From 00db956ef02821a16bd9f6e62ddad10594244cdd Mon Sep 17 00:00:00 2001 From: Nick Andreano Date: Mon, 16 Feb 2026 12:15:09 -0500 Subject: [PATCH 1/7] Removed repository value --- charts/iap/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/iap/values.yaml b/charts/iap/values.yaml index 0e3d943..ef8e7ce 100644 --- a/charts/iap/values.yaml +++ b/charts/iap/values.yaml @@ -87,7 +87,8 @@ external-dns: # The image name will depend on the entitlement that has been granted. image: # -- The image repository - repository: 497639811223.dkr.ecr.us-east-2.amazonaws.com/itential-platform-ecm-gm + # -- Contact Itential to get the correct image repository for your entitlement. + repository: # -- The image pull policy pullPolicy: IfNotPresent # -- The image tag From 514b6361c3c834eea60ef87182df4af49aba563f Mon Sep 17 00:00:00 2001 From: Nick Andreano Date: Mon, 2 Mar 2026 15:47:27 -0500 Subject: [PATCH 2/7] removed serviceAccoutnName --- charts/iap/Chart.yaml | 2 +- charts/iap/templates/_helpers.tpl | 11 ----------- charts/iap/templates/statefulset.yaml | 1 - charts/iap/values.yaml | 7 ++----- 4 files changed, 3 insertions(+), 18 deletions(-) diff --git a/charts/iap/Chart.yaml b/charts/iap/Chart.yaml index a997ee9..6bca383 100644 --- a/charts/iap/Chart.yaml +++ b/charts/iap/Chart.yaml @@ -10,7 +10,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.9.0 +version: 1.9.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/iap/templates/_helpers.tpl b/charts/iap/templates/_helpers.tpl index f2aed98..7d9b8f9 100644 --- a/charts/iap/templates/_helpers.tpl 
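Review bot: `repository:` with no value parses as YAML null rather than an empty string, so a release installed without overriding `image.repository` renders a mangled image reference (typically `<nil>:<tag>`) and fails at image pull time instead of at template time. Prefer `repository: ""` (yamllint's `empty-values` would flag the bare key) and, in the template that consumes it, `{{ required "image.repository must be set; contact Itential for the repository matching your entitlement" .Values.image.repository }}` so that `helm install` and `helm template` stop with a clear message. The template that reads this value is outside the hunk, so whether it already guards the value cannot be confirmed here.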
+++ b/charts/iap/templates/_helpers.tpl @@ -52,17 +52,6 @@ app.kubernetes.io/name: {{ include "iap.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} -{{/* -Create the name of the service account to use -*/}} -{{- define "iap.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "iap.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - {{/* Common annotations. */}} diff --git a/charts/iap/templates/statefulset.yaml b/charts/iap/templates/statefulset.yaml index a41ad9d..b747206 100644 --- a/charts/iap/templates/statefulset.yaml +++ b/charts/iap/templates/statefulset.yaml @@ -41,7 +41,6 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: "" securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- with .Values.hostAliases }} diff --git a/charts/iap/values.yaml b/charts/iap/values.yaml index ef8e7ce..81361af 100644 --- a/charts/iap/values.yaml +++ b/charts/iap/values.yaml @@ -97,9 +97,6 @@ image: # -- The secrets object used to pull the image from the repo imagePullSecrets: [] -serviceAccount: - name: - # The issuer to be used if using cert-manager to generate the TLS certificates issuer: # -- Toggle to use the issuer object or not @@ -199,7 +196,7 @@ ingress: # -- The name of this Kubernetes ingress object name: "iap-ingress" # -- The ingress controller class name - className: "alb" + className: "alb" # Change to blank more comments describing options # -- The ingress controller path type pathType: Prefix # Load balancer configuration 
@@ -452,7 +449,7 @@ env: # ITENTIAL_MONGO_URL: "" # -- Instruct the MongoDB driver to use TLS protocols when connecting to the database. - ITENTIAL_MONGO_TLS_ENABLED: "false" + ITENTIAL_MONGO_TLS_ENABLED: "false" # should be true by deafult # -- If true, disables the validation checks for TLS certificates on other servers in the cluster # and allows the use of invalid or self-signed certificates to connect. From 72c3eb665afe1309e43693076b6c18176ea24bf0 Mon Sep 17 00:00:00 2001 From: Nick Andreano Date: Mon, 2 Mar 2026 15:48:33 -0500 Subject: [PATCH 3/7] updated test --- charts/iap/tests/test-values.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/charts/iap/tests/test-values.yaml b/charts/iap/tests/test-values.yaml index 69a5c83..794fed8 100644 --- a/charts/iap/tests/test-values.yaml +++ b/charts/iap/tests/test-values.yaml @@ -42,9 +42,6 @@ image: # -- The secrets object used to pull the image from the repo imagePullSecrets: [] -serviceAccount: - name: - # The issuer to be used if using cert-manager to generate the TLS certificates issuer: # -- Toggle to use the issuer object or not From d1d6e23f147caf8399aaec0ad262e786c16d8966 Mon Sep 17 00:00:00 2001 From: Nick Andreano Date: Tue, 3 Mar 2026 11:27:28 -0500 Subject: [PATCH 4/7] updated values --- charts/iap/values.yaml | 34 +++++++++++++--------------------- 1 file changed, 13 insertions(+), 21 deletions(-) diff --git a/charts/iap/values.yaml b/charts/iap/values.yaml index 81361af..71c252d 100644 --- a/charts/iap/values.yaml +++ b/charts/iap/values.yaml 
@@ -193,10 +193,19 @@ service: ingress: # -- The ingress object can be disabled and will not be created with this set to false enabled: true - # -- The name of this Kubernetes ingress object + # -- The name of this Kubernetes ingress object. name: "iap-ingress" - # -- The ingress controller class name - className: "alb" # Change to blank more comments describing options + # -- The ingress controller class name. Common options: + # -- alb - AWS Application Load Balancer (AWS Load Balancer Controller) + # -- nginx - ingress-nginx (self-hosted, most common) + # -- traefik - Traefik ingress controller + # -- gce - Google Cloud GKE HTTP(S) Load Balancer + # -- azure/application-gateway - Azure Application Gateway Ingress Controller (AGIC) + # -- haproxy - HAProxy ingress controller + # -- istio - Istio Gateway (service mesh) + # -- kong - Kong ingress controller + # -- contour - Contour (Envoy-based) ingress controller + className: "" # -- The ingress controller path type pathType: Prefix # Load balancer configuration 
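Review bot: `className: ""` is not equivalent to leaving the field unset if the ingress template renders `ingressClassName: {{ .Values.ingress.className }}` unconditionally: the API server applies the cluster's default IngressClass only when `ingressClassName` is absent, and an empty string does not pass the field's DNS-subdomain validation, so the Ingress would be rejected rather than defaulted. The template is outside this hunk, so confirm it guards the field, e.g. `{{- with .Values.ingress.className }}` / `ingressClassName: {{ . | quote }}` / `{{- end }}`; otherwise the comment added in PATCH 5 ("If left empty, the cluster's default IngressClass ... will be used") promises behaviour the chart does not deliver. If the template is changed, a unit test asserting that `spec.ingressClassName` is absent for the default values would pin it.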
@@ -224,23 +233,6 @@ ingress: # -- The annotations for this ingress object. These are passed into the template as is and will # render as you see here. Itential leveraged AWS ALB but others should work. annotations: - alb.ingress.kubernetes.io/backend-protocol: "HTTPS" - alb.ingress.kubernetes.io/healthcheck-path: "/health/status" - alb.ingress.kubernetes.io/healthcheck-port: "3443" - alb.ingress.kubernetes.io/healthcheck-protocol: "HTTPS" - alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15" - alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5" - alb.ingress.kubernetes.io/healthy-threshold-count: "2" - # Include port 8080 if using Gateway Manager with IAG5, otherwise remove it - alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443},{"HTTPS": 8080}]' - alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=60 - alb.ingress.kubernetes.io/load-balancer-name: "itential-iap-lb" - alb.ingress.kubernetes.io/scheme: "internet-facing" - alb.ingress.kubernetes.io/success-codes: "200" - alb.ingress.kubernetes.io/target-type: "ip" - alb.ingress.kubernetes.io/unhealthy-threshold-count: "2" - alb.ingress.kubernetes.io/websocket-paths: "/ws" - alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=3600 # TLS is terminated at the statefulset pod by design. tls: [] @@ -449,7 +441,7 @@ env: # ITENTIAL_MONGO_URL: "" # -- Instruct the MongoDB driver to use TLS protocols when connecting to the database. - ITENTIAL_MONGO_TLS_ENABLED: "false" # should be true by deafult + ITENTIAL_MONGO_TLS_ENABLED: "true" # -- If true, disables the validation checks for TLS certificates on other servers in the cluster # and allows the use of invalid or self-signed certificates to connect. From e3bf9157dd72bef55cdf0389e8cb309d5f4a466d Mon Sep 17 00:00:00 2001 
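Review bot: Defaulting `ITENTIAL_MONGO_TLS_ENABLED` to `"true"` is the right direction, but TLS only authenticates the database if the companion setting described by the trailing context comment (the one that "disables the validation checks for TLS certificates") keeps a default of `"false"`; its key and value lie just outside this hunk, so confirm it was not flipped alongside this change, and consider stating in its comment that disabling validation leaves the connection encrypted but unauthenticated and is for lab use only. With `"true"` now the default, existing deployments whose MongoDB does not serve TLS will fail to connect on upgrade; the only chart version bump in this series is the patch-level `1.9.0` → `1.9.1` in PATCH 2, which predates this change and understates it, so a changelog or README upgrade note for this default would help operators.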
From: Nick Andreano Date: Tue, 3 Mar 2026 12:13:08 -0500 Subject: [PATCH 5/7] updated values --- charts/iap/values.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/charts/iap/values.yaml b/charts/iap/values.yaml index 71c252d..7d34886 100644 --- a/charts/iap/values.yaml +++ b/charts/iap/values.yaml @@ -195,16 +195,15 @@ ingress: enabled: true # -- The name of this Kubernetes ingress object. name: "iap-ingress" - # -- The ingress controller class name. Common options: + # -- The ingress controller class name tells Kubernetes which ingress controller should + # -- handle this ingress object. If left empty, the cluster's default IngressClass + # -- (if configured) will be used. + # -- Common options # -- alb - AWS Application Load Balancer (AWS Load Balancer Controller) # -- nginx - ingress-nginx (self-hosted, most common) - # -- traefik - Traefik ingress controller # -- gce - Google Cloud GKE HTTP(S) Load Balancer # -- azure/application-gateway - Azure Application Gateway Ingress Controller (AGIC) # -- haproxy - HAProxy ingress controller - # -- istio - Istio Gateway (service mesh) - # -- kong - Kong ingress controller - # -- contour - Contour (Envoy-based) ingress controller className: "" # -- The ingress controller path type pathType: Prefix From 950dc40f3325d41a2348c3416d4d8ffed8748e33 Mon Sep 17 00:00:00 2001 From: Nick Andreano Date: Tue, 3 Mar 2026 13:27:28 -0500 Subject: [PATCH 6/7] removed nginx --- charts/iap/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/iap/values.yaml b/charts/iap/values.yaml index 7d34886..b8ef1ea 100644 --- a/charts/iap/values.yaml +++ b/charts/iap/values.yaml 
@@ -200,7 +200,6 @@ ingress: # -- (if configured) will be used. # -- Common options # -- alb - AWS Application Load Balancer (AWS Load Balancer Controller) - # -- nginx - ingress-nginx (self-hosted, most common) # -- gce - Google Cloud GKE HTTP(S) Load Balancer # -- azure/application-gateway - Azure Application Gateway Ingress Controller (AGIC) # -- haproxy - HAProxy ingress controller From c772fd4219050c49b85c9a13bf4a9a094b6e3d2f Mon Sep 17 00:00:00 2001 From: Nick Andreano Date: Fri, 6 Mar 2026 11:53:59 -0500 Subject: [PATCH 7/7] added serviceAccount.Name --- README.md | 1 + charts/iap/templates/statefulset.yaml | 1 + charts/iap/tests/statefulset_test.yaml | 49 ++++++++++++++++++++++++++ charts/iap/values.yaml | 6 ++++ 4 files changed, 57 insertions(+) diff --git a/README.md b/README.md index eb5bb20..5bf1b6c 100644 --- a/README.md +++ b/README.md @@ -191,6 +191,7 @@ understand. | processExporter.port | int | `9256` | Process exporter metrics port | | replicaCount | int | `2` | The number of pods to start | | securityContext | object | `{}` | Additional security context | +| serviceAccount.name | string | `""` | The name of the service account to assign to the StatefulSet pods. When set, the pod will use this service account for RBAC and IAM role bindings (e.g. IRSA on AWS). When left empty, Kubernetes will use the default service account in the namespace. | | service.name | string | `"iap-service"` | The name of this Kubernetes service object. | | service.port | int | `443` | The port that this service object is listening on. | | service.type | string | `"ClusterIP"` | The service type. | diff --git a/charts/iap/templates/statefulset.yaml b/charts/iap/templates/statefulset.yaml index b747206..0e2195a 100644 --- a/charts/iap/templates/statefulset.yaml +++ b/charts/iap/templates/statefulset.yaml 
@@ -41,6 +41,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + serviceAccountName: {{ .Values.serviceAccount.name | default "" | quote }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- with .Values.hostAliases }} diff --git a/charts/iap/tests/statefulset_test.yaml b/charts/iap/tests/statefulset_test.yaml index 4296394..c927326 100644 --- a/charts/iap/tests/statefulset_test.yaml +++ b/charts/iap/tests/statefulset_test.yaml @@ -1034,6 +1034,55 @@ tests: path: spec.template.spec.initContainers[0].args[1] pattern: '.*BRANCHES=\(\s+\).*' + # Service Account Tests + - it: should default serviceAccountName to empty string + set: + statefulset.enabled: true + replicaCount: 1 + image: + repository: "test/app" + tag: "v1.0.0" + pullPolicy: "IfNotPresent" + service: + port: 80 + applicationPort: 8080 + useTLS: false + podSecurityContext: {} + securityContext: {} + persistentVolumeClaims: + enabled: false + processExporter: + enabled: false + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: "" + + - it: should set serviceAccountName when serviceAccount.name is provided + set: + statefulset.enabled: true + replicaCount: 1 + image: + repository: "test/app" + tag: "v1.0.0" + pullPolicy: "IfNotPresent" + service: + port: 80 + applicationPort: 8080 + useTLS: false + podSecurityContext: {} + securityContext: {} + persistentVolumeClaims: + enabled: false + processExporter: + enabled: false + serviceAccount: + name: "my-service-account" + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: "my-service-account" + # Additional TLS Secrets Integration Tests - it: should handle additionalTLSSecrets in StatefulSet set: diff --git a/charts/iap/values.yaml b/charts/iap/values.yaml index b8ef1ea..0fc9e4c 100644 --- a/charts/iap/values.yaml +++ b/charts/iap/values.yaml 
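Review bot: Pods rendered with an empty `serviceAccount.name` run as the namespace `default` service account with its API token automounted, because nothing in the visible pod spec sets `automountServiceAccountToken` (`serviceAccountName: ""` and an omitted field are treated alike by Kubernetes, so the `default ""` only changes what is printed). Consider omitting the field when unset and exposing the automount switch as a new, documented value so that deployments whose pods need no API access receive no credential; the proposal below uses a constructed value name `serviceAccount.automountToken` as a placeholder. Note also that `.Values.serviceAccount.name` raises a nil-pointer template error if a user overrides `serviceAccount: null`, which `default ""` does not guard; `{{ (.Values.serviceAccount | default dict).name }}` would. The enclosing pod spec continues outside the hunk.
```yaml
      {{- with (.Values.serviceAccount | default dict).name }}
      serviceAccountName: {{ . | quote }}
      {{- end }}
      automountServiceAccountToken: {{ (.Values.serviceAccount | default dict).automountToken | default false }}
      securityContext:
      # … unchanged: podSecurityContext, hostAliases …
```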
@@ -97,6 +97,12 @@ image: # -- The secrets object used to pull the image from the repo imagePullSecrets: [] +serviceAccount: + # -- The name of the service account to assign to the StatefulSet pods. + # -- When set, the pod will use this service account for RBAC and IAM role bindings (e.g. IRSA on AWS). + # -- When left empty, Kubernetes will use the default service account in the namespace. + name: "" + # The issuer to be used if using cert-manager to generate the TLS certificates issuer: # -- Toggle to use the issuer object or not
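Review bot: The comment says an empty name falls back to the namespace default account but does not say that the chart no longer creates a service account at all: PATCH 2 deleted the `iap.serviceAccountName` helper together with `serviceAccount.create`, and this series adds no ServiceAccount template (the PATCH 7 diffstat lists only the README, the statefulset template, its test and values.yaml). A user who sets `serviceAccount.name` therefore has to create the account and any role bindings beforehand, otherwise pod creation fails with a serviceaccount-not-found error from the StatefulSet controller. Add `# -- The account must already exist in the release namespace; this chart does not create ServiceAccount or RBAC objects.` above `name: ""`, and mirror it in the README row added in this patch.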