From cb15699c7b6c475cbf070627243a795a123a3368 Mon Sep 17 00:00:00 2001
From: mugioka
Date: Fri, 15 Apr 2022 02:07:09 +0900
Subject: [PATCH] feat: be able to create the dedicated k8s sa for pipecd server with helm chart.

Hi team, PipeCD is very good software. Currently, the default service account annotation must be edited in order to use GCP Workload Identity or AWS WebIdentity. This change should improve convenience by allowing k8s service accounts dedicated to PipeCD Server to be created from the helm chart.

Signed-off-by: mugioka
---
 manifests/pipecd/templates/deployment.yaml | 3 +++
 manifests/pipecd/templates/serviceaccount.yaml | 12 ++++++++++++
 manifests/pipecd/values.yaml | 7 +++++++
 3 files changed, 22 insertions(+)
 create mode 100644 manifests/pipecd/templates/serviceaccount.yaml

diff --git a/manifests/pipecd/templates/deployment.yaml b/manifests/pipecd/templates/deployment.yaml
index 8c3caa79f1..f4539c32c8 100644
--- a/manifests/pipecd/templates/deployment.yaml
+++ b/manifests/pipecd/templates/deployment.yaml
@@ -227,6 +227,9 @@ spec:
 {{- include "pipecd.selectorLabels" . | nindent 8 }}
 app.kubernetes.io/component: ops
 spec:
+ {{- if .Values.serviceAccount.create -}}
+ serviceAccountName: {{ include "pipecd.fullname" . }}-server
+ {{- end }}
 containers:
 {{- if .Values.cloudSQLProxy.enabled }}
 - name: cloud-sql-proxy
diff --git a/manifests/pipecd/templates/serviceaccount.yaml b/manifests/pipecd/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..d6c8f66036
--- /dev/null
+++ b/manifests/pipecd/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "pipecd.fullname" . }}-server
+ labels:
+ {{- include "pipecd.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
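Review bot: The right-trim marker in `{{- if .Values.serviceAccount.create -}}` removes the newline and indentation that follow it, so with `serviceAccount.create` true the output is `spec:serviceAccountName: …-server` on a single line, which is not a valid pod spec. Drop the trailing dash, `{{- if .Values.serviceAccount.create }}`, so `serviceAccountName` stays on its own line under `spec:`. The context line `app.kubernetes.io/component: ops` suggests this pod template belongs to the ops Deployment, while the account is named `-server` and no other pod template is touched in this patch; it is worth confirming which workloads are meant to run under the annotated identity. The enclosing Deployment starts and ends outside the hunk.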
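Review bot: The new ServiceAccount leaves `automountServiceAccountToken` unset, so pods running under it get a Kubernetes API token mounted by default, in addition to whatever cloud role the annotations bind. If the PipeCD pods that use this account do not call the Kubernetes API (not visible in this patch), add `automountServiceAccountToken: false` at the top level of the manifest or expose it as a chart value. The name is fixed to `{{ include "pipecd.fullname" . }}-server` with no name override, so the chart cannot be pointed at an existing, separately managed account. A short template comment such as `# Annotations here can bind a cloud IAM identity; every pod using this account inherits it` would help whoever reviews later values changes.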
diff --git a/manifests/pipecd/values.yaml b/manifests/pipecd/values.yaml
index c447f518be..ca71ea21b3 100644
--- a/manifests/pipecd/values.yaml
+++ b/manifests/pipecd/values.yaml
@@ -10,6 +10,13 @@ ingress:
 # kubernetes.io/ingress.allow-http: "false"
 # kubernetes.io/ingress.global-static-ip-name: pipecd
 
+# ServiceAccount
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+
 # Workloads.
 gateway:
 replicasCount: 1
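Review bot: Defaulting to `create: true` changes the pod identity of existing installs on upgrade. The commit message says operators currently annotate the default service account, and once the pod switches to the new account those annotations no longer apply, so cloud API calls may fail until the IAM binding is moved. Consider `create: false` as the default, or call the migration out in the release notes. The `annotations` comment could also show the expected keys in the same commented-example style as the ingress annotations above, for example `# iam.gke.io/gcp-service-account: <GSA_EMAIL>` and `# eks.amazonaws.com/role-arn: <ROLE_ARN>`.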