# this is a carbon copy of the regular serviceAccount object which is only used to run pre-deploy jobs
# upon first install of the chart. it will be deleted by Helm after the pre-deploy hooks run, then the
# regular serviceAccount is created with the same name and exists for the lifetime of the release.
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- if $proxy.validateConfigOnDeploy }}
{{- if $proxy.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "teleport-cluster.proxy.hookServiceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
    {{- if $proxy.extraLabels.serviceAccount }}
    {{- toYaml $proxy.extraLabels.serviceAccount | nindent 4 }}
    {{- end }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "3"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- if $proxy.annotations.serviceAccount }}
  {{- toYaml $proxy.annotations.serviceAccount | nindent 4 }}
{{- end -}}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
{{- end }}
{{- end }}