feat: ability to specify externally created service account and just to override sa name without overriding fullname from tpl

.github/workflows/ci.yaml

@@ -17,9 +17,9 @@ jobs:
     env:
       # UPDATE_HERE
       # https://hub.docker.com/r/rancher/k3s/tags
-      K3S_VERSION: v1.31.1-k3s1
+      K3S_VERSION: v1.31.2-k3s1
       # https://github.com/helm-unittest/helm-unittest/releases
-      HELM_UNITTEST_VERSION: 0.6.2
+      HELM_UNITTEST_VERSION: 0.6.3
 
     steps:
 

README.md

@@ -23,7 +23,7 @@ encrypted files stored in `git` repository.
 
 | Kubernetes | Sops | Chart | Operator |
 |---|---|---|---|
-| v1.31.x | v3.9.1 | 0.20.2 | 0.14.1 |
+| v1.31.x | v3.9.1 | 0.20.3 | 0.14.1 |
 | v1.30.x | v3.9.0 | 0.19.4 | 0.13.3 |
 | v1.29.x | v3.8.1 | 0.18.6 | 0.12.6 |
 | v1.28.x | v3.8.1 | 0.17.4 | 0.11.4 |

chart/helm3/sops-secrets-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 # UPDATE_HERE
-version: 0.20.2
+version: 0.20.3
 appVersion: 0.14.1
 type: application
 description: Helm chart deploys sops-secrets-operator

chart/helm3/sops-secrets-operator/README.md

@@ -169,6 +169,8 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | securityContext.seccompProfileName | string | `""` | if seccompProfile.type is set to Localhost, set localhostProfile to value of seccompProfileName (user must specify value) |
 | securityContext.seccompProfileType | string | `"RuntimeDefault"` | seccompProfile.type |
 | serviceAccount.annotations | object | `{}` | Annotations to be added to the service account |
+| serviceAccount.enabled | bool | `true` |  |
+| serviceAccount.name | string | `""` | Custom service account name to use instead of automatically generated name (if enabled - chart will generate SA, if not enabled - will use preconfigured) |
 | tolerations | list | `[]` | Tolerations to be applied to operator pod |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

chart/helm3/sops-secrets-operator/templates/cluster_role_binding.yaml

@@ -11,7 +11,7 @@ metadata:
 {{ include "sops-secrets-operator.labels" . | indent 4 }}
 subjects:
 - kind: ServiceAccount
-  name: {{ include "sops-secrets-operator.fullname" . }}
+  name: {{ .Values.serviceAccount.name | default (tpl ( include "sops-secrets-operator.fullname" . ) .) }}
   namespace: {{ .Release.Namespace }}
 roleRef:
 {{- if .Values.namespaced }}

chart/helm3/sops-secrets-operator/templates/operator.yaml

@@ -29,7 +29,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-      serviceAccountName: {{ include "sops-secrets-operator.fullname" . }}
+      serviceAccountName: {{ .Values.serviceAccount.name | default (tpl ( include "sops-secrets-operator.fullname" . ) .) }}
       {{- if .Values.gpg.enabled }}
       initContainers:
         - name: init-myservice

chart/helm3/sops-secrets-operator/templates/service_account.yaml

@@ -1,12 +1,12 @@
-{{- if .Values.rbac.enabled }}
+{{- if (and .Values.rbac.enabled .Values.serviceAccount.enabled) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 {{- with .Values.serviceAccount.annotations }}
   annotations:
 {{ toYaml . | indent 4 }}
 {{- end }}
-  name: {{ include "sops-secrets-operator.fullname" . }}
+  name: {{ .Values.serviceAccount.name | default (tpl ( include "sops-secrets-operator.fullname" . ) .) }}
   labels:
 {{ include "sops-secrets-operator.labels" . | indent 4 }}
 {{- end }}

chart/helm3/sops-secrets-operator/templates/validation.yaml

@@ -0,0 +1,3 @@
+{{- if and (not .Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }}
+{{- fail "Error: serviceAccount 'name' must be set if serviceAccount 'enabled' is set to false" }}
+{{- end }}

chart/helm3/sops-secrets-operator/tests/monitor_test.yaml

@@ -56,5 +56,5 @@ tests:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: sops-secrets-operator
         app.kubernetes.io/version: "0.14.1"
-        helm.sh/chart: sops-secrets-operator-0.20.2
+        helm.sh/chart: sops-secrets-operator-0.20.3
         custom-label: custom-value

chart/helm3/sops-secrets-operator/tests/operator_test.yaml

@@ -31,7 +31,7 @@ tests:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: sops-secrets-operator
         app.kubernetes.io/version: 0.14.1
-        helm.sh/chart: sops-secrets-operator-0.20.2
+        helm.sh/chart: sops-secrets-operator-0.20.3
 
 # custom name
 - it: should correctly render custome name

chart/helm3/sops-secrets-operator/tests/service_account_test.yaml

@@ -0,0 +1,103 @@
+suite: operator service account tests
+templates:
+- service_account.yaml
+
+tests:
+
+# api
+- it: should set correct kind and apiVersion
+  asserts:
+  - isKind:
+      of: ServiceAccount
+  - isAPIVersion:
+      of: v1
+  - hasDocuments:
+      count: 1
+
+# deployment metadata and labels
+- it: should correctly render default service account metadata
+  release:
+    name: sops
+    namespace: sops
+  asserts:
+  - equal:
+      path: metadata.name
+      value: sops-sops-secrets-operator
+  - equal:
+      path: metadata.labels
+      # UPDATE_HERE
+      value:
+        app.kubernetes.io/instance: sops
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: sops-secrets-operator
+        app.kubernetes.io/version: 0.14.1
+        helm.sh/chart: sops-secrets-operator-0.20.3
+
+# custom name
+- it: should correctly render custome service account name
+  release:
+    name: sops
+    namespace: sops
+  set:
+    serviceAccount:
+      name: AzureSA
+  asserts:
+  - equal:
+      path: metadata.name
+      value: AzureSA
+
+# sa disabled
+- it: should not render service account if disabled
+  release:
+    name: sops
+    namespace: sops
+  set:
+    serviceAccount:
+      enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+# rbac disabled
+- it: should not render service account if rbac disabled
+  release:
+    name: sops
+    namespace: sops
+  set:
+    rbac:
+      enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+# both sa and rbac are disabled
+- it: should not render service account if rbac and sa are disabled
+  release:
+    name: sops
+    namespace: sops
+  set:
+    serviceAccount:
+      enabled: false
+    rbac:
+      enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+# sa empty annotations
+- it: sa annotations should be empty by default
+  asserts:
+  - notExists:
+      path: metadata.annotations
+
+# sa annotations
+- it: sa annotations should be empty by default
+  set:
+    serviceAccount:
+      annotations:
+        abc: "abc"
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        abc: abc

chart/helm3/sops-secrets-operator/tests/validation_test.yaml

@@ -0,0 +1,30 @@
+suite: "Validation Tests"
+
+templates:
+  - "templates/validation.yaml"
+
+tests:
+  - it: "should succeed if '.serviceAccount.enabled' is true (default case)"
+    set:
+      serviceAccount:
+        enabled: true
+        name:
+    asserts:
+    - notFailedTemplate: {}
+
+  - it: "should succeed if '.serviceAccount.enabled' is false and 'name' is set"
+    set:
+      serviceAccount:
+        enabled: false
+        name: "AzureSA"
+    asserts:
+      - notFailedTemplate: {}
+
+  - it: "should fail if '.serviceAccount.enabled' is false and '.serviceAccount.name' is not set"
+    set:
+      serviceAccount:
+        enabled: false
+        name: ""
+    asserts:
+    - failedTemplate:
+        errorMessage: "Error: serviceAccount 'name' must be set if serviceAccount 'enabled' is set to false"

chart/helm3/sops-secrets-operator/values.yaml

@@ -43,6 +43,9 @@ podAnnotations: {}
 podLabels: {}
 
 serviceAccount:
+  enabled: true
+  # -- Custom service account name to use instead of automatically generated name (if enabled - chart will generate SA, if not enabled - will use preconfigured)
+  name: ""
   # -- Annotations to be added to the service account
   annotations: {}