[SHIPA-2035] Use user-provided service account (#184)

theketchio · Nov 2, 2021 · 931bd43 · 931bd43
1 parent 7d43c0d
commit 931bd43
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 1 deletion.
diff --git a/config/crd/bases/theketch.io_apps.yaml b/config/crd/bases/theketch.io_apps.yaml
@@ -2312,6 +2312,10 @@ spec:
                       type: object
                   type: object
                 type: array
+              serviceAccountName:
+                description: ServiceAccountName specifies a service account name to
+                  be used for this application.
+                type: string
               version:
                 type: string
             required:

diff --git a/internal/api/v1beta1/app_types.go b/internal/api/v1beta1/app_types.go
@@ -229,6 +229,9 @@ type AppSpec struct {
 
 	// Annotations is a list of annotations that will be applied to Services/Deployments/Gateways.
 	Annotations []MetadataItem `json:"annotations,omitempty"`
+
+	// ServiceAccountName specifies a service account name to be used for this application.
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // MetadataItem represent a request to add label/annotations to processes

diff --git a/internal/chart/application_chart.go b/internal/chart/application_chart.go
@@ -54,6 +54,9 @@ type app struct {
 	MetadataLabels []ketchv1.MetadataItem
 	// MetadataAnnotations is a list of labels to be added to k8s resources.
 	MetadataAnnotations []ketchv1.MetadataItem `json:"metadataAnnotations"`
+	// ServiceAccountName specifies a service account name to be used for this application.
+	// SA should exist.
+	ServiceAccountName string `json:"serviceAccountName"`
 }
 
 type deployment struct {
@@ -127,6 +130,7 @@ func New(application *ketchv1.App, framework *ketchv1.Framework, opts ...Option)
 			Group:               ketchv1.Group,
 			MetadataLabels:      application.Spec.Labels,
 			MetadataAnnotations: application.Spec.Annotations,
+			ServiceAccountName:  application.Spec.ServiceAccountName,
 		},
 		IngressController: &framework.Spec.IngressController,
 	}

diff --git a/internal/chart/application_chart_test.go b/internal/chart/application_chart_test.go
@@ -182,6 +182,11 @@ func TestNewApplicationChart(t *testing.T) {
 		},
 	}
 
+	setServiceAccount := func(app *ketchv1.App) *ketchv1.App {
+		out := *app
+		out.Spec.ServiceAccountName = "custom-service-account"
+		return &out
+	}
 	// convertSecureEndpoints returns a copy of app with Cnames made not secure
 	convertSecureEndpoints := func(app *ketchv1.App) *ketchv1.App {
 		out := *app
@@ -218,7 +223,7 @@ func TestNewApplicationChart(t *testing.T) {
 				WithTemplates(templates.NginxDefaultTemplates),
 				WithExposedPorts(exportedPorts),
 			},
-			application:       convertSecureEndpoints(dashboard),
+			application:       setServiceAccount(convertSecureEndpoints(dashboard)),
 			framework:         frameworkWithoutClusterIssuer,
 			wantYamlsFilename: "dashboard-nginx",
 		},

diff --git a/internal/chart/testdata/charts/dashboard-nginx.yaml b/internal/chart/testdata/charts/dashboard-nginx.yaml
@@ -147,6 +147,7 @@ spec:
         theketch.io/app-deployment-version: "3"
         theketch.io/is-isolated-run: "false"
     spec:
+      serviceAccountName: custom-service-account
       containers:
         - name: dashboard-web-3
           command: ["python"]
@@ -217,6 +218,7 @@ spec:
         theketch.io/app-deployment-version: "3"
         theketch.io/is-isolated-run: "false"
     spec:
+      serviceAccountName: custom-service-account
       containers:
         - name: dashboard-worker-3
           command: ["celery"]
@@ -268,6 +270,7 @@ spec:
         theketch.io/app-deployment-version: "4"
         theketch.io/is-isolated-run: "false"
     spec:
+      serviceAccountName: custom-service-account
       containers:
         - name: dashboard-web-4
           command: ["python"]
@@ -318,6 +321,7 @@ spec:
         theketch.io/app-deployment-version: "4"
         theketch.io/is-isolated-run: "false"
     spec:
+      serviceAccountName: custom-service-account
       containers:
         - name: dashboard-worker-4
           command: ["celery"]

diff --git a/internal/templates/common/yamls/deployment.yaml b/internal/templates/common/yamls/deployment.yaml
@@ -39,6 +39,9 @@ spec:
         {{ $.Values.app.group }}/app-deployment-version: {{ $deployment.version | quote }}
         {{ $.Values.app.group }}/is-isolated-run: "false"
     spec:
+      {{- if $.Values.app.serviceAccountName }}
+      serviceAccountName: {{ $.Values.app.serviceAccountName }}
+      {{- end }}
       containers:
         - name: {{ $.Values.app.name }}-{{ $process.name }}-{{ $deployment.version }}
           command: {{ $process.cmd | toJson }}