feat: create serviceAccount for sync catalog cluster role bind

hashicorp · Oct 15, 2018 · 6fff68a · 6fff68a
1 parent 32ed79e
commit 6fff68a
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 6 deletions.
diff --git a/templates/sync-catalog-deployment.yaml b/templates/sync-catalog-deployment.yaml
@@ -1,4 +1,5 @@
 # The deployment for running the Connect sidecar injector
+{{- $rbacEnabled := (or (and (ne (.Values.syncCatalog.rbac.enabled | toString) "-") .Values.syncCatalog.rbac.enabled) (and (eq (.Values.syncCatalog.rbac.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
 apiVersion: apps/v1
 kind: Deployment
@@ -25,6 +26,9 @@ spec:
         release: {{ .Release.Name }}
         component: sync-catalog
     spec:
+      {{- if $rbacEnabled }}
+      serviceAccountName: {{ template "consul.fullname" . }}:sync-catalog
+      {{- end }}
       containers:
         - name: consul-sync-catalog
           image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}"

diff --git a/templates/sync-cluster-role-binding.yaml b/templates/sync-cluster-role-binding.yaml
@@ -4,7 +4,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: consul:sync
+  name: {{ template "consul.fullname" . }}:sync-catalog
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
@@ -13,9 +13,9 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: consul:sync
+  name: {{ template "consul.fullname" . }}:sync-catalog
 subjects:
-  - kind: Group
-    name: system:serviceaccounts:{{ .Release.Namespace }}
-    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: {{ template "consul.fullname" . }}:sync-catalog
+    namespace: {{ .Release.Namespace }}
 {{- end }}
diff --git a/templates/sync-cluster-role.yaml b/templates/sync-cluster-role.yaml
@@ -4,7 +4,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: consul:sync
+  name: {{ template "consul.fullname" . }}:sync-catalog
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}

diff --git a/test/unit/sync-catalog-deployment.bats b/test/unit/sync-catalog-deployment.bats
@@ -149,3 +149,17 @@ load _helpers
       yq '.spec.template.spec.containers[0].command | any(contains("-k8s-service-prefix=\"foo-\""))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# serviceAccount
+
+@test "syncCatalog/Deployment: serviceAccount set with rbac.enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-catalog-deployment.yaml  \
+      --set 'syncCatalog.enabled=true' \
+      --set 'syncCatalog.rbac.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.serviceAccountName | contains("sync-catalog")' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}