fix: set service account on orchestration migration jobs (#5973)

Author: bkenez

charts/camunda-platform-8.8/templates/orchestration/migration-data-job.yaml

@@ -16,6 +16,7 @@ spec:
         checksum/env-vars: {{ include (print $.Template.BasePath "/orchestration/migration-data-configmap-env-vars.yaml") . | sha256sum }}
     spec:
       restartPolicy: OnFailure
+      serviceAccountName: {{ include "orchestration.serviceAccountName" . }}
       imagePullSecrets: {{- include "orchestration.imagePullSecrets" . | nindent 8 }}
       {{- if .Values.orchestration.podSecurityContext }}
       securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.orchestration.podSecurityContext "context" $) | nindent 8 }}

charts/camunda-platform-8.8/templates/orchestration/migration-identity-job.yaml

@@ -15,6 +15,7 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/orchestration/migration-identity-configmap.yaml") . | sha256sum }}
     spec:
       restartPolicy: OnFailure
+      serviceAccountName: {{ include "orchestration.serviceAccountName" . }}
       imagePullSecrets: {{- include "orchestration.imagePullSecrets" . | nindent 8 }}
       {{- if .Values.orchestration.podSecurityContext }}
       securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.orchestration.podSecurityContext "context" $) | nindent 8 }}

charts/camunda-platform-8.8/test/unit/orchestration/golden/migration-data-job.golden.yaml

@@ -29,6 +29,7 @@ spec:
       annotations:
     spec:
       restartPolicy: OnFailure
+      serviceAccountName: camunda-platform-test-zeebe
       imagePullSecrets:
         []
       securityContext:

charts/camunda-platform-8.8/test/unit/orchestration/golden/migration-identity-job.golden.yaml

@@ -29,6 +29,7 @@ spec:
       annotations:
     spec:
       restartPolicy: OnFailure
+      serviceAccountName: camunda-platform-test-zeebe
       imagePullSecrets:
         []
       securityContext:

charts/camunda-platform-8.8/test/unit/orchestration/migration_data_job_test.go

@@ -319,3 +319,33 @@ func (s *MigrationDataJobTest) TestCustomTrustStoreConfiguration() {
 
 	testhelpers.RunTestCasesE(s.T(), s.chartPath, s.release, s.namespace, s.templates, testCases)
 }
+
+func (s *MigrationDataJobTest) TestServiceAccount() {
+	testCases := []testhelpers.TestCase{
+		{
+			Name: "TestServiceAccountDefault",
+			Values: map[string]string{
+				"orchestration.migration.data.enabled": "true",
+			},
+			Verifier: func(t *testing.T, output string, err error) {
+				var job batchv1.Job
+				helm.UnmarshalK8SYaml(s.T(), output, &job)
+				s.Require().Equal("camunda-platform-test-zeebe", job.Spec.Template.Spec.ServiceAccountName)
+			},
+		},
+		{
+			Name: "TestServiceAccountCustomName",
+			Values: map[string]string{
+				"orchestration.migration.data.enabled": "true",
+				"orchestration.serviceAccount.name":    "custom-sa",
+			},
+			Verifier: func(t *testing.T, output string, err error) {
+				var job batchv1.Job
+				helm.UnmarshalK8SYaml(s.T(), output, &job)
+				s.Require().Equal("custom-sa", job.Spec.Template.Spec.ServiceAccountName)
+			},
+		},
+	}
+
+	testhelpers.RunTestCasesE(s.T(), s.chartPath, s.release, s.namespace, s.templates, testCases)
+}

charts/camunda-platform-8.8/test/unit/orchestration/migration_identity_job_test.go

@@ -158,3 +158,35 @@ func (s *MigrationIdentityJobTest) TestDifferentValuesInputs() {
 
 	testhelpers.RunTestCasesE(s.T(), s.chartPath, s.release, s.namespace, s.templates, testCases)
 }
+
+func (s *MigrationIdentityJobTest) TestServiceAccount() {
+	testCases := []testhelpers.TestCase{
+		{
+			Name: "TestServiceAccountDefault",
+			Values: map[string]string{
+				"orchestration.migration.identity.enabled":             "true",
+				"orchestration.migration.identity.secret.inlineSecret": "very-secret-thus-plaintext",
+			},
+			Verifier: func(t *testing.T, output string, err error) {
+				var job batchv1.Job
+				helm.UnmarshalK8SYaml(s.T(), output, &job)
+				s.Require().Equal("camunda-platform-test-zeebe", job.Spec.Template.Spec.ServiceAccountName)
+			},
+		},
+		{
+			Name: "TestServiceAccountCustomName",
+			Values: map[string]string{
+				"orchestration.migration.identity.enabled":             "true",
+				"orchestration.migration.identity.secret.inlineSecret": "very-secret-thus-plaintext",
+				"orchestration.serviceAccount.name":                    "custom-sa",
+			},
+			Verifier: func(t *testing.T, output string, err error) {
+				var job batchv1.Job
+				helm.UnmarshalK8SYaml(s.T(), output, &job)
+				s.Require().Equal("custom-sa", job.Spec.Template.Spec.ServiceAccountName)
+			},
+		},
+	}
+
+	testhelpers.RunTestCasesE(s.T(), s.chartPath, s.release, s.namespace, s.templates, testCases)
+}