From 7204ffbcaba338d863bc7ac14ee83735fff8a854 Mon Sep 17 00:00:00 2001 From: David Sabatie Date: Wed, 6 Mar 2024 11:25:19 +0100 Subject: [PATCH] feat: allow creating or reusing an existing sa --- deploy/charts/google-cas-issuer/README.md | 14 +++++++------- .../google-cas-issuer/templates/_helpers.tpl | 11 +++++++++++ .../templates/clusterrolebinding.yaml | 2 +- .../google-cas-issuer/templates/deployment.yaml | 2 +- .../google-cas-issuer/templates/rolebinding.yaml | 2 +- .../templates/serviceaccount.yaml | 5 +++-- deploy/charts/google-cas-issuer/values.yaml | 15 ++++++++++----- 7 files changed, 34 insertions(+), 17 deletions(-) diff --git a/deploy/charts/google-cas-issuer/README.md b/deploy/charts/google-cas-issuer/README.md index f051fc159..156a7e750 100644 --- a/deploy/charts/google-cas-issuer/README.md +++ b/deploy/charts/google-cas-issuer/README.md @@ -19,7 +19,7 @@ This option decides if the CRDs should be installed as part of the Helm installa > true > ``` -This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources +This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources (Certificates, Issuers, ...) will be removed too by the garbage collector. #### **replicaCount** ~ `number` > Default value: @@ -151,7 +151,7 @@ Optional additional labels to add to the google-cas-issuer Pods > {} > ``` -Kubernetes pod resource requests/limits for google-cas-issuer. +Kubernetes pod resource requests/limits for google-cas-issuer. For example: ```yaml 
@@ -168,7 +168,7 @@ requests: > {} > ``` -Kubernetes node selector: node labels for pod assignment +Kubernetes node selector: node labels for pod assignment For example: ```yaml @@ -180,7 +180,7 @@ kubernetes.io/os: linux > {} > ``` -Kubernetes affinity: constraints for pod assignment +Kubernetes affinity: constraints for pod assignment For example: ```yaml @@ -199,8 +199,8 @@ nodeAffinity: > [] > ``` -Kubernetes pod tolerations for google-cas-issuer -For example: +Kubernetes pod tolerations for google-cas-issuer +For example: - operator: "Exists" #### **priorityClassName** ~ `string` > Default value: @@ -210,4 +210,4 @@ For example: Optional priority class to be used for the google-cas-issuer pods. - \ No newline at end of file + diff --git a/deploy/charts/google-cas-issuer/templates/_helpers.tpl b/deploy/charts/google-cas-issuer/templates/_helpers.tpl index 54d0a44dc..9bb2a46be 100644 --- a/deploy/charts/google-cas-issuer/templates/_helpers.tpl +++ b/deploy/charts/google-cas-issuer/templates/_helpers.tpl @@ -42,3 +42,14 @@ See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linke {{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}} {{- end }} {{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cert-manager-google-cas-issuer.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "cert-manager-google-cas-issuer.name" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/deploy/charts/google-cas-issuer/templates/clusterrolebinding.yaml b/deploy/charts/google-cas-issuer/templates/clusterrolebinding.yaml index 59cb20e78..c01c77b78 100644 --- a/deploy/charts/google-cas-issuer/templates/clusterrolebinding.yaml +++ b/deploy/charts/google-cas-issuer/templates/clusterrolebinding.yaml 
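Review bot: In the `else` branch of `cert-manager-google-cas-issuer.serviceAccountName`, `default "default" .Values.serviceAccount.name` silently resolves to the namespace's `default` ServiceAccount when `serviceAccount.create` is false and no name is set. The clusterrolebinding.yaml and rolebinding.yaml hunks now take their subject from this helper, so that configuration binds the chart's Role and ClusterRole to `default`. Any pod in the release namespace that does not set its own service account would then inherit the issuer's permissions. Failing the render is safer than falling back: `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`. If the fallback is kept to match the usual Helm scaffold, the two bindings should at least be skipped when the resolved name is `default`.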
@@ -10,7 +10,7 @@ roleRef: name: {{ include "cert-manager-google-cas-issuer.name" . }} subjects: - kind: ServiceAccount - name: {{ include "cert-manager-google-cas-issuer.name" . }} + name: {{ include "cert-manager-google-cas-issuer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} --- {{- if .Values.app.approval.enabled }} diff --git a/deploy/charts/google-cas-issuer/templates/deployment.yaml b/deploy/charts/google-cas-issuer/templates/deployment.yaml index 9b81668be..71148dd18 100644 --- a/deploy/charts/google-cas-issuer/templates/deployment.yaml +++ b/deploy/charts/google-cas-issuer/templates/deployment.yaml @@ -31,7 +31,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "cert-manager-google-cas-issuer.name" . }} + serviceAccountName: {{ include "cert-manager-google-cas-issuer.serviceAccountName" . }} {{- with .Values.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} diff --git a/deploy/charts/google-cas-issuer/templates/rolebinding.yaml b/deploy/charts/google-cas-issuer/templates/rolebinding.yaml index 278fdf944..b138b6a31 100644 --- a/deploy/charts/google-cas-issuer/templates/rolebinding.yaml +++ b/deploy/charts/google-cas-issuer/templates/rolebinding.yaml @@ -11,5 +11,5 @@ roleRef: name: {{ include "cert-manager-google-cas-issuer.name" . }} subjects: - kind: ServiceAccount - name: {{ include "cert-manager-google-cas-issuer.name" . }} + name: {{ include "cert-manager-google-cas-issuer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} diff --git a/deploy/charts/google-cas-issuer/templates/serviceaccount.yaml b/deploy/charts/google-cas-issuer/templates/serviceaccount.yaml index 7981d331f..89d9db0f6 100644 --- a/deploy/charts/google-cas-issuer/templates/serviceaccount.yaml +++ b/deploy/charts/google-cas-issuer/templates/serviceaccount.yaml 
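Review bot: The subject `name` in this hunk is now rendered from a user-supplied value without quoting. The same applies to `serviceAccountName` in the deployment.yaml hunk, the subject in the rolebinding.yaml hunk and `metadata.name` in serviceaccount.yaml. A `serviceAccount.name` that YAML reads as a number or boolean (an all-digit name, for example) renders as a non-string, so the manifest is rejected at install time rather than at render time. The deployment template already pipes `priorityClassName` through `quote`, and doing the same here keeps the value a string: `name: {{ include "cert-manager-google-cas-issuer.serviceAccountName" . | quote }}`.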
@@ -1,9 +1,10 @@ +{{ if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "cert-manager-google-cas-issuer.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "cert-manager-google-cas-issuer.serviceAccountName" . }} labels: {{ include "cert-manager-google-cas-issuer.labels" . | indent 4 }} annotations: {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} +{{- end }} diff --git a/deploy/charts/google-cas-issuer/values.yaml b/deploy/charts/google-cas-issuer/values.yaml index d14605ec9..bbf2dcc7b 100644 --- a/deploy/charts/google-cas-issuer/values.yaml +++ b/deploy/charts/google-cas-issuer/values.yaml @@ -37,11 +37,16 @@ imagePullSecrets: [] commonLabels: {} serviceAccount: - # Optional annotations to add to the service account + # -- Specifies whether a service account should be created + create: true + # -- The name used to create the service account or the name of an existing service account to use if not creating one. + # if create is false, this name is required or the default service account will be used. + name: "" + # -- Optional annotations to add to the service account annotations: {} app: - # Verbosity of google-cas-issuer logging. + # -- Verbosity of google-cas-issuer logging. logLevel: 1 # 1-5 # Handle RBAC permissions for approving Google CAS issuer @@ -62,9 +67,9 @@ app: # name: cert-manager-approver-policy # namespace: cert-manager subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager + - kind: ServiceAccount + name: cert-manager + namespace: cert-manager # metrics controls exposing google-cas-issuer metrics. metrics:
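Review bot: The new `metadata` block drops `namespace: {{ .Release.Namespace }}`, which is unrelated to the create/reuse feature, while the RoleBinding and ClusterRoleBinding subjects still name `{{ .Release.Namespace }}` explicitly. A plain `helm install` gives the same result, but if the chart is rendered with `helm template` and applied to a different namespace, the ServiceAccount lands in one namespace and the bindings point at another. The issuer then runs without its permissions, and a same-named account in the release namespace, if one exists, holds them instead. I would keep the line: `namespace: {{ .Release.Namespace }}`.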
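Review bot: The comment on `serviceAccount.name` calls the value "required" and in the same sentence says the `default` account is used when it is missing, and it does not say what reusing an account implies. With `create: false` the chart still binds its Role and ClusterRole to the named account (see the rolebinding.yaml and clusterrolebinding.yaml hunks), and `annotations` is ignored because serviceaccount.yaml is not rendered at all. I would word it as `# -- Name of the service account. With create: false this must be an existing account in the release namespace; the chart binds its Role and ClusterRole to it, and the annotations below are not applied.` The README hunks in this patch appear to change only whitespace, so `serviceAccount.create` and `serviceAccount.name` look undocumented there.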