evertrust · antoninguyot · May 13, 2025 · May 13, 2025 · May 13, 2025 · Copilot
@@ -75,3 +75,16 @@ Prints true if an upgrade job should run, false if not.
     {{- end }}
 {{- end }}
 {{- end }}
+
+{{/*
+Returns the proper service account name depending if an explicit service account name is set
+in the values file. If the name is not set it will default to either stream.fullname if serviceAccount.create
+is true or default otherwise.
+*/}}
+{{- define "stream.serviceAccountName" -}}
+    {{- if .Values.serviceAccount.create -}}
+        {{- default (include "common.names.fullname" .) (print .Values.serviceAccount.name) -}}
+    {{- else -}}
+        {{- default "default" (print .Values.serviceAccount.name) -}}
-        {{- default (include "common.names.fullname" .) (print .Values.serviceAccount.name) -}}
-    {{- else -}}
-        {{- default "default" (print .Values.serviceAccount.name) -}}
+        {{- default (include "common.names.fullname" .) .Values.serviceAccount.name -}}
+    {{- else -}}
+        {{- default "default" .Values.serviceAccount.name -}}
-        {{- default (include "common.names.fullname" .) (print .Values.serviceAccount.name) -}}
-    {{- else -}}
-        {{- default "default" (print .Values.serviceAccount.name) -}}
+        {{- default (include "common.names.fullname" .) .Values.serviceAccount.name -}}
+    {{- else -}}
+        {{- default "default" .Values.serviceAccount.name -}}
+    {{- end -}}
+{{- end -}}
@@ -64,6 +64,8 @@ spec:
           {{- end }}
           {{- end }}
         spec:
+          serviceAccountName: {{ template "stream.serviceAccountName" . }}
+          automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
           containers:
           - name: backup
             image: {{ include "common.images.image" (dict "imageRoot" .Values.backup.image) }}

@@ -31,6 +31,8 @@ spec:
         {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
         {{- end }}
     spec:
+      serviceAccountName: {{ template "stream.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
       {{- if .Values.hostAliases }}
       hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
       {{- end }}

@@ -1,4 +1,4 @@
-{{ if .Values.rbac.create }}
+{{ if and .Values.serviceAccount.create .Values.rbac.create }}
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -14,7 +14,7 @@ metadata:
   name: {{ template "common.names.fullname" . }}-lease-updater
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: {{ template "stream.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
@@ -36,7 +36,7 @@ metadata:
   name: {{ template "common.names.fullname" . }}-pod-reader
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: {{ template "stream.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role

@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "stream.serviceAccountName" . }}
+  labels: {{- include "stream.labels.standard" . | nindent 4 }}
+  {{- if .Values.commonLabels }}
+  {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
@@ -7,6 +7,8 @@ spec:
   template:
     spec:
       {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.upgrade.image) "context" $) | nindent 6 }}
+      serviceAccountName: {{ template "stream.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
       containers:
         - name: stream-upgrade
           image: {{ include "common.images.image" (dict "imageRoot" .Values.upgrade.image "global" .Values.global) }}

@@ -474,6 +474,24 @@ tls:
 rbac:
   create: true
 
+## Stream pods ServiceAccount
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+  ## @param serviceAccount.create Enable the creation of a ServiceAccount for Horizon pods
+  ##
+  create: true
+  ## @param serviceAccount.name Name of the created ServiceAccount
+  ## If not set and create is true, a name is generated using the horizon.fullname template
+  ##
+  name: ""
+  ## @param serviceAccount.annotations Annotations for Horizon Service Account
+  ##
+  annotations: {}
+  ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
+  ##
+  automountServiceAccountToken: true
+
 ## @param leases.enabled Whether leases should be used when launching multiple replicas of Stream pods. This requires the leases.akka.io CRD to be installed.
 leases:
   enabled: true
@@ -665,7 +683,6 @@ backup:
   ## @param envFrom [array] Extra env vars passed to the backup pods
   envFrom: []
 
-
 ## @param extraObjects [array] Create a dynamic manifests via values:
 extraObjects:
   []