}
 {{ if .Values.server.shareProcessNamespace }}
 shareProcessNamespace: true
 {{ end }}
diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats
index fe09c2a..29e18b5 100755
--- a/test/unit/server-serviceaccount.bats
+++ b/test/unit/server-serviceaccount.bats
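Review bot: The added guard in the first hunk carries a stray space before its closing parenthesis, `"true" )`, while the condition on the line directly above it is written `"true")`; the rendered output is unaffected, but it reads as a typo next to an otherwise identically shaped expression. Write it as `{{- if (eq (.Values.server.serviceAccount.create | toString) "true") }}`.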
@@ -2,6 +2,34 @@
 
 load _helpers
 
+@test "server/ServiceAccount: specify service account name" {
+ cd `chart_dir`
+
+ local actual=$( (helm template \
+ --show-only templates/server-serviceaccount.yaml \
+ --set 'server.dev.enabled=true' \
+ --set 'server.serviceAccount.create=false' \
+ . || echo "---") | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+
+ local actual=$(helm template \
+ --show-only templates/server-serviceaccount.yaml \
+ --set 'server.dev.enabled=true' \
+ --set 'server.serviceAccount.name=user-defined-ksa' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.name' | tee /dev/stderr)
+ [ "${actual}" = "user-defined-ksa" ]
+
+ local actual=$(helm template \
+ --show-only templates/server-serviceaccount.yaml \
+ --set 'server.dev.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.name' | tee /dev/stderr)
+ [ "${actual}" = "RELEASE-NAME-vault" ]
+
+}
+
 @test "server/ServiceAccount: specify annotations" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 2b3a2da..1ffb72d 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
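Review bot: The first case's `(helm template ... || echo "---")` fallback turns any `helm template` failure into an empty document, so a template syntax error in server-serviceaccount.yaml would make `yq 'length > 0'` print `false` and the assertion pass rather than fail. Capturing the exit status of `helm template` separately from its output would keep the case meaningful. The subjects of server-clusterrolebinding.yaml and server-discovery-rolebinding.yaml, which this commit also switches to the helper, have no assertion anywhere in the suite; a case rendering each with `--set 'server.serviceAccount.name=user-defined-ksa'` and checking `yq -r '.subjects[0].name'` would close that gap.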
@@ -1164,3 +1164,46 @@ load _helpers
 yq '.spec.template.spec.securityContext.runAsGroup | length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
+
+#--------------------------------------------------------------------
+# serviceAccount
+
+@test "server/standalone-StatefulSet: serviceAccount.name is set" {
+ cd `chart_dir`
+
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.serviceAccount.create=false' \
+ --set 'server.serviceAccount.name=user-defined-ksa' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
+ [ "${actual}" = "user-defined-ksa" ]
+
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.serviceAccount.create=true' \
+ --set 'server.serviceAccount.name=user-defined-ksa' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
+ [ "${actual}" = "user-defined-ksa" ]
+}
+
+@test "server/standalone-StatefulSet: serviceAccount.name is not set" {
+ cd `chart_dir`
+
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.serviceAccount.create=false' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
+ [ "${actual}" = "default" ]
+
+ local actual=$(helm template \
+ --show-only templates/server-statefulset.yaml \
+ --set 'server.serviceAccount.create=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
+ [ "${actual}" = "RELEASE-NAME-vault" ]
+
+}
diff --git a/values.yaml b/values.yaml
index ef76997..b23e3a8 100644
--- a/values.yaml
+++ b/values.yaml
@@ -496,6 +496,11 @@ server:
 
 # Definition of the serviceAccount used to run Vault.
 serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
 # Extra annotations for the serviceAccount definition. This can either be
 # YAML or a YAML-formatted multi-line templated string map of the
 # annotations to apply to the serviceAccount.
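Review bot: The comment on the new `name` key documents only the `create: true` case; when `create` is false and `name` is empty, the `vault.serviceAccount.name` helper in templates/_helpers.tpl resolves to the namespace's `default` ServiceAccount, and that is the account the chart's RoleBinding and ClusterRoleBinding subjects then name. Add a line such as `# If not set and create is false, the namespace's "default" service account is used.` so operators see the implication before choosing that combination. The `create` comment also lacks the trailing period used by the neighbouring comments.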