feat!: harmonize service account binding

README.md

@@ -213,12 +213,14 @@ helm delete --namespace test my-application
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| rbac.enabled | bool | `true` | Enable RBAC. |
-| rbac.serviceAccount.enabled | bool | `false` | Deploy Service Account. |
-| rbac.serviceAccount.name | string | `{{ include "application.name" $ }}` | Service Account Name. |
-| rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. |
-| rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. |
+| rbac.enabled | bool | `true` | Enable RBAC. This fields also controls the `automountServiceAccountToken` field in the pod spec. |
+| rbac.serviceAccount.create | bool | `false` | Specifies whether to create a dedicated service account. If set to `true`, a new service account will be created. |
+| rbac.serviceAccount.name | string | `""` | The name of the service account. Behavior based on its value and `rbac.serviceAccount.create`: If `rbac.serviceAccount.create` is `false` and `name` is empty, the default service account ("default") is used. If `rbac.serviceAccount.create` is `false` and `name` is set, the provided name is used. If `rbac.serviceAccount.create` is `true` and `name` is empty, a name is auto-generated using the fullname template. If `rbac.serviceAccount.create` is `true` and `name` is set, the provided name is used for creation. |
+| rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. If `rbac.serviceAccount.create` is set to true, these labels are appended to the service account. |
+| rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. If `rbac.serviceAccount.create` is set to true, these annotations are appended to the service account. |
 | rbac.roles | list | `nil` | Namespaced Roles. |
+| rbac.additionalLabels | object | `nil` | Additional labels for the Role and RoleBinding resources. |
+| rbac.annotations | object | `nil` | Annotations for the Role and RoleBinding resources. |
 
 ### ConfigMap Parameters
 

application/templates/_helpers.tpl

@@ -68,3 +68,18 @@ reference:
   kind: Route
   name: {{ include "application.name" . }}
 {{- end }}
+
+{{/*
+Get the name of the service account to use.
+If the service account is set to be created, return the service account name or a default name.
+If the service account is not set to be created and a name is provided, return the provided name;
+otherwise, return the default namespace service account.
+*/}}
+{{- define "application.serviceAccountName" }}
+  {{- $saName := .Values.rbac.serviceAccount.name }}
+  {{- if .Values.rbac.serviceAccount.create }}
+    {{- empty $saName | ternary (include "application.name" .) (quote $saName) }}
+  {{- else }}
+    {{- empty $saName | ternary "default" (quote $saName) }}
+  {{- end }}
+{{- end }}

application/templates/cronjob.yaml

@@ -56,13 +56,8 @@ spec:
           annotations: {{ toYaml . | nindent 12 }}
           {{- end }}
         spec:
-          {{- if $.Values.rbac.enabled }}
-          {{- if $.Values.rbac.serviceAccount.name }}
-          serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
-            {{- else }}
-          serviceAccountName: {{ template "application.name" $ }}
-          {{- end }}
-          {{- end }}
+          automountServiceAccountToken: {{ $.Values.rbac.enabled }}
+          serviceAccountName: {{ include "application.serviceAccountName" $ }}
           containers:
           - name: {{ $name }}
             {{- $image := required (print "Undefined image repo for container '" $name "'") $job.image.repository }}

application/templates/deployment.yaml

@@ -74,6 +74,8 @@ spec:
           ]
 {{- end }}
     spec:
+      automountServiceAccountToken: {{ $.Values.rbac.enabled }}
+      serviceAccountName: {{ include "application.serviceAccountName" $ }}
       {{- with .Values.deployment.hostAliases }}
       hostAliases: {{- toYaml . | nindent 6 }}
       {{- end }}
@@ -310,13 +312,6 @@ spec:
         {{- end }}
         {{- end }}
       {{- end }}
-      {{- if .Values.rbac.serviceAccount.enabled }}
-      {{- if .Values.rbac.serviceAccount.name }}
-      serviceAccountName: {{ .Values.rbac.serviceAccount.name }}
-      {{- else }}
-      serviceAccountName: {{ template "application.name" $ }}
-      {{- end }}
-      {{- end }}
       {{- if .Values.deployment.hostNetwork }}
       hostNetwork: {{ .Values.deployment.hostNetwork }}
       {{- end }}

application/templates/job.yaml

@@ -36,13 +36,8 @@ spec:
       annotations: {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      {{- if $.Values.rbac.enabled }}
-      {{- if $.Values.rbac.serviceAccount.name }}
-      serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
-        {{- else }}
-      serviceAccountName: {{ template "application.name" $ }}
-      {{- end }}
-      {{- end }}
+      automountServiceAccountToken: {{ $.Values.rbac.enabled }}
+      serviceAccountName: {{ include "application.serviceAccountName" $ }}
       containers:
       - name: {{ $name }}
         {{- $image := required (print "Undefined image repo for container '" $name "'") $job.image.repository }}
@@ -101,7 +96,7 @@ spec:
       restartPolicy: OnFailure
       {{ end }}
       {{- with $job.imagePullSecrets}}
-      imagePullSecrets: 
+      imagePullSecrets:
 {{ toYaml . | indent 8 }}
       {{ end }}
       {{- if $job.dnsConfig }}

application/templates/rolebinding.yaml

@@ -21,11 +21,7 @@ roleRef:
   name: {{ template "application.name" $ }}-role-{{ .name }}
 subjects:
   - kind: ServiceAccount
-  {{- if $.Values.rbac.serviceAccount.name }}
-    name: {{ $.Values.rbac.serviceAccount.name }}
-  {{- else }}
-    name: {{ template "application.name" $ }}
-  {{- end }}
+    name: {{ include "application.serviceAccountName" $ }}
     namespace: {{ $.Release.Namespace }}
 {{- end }}
 {{- end }}

application/templates/serviceaccount.yaml

@@ -1,9 +1,9 @@
-{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.enabled }}
+{{- if and .Values.rbac.enabled .Values.rbac.serviceAccount.create }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ default (include "application.name" .) .Values.rbac.serviceAccount.name }}
+  name: {{ include "application.serviceAccountName" . }}
   namespace: {{ template "application.namespace" . }}
   labels:
     {{- include "application.labels" $ | nindent 4 }}

application/tests/cronjob_test.yaml

@@ -115,3 +115,80 @@ tests:
           path: spec.jobTemplate.spec.template.metadata.annotations
           value:
             helm.sh/hook: "pre-install,pre-upgrade"
+
+  - it: yields default service account name when create is disabled and no existing service account name is given
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.create: false
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: default
+
+  - it: uses service account name override when present
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.create: true
+      rbac.serviceAccount.name: example-sa
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: example-sa
+
+  - it: uses a generated service account name when not given
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac.serviceAccount.create: true
+      rbac.serviceAccount.name: ""
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.serviceAccountName
+          value: example-app
+
+  - it: enables automountServiceAccountToken when RBAC is enabled
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac:
+        enabled: true
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.automountServiceAccountToken
+          value: true
+
+  - it: disables automountServiceAccountToken when RBAC is disabled
+    set:
+      cronJob:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac:
+        enabled: false
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.automountServiceAccountToken
+          value: false

application/tests/deployment_test.yaml

@@ -87,16 +87,17 @@ tests:
           path: spec.template.spec.containers[0].image
           value: example-image:example-tag@sha256:example-digest
 
-  - it: yields empty service account name when disabled
+  - it: yields default service account name when create is disabled and no existing service account name is given
     set:
-      rbac.serviceAccount.enabled: false
+      rbac.serviceAccount.create: false
     asserts:
-      - notExists:
+      - equal:
           path: spec.template.spec.serviceAccountName
+          value: default
 
   - it: uses service account name override when present
     set:
-      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.create: true
       rbac.serviceAccount.name: example-sa
     asserts:
       - equal:
@@ -106,13 +107,31 @@ tests:
   - it: uses a generated service account name when not given
     set:
       applicationName: example-app
-      rbac.serviceAccount.enabled: true
+      rbac.serviceAccount.create: true
       rbac.serviceAccount.name: ""
     asserts:
       - equal:
           path: spec.template.spec.serviceAccountName
           value: example-app
 
+  - it: enables automountServiceAccountToken when RBAC is enabled
+    set:
+      applicationName: example-app
+      rbac.enabled: true
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: true
+
+  - it: disables automountServiceAccountToken when RBAC is disabled
+    set:
+      applicationName: example-app
+      rbac.enabled: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
+
   - it: uses grpc probing when set
     set:
       applicationName: example-app

application/tests/job_test.yaml

@@ -115,3 +115,78 @@ tests:
           path: spec.template.metadata.annotations
           value:
             helm.sh/hook: "pre-install,pre-upgrade"
+
+  - it: yields empty service account name when disabled
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.create: false
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: default
+
+  - it: uses service account name override when present
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      rbac.serviceAccount.create: true
+      rbac.serviceAccount.name: example-sa
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: example-sa
+
+  - it: uses a generated service account name when not given
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac.serviceAccount.create: true
+      rbac.serviceAccount.name: ""
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: example-app
+
+  - it: enables automountServiceAccountToken when RBAC is enabled
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac.enabled: true
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: true
+
+  - it: disables automountServiceAccountToken when RBAC is disabled
+    set:
+      job:
+        enabled: true
+        jobs:
+          example:
+            image:
+              repository: example-image
+      applicationName: example-app
+      rbac.enabled: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false

application/tests/rolebinding_test.yaml

@@ -121,6 +121,7 @@ tests:
         roles:
           - name: example
         serviceAccount:
+          create: true
           name: ""
     asserts:
       - equal: