Add support for ServiceAccount secrets (closes #58)

snowplow-devops · Sep 26, 2022 · cf9ffdf · cf9ffdf
1 parent e250e0e
commit cf9ffdf
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 3 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+Version 0.1.22 (2022-09-23)
+---------------------------
+charts/cloudserviceaccount: Add support for ServiceAccount secrets (#58)
+
 Version 0.1.21 (2022-09-22)
 ---------------------------
 charts/service-deployment: Add support for 'exec' readiness probes in deployment (#56)

diff --git a/charts/cloudserviceaccount/Chart.yaml b/charts/cloudserviceaccount/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cloudserviceaccount
 description: A helm chart which can create a ServiceAccount with cloud specific bindings
-version: 0.1.0
+version: 0.2.0
 icon: https://raw.githubusercontent.com/snowplow-devops/helm-charts/master/docs/logo/snowplow.png
 home: https://github.com/snowplow-devops/helm-charts
 sources:

diff --git a/charts/cloudserviceaccount/README.md b/charts/cloudserviceaccount/README.md
@@ -39,3 +39,4 @@ helm delete cloudserviceaccount
 | name | string | `"my-service-account"` | Name of the service-account to create |
 | aws.roleARN | string | `""` | IAM Role ARN to bind to the k8s service account |
 | gcp.serviceAccount | string | `""` | Service Account email to bind to the k8s service account |
+| secrets | list | `[]` | List of secrets allowed to be used by pods running using this ServiceAccount |
diff --git a/charts/cloudserviceaccount/templates/serviceaccount.yaml b/charts/cloudserviceaccount/templates/serviceaccount.yaml
@@ -2,11 +2,18 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ .Values.name }}
   annotations:
-  {{- if eq .Values.global.cloud "gcp" }}
+  {{- if and (eq .Values.global.cloud "gcp") (.Values.gcp.serviceAccount) }}
     iam.gke.io/gcp-service-account: {{ .Values.gcp.serviceAccount }}
-  {{- else if eq .Values.global.cloud "aws" }}
+  {{- else if and (eq .Values.global.cloud "aws") (.Values.aws.roleARN) }}
     eks.amazonaws.com/role-arn: {{ .Values.aws.roleARN }}
   {{- end }}
+{{- if .Values.secrets }}
+secrets:
+{{- range $v := .Values.secrets }}
+-  name: {{ $v }}
+{{- end }}
+{{- end }}
 {{- end }}
diff --git a/charts/cloudserviceaccount/values.yaml b/charts/cloudserviceaccount/values.yaml
@@ -8,3 +8,6 @@ aws:
 gcp:
   # -- Service Account email to bind to the k8s service account
   serviceAccount: ""
+# -- List of secrets allowed to be used by pods running using this ServiceAccount
+secrets: []
+# - ssl-certificates