From 931bd434636990138d810bc48b54e62831474ea9 Mon Sep 17 00:00:00 2001 From: "aleksej.paschenko" Date: Tue, 2 Nov 2021 12:49:03 +0300 Subject: [PATCH] [SHIPA-2035] Use user-provided service account (#184) --- config/crd/bases/theketch.io_apps.yaml | 4 ++++ internal/api/v1beta1/app_types.go | 3 +++ internal/chart/application_chart.go | 4 ++++ internal/chart/application_chart_test.go | 7 ++++++- internal/chart/testdata/charts/dashboard-nginx.yaml | 4 ++++ internal/templates/common/yamls/deployment.yaml | 3 +++ 6 files changed, 24 insertions(+), 1 deletion(-) diff --git a/config/crd/bases/theketch.io_apps.yaml b/config/crd/bases/theketch.io_apps.yaml index 5df50c6a..07311183 100644 --- a/config/crd/bases/theketch.io_apps.yaml +++ b/config/crd/bases/theketch.io_apps.yaml @@ -2312,6 +2312,10 @@ spec: type: object type: object type: array + serviceAccountName: + description: ServiceAccountName specifies a service account name to + be used for this application. + type: string version: type: string required: diff --git a/internal/api/v1beta1/app_types.go b/internal/api/v1beta1/app_types.go index d1d1024f..4bfd9c8d 100644 --- a/internal/api/v1beta1/app_types.go +++ b/internal/api/v1beta1/app_types.go @@ -229,6 +229,9 @@ type AppSpec struct { // Annotations is a list of annotations that will be applied to Services/Deployments/Gateways. Annotations []MetadataItem `json:"annotations,omitempty"` + + // ServiceAccountName specifies a service account name to be used for this application. + ServiceAccountName string `json:"serviceAccountName,omitempty"` } // MetadataItem represent a request to add label/annotations to processes diff --git a/internal/chart/application_chart.go b/internal/chart/application_chart.go index 0eaa74fc..11778e38 100644 --- a/internal/chart/application_chart.go +++ b/internal/chart/application_chart.go 
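Review bot: The new ServiceAccountName field on AppSpec is accepted as a free-form string; the regenerated CRD in this commit only declares `type: string`, so a malformed or non-existent account name is not rejected when the App object is admitted and instead surfaces later as a pod-creation failure on the rendered Deployment. Since the value is copied into a manifest by the chart template, consider constraining it at the source with `// +optional` and a `// +kubebuilder:validation:Pattern=` marker for a DNS-1123 subdomain name, then regenerating the CRD. The field comment should also say that the account must already exist in the application's namespace and that nothing in the controller creates or verifies it (nothing in this commit does). The AppSpec struct starts outside the hunk.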
@@ -54,6 +54,9 @@ type app struct { MetadataLabels []ketchv1.MetadataItem // MetadataAnnotations is a list of labels to be added to k8s resources. MetadataAnnotations []ketchv1.MetadataItem `json:"metadataAnnotations"` + // ServiceAccountName specifies a service account name to be used for this application. + // SA should exist. + ServiceAccountName string `json:"serviceAccountName"` } type deployment struct { @@ -127,6 +130,7 @@ func New(application *ketchv1.App, framework *ketchv1.Framework, opts ...Option) Group: ketchv1.Group, MetadataLabels: application.Spec.Labels, MetadataAnnotations: application.Spec.Annotations, + ServiceAccountName: application.Spec.ServiceAccountName, }, IngressController: &framework.Spec.IngressController, } diff --git a/internal/chart/application_chart_test.go b/internal/chart/application_chart_test.go index 7e1f85dc..3880e5b6 100644 --- a/internal/chart/application_chart_test.go +++ b/internal/chart/application_chart_test.go @@ -182,6 +182,11 @@ func TestNewApplicationChart(t *testing.T) { }, } + setServiceAccount := func(app *ketchv1.App) *ketchv1.App { + out := *app + out.Spec.ServiceAccountName = "custom-service-account" + return &out + } // convertSecureEndpoints returns a copy of app with Cnames made not secure convertSecureEndpoints := func(app *ketchv1.App) *ketchv1.App { out := *app @@ -218,7 +223,7 @@ func TestNewApplicationChart(t *testing.T) { WithTemplates(templates.NginxDefaultTemplates), WithExposedPorts(exportedPorts), }, - application: convertSecureEndpoints(dashboard), + application: setServiceAccount(convertSecureEndpoints(dashboard)), framework: frameworkWithoutClusterIssuer, wantYamlsFilename: "dashboard-nginx", }, diff --git a/internal/chart/testdata/charts/dashboard-nginx.yaml b/internal/chart/testdata/charts/dashboard-nginx.yaml index 47932924..2a8332ff 100755 --- a/internal/chart/testdata/charts/dashboard-nginx.yaml +++ b/internal/chart/testdata/charts/dashboard-nginx.yaml 
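Review bot: The comment `// SA should exist.` on the new ServiceAccountName field of the chart's `app` struct is too terse to tell a maintainer what happens when it does not; nothing in this commit creates or checks the account, it is only copied from `application.Spec.ServiceAccountName` in `New` and rendered into the pod spec when non-empty. Suggest replacing the two comment lines with `// ServiceAccountName is copied verbatim from AppSpec and rendered into each Deployment's pod spec when non-empty; the account must already exist in the app's namespace, the chart does not create it.` The `app` struct and `New` both start outside their hunks.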
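Review bot: The new `setServiceAccount` helper in TestNewApplicationChart has no comment, while the adjacent `convertSecureEndpoints` documents its copy-and-modify contract; for consistency add `// setServiceAccount returns a copy of app with a custom ServiceAccountName set`. Only the dashboard-nginx case sets the account, so the remaining cases presumably exercise the empty-name path where the template omits the field; a one-line comment on the case stating that intent would keep it from being lost if the cases are reshuffled. TestNewApplicationChart starts and ends outside the hunks.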
@@ -147,6 +147,7 @@ spec: theketch.io/app-deployment-version: "3" theketch.io/is-isolated-run: "false" spec: + serviceAccountName: custom-service-account containers: - name: dashboard-web-3 command: ["python"] @@ -217,6 +218,7 @@ spec: theketch.io/app-deployment-version: "3" theketch.io/is-isolated-run: "false" spec: + serviceAccountName: custom-service-account containers: - name: dashboard-worker-3 command: ["celery"] @@ -268,6 +270,7 @@ spec: theketch.io/app-deployment-version: "4" theketch.io/is-isolated-run: "false" spec: + serviceAccountName: custom-service-account containers: - name: dashboard-web-4 command: ["python"] @@ -318,6 +321,7 @@ spec: theketch.io/app-deployment-version: "4" theketch.io/is-isolated-run: "false" spec: + serviceAccountName: custom-service-account containers: - name: dashboard-worker-4 command: ["celery"] diff --git a/internal/templates/common/yamls/deployment.yaml b/internal/templates/common/yamls/deployment.yaml index a6e027b9..19612eef 100644 --- a/internal/templates/common/yamls/deployment.yaml +++ b/internal/templates/common/yamls/deployment.yaml @@ -39,6 +39,9 @@ spec: {{ $.Values.app.group }}/app-deployment-version: {{ $deployment.version | quote }} {{ $.Values.app.group }}/is-isolated-run: "false" spec: + {{- if $.Values.app.serviceAccountName }} + serviceAccountName: {{ $.Values.app.serviceAccountName }} + {{- end }} containers: - name: {{ $.Values.app.name }}-{{ $process.name }}-{{ $deployment.version }} command: {{ $process.cmd | toJson }}
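Review bot: The new `serviceAccountName: {{ $.Values.app.serviceAccountName }}` line in deployment.yaml interpolates the user-supplied name unquoted, whereas the surrounding template quotes values such as `{{ $deployment.version | quote }}`; because the CRD in this commit declares the field as a bare string, a value containing YAML-significant characters would change the structure of the rendered manifest before the API server ever validates the name. Use `serviceAccountName: {{ $.Values.app.serviceAccountName | quote }}` so the value is always emitted as a single scalar, and update the expected output in internal/chart/testdata/charts/dashboard-nginx.yaml accordingly. The enclosing Deployment template starts outside the hunk.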