require at least 1 primary on enabled SAs

2026-06-17 15:38:49 +08:00 · 2023-02-02 16:19:32 +02:00
parent afb2d839d0
commit 0af9740539
4 changed files with 37 additions and 4 deletions
--- a/library/common-test/tests/pod/service_account_name_test.yaml
+++ b/library/common-test/tests/pod/service_account_name_test.yaml
@@ -19,6 +19,7 @@ tests:
      serviceAccount:
        sa-name1:
          enabled: true
+          primary: true
    asserts:
      - documentIndex: &cronJobDoc 1
        isKind:
@@ -55,6 +56,7 @@ tests:
      serviceAccount:
        sa-name1:
          enabled: true
+          primary: true
          targetSelectAll: true
    asserts:
      - documentIndex: &deploymentDoc 1
@@ -88,6 +90,7 @@ tests:
      serviceAccount:
        sa-name1:
          enabled: true
+          primary: true
          targetSelector:
            - workload-name1
            - workload-name2
@@ -119,6 +122,7 @@ tests:
      serviceAccount:
        sa-name1:
          enabled: true
+          primary: true
          targetSelector:
            - workload-name1
        sa-name2:
--- a/library/common-test/tests/serviceAccount/metadata_test.yaml
+++ b/library/common-test/tests/serviceAccount/metadata_test.yaml
@@ -20,6 +20,7 @@ tests:
      serviceAccount:
        my-sa1:
          enabled: true
+          primary: true
          labels:
            label1: "{{ .Values.label1 }}"
            label2: label2
--- a/library/common-test/tests/serviceAccount/validation_test.yaml
+++ b/library/common-test/tests/serviceAccount/validation_test.yaml
@@ -5,8 +5,12 @@ tests:
  - it: should fail with name longer than 63 characters
    set:
      serviceAccount:
+        my-sa:
+          enabled: true
+          primary: true
        my-service-account-super-long-name-that-is-longer-than-63-characters:
          enabled: true
+          primary: false
    asserts:
      - failedTemplate:
          errorMessage: Name [release-name-common-test-my-service-account-super-long-name-that-is-longer-than-63-characters] is not valid. Must start and end with an alphanumeric character. It can contain '-'. And must be at most 63 characters.
@@ -14,19 +18,22 @@ tests:
  - it: should fail with name starting with underscore
    set:
      serviceAccount:
-        _my-sa:
+        my-sa1:
          enabled: true
-          data:
-            foo: bar
+          primary: true
+        _my-sa2:
+          enabled: true
+          primary: false
    asserts:
      - failedTemplate:
-          errorMessage: Name [release-name-common-test-_my-sa] is not valid. Must start and end with an alphanumeric character. It can contain '-'. And must be at most 63 characters.
+          errorMessage: Name [release-name-common-test-_my-sa2] is not valid. Must start and end with an alphanumeric character. It can contain '-'. And must be at most 63 characters.

  - it: should fail with labels not a dict
    set:
      serviceAccount:
        my-sa:
          enabled: true
+          primary: true
          labels: "not a dict"
    asserts:
      - failedTemplate:
@@ -37,6 +44,7 @@ tests:
      serviceAccount:
        my-sa:
          enabled: true
+          primary: true
          annotations: "not a dict"
    asserts:
      - failedTemplate:
@@ -54,3 +62,16 @@ tests:
    asserts:
      - failedTemplate:
          errorMessage: Service Account - Only one service account can be primary
+
+  - it: should fail without any primary on enabled service accounts
+    set:
+      serviceAccount:
+        my-sa:
+          enabled: true
+          primary: false
+        my-sa2:
+          enabled: true
+          primary: false
+    asserts:
+      - failedTemplate:
+          errorMessage: Service Account - At least one enabled service account must be primary
--- a/library/common/1.0.0/templates/lib/serviceAccount/_validation.tpl
+++ b/library/common/1.0.0/templates/lib/serviceAccount/_validation.tpl
@@ -33,11 +33,13 @@ objectData:

  {{/* Initialize values */}}
  {{- $hasPrimary := false -}}
+  {{- $hasEnabled := false -}}

  {{- range $name, $serviceAccount := .Values.serviceAccount -}}

    {{/* If service account is enabled */}}
    {{- if $serviceAccount.enabled -}}
+      {{- $hasEnabled = true -}}

      {{/* And service account is primary */}}
      {{- if and (hasKey $serviceAccount "primary") ($serviceAccount.primary) -}}
@@ -54,4 +56,9 @@ objectData:
    {{- end -}}
  {{- end -}}

+  {{/* Require at least one primary service account, if any enabled */}}
+  {{- if and $hasEnabled (not $hasPrimary) -}}
+    {{- fail "Service Account - At least one enabled service account must be primary" -}}
+  {{- end -}}
+
 {{- end -}}