feat: be able to create the dedicated k8s sa for pipecd server with h…

…elm chart.

Hi team, PipeCD is very good software.
Currently, the default service account annotation must be edited in order to use GCP Workload Identity or AWS WebIdentity.
This change should improve convenience by allowing k8s service accounts dedicated to PipeCD Server to be created from the helm chart.

Signed-off-by: mugioka <[email protected]>

manifests/pipecd/templates/deployment.yaml

@@ -227,6 +227,9 @@ spec:
         {{- include "pipecd.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: ops
     spec:
+      {{- if .Values.serviceAccount.create -}}
+      serviceAccountName: {{ include "pipecd.fullname" . }}-server
+      {{- end }}
       containers:
 {{- if .Values.cloudSQLProxy.enabled }}
         - name: cloud-sql-proxy

manifests/pipecd/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "pipecd.fullname" . }}-server
+  labels:
+    {{- include "pipecd.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

manifests/pipecd/values.yaml

@@ -10,6 +10,13 @@ ingress:
     # kubernetes.io/ingress.allow-http: "false"
     # kubernetes.io/ingress.global-static-ip-name: pipecd
 
+# ServiceAccount
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+
 # Workloads.
 gateway:
   replicasCount: 1