Istio service mesh uses Kubernetes ServiceAccounts to determine workload identities, and identities are crucial for some advanced features like the mesh authorization policy (defining which services are allowed to communicate with each other). Using the default SA makes implementing such features impossible for KeyDB deployments.
The current version of the chart already provides the serviceAccountName macro in the template helpers but no corresponding manifest code.
This PR adds generation of a dedicated SA (or reusing an existing SA if specified) and setting it in the StatefulSet template. This is a breaking change if enabled so upgrade notes are added regarding this feature. The dedicated SA is disabled by default so the new release is fully backward compatible.
Following up #48
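To illustrate the identity point in the description, here is an added example (not part of this PR or the chart) of an Istio AuthorizationPolicy keyed to a dedicated ServiceAccount. The namespaces, ServiceAccount names, pod label and the `cluster.local` trust domain are assumptions chosen for illustration; 6379 is KeyDB's default port.

```yaml
# Added example. All names, namespaces and labels are assumptions,
# not values taken from the chart.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: keydb-allow-known-identities   # hypothetical policy name
  namespace: data                      # assumed namespace of the KeyDB release
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: keydb    # assumed label on the KeyDB pods
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              # Identity of the KeyDB pods themselves once they run under a
              # dedicated ServiceAccount named "keydb" (for traffic between
              # KeyDB pods, if the deployment uses it).
              - cluster.local/ns/data/sa/keydb
              # One assumed client workload with its own ServiceAccount.
              - cluster.local/ns/shop/sa/cart-api
      to:
        - operation:
            ports: ["6379"]
# With the default ServiceAccount the first principal would have to be
#   cluster.local/ns/data/sa/default
# which is shared by every pod in "data" that sets no serviceAccountName,
# so the rule could not single out KeyDB.
```

Principal matching in `source.principals` relies on mutual TLS between the sidecars, so the policy only distinguishes workloads when mTLS is in effect for this traffic.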