feat(helm/provisioner): add support for coder.serviceAccount.disableCreate

johnstcn · johnstcn · commit b8713243a978 · 2024-11-24T16:49:48.000Z
diff --git a/helm/coder/values.yaml b/helm/coder/values.yaml
@@ -113,7 +113,7 @@ coder:
     annotations: {}
     # coder.serviceAccount.name -- The service account name
     name: coder
-    # coder.serviceAccount.name -- Whether to create the service account or use existing service account
+    # coder.serviceAccount.disableCreate -- Whether to create the service account or use existing service account.
     disableCreate: false
 
   # coder.securityContext -- Fields related to the container's security
diff --git a/helm/provisioner/templates/coder.yaml b/helm/provisioner/templates/coder.yaml
@@ -1,5 +1,7 @@
 ---
+{{- if not .Values.coder.serviceAccount.disableCreate }}
 {{ include "libcoder.serviceaccount" (list . "coder.serviceaccount") }}
+{{- end }}
 
 ---
 {{ include "libcoder.deployment" (list . "coder.deployment") }}
diff --git a/helm/provisioner/tests/chart_test.go b/helm/provisioner/tests/chart_test.go
@@ -78,6 +78,10 @@ var testCases = []testCase{
 		name:          "extra_templates",
 		expectedError: "",
 	},
+	{
+		name:          "sa_disabled",
+		expectedError: "",
+	},
 }
 
 type testCase struct {
diff --git a/helm/provisioner/tests/testdata/sa_disabled.golden b/helm/provisioner/tests/testdata/sa_disabled.golden
@@ -0,0 +1,67 @@
+---
+# Source: coder-provisioner/templates/coder.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: coder-provisioner
+    app.kubernetes.io/part-of: coder-provisioner
+    app.kubernetes.io/version: 0.1.0
+    helm.sh/chart: coder-provisioner-0.1.0
+  name: coder-provisioner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: release-name
+      app.kubernetes.io/name: coder-provisioner
+  template:
+    metadata:
+      annotations: {}
+      labels:
+        app.kubernetes.io/instance: release-name
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: coder-provisioner
+        app.kubernetes.io/part-of: coder-provisioner
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: coder-provisioner-0.1.0
+    spec:
+      containers:
+      - args:
+        - provisionerd
+        - start
+        command:
+        - /opt/coder
+        env:
+        - name: CODER_PROMETHEUS_ADDRESS
+          value: 0.0.0.0:2112
+        - name: CODER_PROVISIONER_DAEMON_PSK
+          valueFrom:
+            secretKeyRef:
+              key: psk
+              name: coder-provisioner-psk
+        - name: CODER_URL
+          value: http://coder.default.svc.cluster.local
+        image: ghcr.io/coder/coder:latest
+        imagePullPolicy: IfNotPresent
+        lifecycle: {}
+        name: coder
+        ports: null
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: null
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts: []
+      restartPolicy: Always
+      serviceAccountName: coder-provisioner
+      terminationGracePeriodSeconds: 600
+      volumes: []
diff --git a/helm/provisioner/tests/testdata/sa_disabled.yaml b/helm/provisioner/tests/testdata/sa_disabled.yaml
@@ -0,0 +1,6 @@
+coder:
+  image:
+    tag: latest
+  serviceAccount:
+    workspacePerms: false
+    disableCreate: true
diff --git a/helm/provisioner/values.yaml b/helm/provisioner/values.yaml
@@ -74,6 +74,8 @@ coder:
     annotations: {}
     # coder.serviceAccount.name -- The service account name
     name: coder-provisioner
+    # coder.serviceAccount.disableCreate -- Whether to create the service account or use existing service account.
+    disableCreate: false
 
   # coder.securityContext -- Fields related to the container's security
   # context (as opposed to the pod). Some fields are also present in the pod
