pingidentity / helm-charts

Apache License 2.0

Use existing service account for rbac doesn't work #269

Closed dounix closed 2 years ago

dounix commented 2 years ago

The documentation in the helm-chart values states you can use an existing account with RBAC

https://github.com/pingidentity/helm-charts/blob/master/charts/ping-devops/values.yaml#L217

> "account named based on the Helm installation and the specific workload being deployed. If generateServiceAccount and generateGlobalServiceAccount are false, this value can also refer to a service account created outside of Helm."

Attempting this will result in the pod spec for the security account being "default"

Looking at the logic in the template, the documentation in values.yaml doesn't seem correct.

https://github.com/pingidentity/helm-charts/blob/master/charts/ping-devops/templates/pinglib/_workload.tpl#L66

```gotemplate
spec:
      ...
      {{- if and (or $top.Values.global.rbac.generateGlobalServiceAccount $v.rbac.generateServiceAccount) $v.rbac.applyServiceAccountToWorkload }}
      serviceAccountName: {{ include "pinglib.rbac.service-account-name" (append . $v.rbac.serviceAccountName) }}
      {{/* Always set a service account for this workload yaml if Vault is enabled. */}}
      {{- else if $v.vault.enabled }}
      serviceAccountName: {{ include "pinglib.rbac.service-account-name" (append . $v.vault.hashicorp.annotations.serviceAccountName) }}
      {{- end }}
```

One of the generate options, generateGlobalServiceAccount or generateServiceAccount, would need to be set, precluding the use of an existing account.

Here is one potential way to fix it, adding an existingServiceAccount bool.

https://github.com/pingidentity/helm-charts/commit/d7746aebc6c9c0c5effd5a1816670e181cbb707d
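As an added illustration of the shape of fix the issue describes (this is not the chart's own template, nor the change shipped in the linked commit or in 0.9.4), the snippet below shows how the workload template could honour an account created outside Helm. The `rbac.existingServiceAccount` key is an assumed values flag, and emitting `rbac.serviceAccountName` verbatim for the existing-account case is an assumption about how such a name should be passed through; the rest of the condition mirrors the template quoted above.

```gotemplate
spec:
      ...
      {{- /* Hypothetical flag: rbac.existingServiceAccount marks an account that was created outside Helm. */}}
      {{- $generated := or $top.Values.global.rbac.generateGlobalServiceAccount $v.rbac.generateServiceAccount }}
      {{- $useExisting := and (not $generated) $v.rbac.existingServiceAccount }}
      {{- if and $generated $v.rbac.applyServiceAccountToWorkload }}
      {{- /* Generated account: keep the chart's release-derived naming helper. */}}
      serviceAccountName: {{ include "pinglib.rbac.service-account-name" (append . $v.rbac.serviceAccountName) }}
      {{- else if and $useExisting $v.rbac.applyServiceAccountToWorkload }}
      {{- /* Existing account: use the configured name as-is so the pod does not silently fall back to "default" (assumed pass-through). */}}
      serviceAccountName: {{ $v.rbac.serviceAccountName }}
      {{- /* Always set a service account for this workload yaml if Vault is enabled. */}}
      {{- else if $v.vault.enabled }}
      serviceAccountName: {{ include "pinglib.rbac.service-account-name" (append . $v.vault.hashicorp.annotations.serviceAccountName) }}
      {{- end }}
```

Whichever form the fix takes, the thing worth checking is the rendered output rather than the values file: `helm template <release> <chart> -f values.yaml | grep serviceAccountName` shows what the chart will actually set, and after deployment `kubectl get pod <pod> -o jsonpath='{.spec.serviceAccountName}'` confirms the pod is not running as `default`, which is the symptom reported above.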

henryrecker-pingidentity commented 2 years ago

@dounix We've fixed this issue in the new 0.9.4 release out today. The release notes describe the fix and link to an updated RBAC example showing how to use an existing service account - https://helm.pingidentity.com/release-notes/currentRelease/