feat(chart): merge additional datastore service accounts with require…

…d ones (#424)
padok-team · Dec 6, 2024 · 56f62f7 · 56f62f7
1 parent cd4d884
commit 56f62f7
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/deploy/charts/burrito/templates/config.yaml b/deploy/charts/burrito/templates/config.yaml
@@ -22,10 +22,15 @@ Datastore Authorized Service Accounts
 {{- end }}
 {{- end }}
 {{- $controller := printf "%s/%s" .Release.Namespace "burrito-controllers" }}
-{{- $datastoreAuthorizedServiceAccounts = append $datastoreAuthorizedServiceAccounts $controller }}
+# check if the service account is already in the list, to prevent adding it multiple times if the config rerenders
+{{- if not (has $controller $config.datastore.serviceAccounts) }}
+  {{- $datastoreAuthorizedServiceAccounts = append $datastoreAuthorizedServiceAccounts $controller }}
+{{- end }}
 {{- $server := printf "%s/%s" .Release.Namespace "burrito-server" }}
-{{- $datastoreAuthorizedServiceAccounts = append $datastoreAuthorizedServiceAccounts $server }}
-{{- $_ := set $config.datastore "serviceAccounts" $datastoreAuthorizedServiceAccounts }}
+{{- if not (has $server $config.datastore.serviceAccounts) }}
+  {{- $datastoreAuthorizedServiceAccounts = append $datastoreAuthorizedServiceAccounts $server }}
+{{- end }}
+{{- $_ := set $config.datastore "serviceAccounts" (concat $datastoreAuthorizedServiceAccounts $config.datastore.serviceAccounts) }}
 
 {{/*
 TLS certificates

diff --git a/deploy/charts/burrito/values.yaml b/deploy/charts/burrito/values.yaml
@@ -58,7 +58,7 @@ config:
     # -- Provider cache custom configuration
     hermitcrab: {}
     datastore:
-      # -- Service account to use for datastore operations (e.g. reading/writing to storage)
+      # -- Service accounts that are allowed to access the datastore API in namespace/name format (not the service account used by the datastore pods, check datastore.serviceAccount.metadata for that)
       serviceAccounts: []
       storage:
         # -- Use in-memory storage for testing - not intended for production use, data will be lost on datastore restart
@@ -369,6 +369,7 @@ datastore:
     labels:
       app.kubernetes.io/component: datastore
       app.kubernetes.io/name: burrito-datastore
+  # -- Service account configuration for the Burrito datastore deployment. Use this to grant permission to the datastore to interact with external storage
   serviceAccount:
     metadata:
       annotations: {}