implement astro.dagDeploy.serviceAccount.create and astro.dagDeploy.s…

…ervice… (#528) * add astro.dagDeploy.serviceAccount.create and astro.dagDeploy.serviceAccount.name * update standard template convention for dag server service account * update dag server service account * rework naming to use old naming * Update values.yaml Co-authored-by: Daniel Hoherd <[email protected]> * update test cases * add missing tests --------- Co-authored-by: Rob J. Caskey <[email protected]@astronomer.io> Co-authored-by: pgvishnuram <[email protected]> Co-authored-by: pgvishnuram <[email protected]> Co-authored-by: Daniel Hoherd <[email protected]>
astronomer · Sep 18, 2024 · fab84d1 · fab84d1
1 parent 599a10a
commit fab84d1
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 8 deletions.
diff --git a/templates/_helpers.yaml b/templates/_helpers.yaml
@@ -164,6 +164,18 @@ proxy_cookie_domain                     off;
 proxy_redirect                          off;
 {{ end }}
 
+{{/*
+Create the name of the dag-server service account to use
+*/}}
+{{- define "astro.dagDeploy.serviceAccountName" -}}
+{{- if .Values.dagDeploy.serviceAccount.create -}}
+    {{ default (printf "%s-dag-server" (include "airflow.fullname" .)) .Values.dagDeploy.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.dagDeploy.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+
 {{/*
 Create the name of the webserver service account to use
 */}}

diff --git a/templates/dag-deploy/dag-deploy-role.yaml b/templates/dag-deploy/dag-deploy-role.yaml
@@ -1,7 +1,7 @@
 #################################
 # dag-deploy-role
 #################################
-{{- if .Values.dagDeploy.enabled }}
+{{- if and .Values.dagDeploy.enabled .Values.dagDeploy.serviceAccount.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

diff --git a/templates/dag-deploy/dag-deploy-rolebinding.yaml b/templates/dag-deploy/dag-deploy-rolebinding.yaml
@@ -1,15 +1,15 @@
 #################################
 # dag-deploy-rolebinding
 #################################
-{{- if .Values.dagDeploy.enabled }}
+{{- if and .Values.dagDeploy.enabled .Values.dagDeploy.serviceAccount.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   namespace: "{{ .Release.Namespace }}"
   name: {{ .Release.Name }}-dag-server-rolebinding
 subjects:
 - kind: ServiceAccount
-  name: {{ .Release.Name }}-dag-server
+  name: {{ template "astro.dagDeploy.serviceAccountName" . }}
   namespace: "{{ .Release.Namespace }}"
 roleRef:
   kind: Role

diff --git a/templates/dag-deploy/dag-server-serviceaccount.yaml b/templates/dag-deploy/dag-server-serviceaccount.yaml
@@ -1,11 +1,11 @@
 #################################
 ## dag-server ServiceAccount   ##
 #################################
-{{- if .Values.dagDeploy.enabled }}
+{{- if and .Values.dagDeploy.enabled .Values.dagDeploy.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Release.Name }}-dag-server
+  name: {{ template "astro.dagDeploy.serviceAccountName" . }}
   labels:
     component: dag-server
     tier: airflow

diff --git a/templates/dag-deploy/dag-server-statefulset.yaml b/templates/dag-deploy/dag-server-statefulset.yaml
@@ -42,7 +42,7 @@ spec:
       imagePullSecrets:
         - name: {{ template "astro.registry_secret" . }}
       {{- end }}
-      serviceAccountName: {{ .Release.Name }}-dag-server
+      serviceAccountName: {{ template "astro.dagDeploy.serviceAccountName" . }}
       securityContext: {{ toYaml .Values.dagDeploy.securityContext | nindent 8 }}
       containers:
         - name: dag-server

diff --git a/tests/chart/test_dag_server_serviceaccount.py b/tests/chart/test_dag_server_serviceaccount.py
@@ -41,12 +41,45 @@ def test_dag_server_service_dag_server_annotations(self, kube_version):
         }
         docs = render_chart(
             kube_version=kube_version,
-            show_only="templates/dag-deploy/dag-server-serviceaccount.yaml",
+            show_only=["templates/dag-deploy/dag-server-serviceaccount.yaml", "templates/dag-deploy/dag-server-statefulset.yaml"],
             values=values,
         )
-        assert len(docs) == 1
+        assert len(docs) == 2
         doc = docs[0]
         assert doc["kind"] == "ServiceAccount"
         assert doc["apiVersion"] == "v1"
         assert doc["metadata"]["name"] == "release-name-dag-server"
         assert doc["metadata"]["annotations"] == annotations
+        assert "release-name-dag-server" == docs[1]["spec"]["template"]["spec"]["serviceAccountName"]
+
+    def test_dag_server_serviceaccount_overrides_defaults(self, kube_version):
+        """Test that a serviceAccount overridable with disabled creation"""
+        values = {
+            "dagDeploy": {
+                "enabled": True,
+                "serviceAccount": {"create": False},
+            }
+        }
+        docs = render_chart(
+            kube_version=kube_version,
+            show_only=["templates/dag-deploy/dag-server-serviceaccount.yaml", "templates/dag-deploy/dag-server-statefulset.yaml"],
+            values=values,
+        )
+        assert len(docs) == 1
+        assert "default" == docs[0]["spec"]["template"]["spec"]["serviceAccountName"]
+
+    def test_dag_server_serviceaccount_overrides(self, kube_version):
+        """Test that a serviceAccount overridable with disabled creation"""
+        values = {
+            "dagDeploy": {
+                "enabled": True,
+                "serviceAccount": {"create": False, "name": "dag-server"},
+            }
+        }
+        docs = render_chart(
+            kube_version=kube_version,
+            show_only=["templates/dag-deploy/dag-server-serviceaccount.yaml", "templates/dag-deploy/dag-server-statefulset.yaml"],
+            values=values,
+        )
+        assert len(docs) == 1
+        assert "dag-server" == docs[0]["spec"]["template"]["spec"]["serviceAccountName"]
diff --git a/values.yaml b/values.yaml
@@ -564,6 +564,8 @@ dagDeploy:
 
   serviceAccount:
     annotations: {}
+    name: ~
+    create: true
 
   resources: {}
   #  limits: