35 lines
1.5 KiB
YAML
35 lines
1.5 KiB
YAML
# this is a carbon copy of the regular serviceAccount object which is only used to run pre-deploy jobs
|
|
# upon first install of the chart. it will be deleted by Helm after the pre-deploy hooks run, then the
|
|
# regular serviceAccount is created with the same name and exists for the lifetime of the release.
|
|
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
|
|
{{- if $auth.validateConfigOnDeploy }}
|
|
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
|
|
{{- if $auth.serviceAccount.create }}
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: {{ template "teleport-cluster.auth.hookServiceAccountName" . }}
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{- include "teleport-cluster.auth.labels" . | nindent 4 }}
|
|
{{- if $auth.extraLabels.serviceAccount }}
|
|
{{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }}
|
|
{{- end }}
|
|
annotations:
|
|
"helm.sh/hook": pre-install,pre-upgrade
|
|
"helm.sh/hook-weight": "3"
|
|
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
|
{{- if or $auth.annotations.serviceAccount $auth.azure.clientID }}
|
|
{{- if $auth.annotations.serviceAccount }}
|
|
{{- toYaml $auth.annotations.serviceAccount | nindent 4 }}
|
|
{{- end }}
|
|
{{- if $auth.azure.clientID }}
|
|
azure.workload.identity/client-id: "{{ $auth.azure.clientID }}"
|
|
{{- end }}
|
|
{{- end -}}
|
|
{{- if $projectedServiceAccountToken }}
|
|
automountServiceAccountToken: false
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|