chore: Make service account configurable and add option to opt out of…

… creation (#3404)

Signed-off-by: Stef Graces <stefgraces@hotmail.com>
Co-authored-by: Jaydipkumar Arvindbhai Gabani <gabanijaydip@gmail.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>

cmd/build/helmify/kustomize-for-helm.yaml

@@ -145,6 +145,7 @@ spec:
         HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_IMAGE_PULL_SECRETS: ""
       hostNetwork: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HOST_NETWORK
       dnsPolicy: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_DNS_POLICY
+      serviceAccountName: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SERVICE_ACCOUNT_NAME
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -223,6 +224,7 @@ spec:
         HELMSUBST_DEPLOYMENT_AUDIT_IMAGE_PULL_SECRETS: ""
       hostNetwork: HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK
       dnsPolicy: HELMSUBST_DEPLOYMENT_AUDIT_DNS_POLICY
+      serviceAccountName: HELMSUBST_DEPLOYMENT_AUDIT_SERVICE_ACCOUNT_NAME
 ---
 apiVersion: v1
 kind: Secret

cmd/build/helmify/main.go

@@ -22,8 +22,9 @@ var kindRegex = regexp.MustCompile(`(?m)^kind:[\s]+([\S]+)[\s]*$`)
 var nameRegex = regexp.MustCompile(`(?m)^  name:[\s]+([\S]+)[\s]*$`)
 
 const (
-	DeploymentKind = "Deployment"
-	end            = "{{- end }}"
+	DeploymentKind     = "Deployment"
+	ServiceAccountKind = "ServiceAccount"
+	end                = "{{- end }}"
 )
 
 func isRbacKind(str string) bool {
@@ -153,6 +154,10 @@ func (ks *kindSet) Write() error {
 				obj = "{{- if .Values.rbac.create }}\n" + obj + end + "\n"
 			}
 
+			if name == "gatekeeper-admin" && kind == ServiceAccountKind {
+				obj = "{{- if .Values.serviceAccount.gatekeeperAdmin.create }}\n" + obj + end + "\n"
+			}
+
 			if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" {
 				obj = strings.Replace(obj, "apiVersion: policy/v1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
 			}

cmd/build/helmify/replacements.go

@@ -23,6 +23,10 @@ var replacements = map[string]string{
 
 	"HELMSUBST_DEPLOYMENT_AUDIT_DNS_POLICY": `{{ .Values.audit.dnsPolicy }}`,
 
+	"HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SERVICE_ACCOUNT_NAME": `{{ .Values.controllerManager.serviceAccount.name }}`,
+
+	"HELMSUBST_DEPLOYMENT_AUDIT_SERVICE_ACCOUNT_NAME": `{{ .Values.audit.serviceAccount.name }}`,
+
 	"HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT": `{{ .Values.audit.healthPort }}`,
 
 	"HELMSUBST_DEPLOYMENT_AUDIT_METRICS_PORT": `{{ .Values.audit.metricsPort }}`,

cmd/build/helmify/static/templates/namespace-post-install.yaml

@@ -32,7 +32,7 @@ spec:
       imagePullSecrets:
       {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
-      serviceAccount: gatekeeper-update-namespace-label
+      serviceAccount: {{ .Values.postInstall.labelNamespace.serviceAccount.name }}
       {{- if .Values.postInstall.probeWebhook.enabled }}
       volumes:
       {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
@@ -90,10 +90,11 @@ spec:
         {{- toYaml .tolerations | nindent 8 }}
       {{- end }}
 ---
+{{- if .Values.postInstall.labelNamespace.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: gatekeeper-update-namespace-label
+  name: {{ .Values.postInstall.labelNamespace.serviceAccount.name }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
@@ -103,6 +104,7 @@ metadata:
     "helm.sh/hook": post-install
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- end }}
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -155,7 +157,7 @@ roleRef:
   name: gatekeeper-update-namespace-label
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-update-namespace-label
+    name: {{ .Values.postInstall.labelNamespace.serviceAccount.name }}
     namespace: {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}

cmd/build/helmify/static/templates/namespace-post-upgrade.yaml

@@ -27,7 +27,7 @@ spec:
       imagePullSecrets:
       {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
-      serviceAccount: gatekeeper-update-namespace-label-post-upgrade
+      serviceAccount: {{ .Values.postUpgrade.labelNamespace.serviceAccount.name }}
       {{- if .Values.postUpgrade.labelNamespace.priorityClassName }}
       priorityClassName: {{ .Values.postUpgrade.labelNamespace.priorityClassName }}
       {{- end }}
@@ -82,10 +82,11 @@ spec:
         {{- toYaml .nodeSelector | nindent 8 }}
       {{- end }}
 ---
+{{- if .Values.postUpgrade.labelNamespace.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: gatekeeper-update-namespace-label-post-upgrade
+  name: {{ .Values.postUpgrade.labelNamespace.serviceAccount.name }}
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
@@ -94,6 +95,7 @@ metadata:
     "helm.sh/hook": post-upgrade
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- end }}
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -143,7 +145,7 @@ roleRef:
   name: gatekeeper-update-namespace-label-post-upgrade
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-update-namespace-label-post-upgrade
+    name: {{ .Values.postUpgrade.labelNamespace.serviceAccount.name }}
     namespace: {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}

cmd/build/helmify/static/templates/upgrade-crds-hook.yaml

@@ -36,27 +36,29 @@ metadata:
     helm.sh/hook-weight: "1"
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-admin-upgrade-crds
+    name: {{ .Values.upgradeCRDs.serviceAccount.name }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
   name: gatekeeper-admin-upgrade-crds
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
 ---
+{{- if .Values.upgradeCRDs.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
-  name: gatekeeper-admin-upgrade-crds
+  name: {{ .Values.upgradeCRDs.serviceAccount.name }}
   namespace: '{{ .Release.Namespace }}'
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
     helm.sh/hook-weight: "1"
+{{- end }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -82,7 +84,7 @@ spec:
         {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
         {{- include "gatekeeper.commonLabels" . | nindent 8 }}
     spec:
-      serviceAccountName: gatekeeper-admin-upgrade-crds
+      serviceAccountName: {{ .Values.upgradeCRDs.serviceAccount.name }}
       restartPolicy: Never
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:

cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml

@@ -26,7 +26,7 @@ spec:
       imagePullSecrets:
       {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
-      serviceAccount: gatekeeper-delete-webhook-configs
+      serviceAccount: {{ .Values.preUninstall.deleteWebhookConfigurations.serviceAccount.name }}
       {{- if .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }}
       priorityClassName: {{ .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }}
       {{- end }}
@@ -59,10 +59,11 @@ spec:
         {{- toYaml .tolerations | nindent 8 }}
       {{- end }}
 ---
+{{- if .Values.preUninstall.deleteWebhookConfigurations.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: gatekeeper-delete-webhook-configs
+  name: {{ .Values.preUninstall.deleteWebhookConfigurations.serviceAccount.name }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
@@ -72,6 +73,7 @@ metadata:
     "helm.sh/hook": pre-delete
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- end }}
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -131,7 +133,7 @@ roleRef:
   name: gatekeeper-delete-webhook-configs
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-delete-webhook-configs
+    name: {{ .Values.preUninstall.deleteWebhookConfigurations.name }}
     namespace: {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}

cmd/build/helmify/static/values.yaml

@@ -60,6 +60,9 @@ preInstall:
       tag: v3.17.0-beta.0
 postUpgrade:
   labelNamespace:
+    serviceAccount:
+      name: gatekeeper-update-namespace-label-post-upgrade
+      create: true
     enabled: false
     image:
       repository: openpolicyagent/gatekeeper-crds
@@ -90,6 +93,9 @@ postUpgrade:
     runAsUser: 1000
 postInstall:
   labelNamespace:
+    serviceAccount:
+      name: gatekeeper-update-namespace-label
+      create: true
     enabled: true
     extraRules: []
     image:
@@ -131,6 +137,9 @@ postInstall:
     runAsUser: 1000
 preUninstall:
   deleteWebhookConfigurations:
+    serviceAccount:
+      name: gatekeeper-delete-webhook-configs
+      create: true
     extraRules: []
     enabled: false
     image:
@@ -159,6 +168,8 @@ podCountLimit: "100"
 secretAnnotations: {}
 enableRuntimeDefaultSeccompProfile: true
 controllerManager:
+  serviceAccount:
+    name: gatekeeper-admin
   exemptNamespaces: []
   exemptNamespacePrefixes: []
   hostNetwork: false
@@ -215,6 +226,8 @@ controllerManager:
       #   - ipBlock:
       #       cidr: 0.0.0.0/0
 audit:
+  serviceAccount:
+    name: gatekeeper-admin
   enablePubsub: false
   connection: audit-connection
   channel: audit-channel
@@ -272,6 +285,9 @@ disabledBuiltins: ["{http.send}"]
 psp:
   enabled: false
 upgradeCRDs:
+  serviceAccount:
+    create: true
+    name: gatekeeper-admin-upgrade-crds
   enabled: true
   extraRules: []
   priorityClassName: ""
@@ -280,3 +296,6 @@ rbac:
 externalCertInjection:
   enabled: false
   secretName: gatekeeper-webhook-server-cert
+serviceAccount:
+  gatekeeperAdmin:
+    create: true

manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.serviceAccount.gatekeeperAdmin.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,3 +10,4 @@ metadata:
     release: '{{ .Release.Name }}'
   name: gatekeeper-admin
   namespace: '{{ .Release.Namespace }}'
+{{- end }}

manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml

@@ -155,7 +155,7 @@ spec:
       {{- end }}
       securityContext:
         {{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
-      serviceAccountName: gatekeeper-admin
+      serviceAccountName: {{ .Values.audit.serviceAccount.name }}
       terminationGracePeriodSeconds: 60
       tolerations:
         {{- toYaml .Values.audit.tolerations | nindent 8 }}

manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml

@@ -168,7 +168,7 @@ spec:
       {{- end }}
       securityContext:
         {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
-      serviceAccountName: gatekeeper-admin
+      serviceAccountName: {{ .Values.controllerManager.serviceAccount.name }}
       terminationGracePeriodSeconds: 60
       tolerations:
         {{- toYaml .Values.controllerManager.tolerations | nindent 8 }}

manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml

@@ -32,7 +32,7 @@ spec:
       imagePullSecrets:
       {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
-      serviceAccount: gatekeeper-update-namespace-label
+      serviceAccount: {{ .Values.postInstall.labelNamespace.serviceAccount.name }}
       {{- if .Values.postInstall.probeWebhook.enabled }}
       volumes:
       {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
@@ -90,10 +90,11 @@ spec:
         {{- toYaml .tolerations | nindent 8 }}
       {{- end }}
 ---
+{{- if .Values.postInstall.labelNamespace.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: gatekeeper-update-namespace-label
+  name: {{ .Values.postInstall.labelNamespace.serviceAccount.name }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
@@ -103,6 +104,7 @@ metadata:
     "helm.sh/hook": post-install
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- end }}
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -155,7 +157,7 @@ roleRef:
   name: gatekeeper-update-namespace-label
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-update-namespace-label
+    name: {{ .Values.postInstall.labelNamespace.serviceAccount.name }}
     namespace: {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}

manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml

@@ -27,7 +27,7 @@ spec:
       imagePullSecrets:
       {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
-      serviceAccount: gatekeeper-update-namespace-label-post-upgrade
+      serviceAccount: {{ .Values.postUpgrade.labelNamespace.serviceAccount.name }}
       {{- if .Values.postUpgrade.labelNamespace.priorityClassName }}
       priorityClassName: {{ .Values.postUpgrade.labelNamespace.priorityClassName }}
       {{- end }}
@@ -82,10 +82,11 @@ spec:
         {{- toYaml .nodeSelector | nindent 8 }}
       {{- end }}
 ---
+{{- if .Values.postUpgrade.labelNamespace.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: gatekeeper-update-namespace-label-post-upgrade
+  name: {{ .Values.postUpgrade.labelNamespace.serviceAccount.name }}
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
@@ -94,6 +95,7 @@ metadata:
     "helm.sh/hook": post-upgrade
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- end }}
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -143,7 +145,7 @@ roleRef:
   name: gatekeeper-update-namespace-label-post-upgrade
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-update-namespace-label-post-upgrade
+    name: {{ .Values.postUpgrade.labelNamespace.serviceAccount.name }}
     namespace: {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}