deployment/helm: user dedicated serviceaccount for topology-updater

Change the configuration so that, by default, we use a dedicated serviceaccount for topology-updater (similar to topology-gc, nfd-master and nfd-worker). Fix the templates so that the serviceaccount and clusterrolebinding are only created when topology-updater is enabled (clusterrole was already handled this way). This patch also correctly documents the default value of rbac.create parameter of topology-updater and topology-gc. (cherry picked from commit 526aab87cf)
2025-03-13 20:30:03 +00:00 · 2023-05-05 08:24:42 +03:00 · 2023-05-05 08:24:42 +03:00 · bd69dc6183
commit bd69dc6183
parent ded5cac89f
4 changed files with 4 additions and 4 deletions
--- a/deployment/helm/node-feature-discovery/templates/clusterrolebinding.yaml
+++ b/deployment/helm/node-feature-discovery/templates/clusterrolebinding.yaml
@ -16,7 +16,7 @@ subjects:
 {{- end }}

 ---
-{{- if .Values.topologyUpdater.rbac.create }}
+{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/deployment/helm/node-feature-discovery/templates/serviceaccount.yaml
+++ b/deployment/helm/node-feature-discovery/templates/serviceaccount.yaml
@ -13,7 +13,7 @@ metadata:
 {{- end }}

 ---
-{{- if .Values.topologyUpdater.serviceAccount.create }}
+{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
--- a/deployment/helm/node-feature-discovery/values.yaml
+++ b/deployment/helm/node-feature-discovery/values.yaml
@ -389,7 +389,7 @@ topologyUpdater:
  createCRDs: false

  serviceAccount:
-    create: false
+    create: true
    annotations: {}
    name:
  rbac:
--- a/docs/deployment/helm.md
+++ b/docs/deployment/helm.md
@ -161,7 +161,7 @@ We have introduced the following Chart parameters.
 | `topologyUpdater.serviceAccount.create`       | bool   | true    | Specifies whether the service account for topology updater should be created                                                                                                                          |
 | `topologyUpdater.serviceAccount.annotations`  | dict   | {}      | Annotations to add to the service account for topology updater                                                                                                                                        |
 | `topologyUpdater.serviceAccount.name`         | string |         | The name of the service account for topology updater to use. If not set and create is true, a name is generated using the fullname template and `-topology-updater` suffix                            |
-| `topologyUpdater.rbac.create`                 | bool   | false   | Specifies whether to create [RBAC][rbac] configuration for topology updater                                                                                                                           |
+| `topologyUpdater.rbac.create`                 | bool   | true    | Specifies whether to create [RBAC][rbac] configuration for topology updater                                                                                                                           |
 | `topologyUpdater.kubeletConfigPath`           | string | ""      | Specifies the kubelet config host path                                                                                                                                                                |
 | `topologyUpdater.kubeletPodResourcesSockPath` | string | ""      | Specifies the kubelet sock path to read pod resources                                                                                                                                                 |
 | `topologyUpdater.updateInterval`              | string | 60s     | Time to sleep between CR updates. Non-positive value implies no CR update.                                                                                                                            |