feat: add separate SA for each component

kamiiiel · jgiovaresco · commit 85fa1951c1d0 · 2023-06-21T09:02:18.000+02:00
diff --git a/helm/CHANGELOG.md b/helm/CHANGELOG.md
@@ -3,6 +3,18 @@
 
 This file documents all notable changes to [Gravitee.io API Management 3.x](https://github.com/gravitee-io/helm-charts/tree/master/apim/3.x) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 3.20.12
+
+- Add support for managed Service Account for each product
+
+### 3.19.17
+
+- Add support for managed Service Account for each product
+
+### 3.18.28
+
+- Add support for managed Service Account for each product
+
 ### 3.20.11
 
 - Change APIM charts versioning
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -1,8 +1,7 @@
 apiVersion: v1
 name: apim
-# When the version: 3.20.11
 # Also update CHANGELOG.md
-version: 3.20.11
+version: 3.20.12
 appVersion: 3.20.x-latest
 description: Official Gravitee.io Helm chart for API Management
 home: https://gravitee.io
@@ -20,5 +19,4 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/graviteeio/apim?modal=changelog
   artifacthub.io/changes: |
-    - Change the version 3.20.11
-    - Remove duplicate annotation in ui deployment
+    - Add support for managed Service Account for each product
diff --git a/helm/templates/api/api-deployment.yaml b/helm/templates/api/api-deployment.yaml
@@ -86,9 +86,11 @@ spec:
         {{- end }}
         {{- end }}
     spec:
-      {{- if $serviceAccount }}
+      {{- if not (eq .Values.api.deployment.serviceAccount "") }}
+      serviceAccountName: {{ .Values.api.deployment.serviceAccount }}
+      {{- else if $serviceAccount }}
       serviceAccountName: {{ $serviceAccount }}
-      {{ end }}
+      {{- end }}
       affinity: {{ toYaml .Values.api.deployment.affinity | nindent 8 }}
       nodeSelector: {{ toYaml .Values.api.deployment.nodeSelector | nindent 8 }}
       topologySpreadConstraints: {{ toYaml .Values.api.deployment.topologySpreadConstraints | nindent 8 }}
diff --git a/helm/templates/api/api-upgrader-job.yaml b/helm/templates/api/api-upgrader-job.yaml
@@ -67,9 +67,11 @@ spec:
         {{- end }}
     spec:
       restartPolicy: Never
-      {{- if $serviceAccount }}
+      {{- if not (eq .Values.api.deployment.serviceAccount "") }}
+      serviceAccountName: {{ .Values.api.deployment.serviceAccount }}
+      {{- else if $serviceAccount }}
       serviceAccountName: {{ $serviceAccount }}
-      {{ end }}
+      {{- end }}
       affinity: {{ toYaml .Values.api.deployment.affinity | nindent 8 }}
       nodeSelector: {{ toYaml .Values.api.deployment.nodeSelector | nindent 8 }}
       topologySpreadConstraints: {{ toYaml .Values.api.deployment.topologySpreadConstraints | nindent 8 }}
diff --git a/helm/templates/gateway/gateway-deployment.yaml b/helm/templates/gateway/gateway-deployment.yaml
@@ -83,9 +83,11 @@ spec:
         {{- end }}
         {{- end }}
     spec:
-      {{- if $serviceAccount }}
+      {{- if not (eq .Values.gateway.deployment.serviceAccount "") }}
+      serviceAccountName: {{ .Values.gateway.deployment.serviceAccount }}
+      {{- else if $serviceAccount }}
       serviceAccountName: {{ $serviceAccount }}
-      {{ end }}
+      {{- end }}
       affinity: {{ toYaml .Values.gateway.deployment.affinity | nindent 8 }}
       nodeSelector: {{ toYaml .Values.gateway.deployment.nodeSelector | nindent 8 }}
       topologySpreadConstraints: {{ toYaml .Values.gateway.deployment.topologySpreadConstraints | nindent 8 }}
diff --git a/helm/tests/api/deployment_test.yaml b/helm/tests/api/deployment_test.yaml
@@ -148,6 +148,24 @@ tests:
           path: spec.template.spec.serviceAccountName
           value: "test-sa"
 
+  - it: Deploy with component specific ServiceAccount
+    template: api/api-deployment.yaml
+    set:
+      apim:
+        managedServiceAccount: true
+        serviceAccount: "test-sa"
+      api:
+        deployment:
+          serviceAccount: "apim-api"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Deployment
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: "apim-api"
+
   - it: Deploy with long api name
     template: api/api-deployment.yaml
     set:
diff --git a/helm/tests/gateway/deployment_test.yaml b/helm/tests/gateway/deployment_test.yaml
@@ -174,6 +174,24 @@ tests:
           path: spec.template.spec.serviceAccountName
           value: "test-sa"
 
+  - it: Deploy with component specific ServiceAccount
+    template: gateway/gateway-deployment.yaml
+    set:
+      apim:
+        managedServiceAccount: true
+        serviceAccount: "test-sa"
+      gateway:
+        deployment:
+          serviceAccount: "apim-gateway"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Deployment
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: "apim-gateway"
+
   - it: Deploy with long api name
     template: gateway/gateway-deployment.yaml
     set:
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -11,6 +11,7 @@ apim:
   managedServiceAccount: true
 
   # Custom service account override that the pod will use
+  # if customer provides a dedicated SA for any component, that will have the priority
   serviceAccount: ""
 
   roleRules:
@@ -413,6 +414,9 @@ api:
     securityContext:
       runAsUser: 1001
       runAsNonRoot: true
+
+    # Dedicated Service account provided for this component
+    serviceAccount: ""
     strategy:
       type: RollingUpdate
       rollingUpdate:
@@ -729,6 +733,9 @@ gateway:
     securityContext:
       runAsUser: 1001
       runAsNonRoot: true
+
+    # Dedicated Service account provided for this component
+    serviceAccount: ""
     strategy:
       type: RollingUpdate
       rollingUpdate:
