# this is a carbon copy of the regular serviceAccount object which is only used to run pre-deploy jobs
# upon first install of the chart. it will be deleted by Helm after the pre-deploy hooks run, then the
# regular serviceAccount is created with the same name and exists for the lifetime of the release.
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.validateConfigOnDeploy }}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- if $auth.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "teleport-cluster.auth.hookServiceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
    {{- if $auth.extraLabels.serviceAccount }}
    {{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }}
    {{- end }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "3"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  {{- if or $auth.annotations.serviceAccount $auth.azure.clientID }}
    {{- if $auth.annotations.serviceAccount }}
      {{- toYaml $auth.annotations.serviceAccount | nindent 4 }}
    {{- end }}
    {{- if $auth.azure.clientID }}
    azure.workload.identity/client-id: "{{ $auth.azure.clientID }}"
    {{- end }}
  {{- end -}}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
{{- end }}
{{- end }}