Readding ServiceAccount (#212)

jansenfuller · web-flow · commit 3f78f2d4c533 · 2026-06-10T03:32:09.000Z
* Readding ServiceAccount

* Bumping version
diff --git a/helm/taskchampion-sync-server/Chart.yaml b/helm/taskchampion-sync-server/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: taskchampion-sync-server
 description: A Helm chart for deploying TaskChampion Sync Server on Kubernetes
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: "0.7.0"
 keywords:
   - taskchampion
diff --git a/helm/taskchampion-sync-server/templates/_helpers.tpl b/helm/taskchampion-sync-server/templates/_helpers.tpl
@@ -93,4 +93,8 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 
 {{- define "taskchampion-sync-server.postgres-secret-name" -}}
 {{- printf "%s-connection" .Release.Name -}}
+{{- end -}}
+
+{{- define "taskchampion-sync-server.serviceAccountName" -}}
+{{- default (include "taskchampion-sync-server.fullname" .) .Values.serviceAccount.name -}}
 {{- end -}}
diff --git a/helm/taskchampion-sync-server/templates/deployment.yaml b/helm/taskchampion-sync-server/templates/deployment.yaml
@@ -23,6 +23,9 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.serviceAccount.create }}
+      serviceAccountName: {{ include "taskchampion-sync-server.serviceAccountName" . }}
+      {{- end }}
       securityContext:
         {{- toYaml .Values.securityContext | nindent 8 }}
       {{- if and .Values.postgres.enabled .Values.postgres.initContainer.enabled }}
diff --git a/helm/taskchampion-sync-server/templates/serviceaccount.yaml b/helm/taskchampion-sync-server/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "taskchampion-sync-server.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "taskchampion-sync-server.labels" . | nindent 4 }}
+{{- end }}
diff --git a/helm/taskchampion-sync-server/values.yaml b/helm/taskchampion-sync-server/values.yaml
@@ -96,6 +96,16 @@ replicas:
   enabled: false
   count: 1
 
+# ServiceAccount configuration
+# The app does not access the Kubernetes API, so no RBAC permissions are needed.
+# A dedicated ServiceAccount is created to give the pod a stable identity
+# for network policies, pod security, or future RBAC.
+serviceAccount:
+  # create specifies whether a ServiceAccount should be created
+  create: true
+  # name sets the ServiceAccount name
+  name: taskchampion-sync-server
+
 # Security context for the pod
 # NOTE: runAsUser and runAsGroup are intentionally unset.
 # The Docker entrypoint requires root to chown the data directory and then
