From fab84d169f24e405f4c82489476178f9dda56382 Mon Sep 17 00:00:00 2001
From: Rob Caskey <89029510+rob-1126@users.noreply.github.com>
Date: Wed, 18 Sep 2024 13:42:25 -0400
Subject: [PATCH] =?UTF-8?q?implement=20astro.dagDeploy.serviceAccount.crea?=
 =?UTF-8?q?te=20and=20astro.dagDeploy.service=E2=80=A6=20(#528)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* add astro.dagDeploy.serviceAccount.create and astro.dagDeploy.serviceAccount.name

* update standard template convention for dag server service account

* update dag server service account

* rework naming to use old naming

* Update values.yaml

Co-authored-by: Daniel Hoherd <danielh@astronomer.io>

* update test cases

* add missing tests

---------

Co-authored-by: Rob J. Caskey <rob@rob.caskey@astronomer.io>
Co-authored-by: pgvishnuram <81585115+pgvishnuram@users.noreply.github.com>
Co-authored-by: pgvishnuram <vishnu@astronomer.io>
Co-authored-by: Daniel Hoherd <danielh@astronomer.io>
---
 templates/_helpers.yaml                       | 12 ++++++
 templates/dag-deploy/dag-deploy-role.yaml     |  2 +-
 .../dag-deploy/dag-deploy-rolebinding.yaml    |  4 +-
 .../dag-deploy/dag-server-serviceaccount.yaml |  4 +-
 .../dag-deploy/dag-server-statefulset.yaml    |  2 +-
 tests/chart/test_dag_server_serviceaccount.py | 37 ++++++++++++++++++-
 values.yaml                                   |  2 +
 7 files changed, 55 insertions(+), 8 deletions(-)

diff --git a/templates/_helpers.yaml b/templates/_helpers.yaml
index 6ca8a29c..cb65e532 100644
--- a/templates/_helpers.yaml
+++ b/templates/_helpers.yaml
@@ -164,6 +164,18 @@ proxy_cookie_domain                     off;
 proxy_redirect                          off;
 {{ end }}
 
+{{/*
+Create the name of the dag-server service account to use
+*/}}
+{{- define "astro.dagDeploy.serviceAccountName" -}}
+{{- if .Values.dagDeploy.serviceAccount.create -}}
+    {{ default (printf "%s-dag-server" (include "airflow.fullname" .)) .Values.dagDeploy.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.dagDeploy.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+
 {{/*
 Create the name of the webserver service account to use
 */}}
diff --git a/templates/dag-deploy/dag-deploy-role.yaml b/templates/dag-deploy/dag-deploy-role.yaml
index 432a89ea..2cd8177c 100644
--- a/templates/dag-deploy/dag-deploy-role.yaml
+++ b/templates/dag-deploy/dag-deploy-role.yaml
@@ -1,7 +1,7 @@
 #################################
 # dag-deploy-role
 #################################
-{{- if .Values.dagDeploy.enabled }}
+{{- if and .Values.dagDeploy.enabled .Values.dagDeploy.serviceAccount.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/templates/dag-deploy/dag-deploy-rolebinding.yaml b/templates/dag-deploy/dag-deploy-rolebinding.yaml
index 7b6de8ef..18436978 100644
--- a/templates/dag-deploy/dag-deploy-rolebinding.yaml
+++ b/templates/dag-deploy/dag-deploy-rolebinding.yaml
@@ -1,7 +1,7 @@
 #################################
 # dag-deploy-rolebinding
 #################################
-{{- if .Values.dagDeploy.enabled }}
+{{- if and .Values.dagDeploy.enabled .Values.dagDeploy.serviceAccount.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -9,7 +9,7 @@ metadata:
   name: {{ .Release.Name }}-dag-server-rolebinding
 subjects:
 - kind: ServiceAccount
-  name: {{ .Release.Name }}-dag-server
+  name: {{ template "astro.dagDeploy.serviceAccountName" . }}
   namespace: "{{ .Release.Namespace }}"
 roleRef:
   kind: Role
diff --git a/templates/dag-deploy/dag-server-serviceaccount.yaml b/templates/dag-deploy/dag-server-serviceaccount.yaml
index a2131b97..92e8ce6e 100644
--- a/templates/dag-deploy/dag-server-serviceaccount.yaml
+++ b/templates/dag-deploy/dag-server-serviceaccount.yaml
@@ -1,11 +1,11 @@
 #################################
 ## dag-server ServiceAccount   ##
 #################################
-{{- if .Values.dagDeploy.enabled }}
+{{- if and .Values.dagDeploy.enabled .Values.dagDeploy.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Release.Name }}-dag-server
+  name: {{ template "astro.dagDeploy.serviceAccountName" . }}
   labels:
     component: dag-server
     tier: airflow
diff --git a/templates/dag-deploy/dag-server-statefulset.yaml b/templates/dag-deploy/dag-server-statefulset.yaml
index f860ba13..d425e3b0 100644
--- a/templates/dag-deploy/dag-server-statefulset.yaml
+++ b/templates/dag-deploy/dag-server-statefulset.yaml
@@ -42,7 +42,7 @@ spec:
       imagePullSecrets:
         - name: {{ template "astro.registry_secret" . }}
       {{- end }}
-      serviceAccountName: {{ .Release.Name }}-dag-server
+      serviceAccountName: {{ template "astro.dagDeploy.serviceAccountName" . }}
       securityContext: {{ toYaml .Values.dagDeploy.securityContext | nindent 8 }}
       containers:
         - name: dag-server
diff --git a/tests/chart/test_dag_server_serviceaccount.py b/tests/chart/test_dag_server_serviceaccount.py
index e72a5707..f3815501 100644
--- a/tests/chart/test_dag_server_serviceaccount.py
+++ b/tests/chart/test_dag_server_serviceaccount.py
@@ -41,12 +41,45 @@ def test_dag_server_service_dag_server_annotations(self, kube_version):
         }
         docs = render_chart(
             kube_version=kube_version,
-            show_only="templates/dag-deploy/dag-server-serviceaccount.yaml",
+            show_only=["templates/dag-deploy/dag-server-serviceaccount.yaml", "templates/dag-deploy/dag-server-statefulset.yaml"],
             values=values,
         )
-        assert len(docs) == 1
+        assert len(docs) == 2
         doc = docs[0]
         assert doc["kind"] == "ServiceAccount"
         assert doc["apiVersion"] == "v1"
         assert doc["metadata"]["name"] == "release-name-dag-server"
         assert doc["metadata"]["annotations"] == annotations
+        assert "release-name-dag-server" == docs[1]["spec"]["template"]["spec"]["serviceAccountName"]
+
+    def test_dag_server_serviceaccount_overrides_defaults(self, kube_version):
+        """Test that a serviceAccount overridable with disabled creation"""
+        values = {
+            "dagDeploy": {
+                "enabled": True,
+                "serviceAccount": {"create": False},
+            }
+        }
+        docs = render_chart(
+            kube_version=kube_version,
+            show_only=["templates/dag-deploy/dag-server-serviceaccount.yaml", "templates/dag-deploy/dag-server-statefulset.yaml"],
+            values=values,
+        )
+        assert len(docs) == 1
+        assert "default" == docs[0]["spec"]["template"]["spec"]["serviceAccountName"]
+
+    def test_dag_server_serviceaccount_overrides(self, kube_version):
+        """Test that a serviceAccount overridable with disabled creation"""
+        values = {
+            "dagDeploy": {
+                "enabled": True,
+                "serviceAccount": {"create": False, "name": "dag-server"},
+            }
+        }
+        docs = render_chart(
+            kube_version=kube_version,
+            show_only=["templates/dag-deploy/dag-server-serviceaccount.yaml", "templates/dag-deploy/dag-server-statefulset.yaml"],
+            values=values,
+        )
+        assert len(docs) == 1
+        assert "dag-server" == docs[0]["spec"]["template"]["spec"]["serviceAccountName"]
diff --git a/values.yaml b/values.yaml
index ca3bd1e9..94ed9494 100644
--- a/values.yaml
+++ b/values.yaml
@@ -564,6 +564,8 @@ dagDeploy:
 
   serviceAccount:
     annotations: {}
+    name: ~
+    create: true
 
   resources: {}
   #  limits: