feat(helm): allow to use an external serviceAccount (#12441)

Author: NitriKx

helm/defectdojo/templates/_helpers.tpl

@@ -31,6 +31,16 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "defectdojo.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "defectdojo.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "defectdojo" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
 
 {{/*
   Determine the hostname to use for PostgreSQL/Redis.

helm/defectdojo/templates/celery-beat-deployment.yaml

@@ -53,7 +53,7 @@ spec:
         checksum/esecret: {{ include (print $.Template.BasePath "/extra-secret.yaml") . | sha256sum }}
       {{- end }}
     spec:
-      serviceAccountName: {{ $fullName }}
+      serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
       - name: {{ .Values.imagePullSecrets }}
@@ -131,7 +131,7 @@ spec:
         {{- if  .Values.django.uwsgi.certificates.enabled }}
         - name: cert-mount
           mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }}
-        {{- end }}  
+        {{- end }}
         {{- range .Values.celery.extraVolumes }}
         - name: userconfig-{{ .name }}
           readOnly: true

helm/defectdojo/templates/celery-worker-deployment.yaml

@@ -53,7 +53,7 @@ spec:
         checksum/esecret: {{ include (print $.Template.BasePath "/extra-secret.yaml") . | sha256sum }}
       {{- end }}
     spec:
-      serviceAccountName: {{ $fullName }}
+      serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
       - name: {{ .Values.imagePullSecrets }}
@@ -126,7 +126,7 @@ spec:
         {{- if  .Values.django.uwsgi.certificates.enabled }}
         - name: cert-mount
           mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }}
-        {{- end }}  
+        {{- end }}
         {{- range .Values.celery.extraVolumes }}
         - name: userconfig-{{ .name }}
           readOnly: true

helm/defectdojo/templates/django-deployment.yaml

@@ -60,7 +60,7 @@ spec:
         checksum/esecret: {{ include (print $.Template.BasePath "/extra-secret.yaml") . | sha256sum }}
       {{- end }}
     spec:
-      serviceAccountName: {{ $fullName }}
+      serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
       - name: {{ .Values.imagePullSecrets }}

helm/defectdojo/templates/initializer-job.yaml

@@ -38,7 +38,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      serviceAccountName: {{ $fullName }}
+      serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
       - name: {{ .Values.imagePullSecrets }}

helm/defectdojo/templates/sa.yaml

@@ -1,8 +1,8 @@
-{{- $fullName := include "defectdojo.fullname" . -}}
+{{- if .Values.serviceAccount.create -}}
 kind: ServiceAccount
 apiVersion: v1
 metadata:
-  name: {{ $fullName }}
+  name: {{ include "defectdojo.serviceAccountName" . }}
   labels:
     app.kubernetes.io/name: {{ include "defectdojo.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
@@ -11,13 +11,20 @@ metadata:
     {{- with .Values.extraLabels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
+    {{- with .Values.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   annotations:
     helm.sh/resource-policy: keep
     helm.sh/hook: "pre-install"
     helm.sh/hook-delete-policy: "before-hook-creation"
     {{- with .Values.annotations }}
     {{ toYaml . | nindent 4 }}
     {{- end }}
+    {{- with .Values.serviceAccount.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
     {{- if ne .Values.gke.workloadIdentityEmail "" }}
     iam.gke.io/gcp-service-account: {{ .Values.gke.workloadIdentityEmail }}
     {{- end }}
+{{- end }}

helm/defectdojo/templates/tests/unit-tests.yaml

@@ -11,7 +11,7 @@ metadata:
   annotations:
     helm.sh/hook: test-success
 spec:
-  serviceAccountName: {{ $fullName }}
+  serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
   {{- if .Values.imagePullSecrets }}
   imagePullSecrets:
   - name: {{ .Values.imagePullSecrets }}

helm/defectdojo/values.yaml

@@ -84,6 +84,20 @@ securityContext:
     # nginx dockerfile sets USER=1001
     runAsUser: 1001
 
+serviceAccount:
+  # Specifies whether a service account should be created.
+  create: true
+
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  # name: ""
+
+  # Optional additional annotations to add to the DefectDojo's Service Account.
+  annotations: {}
+
+  # Optional additional labels to add to the DefectDojo's Service Account.
+  labels: {}
+
 dbMigrationChecker:
   enabled: true
   resources:
@@ -461,6 +475,7 @@ gke:
   # When using this option, be sure to set django.ingress.activateTLS to false
   useManagedCertificate: false
   # Workload Identity allows the K8s service account to assume the IAM access of a GCP service account to interact with other GCP services
+  # Only works with serviceAccount.create = true
   workloadIdentityEmail: ""
 
 # For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/master/bitnami/redis